Hi,

Are ipa1 and ipa2 configured as DNS servers? This can be checked with

    kinit admin
    ipa server-role-find --role 'DNS server'

(since the replication doesn't seem to be working, please check the commands on each server).

If they are configured as DNS servers, is there a forwarder configured?

    kinit admin
    ipa dnsconfig-show
    ipa dnsserver-show ipa1.sj.bps
    ipa dnsserver-show ipa2.sj.bps

If they are not DNS servers, what is their DNS client configuration?

Are there any errors related to replication in /var/log/dirsrv/slapd-<YOUR-DOMAIN>/errors?

You can find a few things to check in https://www.freeipa.org/page/Troubleshooting/Directory_Server#Replication_issues

flo

On Tue, Aug 30, 2022 at 2:42 AM Simon Matthews via FreeIPA-users <[email protected]> wrote:
> Some time back I set up an IPA replica. The initial setup was successful,
> but now I see that it is not syncing. It's possible that it has never
> successfully synced. I suspect that something related to DNS may not be
> working properly. Advice on debugging and fixing this would be appreciated.
>
> # ipa-replica-manage list -v ipa2.sj.bps
> ipa1.sj.bps: replica
>   last update status: Error (18) Replication error acquiring replica:
>   Incremental update transient warning. Backing off, will retry update
>   later. (transient warning)
>   last update ended: 1970-01-01 00:00:00+00:00
>
> I think that something related to DNS is not working correctly on my
> replica. My IPA domain is "ipa.<mycompany>.com". However, the DNS domain
> used on the network is "sj.bps" and the primary nameserver is not either of
> the IPA servers.
>
> Both the primary and replica have DNS that works for the "sj.bps" domain
> to an extent. I can ping using names in the "sj.bps" domain on the replica
> (ipa2):
>
> [root@ipa2 ~]# ping ipa1.sj.bps.
> PING ipa1.sj.bps (192.168.254.18) 56(84) bytes of data.
> 64 bytes from ipa1.sj.bps (192.168.254.18): icmp_seq=1 ttl=64 time=0.451 ms
> ^C
> --- ipa1.sj.bps ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 0.451/0.451/0.451/0.000 ms
>
> But a local lookup doesn't work:
>
> [root@ipa2 ~]# dig @localhost ipa1.sj.bps.
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost ipa1.sj.bps.
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34740
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ipa1.sj.bps.                   IN      A
>
> ;; Query time: 5 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Mon Aug 29 20:37:37 EDT 2022
> ;; MSG SIZE  rcvd: 40
>
> A similar dig command on the primary works:
>
> [root@ipa1 ~]# dig @localhost ipa1.sj.bps.
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost ipa1.sj.bps.
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63201
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ipa1.sj.bps.                   IN      A
>
> ;; ANSWER SECTION:
> ipa1.sj.bps.            2222    IN      A       192.168.254.18
>
> ;; AUTHORITY SECTION:
> sj.bps.                 2222    IN      NS      ns.bps.
>
> ;; ADDITIONAL SECTION:
> ns.bps.                 2222    IN      A       192.168.254.2
>
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Mon Aug 29 20:38:34 EDT 2022
> ;; MSG SIZE  rcvd: 89
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
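To put the checks from the reply side by side on ipa1 and ipa2, here is an added example, not code posted by either participant: a small POSIX shell helper that runs the DNS-role, forwarder, replication and local-resolution checks on the server it is executed on, and flags the two symptoms seen in the thread (a SERVFAIL from the local named, and a replication agreement whose last update ended at the Unix epoch). It assumes a valid admin ticket, that DIRSRV_INSTANCE names the 389-ds instance (the <YOUR-DOMAIN> part of the errors log path), and an assumed file name of ipa-dns-check.sh.

```shell
#!/bin/sh
# Added example, not from the thread. Run on each IPA server and compare.
# Assumed: a valid admin ticket (kinit admin) and DIRSRV_INSTANCE set to
# the 389-ds instance name (the "<YOUR-DOMAIN>" in /var/log/dirsrv/slapd-*).

# Print the RCODE (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output on
# stdin, or UNKNOWN when no answer header is present (e.g. a timeout).
dig_status() {
    status=$(sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1)
    printf '%s\n' "${status:-UNKNOWN}"
}

# A "last update ended" stamp at the Unix epoch in ipa-replica-manage
# output means the agreement has never completed an update.
never_synced() {
    grep -q 'last update ended: 1970-01-01 00:00:00'
}

# Gather the evidence the reply asks for, on the local server.
# $1 is the other IPA host to resolve through local named, e.g. ipa1.sj.bps.
check_server() {
    peer="$1"
    me=$(hostname -f)
    inst="${DIRSRV_INSTANCE:-YOUR-DOMAIN}"

    echo "== Which servers hold the DNS server role? =="
    ipa server-role-find --role 'DNS server'
    echo "== Global forwarders and per-server DNS settings for $me =="
    ipa dnsconfig-show
    ipa dnsserver-show "$me"

    echo "== Replication status as seen from $me =="
    repl=$(ipa-replica-manage list -v "$me")
    printf '%s\n' "$repl"
    printf '%s\n' "$repl" | never_synced && echo "WARNING: an agreement has never completed an update"

    echo "== Can local named resolve $peer? =="
    rc=$(dig @localhost "$peer." | dig_status)
    echo "dig @localhost $peer -> $rc"
    [ "$rc" = "NOERROR" ] || echo "WARNING: local lookup returned $rc; check forwarders for the network domain"

    echo "== Replication-related lines in the dirsrv errors log =="
    grep -i 'replica' "/var/log/dirsrv/slapd-$inst/errors" | tail -n 20
}

# Usage: kinit admin && DIRSRV_INSTANCE=IPA-EXAMPLE-COM sh ipa-dns-check.sh ipa1.sj.bps
if [ -n "${1:-}" ]; then check_server "$1"; fi
```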
