On ti, 26 touko 2020, Monkey Bizness via FreeIPA-users wrote:
Hi,
I have an infrastructure with 2 ad clusters. AD 1 trusts AD 2
How does it trust each other? Forest trust between AD 1 and AD 2, they are part of the same (bigger) forest, they have external trust to each other or something else?
If I establish a one way trust between freeipa and AD1, users from AD2 can authenticate on freeipa clients right? based on https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
If these are two separate forests, AD1 and AD2, then you need to establish trust between IPA and AD1 and between IPA and AD2 separately. This is a requirement from Active Directory side. Forest trust relationship does not extend onto other trust relations outside the trusting forest.
The following document gives an overview of how Active Directory domain and forest structure is designed https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-se...)
At the end of that document there is a tiny bit that explains it, buried in a paragraph that is not marked in any special way, so it is easy to miss:
Forest trusts can be created between two forests only and cannot be implicitly extended to a third forest. This means that if a forest trust is created between Forest 1 and Forest 2, and another forest trust is created between Forest 2 and Forest 3, Forest 1 does not have an implicit trust with Forest 3.
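The rule stated in the reply, written out as a small model (an added example, not code from this thread or from the FreeIPA project): a forest trust covers every domain inside the trusted forest, but never extends to a third forest that the trusted forest itself trusts. Forest and domain names are constructed placeholders.

```python
from typing import Dict, Optional, Set

# Constructed sample data: two separate AD forests, each keyed by its root
# domain and listing every domain that belongs to it.
FORESTS: Dict[str, Set[str]] = {
    "ad1.example": {"ad1.example", "sub.ad1.example"},  # root + child domain
    "ad2.example": {"ad2.example"},
}


def forest_of(forests: Dict[str, Set[str]], domain: str) -> Optional[str]:
    """Return the forest root that contains `domain`, or None if unknown."""
    for root, domains in forests.items():
        if domain in domains:
            return root
    return None


def can_authenticate(ipa_trusts: Set[str], forests: Dict[str, Set[str]],
                     user_domain: str) -> bool:
    """True if a user from `user_domain` can log in on IPA clients.

    `ipa_trusts` holds the forest roots IPA has a direct trust with. A trust
    covers every domain inside that forest, so child domains work without
    extra configuration. Trusts that AD1 has with other forests are never
    consulted: they do not extend to IPA.
    """
    root = forest_of(forests, user_domain)
    return root is not None and root in ipa_trusts


def missing_trusts(ipa_trusts: Set[str], forests: Dict[str, Set[str]],
                   user_domains: Set[str]) -> Set[str]:
    """Forest roots IPA must still trust so every `user_domains` entry works."""
    needed = {forest_of(forests, d) for d in user_domains}
    needed.discard(None)  # domains not in any known forest cannot be fixed here
    return needed - ipa_trusts
```

With only the IPA to AD1 trust in place, `sub.ad1.example` users pass but `ad2.example` users do not, and `missing_trusts` reports `ad2.example` as the trust still to be established.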