On 06/19/2013 02:09 AM, Joshua J. Kugler wrote:
> We are migrating from an ancient FreeIPA 2.0 server to a 3.1.5 server. Is 
> there a documented procedure to export all the data from the 2.0 server and 
> import it into the 3.1.5 server?

Not yet (but there will be by the end of June) - you can help us with the
guide by providing your feedback on the current outline.

> If I copy files over (PKI DB, main IPA DB, Kerberos stuff), will they be 
> upgraded on next restart, or is it much, much more complicated than that?

There are dragons hidden in procedures like this one - you can easily forget
to copy something.

> So far, I have the rough steps (see attached). But I don't know for sure if 
> that will work.
> Any ideas or insights?

This is the migration plan that should work:

0) We have IPA server(s) of aging version (2.0 in your case)

1) On one of your servers, create a replica (ipa-replica-prepare) and copy the
replica file to the new server/VM which will host the updated IPA version

2) You install the up-to-date FreeIPA server (ipa-replica-install). It should
have all the services as the original server had, i.e.
- if original server had CA installed (it probably did), you will also add
"--setup-ca" option
- if original server had DNS installed, you will also add "--setup-dns" option

The new server should now have all the capability of the aging servers + it
will have features introduced in the new version.

4) (Optional but recommended) If the installation went well and you are
satisfied with the new server and plan to migrate, you may also spin off some
replicas from it just to keep the redundancy in case this server breaks in any 

5) If the new server was properly installed, you stop all the old IPA servers:
# ipactl stop
- this step is important, this will prevent losing data in case the new server
misses something and lets you test the new server

6) On your client(s), you verify that they continue to function as before. If
you use DNS with IPA, this should be easy as they should fall back to the new
IPA servers automatically simply by reading the new server address from DNS SRV
records. If you do not use automatic DNS discovery and you use a fixed list of
servers, you would have to update these lists in /etc/sssd/sssd.conf and
/etc/krb5.conf and other configuration files you used.

7) When you verify that clients keep functioning properly, you remove the old
IPA servers, i.e:
- log in to the new ipa server and delete the old servers
$ ipa-replica-manage list
$ ipa-replica-manage del old.ipa.server.fqdn

8) You can now uninstall old IPA servers (ipa-server-install --uninstall) or
discard their VMs/machines

9) You successfully migrated!

Please note that this procedure works only if your FreeIPA basic settings (like
REALM) stay intact. If you wanted to create a whole new deployment using
different settings, the following RFE would need to be finished first:


Any comments? Does this procedure make sense to you?


Freeipa-users mailing list
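
Added example (not part of the original message and not FreeIPA's own tooling): for step 6 of the plan above, a small Python check that reads the text of a client's sssd.conf or krb5.conf and lists fixed server entries that still name a server being retired. The sample configs, the realm and the host names are constructed placeholders.

```python
import re

# Constructed sample client configs; realm and host names are placeholders.
SSSD_CONF = """\
[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, old.ipa.server.fqdn
"""

KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = old.ipa.server.fqdn:88
  admin_server = new.ipa.server.fqdn:749
 }
"""

# Options in sssd.conf / krb5.conf that can carry a fixed server list.
SERVER_KEYS = {"ipa_server", "ipa_backup_server",
               "kdc", "master_kdc", "admin_server", "kpasswd_server"}

def fixed_servers(text):
    """Yield (line_no, key, host) for every pinned server entry in a config."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]                  # ignore comments
        m = re.match(r"\s*([A-Za-z_]+)\s*=\s*(.+)", line)
        if not m or m.group(1) not in SERVER_KEYS:
            continue
        for item in re.split(r"[,\s]+", m.group(2).strip()):
            host = item.rsplit(":", 1)[0].lower()     # drop an optional :port
            if host and host != "_srv_":              # _srv_ means DNS SRV discovery
                yield no, m.group(1), host

def stale_entries(text, old_servers):
    """Return the pinned entries that still point at a server being retired."""
    old = {s.lower() for s in old_servers}
    return [entry for entry in fixed_servers(text) if entry[2] in old]

if __name__ == "__main__":
    for name, text in (("sssd.conf", SSSD_CONF), ("krb5.conf", KRB5_CONF)):
        for no, key, host in stale_entries(text, ["old.ipa.server.fqdn"]):
            print(f"{name}:{no}: {key} still references {host}")
```

An empty result for every client config means no fixed list still depends on the old servers before they are deleted in step 7.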
