<div dir="rtl"><div dir="ltr">The ipa server is able to resolve <a href="http://blue.com">blue.com</a>.</div><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr">dig SRV _ldap._<a href="http://tcp.blue.com">tcp.blue.com</a></div><div dir="ltr"><br></div><div>does return answer.</div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div dir="ltr">2014-10-08 14:11 GMT+02:00 Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>:</div><blockquote class="gmail_quote" style="margin:0 .8ex;border-left:1px #ccc solid;border-right:1px #ccc solid;padding-left:1ex;padding-right:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 10/08/2014 07:29 AM, Genadi
Postrilko wrote:<br>
</div>
<blockquote type="cite">
<div dir="rtl">
<div dir="ltr">Both Domain functional level and Forest
functional level are Windows Server 2008 R2.</div>
</div>
<div class="gmail_extra"><br>
</div>
</blockquote>
<br></span>
Does <a href="http://blue.com" target="_blank">blue.com</a> actually resolves to the AD host?<br>
May be there is some DNS misconfiguration on the Linux system where
you run the command from.<div><div class="h5"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<div dir="ltr">2014-10-08 9:24 GMT+02:00 Sumit Bose <span dir="ltr"><<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>></span>:</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Wed, Oct 08, 2014 at 02:42:47AM +0200, Genadi
Postrilko wrote:<br>
> Hello.<br>
><br>
> I am attempting to create trust between AD and IPA.<br>
><br>
> I have deployed AD environment as follows:<br>
><br>
> I have created domain <a href="http://RED.COM" target="_blank">RED.COM</a><br>
> Then i add new domain tree root - <a href="http://BLUE.COM" target="_blank">BLUE.COM</a>.<br>
><br>
> Now i would like to establish trust with IPA as a sub
domain (<a href="http://LINUX.BLUE.COM" target="_blank">LINUX.BLUE.COM</a>)<br>
> of <a href="http://BLUE.COM" target="_blank">BLUE.COM</a>.<br>
><br>
> I followed the guide and when reaching to trust
agreement creation i<br>
> stumbled into this error:<br>
><br>
> ipa trust-add --type=ad <a href="http://blue.com" target="_blank">blue.com</a>
--admin Administrator --password<br>
> Active directory domain administrator's password:<br>
> ipa: ERROR: invalid 'AD domain controller':
unsupported functional level<br>
<br>
</span>can you check the domain and forest functional levels
of your domains?<br>
You can find this information in the 'Active Directory
Domains and<br>
Trusts' utility by right-clicking the domain name and
selecting<br>
properties? iirc the minimal level we support in 2003R2.<br>
<br>
bye,<br>
Sumit<br>
<div>
<div><br>
><br>
> Both AD server are 2008 R2.<br>
> IPA version is 3.3, installed on RHEL 7.<br>
><br>
> Help will be appreciated.<br>
><br>
> Genadi.<br>
<br>
</div>
</div>
<span><font color="#888888">> --<br>
> Manage your subscription for the Freeipa-users
mailing list:<br>
> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
<br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888"><pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>