[Freeipa-users] Multi-Master IPA deployment with AD Trusts: Stability and Consistency Expectations?

Alexander Bokovoy abokovoy at redhat.com
Mon Apr 13 06:02:28 UTC 2015


On Mon, 13 Apr 2015, Traiano Welcome wrote:
>Hi List
>
>The deployment I'm contemplating is as follows:
>
>1. FreeIPA master at a central site,with AD Trust established to the primary DC.
>2. Replicas of the FreeIPA master at 4 other sites (with varying WAN
>latency between central and site), with replication agreements only
>with the master at the central site.
>
>(So the AD trust is established only between the master IPA server and
>the primary AD domain controller)
>
>There is also an existing domain controller at each site that synchs
>to the primary domain controller at the main site.
>
>I'd like AD user access to Linux systems at each site to be as stable
>and consistent as possible, so to rule out the effect of WAN latency
>and possibly intermittent connectivity (and a host of possibly other
>unknown factors), I plan to establish an AD trust between the replica
>at each site and the local AD domain controller. My thinking is that
>AD user accounts information will then be available to the replica
>almost as soon as it's available to the AD dc at that site.
>So ultimately, the consistency of user information should be as good
>as can be expected from AD's cross wan replication to remote sites,
>even if the synchronisation between a replica and master is not 100%
>in synch at all times (e.g. due to WAN latency).
>
>My concern is that multiple trusts established this way may lead to
>replication inconsistency between the master IPA server and its
>replicas, especially in the case where the replica is seeing AD
>information in different stages of replication.
>
>My question: Does IPA cope with this scenario? Is it safe, and will it
>improve AD authentication performance (at least from the user point of
>view) to establish trust between each replica and the local domain
>controller in each given site?
This topic was raised already in March on this list, so please study the
archives for more details about site-awareness in SSSD.

One thing I must note is that you seem to share a common
misunderstanding of how trust to Active Directory is established. There
is *no* need to 'establish an AD trust between the replica at each site
and the local AD domain controller'. The trust is established once and
for whole forest. Information about the trust is replicated to all IPA
masters. In order to get them activated to *provide* access to already
established trust you need to run 'ipa-adtrust-install' on each IPA
master. However, you *don't* need to run 'ipa trust-add' again, and even
if you ran it, it would fail because none of your local AD DCs is the
primary domain controller for your forest root domain.

-- 
/ Alexander Bokovoy
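The per-master step Alexander describes (the trust exists once per forest and is replicated; each IPA master that should serve it needs ipa-adtrust-install, and nobody runs ipa trust-add again) can be turned into a small check. The script below is an added example, not part of the thread or of FreeIPA itself. It assumes ipa-adtrust-install records its role as a cn=ADTRUST service entry under the host's entry in cn=masters,cn=ipa,cn=etc; the host names, the AD domain, the ipa-replica-manage output and the LDIF are all constructed for illustration. It prints which masters still lack the trust controller role and the command to run on each, and the verification to run afterwards.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeIPA.
# Goal: find IPA masters that have not yet run ipa-adtrust-install and
# show the per-master step. The trust itself is never re-created: there
# is no `ipa trust-add` anywhere below.

IPA_SUFFIX='dc=ipa,dc=example,dc=com'   # constructed
AD_DOMAIN='ad.example.com'              # constructed

# Constructed output of `ipa-replica-manage list`, which prints one
# "<fqdn>: master" line per IPA master.
REPLICA_LIST='ipa-central.ipa.example.com: master
ipa-site1.ipa.example.com: master
ipa-site2.ipa.example.com: master
ipa-site3.ipa.example.com: master
ipa-site4.ipa.example.com: master'

# Constructed LDIF, the shape expected from
#   ldapsearch -LLL -b "cn=masters,cn=ipa,cn=etc,$IPA_SUFFIX" '(cn=ADTRUST)' dn
# Assumption: ipa-adtrust-install adds cn=ADTRUST under the master's entry.
# Here only the central master has been through ipa-adtrust-install.
ADTRUST_LDIF="dn: cn=ADTRUST,cn=ipa-central.ipa.example.com,cn=masters,cn=ipa,cn=etc,$IPA_SUFFIX"

# All IPA masters, one FQDN per line.
all_masters() {
    printf '%s\n' "$REPLICA_LIST" | sed -n 's/^\([^:]*\): master$/\1/p'
}

# Masters that already carry the ADTRUST role, extracted from the DNs.
adtrust_masters() {
    printf '%s\n' "$ADTRUST_LDIF" \
        | sed -n 's/^dn: cn=ADTRUST,cn=\([^,]*\),cn=masters,.*/\1/p'
}

# Masters that still need ipa-adtrust-install (set difference).
masters_missing_adtrust() {
    for host in $(all_masters); do
        if ! adtrust_masters | grep -qxF "$host"; then
            printf '%s\n' "$host"
        fi
    done
}

# The per-master command. ipa-adtrust-install is run on each master that
# should answer trust queries; add -U -a <admin password> for unattended runs.
enable_commands() {
    masters_missing_adtrust | while read -r host; do
        printf 'ssh root@%s ipa-adtrust-install\n' "$host"
    done
}

# After replication has caught up, every master should show the same
# (already existing) trust; the trust object itself was replicated.
verify_commands() {
    for host in $(all_masters); do
        printf 'ssh root@%s ipa trust-show %s\n' "$host" "$AD_DOMAIN"
    done
}

echo '# masters still without the trust controller role:'
masters_missing_adtrust
echo '# run on each of them (no ipa trust-add):'
enable_commands
echo '# then verify the one replicated trust is visible everywhere:'
verify_commands
```

Site affinity for AD lookups is a separate, SSSD-side matter (the March thread Alexander points to); this script only answers "which masters can serve the trust yet".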