Hi List,

The deployment I'm contemplating is as follows:

1. FreeIPA master at a central site, with AD Trust established to the primary DC.
2. Replicas of the FreeIPA master at 4 other sites (with varying WAN latency between central and site), with replication agreements only to the master at the central site. (So the AD trust is established only between the master IPA server and the primary AD domain controller.)

There is also an existing domain controller at each site that syncs to the primary domain controller at the main site.

I'd like AD user access to Linux systems at each site to be as stable and consistent as possible, so to rule out the effect of WAN latency and possibly intermittent connectivity (and a host of other possibly unknown factors), I plan to establish an AD trust between the replica at each site and the local AD domain controller. My thinking is that AD user account information will then be available to the replica almost as soon as it's available to the AD DC at that site. So ultimately, the consistency of user information should be as good as can be expected from AD's cross-WAN replication to remote sites, even if the synchronisation between a replica and the master is not 100% in sync at all times (e.g. due to WAN latency).

My concern is that multiple trusts established this way may lead to replication inconsistency between the master IPA server and its replicas, especially in the case where a replica is seeing AD information in different stages of replication.

My question: Does IPA cope with this scenario? Is it safe, and will it improve AD authentication performance (at least from the user's point of view) to establish a trust between each replica and the local domain controller in each given site?

NOTE: I'm aware that AD replication also runs on a schedule and 'slaves' can lag the primary from around 180 minutes to a day depending on WAN conditions.
Traiano

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
