A DNS entry and a static IP address must be available for the VMware Identity Manager virtual appliance. Because each company administers its IP addresses and DNS records differently, request the DNS record and IP address to use before you begin the installation.

Configuring reverse lookup is mandatory. Define a PTR record for the appliance's IP address on the DNS server so that the virtual appliance picks up the correct network configuration.

Note:

You must use a static IP address and it must have a PTR and an A record defined in the DNS.

You can use the following sample list of DNS records when you talk to your network administrator. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.

Table 1. Examples of Forward DNS Records and IP Addresses

Domain Name                     Resource Type   IP Address
myidentitymanager.company.com   A               10.28.128.3

This example shows reverse DNS records and IP addresses.

Table 2. Examples of Reverse DNS Records and IP Addresses

IP Address     Resource Type   Host Name
10.28.128.3    PTR             myidentitymanager.company.com

After you complete the DNS configuration, verify that the forward and reverse lookups agree before you deploy the appliance. For example, on the virtual appliance the command host 10.28.128.3 must return myidentitymanager.company.com, and host myidentitymanager.company.com must return 10.28.128.3. If the PTR record is missing, or points to a different name than the A record, correct the DNS records before you continue.
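The following script is an added example and is not part of the VMware documentation. It checks that the A record and the PTR record for the appliance match each other and the static IP address you intend to configure, which is the condition the preceding paragraph asks you to verify by hand. The host name and address are the sample values from Tables 1 and 2; the use of dig for the live lookup and the record names in the offline demonstration are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the VMware documentation: confirm that the
# appliance's A record and PTR record agree with each other and with the
# static IP address you intend to configure on the appliance.
#
# The host name and address are the sample values from Tables 1 and 2;
# replace them with the record your network administrator assigned.

# DNS names are case-insensitive and dig/host print them with a trailing
# dot, so normalize before comparing.
normalize_name() {
  printf '%s\n' "$1" | sed 's/\.$//' | tr '[:upper:]' '[:lower:]'
}

# check_records FQDN STATIC_IP A_ANSWERS PTR_ANSWER
#   A_ANSWERS  - whitespace-separated addresses returned for the A lookup
#   PTR_ANSWER - name returned by the reverse lookup of STATIC_IP ("" if none)
# Prints the first inconsistency found and returns 1; returns 0 when the
# forward and reverse records form a matching pair.
check_records() {
  local fqdn ip a_answers ptr addr found count
  fqdn=$(normalize_name "$1")
  ip=$2
  a_answers=$3
  ptr=$(normalize_name "$4")

  found=0
  count=0
  for addr in $a_answers; do
    count=$((count + 1))
    [ "$addr" = "$ip" ] && found=1
  done
  if [ "$count" -eq 0 ]; then
    echo "FAIL: no A record for $fqdn"
    return 1
  fi
  if [ "$found" -ne 1 ]; then
    echo "FAIL: A record for $fqdn ($a_answers) does not contain static IP $ip"
    return 1
  fi
  # One appliance name should map to exactly one address; a second address
  # usually means a stale record left over from a previous deployment.
  if [ "$count" -gt 1 ]; then
    echo "WARN: $fqdn resolves to $count addresses: $a_answers"
  fi
  if [ -z "$ptr" ]; then
    echo "FAIL: no PTR record for $ip (reverse lookup is mandatory)"
    return 1
  fi
  if [ "$ptr" != "$fqdn" ]; then
    echo "FAIL: PTR for $ip is $ptr, expected $fqdn"
    return 1
  fi
  echo "OK: $fqdn and $ip have matching A and PTR records"
  return 0
}

# Live check (needs network access and dig from bind-utils/dnsutils). The
# answers are passed to check_records so real and sample data share one path.
check_live() {
  check_records "$1" "$2" "$(dig +short A "$1")" "$(dig +short -x "$2")"
}

# Offline demonstration with constructed answers mirroring Tables 1 and 2.
check_records myidentitymanager.company.com 10.28.128.3 \
  "10.28.128.3" "myidentitymanager.company.com."
# A PTR left pointing at an old host is the typical failure and must be caught.
check_records myidentitymanager.company.com 10.28.128.3 \
  "10.28.128.3" "oldhost.company.com." || true
```

Run check_live with your own host name and address from the appliance (or any host that uses the same DNS servers) once the records exist; the offline calls at the bottom show the passing case and the stale-PTR failure without touching the network.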

Planning for Kerberos Authentication

If you plan to set up Kerberos authentication, note the following requirements:
  • In a scenario where you use the embedded connector in VMware Identity Manager for Kerberos authentication, the VMware Identity Manager host name must match the Active Directory domain to which VMware Identity Manager is joined. For example, if the Active Directory domain is sales.example.com, the VMware Identity Manager host name must be vidmhost.sales.example.com.

    If you cannot assign a hostname that matches the Active Directory domain structure, you need to configure VMware Identity Manager and Active Directory manually. See the Knowledge Base for information.

  • In a scenario where you use external connectors for Kerberos authentication, the connector host name must match the Active Directory domain to which the connector is joined. For example, if the Active Directory domain is sales.example.com, the connector host name must be connectorhost.sales.example.com.

    If you cannot assign a hostname that matches the Active Directory domain structure, you need to configure the connector and Active Directory manually. See the Knowledge Base for information.

Using a Unix/Linux-based DNS Server

If you are using a Unix or Linux-based DNS server and plan to join VMware Identity Manager to the Active Directory domain, make sure that the appropriate service (SRV) resource records are created for each Active Directory domain controller.
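The following script is an added example and is not part of the VMware documentation. It lists the SRV record names that a domain-joined host uses to locate domain controllers and checks that a DNS server answers each one, which is the condition the preceding paragraph places on a Unix or Linux DNS server. The record names are the standard Active Directory DC locator records; that this is the set the appliance needs is an assumption, as is the use of dig and the sample domain sales.example.com.

```shell
#!/usr/bin/env bash
# Added example, not part of the VMware documentation: verify that a DNS
# server publishes the SRV records a domain-joined host needs to find
# Active Directory domain controllers. The record names are the standard
# DC locator records; add site-specific names (_sites.<site>) if your
# connector is pinned to an AD site.

# parse_srv: read "priority weight port target" lines (dig +short output
# for an SRV query) from stdin and print "target:port", one per line.
# Lines that do not have that shape are dropped rather than trusted.
parse_srv() {
  awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# required_srv_names DOMAIN: the SRV owner names every AD domain publishes.
required_srv_names() {
  local d=$1
  printf '%s\n' \
    "_ldap._tcp.dc._msdcs.$d" \
    "_ldap._tcp.$d" \
    "_kerberos._tcp.$d" \
    "_kerberos._udp.$d" \
    "_kpasswd._tcp.$d"
}

# check_srv_answer NAME ANSWER: ANSWER is the +short output for NAME.
# Returns 1 when the answer is empty or contains no well-formed SRV line.
check_srv_answer() {
  local name=$1 answer=$2 targets
  targets=$(printf '%s\n' "$answer" | parse_srv)
  if [ -z "$targets" ]; then
    echo "FAIL: no usable SRV records for $name"
    return 1
  fi
  echo "OK: $name -> $(printf '%s' "$targets" | tr '\n' ' ')"
  return 0
}

# check_domain_live DOMAIN [DNS_SERVER]: query each required name with dig
# (needs network access). Returns 1 if any record is missing.
check_domain_live() {
  local domain=$1 server=${2:+@$2} name rc=0
  for name in $(required_srv_names "$domain"); do
    check_srv_answer "$name" "$(dig +short $server SRV "$name")" || rc=1
  done
  return $rc
}

# Offline demonstration with a constructed answer for the sample domain.
sample_answer="0 100 389 dc1.sales.example.com.
0 100 389 dc2.sales.example.com."
check_srv_answer _ldap._tcp.dc._msdcs.sales.example.com "$sample_answer"
# A DNS server that lacks the Kerberos record must be reported.
check_srv_answer _kerberos._tcp.sales.example.com "" || true
```

Run check_domain_live with your AD domain, and optionally the address of each DNS server the appliance will be configured with, so that every server is checked individually rather than whichever one happens to answer.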

Note: VMware Identity Manager does not support specifying a load balancer virtual IP address (VIP) that fronts your DNS servers as its DNS server. Instead, specify the DNS servers individually, separated by commas.