[Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 8 17:06:01 UTC 2014

On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>2014-10-08 17:48 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>> On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>>> The forest root domain in my case is RED.COM.
>> You need to establish trust to red.com then. Any domain which is member
>> of the forest red.com will be visible through trust.
>> Forest trust can only be established between forest root domains, that's
>> how it is designed by Microsoft.
>It doesn't matter how complex the forest is? Even if the forest contains
>a number of domain trees, the trust has to be
>established with the forest root domain?
Yes, see the "Forest trusts" section of

>>> I have attached the log files.
>> These logs show you are attempting to establish trust to blue.com which
>> is not a forest root domain, thus nothing works.
>I assumed that DNS forwarding has to be created between IPA (linux.blue.com)
>and the AD (blue.com).
>Should any DNS configuration change?
It should be between all AD domains which would use IPA services, namely
forest root domain (red.com) and all other domains whose users will be
accessing the trust (blue.com in your case).

Usually this is solved globally, of course.
/ Alexander Bokovoy
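As an added illustration of the two points above (the trust must target the forest root, and IPA's resolver must reach every AD domain involved), here is a hypothetical pre-flight script, not FreeIPA code and not from this thread. It assumes ldapsearch and dig are installed on the IPA server, that the DC allows the default anonymous rootDSE read, and uses the constructed DC name dc1.blue.com.

```shell
#!/bin/sh
# Hypothetical pre-flight check before `ipa trust-add` (not FreeIPA code):
# find the AD forest root from a DC's rootDSE and verify that the IPA-side
# resolver can locate the DCs of every AD domain involved in the trust.
# Assumes ldapsearch (openldap-clients) and dig are available.
set -eu

# "DC=red,DC=com" -> "red.com"
dn_to_dns() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/dc=//g; s/,/./g'
}

# Read rootDSE LDIF and print "<forest root> <DC's own domain>". AD exposes
# both attributes anonymously; they differ for a child domain such as
# blue.com, which is exactly the case where trust-add must target red.com.
forest_and_own_domain() {
  root=$(printf '%s\n' "$1" | awk -F': ' '/^rootDomainNamingContext:/ {print $2}')
  own=$(printf '%s\n' "$1" | awk -F': ' '/^defaultNamingContext:/ {print $2}')
  printf '%s %s\n' "$(dn_to_dns "$root")" "$(dn_to_dns "$own")"
}

# Anonymous base search against a live DC for the two attributes above.
query_rootdse() {
  ldapsearch -x -LLL -H "ldap://$1" -s base -b '' \
    defaultNamingContext rootDomainNamingContext
}

# Every AD domain must be resolvable from IPA (forward zones); the DC locator
# SRV record is the minimum that has to answer.
check_dc_srv() {
  rc=0
  for domain in "$@"; do
    if [ -n "$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain")" ]; then
      echo "OK   $domain: DC locator SRV record resolves"
    else
      echo "FAIL $domain: no _ldap._tcp.dc._msdcs SRV record; add a forward zone"
      rc=1
    fi
  done
  return $rc
}

main() {
  set -- $(forest_and_own_domain "$(query_rootdse "$1")")
  forest=$1; own=$2
  if [ "$forest" = "$own" ]; then
    check_dc_srv "$forest"
  else
    echo "$own is a child domain; the forest trust must go to $forest"
    check_dc_srv "$forest" "$own"
  fi
  echo "Ready: ipa trust-add --type=ad $forest --admin Administrator --password"
}

# Usage: ./trust-preflight.sh dc1.blue.com   (constructed DC name)
if [ $# -gt 0 ]; then main "$@"; fi
```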
