On Thu, 2013-08-29 at 09:14 -0400, Bret Wortman wrote: > On Thu, Aug 29, 2013 at 9:09 AM, Simo Sorce <s...@redhat.com> wrote: > On Thu, 2013-08-29 at 08:07 -0400, Bret Wortman wrote: > > Okay, I have a replica built and running. My original, > "sick" server > > is ipamaster and the new one is ipamaster2. All I've done > thus far on > > ipamaster2 is run ipa-replica-install --setup-dns > --no-forwarders > > replica-info-ipamaster2.foo.net.gpg. > > > > > > What additional steps do I need to take to ensure that the > process of > > shutting down ipamaster, wiping it out, building it up fresh > and then > > replicating ipamaster2 back to ipamaster and making > ipamaster again > > the center of the universe and my certificate authority work > > correctly, cleanly, and with minimal fuss? Given the mess I > got our > > servers already, I figured I should ask before I start > messing about > > today. > > > > > > I think the process should look something like this (I don't > want you > > all thinking I'm looking for someone to do all my thinking > for me): > > > > > > 1. Take snapshot of ipamaster (just in case) > > 2. [ipamaster2]# > > > ipa-ca-install /var/lib/ipa/replica-info-ipamaster2.foo.net.gpg (I > > should've done this during the ipa-ca-install, but since the > ca step > > is so rare, I didn't have it in my wiki notes). > > 3. [ipamaster]# reboot > > > > > > This reboot will trigger a Cobbler & Puppet-based wipe of > the system > > and reinstallation of F18 and freeipa-server. While that's > going on: > > > > > > 4. [ipamaster2]# ipa-replica-prepare ipamaster.foo.net > 1.2.3.4 > > > You need to use ipa-replica-manage to remove the original > ipamaster > before you can prepare to add a new one. > > After it is fully removed and replica file generated you need > to restart > at yleast 389ds on ipamaster2 this is due to the fact that DS > does nto > purge valid tickets, and it holds a ticket valid for the old > ipamaster, > however when you reinstall the new the name will match so > replication > between ipamaster2 -> ipamaster may fail because ipamsater2 > has a wrong > ticket (using old key you just nuked before the reinstall). > > > > > > Got it. Glad I asked! I'll add these steps to my procedure. > > > When ipamaster is back up: > > > > > > 5. [ipamaster]# cd /var/lib/ipa && scp > > > You can copy in /root > > > I usually do it in /var/lib/ipa I guess because that's where the > server puts the file, so it makes it easy for me to remember that's > where it is. But point taken. > > > > ipamaster2:/var/lib/ipa/replica-info-ipamaster.foo.net.gpg . > > 6. [ipamaster]# ipa-replica-install --setup-dns > --no-forwarders > > --setup-ca replica-info-ipamaster.foo.net.gpg > > > > > > Usually, there's some reason I need to go back to ipamaster2 > and > > either delete a dns entry or ipa host-del the system. > > > Uh ? Sound like this is going to screw up things, why should > you delete > DNS entries ? > ipa host-del of a master is *certainly* going to break > replication and > basically everything. Is this what you did in your old setup ? > > > Only if ipa-replica-install said I needed to.
ok this means you previously uninstalled a replica directly on the machine but tdid not remove it from the domain, this is bad practice. you should use ipa-replica-manage before you retire a machine if possible, otherwise you leave dangling replication agreements, DNS names, ID ranges (this means you loose ID space), and keys. > > After the replica install is done: > > > > > > 7. Shut down and delete the ipamaster2 VM. > > > Do not forget to ipa-replica-manage remove it first. > > > Awesome. This is why I asked. > > > 8. Upgrade existing "replicas" to F18 and latest IPA > version. > > 9. Establish replication agreements with now-functioning > ipamaster. > > > > > > Does that sound right? > > > > > > See above. > > Simo. > > > -- > Simo Sorce * Red Hat, Inc * New York > > > -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users