Hi folks,
Multi-region AWS IPA user here. We've got an ancient and brittle IPA
setup with broken replication and an inability to upgrade. Rather than
fix it, I want to stand up a whole new set of IPA servers running the
latest version so I can get replication working again as well as
leverage all the great new features in IPA and the SSSD subsystem.
However, in my environment it's an incredibly complex process to set up
a 1-way trust with Active Directory.
The administrators work for a managed service provider and they are
outside of the normal support loop so they rarely interact with peons
and outsiders like myself. Just getting their attention is a procedural
and political effort. The first AD trust took more than 3 months to
set up (!)
I need to start the process again for requesting a new AD trust
arrangement for the new IPA servers I intend to build.
Realized that I had a really dumb question ...
If my goal is to have a 4-node replicating cluster (2x in us-east AWS
region and 2x in eu-central-2 region) how many discrete AD trusts do I
actually have to arrange with my remote AD administrators?
If I get a good 1-way trust working on a single IPA node in the cluster,
will the replicating targets inherit this trust?
Do I need to set up the trust individually on each of the 4 planned IPA
boxes?
Thanks!
_Chris