On 16.11.2016 16:40, Baird, Josh wrote:
> Hi,
>
> I'm currently testing an IPA 4.3 (RHEL 7.2) to IPA 4.4 (RHEL 7.3) upgrade and
> had a few questions about the concept of trust agents/controllers.
>
> Prior to IPA 4.4, were all IPA masters (that 'ipa-adtrust-install' was run
> on) considered 'trust controllers'? In my lab, the upgrade automatically
> provisioned my IPA masters as controllers (not agents). Is this the default
> behavior?

I would recommend reading
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#trust-controller-agent

> The official recommendation appears to be to minimize the number of trust
> controllers. Given an IPA deployment with two masters in each location, is
> the recommendation to only have 1 of these configured as a 'trust controller'
> and the other as a 'trust agent'?
>
> What happens if all 'trust controllers' become unavailable, but 'trust
> agents' remain available? Will the trust between IPA and AD be broken?

...
Trust controllers can be used for trust management operations, such as adding
trust agreements and enabling or disabling separate domains from a trusted
forest to access IdM resources. Additionally, AD domain controllers contact
trust controllers when validating the trust.

If I'm not mistaken, temporary unavailability of a trust controller should not
break the trust, as it is used only for trust management operations.

-- 
Petr^2 Spacek