Ok - I'll answer my own question. I needed to establish the trust with the forest-root domain (domain.com), not the child domain. I have verified using 'ipa trustdomain-find' that I can see the child domain (ad.domain.com) now.
Sorry for the noise!

Thanks,

Josh

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Baird, Josh
Sent: Monday, March 09, 2015 5:06 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Error establishing trust with AD domain

Hi,

I have successfully established a trust in my lab environment running IPA 4.1 (RHEL7.1) and a Windows 2008 R2 domain with Windows 2003 domain/forest functional levels. I'm now trying to establish a trust with my production AD domain (same functional level). The only difference is that my production domain (ad.domain.lan) is a child-domain of a forest named domain.lan. There is no forest in my lab environment.

I'm getting the following error when running 'ipa trust-add':

    # ipa trust-add --type ad ad.domain.lan --range-type=ipa-ad-trust --admin jbadmin --password
    Active Directory domain administrator's password:
    ipa: ERROR: Domain 'ad.domain.lan' is not a root domain for forest 'domain.lan'

Any ideas?

Thanks,

Josh