[Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

Genadi Postrilko genadipost at gmail.com
Wed Oct 8 15:10:15 UTC 2014


The forest root domain in my case is RED.COM.

I have attached the log files.

2014-10-08 14:15 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>
>> Both Domain functional level and Forest functional level are Windows
>> Server 2008 R2.
>>
> You need to check if the AD DC server IPA tries to contact has PDC
> emulator role _and_ is a domain controller for the root domain of the
> forest.
>
> I've added some fixes to enforce this checked in 4.0 (and backported to
> 3.3 in some RHEL 7 update which is not yet pushed out) but the easiest
> thing is to ensure you are using the right domains and right servers.
>
> forest root domain = first domain created in the forest. If forest name
> is example.com, then that's the forest root domain as well.
>
> Using http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
> you can generate proper logs to see where the issue is.
>
>
>
>> 2014-10-08 9:24 GMT+02:00 Sumit Bose <sbose at redhat.com>:
>>
>>  On Wed, Oct 08, 2014 at 02:42:47AM +0200, Genadi Postrilko wrote:
>>> > Hello.
>>> >
>>> > I am attempting to create trust between AD and IPA.
>>> >
>>> > I have deployed AD environment as follows:
>>> >
>>> > I have created domain RED.COM
>>> > Then I added a new domain tree root - BLUE.COM.
>>> >
>>> > Now I would like to establish trust with IPA as a sub domain
>>> > (LINUX.BLUE.COM) of BLUE.COM.
>>> >
>>> > I followed the guide and when reaching trust agreement creation I
>>> > stumbled into this error:
>>> >
>>> >  ipa trust-add --type=ad blue.com --admin Administrator --password
>>> > Active directory domain administrator's password:
>>> > ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>>>
>>> can you check the domain and forest functional levels of your domains?
>>> You can find this information in the 'Active Directory Domains and
>>> Trusts' utility by right-clicking the domain name and selecting
>>> properties. iirc the minimal level we support is 2003R2.
>>>
>>> bye,
>>> Sumit
>>>
>>> >
>>> > Both AD servers are 2008 R2.
>>> > IPA version is 3.3, installed on RHEL 7.
>>> >
>>> > Help will be appreciated.
>>> >
>>> > Genadi.
>>>
>>> > --
>>> > Manage your subscription for the Freeipa-users mailing list:
>>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>>> > Go To http://freeipa.org for more info on the project
>>>
>>>
>>>
>
>
> --
> / Alexander Bokovoy
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa_trust_debug.zip
Type: application/zip
Size: 1108363 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141008/ae8d59b7/attachment.zip>
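
Added example, not part of the original thread and not FreeIPA code: one way to test the forest-root half of the check described in the quoted reply, by reading the rootDSE of the AD DC that IPA contacts and comparing its own domain with the forest root. The sample rootDSE is constructed from the domain names in this thread, the function names are hypothetical, and the PDC emulator role is not determined by this check.

```python
# Input: LDIF from an anonymous base-scope rootDSE query against the AD DC, e.g.
#   ldapsearch -x -LLL -H ldap://<dc> -s base -b "" defaultNamingContext \
#       rootDomainNamingContext domainFunctionality forestFunctionality

# Numeric functional levels as published in the AD rootDSE.
LEVELS = {0: "2000", 2: "2003", 3: "2008", 4: "2008 R2", 5: "2012", 6: "2012 R2", 7: "2016"}

# Constructed sample: what a DC of the BLUE.COM tree in forest RED.COM would return.
SAMPLE_ROOTDSE = """\
dn:
defaultNamingContext: DC=blue,DC=com
rootDomainNamingContext: DC=red,DC=com
domainFunctionality: 4
forestFunctionality: 4
"""

def parse_ldif(text):
    """Return {lowercased attribute: value} for plain 'attr: value' lines."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        # Skip comments, continuation lines, empty values and base64 ('attr::') values.
        if sep and value.strip() and not value.startswith(":") and not line.startswith((" ", "#")):
            attrs[name.strip().lower()] = value.strip()
    return attrs

def dn_to_dns(dn):
    """'DC=blue,DC=com' -> 'blue.com' (only DC= components are used)."""
    parts = [rdn.split("=", 1) for rdn in dn.split(",")]
    return ".".join(v.strip().lower() for k, v in parts if k.strip().lower() == "dc")

def check_rootdse(text):
    a = parse_ldif(text)
    missing = [k for k in ("defaultnamingcontext", "rootdomainnamingcontext") if k not in a]
    if missing:
        raise ValueError("rootDSE output lacks: " + ", ".join(missing))
    domain = dn_to_dns(a["defaultnamingcontext"])
    root = dn_to_dns(a["rootdomainnamingcontext"])
    level = lambda key: LEVELS.get(int(a[key]), "unknown") if key in a else "not returned"
    return {
        "dc_domain": domain,
        "forest_root": root,
        "is_forest_root_dc": domain == root,  # False: this DC serves another domain of the forest
        "domain_level": level("domainfunctionality"),
        "forest_level": level("forestfunctionality"),
    }

if __name__ == "__main__":
    for key, value in check_rootdse(SAMPLE_ROOTDSE).items():
        print(f"{key}: {value}")
```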

