<div dir="rtl"><div dir="ltr">The forest root domain in my case is <a href="http://RED.COM">RED.COM</a>.</div><div dir="ltr"> </div><div dir="ltr">I have attached the log files.</div></div><div class="gmail_extra"> <div class="gmail_quote"><div dir="ltr">2014-10-08 14:15 GMT+02:00 Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>>:</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Wed, 08 Oct 2014, Genadi Postrilko wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Both Domain functional level and Forest functional level are Windows Server 2008 R2. </blockquote> You need to check if the AD DC server IPA tries to contact has PDC emulator role _and_ is a domain controller for the root domain of the forest. I've added some fixes to enforce this checked in 4.0 (and backported to 3.3 in some RHEL 7 update which is not yet pushed out) but the easiest thing to ensure you are using right domains and right servers. forest root domain = first domain created in the forest. If forest name is <a href="http://example.com" target="_blank">example.com</a>, then that's the forest root domain as well. Using <a href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust" target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust</a> you can generate proper logs to see where the issue is.<div class="HOEnZb"><div class="h5"> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 2014-10-08 9:24 GMT+02:00 Sumit Bose <<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Wed, Oct 08, 2014 at 02:42:47AM +0200, Genadi Postrilko wrote: > Hello. > > I am attempting to create trust between AD and IPA. > > I have deployed AD environment as follows: > > I have created domain <a href="http://RED.COM" target="_blank">RED.COM</a> > Then i add new domain tree root - <a href="http://BLUE.COM" target="_blank">BLUE.COM</a>. > > Now i would like to establish trust with IPA as a sub domain ( <a href="http://LINUX.BLUE.COM" target="_blank">LINUX.BLUE.COM</a>) > of <a href="http://BLUE.COM" target="_blank">BLUE.COM</a>. > > I followed the guide and when reaching to trust agreement creation i > stumbled into this error: > > ipa trust-add --type=ad <a href="http://blue.com" target="_blank">blue.com</a> --admin Administrator --password > Active directory domain administrator's password: > ipa: ERROR: invalid 'AD domain controller': unsupported functional level can you check the domain and forest functional levels of your domains? You can find this information in the 'Active Directory Domains and Trusts' utility by right-clicking the domain name and selecting properties? iirc the minimal level we support in 2003R2. bye, Sumit > > Both AD server are 2008 R2. > IPA version is 3.3, installed on RHEL 7. > > Help will be appreciated. > > Genadi. > -- > Manage your subscription for the Freeipa-users mailing list: > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project </blockquote></blockquote> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project </blockquote> </div></div> -- / Alexander Bokovoy </blockquote></div> </div>