On 02/14/2012 12:31 AM, Simo Sorce wrote:
On Tue, 2012-02-14 at 00:14 +0100, Sigbjorn Lie wrote:
On 02/13/2012 09:43 PM, Simo Sorce wrote:
On Mon, 2012-02-13 at 21:37 +0100, Sigbjorn Lie wrote:
On 02/13/2012 08:55 PM, Simo Sorce wrote:
On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote:
On 02/13/2012 08:16 PM, Rob Crittenden wrote:
Sigbjorn Lie wrote:

What precautions need to be taken when replacing the primary/first IPA

Is it enough to reinstall the server and run a ipa-replica-install from
one of the other replicas?
It depends on what type of CA installation you have. Did you install
with dogtag or with a selfsign CA?


If you installed the CA on more than one replica, then you can remove
the first master; all the info is replicated on the other replicas that
have a clone of the CA. Note that the CA is not replicated by default;
see the --setup-ca option or ipa-ca-install.
Excellent. Yes, I've used --setup-ca when I created the replicas. :)

What if I have 3 IPA servers. 2 being replicated off the first master.
The master is re-installed and re-setup using ipa-replica-install from
one of the 2 other IPA servers.

Will not the 3rd server be left without a sync agreement? Does the 3rd
server need to be manually added back in with a sync agreement?
Before removing any server you should make sure it will not break the

You can use ipa-replica-manage and ipa-ca-replica-manage to create links
between the 2 other servers before you retire the hub.

You have to use both the commands as CA replication agreements are
distinct from IPA replication agreements.

1. Let's say the server has crashed. Unrecoverable. Can new replication
agreements still be set up between the remaining hosts?
Yes, you should be able to change the agreements, as all the principals
already exist, so there is no need to replicate through the old hub just
to set them up.

2. I do not see a way for displaying relationships between the IPA hosts
when viewing the replicas with ipa-replica-manage list. I see the same
output on all the IPA hosts.
ipa-replica-manage list shows all servers
ipa-replica-manage list servername shows the replication agreements that
server uses

If they all look the same it means you have a full mesh :)

3. Perhaps this was discussed earlier: can a ring of replicas be
configured with IPA?
If by ring you mean A <-> B <-> C <-> A then yes. In general we
recommend not having more than 4 replication agreements per server, but
that's more of a rule of thumb than a hard limit.

Thank you. :)

For anyone else reading this thread and looking for more information, see the link below. I see some of my questions were already documented there.


Freeipa-users mailing list