[Freeipa-users] Replacing the primary IPA server

Sigbjorn Lie sigbjorn at nixtra.com
Mon Feb 13 23:14:18 UTC 2012


On 02/13/2012 09:43 PM, Simo Sorce wrote:
> On Mon, 2012-02-13 at 21:37 +0100, Sigbjorn Lie wrote:
>> On 02/13/2012 08:55 PM, Simo Sorce wrote:
>>> On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote:
>>>> On 02/13/2012 08:16 PM, Rob Crittenden wrote:
>>>>> Sigbjorn Lie wrote:
>>>>>> Hi,
>>>>>>
>>>>>> What precautions need to be taken when replacing the primary/first IPA
>>>>>> server?
>>>>>>
>>>>>> Is it enough to reinstall the server and run an ipa-replica-install from
>>>>>> one of the other replicas?
>>>>> It depends on what type of CA installation you have. Did you install
>>>>> with dogtag or with a selfsign CA?
>>>>>
>>>>> rob
>>>>>
>>>> Dogtag
>>> If you installed the CA on more than one replica, then you can remove
>>> the first master, all the info is replicated on the other replicas that
>>> have a clone of the CA. Note that the CA is not replicated by default;
>>> see the --setup-ca option or ipa-ca-install.
>> Excellent. Yes, I've used --setup-ca when I created the replicas. :)
>>
>> What if I have 3 IPA servers. 2 being replicated off the first master.
>> The master is re-installed and re-setup using ipa-replica-install from
>> one of the 2 other IPA servers.
>>
>> Will not the 3rd server be left without a sync agreement? Does the 3rd
>> server need to be manually added back in with a sync agreement?
> Before removing any server you should make sure it will not break the
> topology.
>
> You can use ipa-replica-manage and ipa-ca-replica-manage to create links
> between the 2 other servers before you retire the hub.
>
> You have to use both the commands as CA replication agreements are
> distinct from IPA replication agreements.
>
>
1. Let's say the server has crashed. Unrecoverable. Can new replication 
agreements still be set up between the remaining hosts?

2. I do not see a way for displaying relationships between the IPA hosts 
when viewing the replicas with ipa-replica-manage list. I see the same 
output on all the IPA hosts.

So if I was not the one who set up IPA, and did not have the 
documentation handy available, is there a command provided with IPA 
where I can figure out how the existing replication agreements are set 
up between the hosts?

...except for looking in the LDAP tree under 
cn=replicaname,cn=replica,cn=domain,cn=mapping tree,cn=config?

3. Perhaps this was discussed earlier: Can there be configured a ring of 
replicas with IPA?


Regards,
Siggi
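
Added example (not part of the original thread, and not FreeIPA code): a small Python check for the advice quoted above about making sure that retiring a server will not break the topology, run separately for the domain and CA agreement sets because they are distinct. The host names and agreement lists are constructed; in practice they would be transcribed from the agreements each server reports.

```python
from collections import deque

def surviving_components(agreements, retired):
    """Return the connected groups of servers left once `retired` is removed."""
    graph = {}
    for a, b in agreements:  # replication agreements are treated as undirected links
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    remaining = set(graph) - {retired}
    seen, components = set(), []
    for start in sorted(remaining):
        if start in seen:
            continue
        group, queue = set(), deque([start])
        while queue:  # breadth-first walk that never passes through the retired host
            node = queue.popleft()
            if node in group:
                continue
            group.add(node)
            queue.extend(n for n in graph[node] if n in remaining and n not in group)
        seen |= group
        components.append(sorted(group))
    return components

def safe_to_retire(agreements, retired):
    """True when the remaining servers still form one connected replication group."""
    return len(surviving_components(agreements, retired)) <= 1

def report(domain_agreements, ca_agreements, retired):
    """Check both agreement sets; both must be True before the host is retired."""
    return {"domain": safe_to_retire(domain_agreements, retired),
            "ca": safe_to_retire(ca_agreements, retired)}

# Constructed topology: the first master is a hub with two replicas hanging off it.
HUB, R2, R3 = "ipa1.example.com", "ipa2.example.com", "ipa3.example.com"
DOMAIN = [(HUB, R2), (HUB, R3)]
CA = [(HUB, R2), (HUB, R3)]
# After linking the two replicas for the domain data only; the CA link is still missing.
DOMAIN_LINKED = DOMAIN + [(R2, R3)]
RING = [(HUB, R2), (R2, R3), (R3, HUB)]  # the ring asked about in question 3

if __name__ == "__main__":
    print("before linking:", report(DOMAIN, CA, HUB))
    print("stranded groups:", surviving_components(DOMAIN, HUB))
    print("domain link only:", report(DOMAIN_LINKED, CA, HUB))
    print("ring:", report(RING, RING, HUB))
```
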



