Ok - I'll answer my own question. I needed to establish the trust with the
forest-root domain (domain.com), not the child domain. I have verified using
'ipa trustdomain-find' that I can see the child domain (ad.domain.com) now.
Sorry for the noise!
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Baird, Josh
Sent: Monday, March 09, 2015 5:06 PM
Subject: [Freeipa-users] Error establishing trust with AD domain
I have successfully established a trust in my lab environment running IPA 4.1
(RHEL7.1) and a Windows 2008 R2 domain with Windows 2003 domain/forest
functional levels. I'm now trying to establish a trust with my production AD
domain (same functional level). The only difference is that my production
domain (ad.domain.lan) is a child-domain of a forest named domain.lan. There
is no forest in my lab environment. I'm getting the following error when
running 'ipa trust-add':
# ipa trust-add --type ad ad.domain.lan --range-type=ipa-ad-trust --admin
Active Directory domain administrator's password:
ipa: ERROR: Domain 'ad.domain.lan' is not a root domain for forest 'domain.lan'