[Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 8 15:48:20 UTC 2014


On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>The forest root domain in my case is RED.COM.
You need to establish trust to red.com then. Any domain which is a member
of the forest red.com will be visible through the trust.

Forest trust can only be established between forest root domains, that's
how it is designed by Microsoft.

>
>I have attached the log files.
These logs show you are attempting to establish trust to blue.com which
is not a forest root domain, thus nothing works.

>
>2014-10-08 14:15 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>
>> On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>>
>>> Both Domain functional level and Forest functional level are Windows
>>> Server
>>> 2008 R2.
>>>
>> You need to check if the AD DC server IPA tries to contact has PDC
>> emulator role _and_ is a domain controller for the root domain of the
>> forest.
>>
>> I've added some fixes to enforce this check in 4.0 (and backported to
>> 3.3 in some RHEL 7 update which is not yet pushed out), but the easiest
>> thing is to ensure you are using the right domains and the right servers.
>>
>> forest root domain = first domain created in the forest. If forest name
>> is example.com, then that's the forest root domain as well.
>>
>> Using http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
>> you can generate proper logs to see where the issue is.
>>
>>
>>
>>> 2014-10-08 9:24 GMT+02:00 Sumit Bose <sbose at redhat.com>:
>>>
>>>> On Wed, Oct 08, 2014 at 02:42:47AM +0200, Genadi Postrilko wrote:
>>>> > Hello.
>>>> >
>>>> > I am attempting to create trust between AD and IPA.
>>>> >
>>>> > I have deployed AD environment as follows:
>>>> >
>>>> > I have created domain RED.COM
>>>> > Then I added a new domain tree root - BLUE.COM.
>>>> >
>>>> > Now I would like to establish trust with IPA as a subdomain
>>>> > (LINUX.BLUE.COM) of BLUE.COM.
>>>> >
>>>> > I followed the guide and when reaching trust agreement creation I
>>>> > stumbled into this error:
>>>> >
>>>> >  ipa trust-add --type=ad blue.com --admin Administrator --password
>>>> > Active directory domain administrator's password:
>>>> > ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>>>>
>>>> Can you check the domain and forest functional levels of your domains?
>>>> You can find this information in the 'Active Directory Domains and
>>>> Trusts' utility by right-clicking the domain name and selecting
>>>> Properties. IIRC the minimal level we support is 2003R2.
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>> >
>>>> > Both AD servers are 2008 R2.
>>>> > IPA version is 3.3, installed on RHEL 7.
>>>> >
>>>> > Help will be appreciated.
>>>> >
>>>> > Genadi.
>>>>
>>>> > --
>>>> > Manage your subscription for the Freeipa-users mailing list:
>>>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> > Go To http://freeipa.org for more info on the project
>>>>
>>>>
>>>>
>>>
>>
>>
>> --
>> / Alexander Bokovoy
>>



-- 
/ Alexander Bokovoy
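A pre-flight check for the two conditions stated in this thread (the trust target must be the forest root domain, and the DC that IPA contacts must hold the PDC emulator role), written here as an added Python example that is not part of the thread or of FreeIPA itself. It parses the RootDSE output of `ldapsearch -x -s base -b ''` and the answer to `dig +short SRV _ldap._tcp.pdc._msdcs.<domain>`; the LDIF and SRV data below are constructed to match the RED.COM/BLUE.COM layout, and the host names in them are assumptions.

```python
"""Classify an AD domain before running `ipa trust-add --type=ad <domain>`.

Inputs are text an admin can collect on the IPA server:
  ldapsearch -x -H ldap://<dc> -s base -b '' defaultNamingContext \
             rootDomainNamingContext dnsHostName
  dig +short SRV _ldap._tcp.pdc._msdcs.<domain>
"""
import re

# Constructed sample: RootDSE of a BLUE.COM DC (a tree root inside forest RED.COM).
ROOTDSE_BLUE = """\
dn:
defaultNamingContext: DC=blue,DC=com
rootDomainNamingContext: DC=red,DC=com
dnsHostName: dc1.blue.com
"""
# Constructed sample: RootDSE of the RED.COM forest root DC.
ROOTDSE_RED = """\
dn:
defaultNamingContext: DC=red,DC=com
rootDomainNamingContext: DC=red,DC=com
dnsHostName: dc1.red.com
"""
# Constructed sample: `dig +short SRV` answers (priority weight port target).
PDC_SRV_BLUE = "0 100 389 dc1.blue.com."
PDC_SRV_RED = "0 100 389 dc1.red.com."


def dn_to_dns(dn):
    """'DC=blue,DC=com' -> 'blue.com'; only DC= RDNs form the DNS name."""
    rdns = re.findall(r'(\w+)=([^,]+)', dn)
    return '.'.join(v.strip().lower() for k, v in rdns if k.upper() == 'DC')


def parse_rootdse(ldif):
    """Turn 'attr: value' lines into a dict (single-valued attributes only)."""
    attrs = {}
    for line in ldif.splitlines():
        if ':' in line:
            key, value = line.split(':', 1)
            attrs[key.strip()] = value.strip()
    return attrs


def check_trust_target(rootdse_ldif, pdc_srv_answer):
    """Return (ok, forest_root, message) for the domain the RootDSE belongs to."""
    attrs = parse_rootdse(rootdse_ldif)
    domain = dn_to_dns(attrs['defaultNamingContext'])
    forest = dn_to_dns(attrs['rootDomainNamingContext'])
    dc = attrs.get('dnsHostName', '').lower()
    pdc = pdc_srv_answer.split()[-1].rstrip('.').lower()  # SRV target host
    problems = []
    if domain != forest:
        problems.append(f"{domain} is not the forest root; trust {forest} instead")
    if dc != pdc:
        problems.append(f"{dc} is not the PDC emulator ({pdc} is)")
    msg = '; '.join(problems) or f"{domain} is the forest root and {dc} is its PDC emulator"
    return (not problems, forest, msg)
```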



