[Freeipa-users] Error: invalid 'AD domain controller' when establishing trust
abokovoy at redhat.com
Wed Oct 8 12:15:33 UTC 2014
On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>Both Domain functional level and Forest functional level are Windows Server
You need to check if the AD DC server IPA tries to contact has PDC
emulator role _and_ is a domain controller for the root domain of the
I've added some fixes to enforce this checked in 4.0 (and backported to
3.3 in some RHEL 7 update which is not yet pushed out) but the easiest
thing to ensure you are using right domains and right servers.
forest root domain = first domain created in the forest. If forest name
is example.com, then that's the forest root domain as well.
you can generate proper logs to see where the issue is.
>2014-10-08 9:24 GMT+02:00 Sumit Bose <sbose at redhat.com>:
>> On Wed, Oct 08, 2014 at 02:42:47AM +0200, Genadi Postrilko wrote:
>> > Hello.
>> > I am attempting to create trust between AD and IPA.
>> > I have deployed AD environment as follows:
>> > I have created domain RED.COM
>> > Then i add new domain tree root - BLUE.COM.
>> > Now i would like to establish trust with IPA as a sub domain (
>> > of BLUE.COM.
>> > I followed the guide and when reaching to trust agreement creation i
>> > stumbled into this error:
>> > ipa trust-add --type=ad blue.com --admin Administrator --password
>> > Active directory domain administrator's password:
>> > ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>> can you check the domain and forest functional levels of your domains?
>> You can find this information in the 'Active Directory Domains and
>> Trusts' utility by right-clicking the domain name and selecting
>> properties? iirc the minimal level we support in 2003R2.
>> > Both AD server are 2008 R2.
>> > IPA version is 3.3, installed on RHEL 7.
>> > Help will be appreciated.
>> > Genadi.
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go To http://freeipa.org for more info on the project
>Manage your subscription for the Freeipa-users mailing list:
>Go To http://freeipa.org for more info on the project
/ Alexander Bokovoy
More information about the Freeipa-users