When upgrading from IPA version prior to 4.2 or installing 4.2 version from scratch, new IPA sidgen and exdom plugins' configuration contained improper value of basedn (literally "$SUFFIX") instead of basedn of the IPA LDAP tree.
Security Identifiers (SIDs) for IPA users and objects were not generated properly due to misconfigured sidgen plugin. As result, all AD trusts created on affected version of IPA did not work while advertising that the trust was established correctly.
Configuration of the sidgen and extdom plugins have been fixed as part of the server upgrade to this version. Trusts to AD forests must be re-created manually (by 'ipa trust-add' command). User warnings have been added to inform user that a trust to AD must be recreated.
After recreating the broken AD trusts, the AD trusts should work as expected.