I'm currently testing an IPA 4.3 (RHEL 7.2) to IPA 4.4 (RHEL 7.3) upgrade and
had a few questions about the concept of trust agents/controllers.
Prior to IPA 4.4, were all IPA masters (that 'ipa-adtrust-install' was ran on)
considered 'trust controllers'? In my lab, the upgrade automatically
provisioned my IPA masters as controllers (not agents). Is this the default
The official recommendation appears to be to minimize the number of trust
controllers. Given an IPA deployment with two masters in each location, is the
recommendation to only have 1 of these configured as a 'trust controller' and
the other as a 'trust agent'?
What happens if all 'trust controllers' become unavailable, but 'trust agents'
remain available? Will the trust between IPA and AD be broken?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project