On 16.01.23 15:48, Alexander Bokovoy via FreeIPA-users wrote:
> On Mon, 16 Jan 2023, Ronald Wimmer via FreeIPA-users wrote:
> > I have a setup where we have four IPA servers. Two of them are able to
> > talk to the AD Domain Controllers directly. I set them up as AD Trust
> > controllers.
> >
> > The other two IPA servers can only talk to these IPA servers and not
> > to the AD DCs directly. That's why I wanted them to have the Trust
> > Agent Role only.
> Trust Agent also should be able to talk to AD DCs. If those servers
> cannot talk to AD DCs, they cannot be trust agents.
So it seems that I have misunderstood how trust agents can be used. I
thought AD communication is only done on trust controllers whereas trust
agents are some kind of proxies.
> > I used "ipa-adtrust-install --add-agents" on these servers. After
> > configuring the roles and finishing the setup I did a "ipa
> > server-role-find" to check if the roles were set correctly. I found
> > out that all four IPA servers do have the Trust Controller role. And
> > here comes my question... why? Why have the two servers been added as
> > trust controllers and not as agents only?
> You should have run 'ipa-adtrust-install --add-agents' on existing trust
> controllers, not on agents-to-be. This is what the documentation tells you
> to do.
Running 'ipa-adtrust-install --add-agents' seems to have no effect. When
I run that command on an IPA server it still has the agent AND the
controller role afterwards.
Cheers,
Ronald
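The thread turns on checking which servers actually hold the "AD trust controller" role after running `ipa server-role-find`. The script below is an added example (not from the thread or the FreeIPA project) that parses the output of that command and flags any server holding the controller role that is not on an expected list, which is the least-privilege check a practitioner would want before assuming the agent-only servers really are agents. The output embedded in `SAMPLE_OUTPUT` is constructed to approximate the `ipa server-role-find` format and reflects the thread's situation (four servers, all listed as controllers); the hostnames are placeholders. In a live deployment you would replace the `printf` of the sample with `ipa server-role-find` itself.

```shell
#!/bin/sh
# Constructed sample approximating `ipa server-role-find` output
# (not real captured output; hostnames are placeholders).
SAMPLE_OUTPUT='---------------------
6 server roles matched
---------------------
  Server name: ipa1.example.test
  Role name: AD trust controller
  Role status: enabled

  Server name: ipa2.example.test
  Role name: AD trust controller
  Role status: enabled

  Server name: ipa3.example.test
  Role name: AD trust agent
  Role status: enabled

  Server name: ipa3.example.test
  Role name: AD trust controller
  Role status: enabled

  Server name: ipa4.example.test
  Role name: AD trust agent
  Role status: enabled

  Server name: ipa4.example.test
  Role name: AD trust controller
  Role status: enabled
'

# role_listing: the text to analyse. Swap the printf for
#   ipa server-role-find
# on a real IPA server with a valid Kerberos ticket.
role_listing() {
  printf '%s\n' "$SAMPLE_OUTPUT"
}

# servers_with_role ROLE: print the name of every server on which ROLE is enabled.
servers_with_role() {
  role_listing | awk -v want="$1" '
    /Server name:/ { sub(/^ *Server name: */, ""); srv = $0 }
    /Role name:/   { sub(/^ *Role name: */, "");   role = $0 }
    /Role status:/ { sub(/^ *Role status: */, "")
                     if (role == want && $0 == "enabled") print srv }
  '
}

# unexpected_controllers EXPECTED_HOST...: print servers that hold the
# "AD trust controller" role but are not in the expected list.
unexpected_controllers() {
  expected=" $* "
  servers_with_role "AD trust controller" | while read -r srv; do
    case "$expected" in
      *" $srv "*) ;;              # expected controller, nothing to report
      *) echo "$srv" ;;           # controller role where only agent was intended
    esac
  done
}

# Example run: only ipa1 and ipa2 are supposed to be controllers.
echo "Trust controllers:"
servers_with_role "AD trust controller"
echo "Trust agents:"
servers_with_role "AD trust agent"
echo "Unexpected controllers:"
unexpected_controllers ipa1.example.test ipa2.example.test
```

With the sample above the last section prints ipa3 and ipa4, which is exactly the surprise reported in the thread. A non-empty "Unexpected controllers" list means those servers carry the full controller role set (including the Samba/AD-facing components) even though the intent was agent-only, so the role assignment should be revisited rather than assumed.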