Re: [Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

Wed, 08 Oct 2014 05:19:21 -0700 

On Wed, 08 Oct 2014, Genadi Postrilko wrote:

Both Domain functional level and Forest functional level are Windows Server
2008 R2.

You need to check if the AD DC server IPA tries to contact has PDC
emulator role _and_ is a domain controller for the root domain of the
forest.

I've added some fixes to enforce this checked in 4.0 (and backported to
3.3 in some RHEL 7 update which is not yet pushed out) but the easiest
thing to ensure you are using right domains and right servers.

forest root domain = first domain created in the forest. If forest name
is example.com, then that's the forest root domain as well.

Using http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
you can generate proper logs to see where the issue is.



2014-10-08 9:24 GMT+02:00 Sumit Bose <sb...@redhat.com>:


On Wed, Oct 08, 2014 at 02:42:47AM +0200, Genadi Postrilko wrote:
> Hello.
>
> I am attempting to create trust between AD and IPA.
>
> I have deployed AD environment as follows:
>
> I have created domain RED.COM
> Then i add new domain tree root - BLUE.COM.
>
> Now i would like to establish trust with IPA as a sub domain (
LINUX.BLUE.COM)
> of BLUE.COM.
>
> I followed the guide and when reaching to trust agreement creation i
> stumbled into this error:
>
>  ipa trust-add --type=ad blue.com --admin Administrator --password
> Active directory domain administrator's password:
> ipa: ERROR: invalid 'AD domain controller': unsupported functional level

can you check the domain and forest functional levels of your domains?
You can find this information in the 'Active Directory Domains and
Trusts' utility by right-clicking the domain name and selecting
properties? iirc the minimal level we support in 2003R2.

bye,
Sumit

>
> Both AD server are 2008 R2.
> IPA version is 3.3, installed on RHEL 7.
>
> Help will be appreciated.
>
> Genadi.

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project



--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to