[Freeipa-users] Advise on the best way to configure the following

pgb205 pgb205 at yahoo.com
Thu May 19 06:10:48 UTC 2016


We have: AD->winsync->FIPA1<->replica<->FIPA2 etc. to multiple other replicas from FIPA1

What we want is to establish a separate set of FIPA replicas which would still have information from AD and yet would not 'pollute' the FIPA1/FIPA2 replicas above.

So far we have considered the following options:

1. Set up a new FIPA3 replica to grab its information from FIPA1. This didn't work as two-way-trust would replicate 'bad' information from FIPA3 back to FIPA1/2.

2. One-way trust between replicas. Somehow establish one-way replication from FIPA1->FIPA3. 'Good' information gets to FIPA3. But new additions on FIPA3 won't make it back to the 'clean' environment. From reading posts on the list this is impossible.

3. Set up separate winsync 'channels' from AD directly to FIPA3, i.e. AD->winsync->FIPA3. The problem with this is winsync of user accounts is possible, but password sync requires there to be only one point of contact between the AD domain and the FIPA domain. That is, all AD controllers contact one and only one FIPA controller using the passsync utility. So there is no way (if I understand correctly) to do:

AD->sync->FIPA1
  ->sync->FIPA3

If my understanding above is correct, what would be the correct way of setting up separate FIPA environments, sourced from the same AD domain, and to replicate both users and passwords?
thanks