On 02/13/2012 09:43 PM, Simo Sorce wrote:
On Mon, 2012-02-13 at 21:37 +0100, Sigbjorn Lie wrote:
On 02/13/2012 08:55 PM, Simo Sorce wrote:
On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote:
On 02/13/2012 08:16 PM, Rob Crittenden wrote:
Sigbjorn Lie wrote:

What precautions need to be taken when replacing the primary/first IPA

Is it enough to reinstall the server and run an ipa-replica-install from
one of the other replicas?
It depends on what type of CA installation you have. Did you install
with dogtag or with a selfsign CA?


If you installed the CA on more than one replica, then you can remove
the first master, all the info is replicated on the other replicas that
have a clone of the CA. Note that the CA is not replicated by default;
see the --setup-ca option or ipa-ca-install.
Excellent. Yes, I've used --setup-ca when I created the replicas. :)

What if I have 3 IPA servers. 2 being replicated off the first master.
The master is re-installed and re-setup using ipa-replica-install from
one of the 2 other IPA servers.

Will not the 3rd server be left without a sync agreement? Does the 3rd
server need to be manually added back in with a sync agreement?
Before removing any server you should make sure it will not break the

You can use ipa-replica-manage and ipa-ca-replica-manage to create links
between the 2 other servers before you retire the hub.

You have to use both the commands as CA replication agreements are
distinct from IPA replication agreements.

1. Let's say the server has crashed. Unrecoverable. Can new replication agreements still be set up between the remaining hosts?

2. I do not see a way to display relationships between the IPA hosts when viewing the replicas with ipa-replica-manage list. I see the same output on all the IPA hosts.

So if I was not the one who set up IPA, and did not have the documentation handy, is there a command provided with IPA where I can figure out how the existing replication agreements are set up between the hosts?

...except for looking in the LDAP tree under cn=replicaname,cn=replica,cn=domain,cn=mapping tree,cn=config?

3. Can a ring of replicas be configured with IPA? Perhaps this was discussed earlier.
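
The check discussed in this thread (will retiring the hub leave the other replicas without a link to each other?) can be run over the agreement entries found under cn=mapping tree,cn=config. The following is an added example, not part of the original thread and not an IPA tool; it assumes each agreement entry names its peer in the 389 Directory Server attribute nsDS5ReplicaHost, the hostnames and LDIF text are constructed, and CA agreements, which are distinct, would need the same check on their own data.

```python
import re
from collections import deque

# Assumption: each replication agreement entry names its peer in nsDS5ReplicaHost.
PEER = re.compile(r"^nsDS5ReplicaHost:\s*(\S+)\s*$", re.I | re.M)

def parse_agreements(ldif_text):
    """Peer hostnames named in one server's agreement entries."""
    return {host.lower() for host in PEER.findall(ldif_text)}

def build_topology(outputs):
    """Map each queried server to the peers it holds an agreement with."""
    return {srv.lower(): parse_agreements(txt) for srv, txt in outputs.items()}

def unreachable_after_removal(topology, retired):
    """Servers cut off from the others once `retired` is taken away."""
    remaining = set(topology) - {retired}
    if not remaining:
        return set()
    # Treat an agreement in either direction as a link between two survivors.
    links = {srv: set() for srv in remaining}
    for src, peers in topology.items():
        for dst in peers:
            if src in remaining and dst in remaining:
                links[src].add(dst)
                links[dst].add(src)
    start = min(remaining)
    seen, queue = {start}, deque([start])
    while queue:  # breadth-first walk from one surviving server
        for peer in links[queue.popleft()] - seen:
            seen.add(peer)
            queue.append(peer)
    return remaining - seen

def entry(peer):
    """Constructed LDIF for one agreement; the DN is a placeholder."""
    return (f"dn: cn=to-{peer},cn=replica,cn=domain,cn=mapping tree,cn=config\n"
            f"nsDS5ReplicaHost: {peer}\n\n")

# Constructed sample: ipa1 is the hub, ipa2 and ipa3 only replicate with it.
HUB = {
    "ipa1.example.com": entry("ipa2.example.com") + entry("ipa3.example.com"),
    "ipa2.example.com": entry("ipa1.example.com"),
    "ipa3.example.com": entry("ipa1.example.com"),
}
# Same servers after a link between ipa2 and ipa3 has been created.
LINKED = dict(HUB)
LINKED["ipa2.example.com"] += entry("ipa3.example.com")

if __name__ == "__main__":
    for name, data in (("hub", HUB), ("linked", LINKED)):
        cut = unreachable_after_removal(build_topology(data), "ipa1.example.com")
        print(name, "-> cut off after retiring ipa1:", sorted(cut) or "none")
```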


Freeipa-users mailing list
