[Freeipa-users] Trust-Agents

I have a setup where we have four IPA servers. Two of them are able to talk to the AD Domain Controllers directly. I set them up as AD Trust controllers. The other two IPA servers can only talk to these IPA servers and not to the AD DCs directly. Thats why I wanted them to have the Trust Agent Role only. I used "ipa-adtrust-install --add-agents" on these servers. After configuring the roles and finishing the setup I did a "ipa server-role-find" to check if the roles where set correctly. I found out that all four IPA servers do have the Trust Controller role. And here comes my question... why? Why have the two servers been added as trust controllers and not as agents only? Cheers, Ronald