Chapter 103. Verifying your IdM and AD trust configuration using IdM Healthcheck

download PDF

Learn more about identifying issues with IdM and an Active Directory trust in Identity Management (IdM) by using the Healthcheck tool.


  • The Healthcheck tool is only available on RHEL 8.1 or newer

103.1. IdM and AD trust Healthcheck tests

The Healthcheck tool includes several tests for testing the status of your Identity Management (IdM) and Active Directory (AD) trust.

To see all trust tests, run ipa-healthcheck with the --list-sources option:

# ipa-healthcheck --list-sources

You can find all tests under the source:

This test checks the SSSD configuration when the machine is configured as a trust agent. For each domain in /etc/sssd/sssd.conf where id_provider=ipa ensure that ipa_server_mode is True.
This test checks if the trust domains match SSSD domains by comparing the list of domains in sssctl domain-list with the list of domains from ipa trust-find excluding the IPA domain.

This test resolves resolves an AD user, Administrator@REALM. This populates the AD Global catalog and AD Domain Controller values in sssctl domain-status output.

For each trust domain look up the user with the id of the SID + 500 (the administrator) and then check the output of sssctl domain-status <domain> --active-server to ensure that the domain is active.

This test verifies that the sidgen plugin is enabled in the IPA 389-ds instance. The test also verifies that the IPA SIDGEN and ipa-sidgen-task plugins in cn=plugins,cn=config include the nsslapd-pluginEnabled option.
This test verifies that the current host is a member of cn=adtrust agents,cn=sysaccounts,cn=etc,SUFFIX.
This test verifies that the current host is a member of cn=adtrust agents,cn=sysaccounts,cn=etc,SUFFIX.
This test verifies that the current host starts the ADTRUST service in ipactl.
This test verifies that ldapi is enabled for the passdb backend in the output of net conf list.
This test verifies that the admins group’s SID ends with 512 (Domain Admins RID).
This test verifies that the trust-ad package is installed if the trust controller and AD trust are not enabled.

Run these tests on all IdM servers when trying to find an issue.

103.2. Screening the trust with the Healthcheck tool

Follow this procedure to run a standalone manual test of an Identity Management (IdM) and Active Directory (AD) trust health check using the Healthcheck tool.

The Healthcheck tool includes many tests, therefore, you can shorten the results by:

  • Excluding all successful test: --failures-only
  • Including only trust tests:


  • To run Healthcheck with warnings, errors and critical issues in the trust, enter:

    # ipa-healthcheck --failures-only

Successful test displays empty brackets:

# ipa-healthcheck --failures-only

Additional resources

  • See man ipa-healthcheck.
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.