Chapter 5. Checking DNS records using IdM Healthcheck
You can identify issues with DNS records in Identity Management (IdM) using the Healthcheck tool.
5.1. DNS records healthcheck test
The Healthcheck tool includes a test for checking that the expected DNS records required for autodiscovery are resolvable.
To list all tests, run the ipa-healthcheck with the --list-sources option:
# ipa-healthcheck --list-sources
You can find the DNS records check test under the ipahealthcheck.ipa.idns source.
- IPADNSSystemRecordsCheck
-
This test checks the DNS records from the
ipa dns-update-system-records --dry-runcommand using the first resolver specified in the/etc/resolv.conffile. The records are tested on the IPA server.
5.2. Screening DNS records using the healthcheck tool
Follow this procedure to run a standalone manual test of DNS records on an Identity Management (IdM) server using the Healthcheck tool.
The Healthcheck tool includes many tests. Results can be narrowed down by including only the DNS records tests by adding the --source ipahealthcheck.ipa.idns option.
Prerequisites
-
You must perform Healthcheck tests as the
rootuser.
Procedure
To run the DNS records check, enter:
# ipa-healthcheck --source ipahealthcheck.ipa.idns
If the record is resolvable, the test returns
SUCCESSas a result:{ "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "SUCCESS", "uuid": "eb7a3b68-f6b2-4631-af01-798cac0eb018", "when": "20200415143339Z", "duration": "0.210471", "kw": { "key": "_ldap._tcp.idm.example.com.:server1.idm.example.com." } }The test returns a
WARNINGwhen, for example, the number of records does not match the expected number:{ "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING", "uuid": "972b7782-1616-48e0-bd5c-49a80c257895", "when": "20200409100614Z", "duration": "0.203049", "kw": { "msg": "Got {count} ipa-ca A records, expected {expected}", "count": 2, "expected": 1 } }
Additional resources
-
See
man ipa-healthcheck.