Hi all, It seems something broke somewhere along the lines when I was trying to set up Windows Sync. Please take a look at the following outputs. I can connect both directions manually via SSL, but the actual ipa-replica-manage script seems to be pulling certs from somewhere else. The current sync between ipaserver-01 & ipaserver-02 is working fine. If anyone has any suggestions, I would be open to them. Thanks! example.local = active directory domain <a href="http://example.com">example.com</a> = ipa realm ----- [root@ipaserver-01 ~]# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI DigiCertCA CT,,C AD CA cert CT,,C ipaserver-01 u,u,u #----- # everything looks right #----- [root@ipaserver-01 ~]# [root@ipaserver-01 ~]# /usr/lib64/mozldap/ldapsearch -h adserver-01.example.local -p 636 -Z -P /etc/dirsrv/slapd-EXAMPLE-COM/cert8.db -D "passsync@example.local" -w 'notrealpassword' -s base -b "" "objectclass=*" version: 1 dn: currentTime: 20110111153848.0Z ... ... supportedControl: 1.2.840.113556.1.4.1948 supportedControl: 1.2.840.113556.1.4.1974 supportedControl: 1.2.840.113556.1.4.1341 supportedControl: 1.2.840.113556.1.4.2026 supportedLDAPVersion: 3 supportedLDAPVersion: 2 supportedLDAPPolicies: MaxPoolThreads ... ... dnsHostName: adserver-01.example.local ldapServiceName: example.local:adserver-01$@example.local ... ... isSynchronized: TRUE isGlobalCatalogReady: TRUE domainFunctionality: 3 forestFunctionality: 3 domainControllerFunctionality: 3 [root@ipaserver-01 ~]# #----- # good valid results for the query [reduced for clarity] #----- [root@ipaserver-01 ~]# ipa-replica-manage list Directory Manager password: unexpected error: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"} [root@ipaserver-01 ~]# #----- # welp, it looks like something is broken somewhere.. #-----