Thanks for this.

I suspect something is fundamentally broken in replication for me, possibly due to a missing user or bad auth in the LDAP subsystem due to our constant chasing of incremental upgrades -- but based on your advice and a re-read of the Admin guide I'm going to see if I can deploy some fresh servers and get any sort of replication going at all with connected segments -- if that works I'll be able to add new segments, merge all the IPA data and then delete/drop the orphaned systems.


Ludwig Krispenz via FreeIPA-users wrote:
looks like you have a one directional topology segment on each server, they are created from existing replication agreements when raising the domain level, they should be replicated and merged to one bi-directional segment - so it looks like replication was not working already back then.

to investigate the replication state we would have to look into ds error logs, examine the replication agreements and ruvs.

as you suggested, you could add a new replica from one of the existing servers, then connect this new one to the other old one and remove the dangling segments.

if you were running frequent upgrades and were doing upgrades in parallel, you could also have replication conflict entries complicating things.