I ran into this exact same problem with my IPA domain in a one-way external trust to our Windows 2012 R2 AD forest. It appears that Microsoft may have removed the routing suffix option from the Windows 2012 R2 native forest trust GUI. My solution was to follow the instructions in the "Define host name-to-Kerberos realm mappings" section of this document from Microsoft: https://support.microsoft.com/en-us/help/947706/windows-server-2008-group-policy-settings-for-interoperability-with-non-microsoft-kerberos-realms

Assuming the IPA realm name is the same as the domain name, you would use:

    Value Name: I.RDMEDIA.COM
    Value: .i.rdmedia.com

(Notice the period at the beginning of the domain name)

I applied the GPO to all of my workstations (not the servers) but I don't see any harm across all the Windows systems.

Rob Johnson

On Tue, Jun 20, 2017 at 3:04 PM, Alexander Bokovoy via FreeIPA-users <email@example.com> wrote:

> On Tue, 20 Jun 2017, Tiemen Ruiten via FreeIPA-users wrote:
>
>> Please see the attached screenshot for the Trust settings, and thank you
>> for your time.
>
> Thanks. I'm not sure why that is happening even for the immediate forest
> root domain that i.rdmedia.com is. I'll check with Microsoft doc help
> team while here at the Redmond Interop 2017.
>
> --
> / Alexander Bokovoy
> _______________________________________________
> FreeIPA-users mailing list -- firstname.lastname@example.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org