I have googled around a bit, but I still have a couple of questions:
1) Is it possible to get "getent shadow" to return shadow entries from
the IPA server? This is so we can do a DR test on some server or set
of servers without also having to restore the IPA server first. I can
do a "getent passwd" easily enough, and I could rebuild the shadow
file for local users, so it's not critical, but it would be a "nice to
have" in the case of a DR.
2) What is everyone else doing to prepare IPA for a DR? I've read
that the best way to do it is to turn off the IPA services on a
replica and then back that replica up. I also read that this will
miss some important files that only exist on the master. I don't want
to turn off the master server services for a DR due to failover lag.
Would it be safe to take a backup of the master while "hot", then
restore a replica, and promote it to master using the "hot" backup of
the master (just the specific CA files needed)?
Freeipa-users mailing list