[Freeipa-users] Replacing the primary IPA server
Sigbjorn Lie
sigbjorn at nixtra.com
Mon Feb 13 23:14:18 UTC 2012
On 02/13/2012 09:43 PM, Simo Sorce wrote:
> On Mon, 2012-02-13 at 21:37 +0100, Sigbjorn Lie wrote:
>> On 02/13/2012 08:55 PM, Simo Sorce wrote:
>>> On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote:
>>>> On 02/13/2012 08:16 PM, Rob Crittenden wrote:
>>>>> Sigbjorn Lie wrote:
>>>>>> Hi,
>>>>>>
>>>>>> What precautions need to be taken when replacing the primary/first IPA
>>>>>> server?
>>>>>>
>>>>>> Is it enough to reinstall the server and run an ipa-replica-install from
>>>>>> one of the other replicas?
>>>>> It depends on what type of CA installation you have. Did you install
>>>>> with dogtag or with a selfsign CA?
>>>>>
>>>>> rob
>>>>>
>>>> Dogtag
>>> If you installed the CA on more than one replica, then you can remove
>>> the first master, all the info is replicated on the other replicas that
>>> have a clone of the CA. Note that the CA is not replicated by default;
>>> see the --setup-ca option or ipa-ca-install.
>> Excellent. Yes, I've used --setup-ca when I created the replicas. :)
>>
>> What if I have 3 IPA servers. 2 being replicated off the first master.
>> The master is re-installed and re-setup using ipa-replica-install from
>> one of the 2 other IPA servers.
>>
>> Will not the 3rd server be left without a sync agreement? Does the 3rd
>> server need to be manually added back in with a sync agreement?
> Before removing any server you should make sure it will not break the
> topology.
>
> You can use ipa-replica-manage and ipa-ca-replica-manage to create links
> between the 2 other servers before you retire the hub.
>
> You have to use both the commands as CA replication agreements are
> distinct from IPA replication agreements.
>
>
1. Let's say the server has crashed. Unrecoverable. Can new replication
agreements still be set up between the remaining hosts?

2. I do not see a way of displaying relationships between the IPA hosts
when viewing the replicas with ipa-replica-manage list. I see the same
output on all the IPA hosts.

So if I was not the one who set up IPA, and did not have the
documentation handy, is there a command provided with IPA
where I can figure out how the existing replication agreements are set
up between the hosts?

...except for looking in the LDAP tree under
cn=replicaname,cn=replica,cn=domain,cn=mapping tree,cn=config?

3. Perhaps this was discussed earlier: Can there be configured a ring of
replicas with IPA?

Regards,
Siggi
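
The topology check discussed in this thread, as an added example that is not part of the original messages: given the replication agreements as pairs of hosts, it reports which servers would be cut off when a hub is retired and which links to create first, run once for the IPA agreements and once for the CA agreements since the two sets are distinct. The hostnames and agreement lists are constructed sample data typed in by hand, and treating each agreement as a two-way link is an assumption.

```python
from collections import deque

# Constructed sample data: hostnames and agreements are made up for illustration.
HUB = "ipa1.example.test"
DOMAIN_AGREEMENTS = [(HUB, "ipa2.example.test"), (HUB, "ipa3.example.test")]
CA_AGREEMENTS = [(HUB, "ipa2.example.test"), (HUB, "ipa3.example.test")]


def groups_without(agreements, retiring):
    """Return the connected groups of servers left once `retiring` is gone."""
    graph = {}
    for a, b in agreements:  # assumption: each agreement is a two-way link
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    graph.pop(retiring, None)
    for peers in graph.values():
        peers.discard(retiring)
    seen, groups = set(), []
    for start in sorted(graph):
        if start in seen:
            continue
        seen.add(start)
        group, queue = [], deque([start])
        while queue:  # breadth-first walk over the remaining agreements
            node = queue.popleft()
            group.append(node)
            for peer in sorted(graph[node] - seen):
                seen.add(peer)
                queue.append(peer)
        groups.append(sorted(group))
    return groups


def links_needed(agreements, retiring):
    """Smallest set of new links that rejoins the groups left after removal."""
    groups = groups_without(agreements, retiring)
    return [(groups[i][0], groups[i + 1][0]) for i in range(len(groups) - 1)]


if __name__ == "__main__":
    for label, agreements in (("domain", DOMAIN_AGREEMENTS), ("CA", CA_AGREEMENTS)):
        missing = links_needed(agreements, HUB)
        print(label, "agreements to create first:", missing or "none")
```

An empty result for one agreement set says nothing about the other; both must come back empty before the hub is removed.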