I'm currently testing an IPA 4.3 (RHEL 7.2) to IPA 4.4 (RHEL 7.3) upgrade and 
had a few questions about the concept of trust agents/controllers.

Prior to IPA 4.4, were all IPA masters (that 'ipa-adtrust-install' was ran on)  
considered 'trust controllers'?  In my lab, the upgrade automatically 
provisioned my IPA masters as controllers (not agents).  Is this the default 

The official recommendation appears to be to minimize the number of trust 
controllers.  Given an IPA deployment with two masters in each location, is the 
recommendation to only have 1 of these configured as a 'trust controller' and 
the other as a 'trust agent'?

What happens if all 'trust controllers' become unavailable, but 'trust agents' 
remain available?  Will the trust between IPA and AD be broken?



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to