[Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 8 12:15:33 UTC 2014


On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>Both Domain functional level and Forest functional level are Windows Server
>2008 R2.
You need to check if the AD DC server IPA tries to contact has the PDC
emulator role _and_ is a domain controller for the root domain of the
forest.

I've added some fixes to enforce this check in 4.0 (and backported to
3.3 in some RHEL 7 update which is not yet pushed out) but the easiest
thing is to ensure you are using the right domains and the right servers.

forest root domain = first domain created in the forest. If forest name
is example.com, then that's the forest root domain as well.

Using http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
you can generate proper logs to see where the issue is.

>
>2014-10-08 9:24 GMT+02:00 Sumit Bose <sbose at redhat.com>:
>
>> On Wed, Oct 08, 2014 at 02:42:47AM +0200, Genadi Postrilko wrote:
>> > Hello.
>> >
>> > I am attempting to create trust between AD and IPA.
>> >
>> > I have deployed AD environment as follows:
>> >
>> > I have created domain RED.COM
>> > Then I added a new domain tree root - BLUE.COM.
>> >
>> > Now I would like to establish trust with IPA as a sub domain (LINUX.BLUE.COM)
>> > of BLUE.COM.
>> >
>> > I followed the guide and when reaching the trust agreement creation I
>> > stumbled into this error:
>> >
>> >  ipa trust-add --type=ad blue.com --admin Administrator --password
>> > Active directory domain administrator's password:
>> > ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>>
>> Can you check the domain and forest functional levels of your domains?
>> You can find this information in the 'Active Directory Domains and
>> Trusts' utility by right-clicking the domain name and selecting
>> properties. IIRC the minimal level we support is 2003R2.
>>
>> bye,
>> Sumit
>>
>> >
>> > Both AD servers are 2008 R2.
>> > IPA version is 3.3, installed on RHEL 7.
>> >
>> > Help will be appreciated.
>> >
>> > Genadi.
>>
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go To http://freeipa.org for more info on the project
>>
>>



-- 
/ Alexander Bokovoy
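
The forest-root check described in this reply, as an added example that is not part of the original thread and is not FreeIPA code: it reads a DC's rootDSE attributes and reports whether that DC serves the forest root domain, plus the functional levels. The sample input and host names are constructed to mirror the RED.COM / BLUE.COM layout from the question; the PDC emulator role is not visible in rootDSE and is not covered here.

```python
# Added example, not FreeIPA code. Input is rootDSE text as printed by, e.g.:
#   ldapsearch -x -H ldap://<dc> -s base -b "" defaultNamingContext \
#       rootDomainNamingContext domainFunctionality forestFunctionality dnsHostName
LEVELS = {0: "2000", 1: "2003 interim", 2: "2003", 3: "2008",
          4: "2008 R2", 5: "2012", 6: "2012 R2", 7: "2016"}

# Constructed sample: a DC of tree root blue.com in a forest whose root is red.com.
SAMPLE_ROOTDSE = """\
dn:
dnsHostName: dc1.blue.com
defaultNamingContext: DC=blue,DC=com
rootDomainNamingContext: DC=red,DC=com
domainFunctionality: 4
forestFunctionality: 4
"""

def parse_rootdse(text):
    """Return {attribute_lowercase: value} for plain 'attr: value' lines."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        # Skip comments, continuation lines, empty values and base64 ('attr::').
        if not sep or line.startswith(("#", " ")) or value.startswith(":"):
            continue
        if value.strip():
            attrs[name.strip().lower()] = value.strip()
    return attrs

def dn_to_domain(dn):
    """'DC=blue,DC=com' -> 'blue.com' (only DC= components are used)."""
    parts = [rdn.split("=", 1) for rdn in dn.split(",") if "=" in rdn]
    return ".".join(v.strip().lower() for k, v in parts if k.strip().upper() == "DC")

def check_trust_target(text):
    """Summarise whether the queried DC serves the forest root domain."""
    a = parse_rootdse(text)
    domain = dn_to_domain(a["defaultnamingcontext"])
    root = dn_to_domain(a["rootdomainnamingcontext"])
    return {
        "dc": a.get("dnshostname"),
        "dc_domain": domain,
        "forest_root": root,
        "is_forest_root_dc": domain == root,
        "domain_level": LEVELS.get(int(a["domainfunctionality"]), "unknown"),
        "forest_level": LEVELS.get(int(a["forestfunctionality"]), "unknown"),
    }

if __name__ == "__main__":
    for key, value in check_trust_target(SAMPLE_ROOTDSE).items():
        print(f"{key}: {value}")
```

For the constructed sample, `is_forest_root_dc` is false and `forest_root` is `red.com`, which is the domain whose controller the reply says to use.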



