On 11/05/2013 10:16 PM, Rob Crittenden wrote:
>>>> If you have deployed original IPA server with integrated CA, then your
>>>> other replicas better to have at least one with CA configured to allow
>>>> proper recovery in case primary one is destroyed.
>> Is there any caveats to not deploy CA on all replicas as a simples
>> solution?
> You don't need a CA on every single replica, but you probably want at
> least two.
It is important to understand that CA is crucial to IPA so if for some
reason you loose all the replicas that have CA you are facing a
This is why we suggest having "enough" replicas with CA and also to do
periodically snapshot one of the replicas with CA so that everything is
lost you can recover from the snapshot.
We are working on a more comprehensive disaster recovery document but it
is worth mentioning it here.

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to