On 11/05/2013 10:16 PM, Rob Crittenden wrote: >> >>>> If you have deployed original IPA server with integrated CA, then your >>>> other replicas better to have at least one with CA configured to allow >>>> proper recovery in case primary one is destroyed. >> >> Is there any caveats to not deploy CA on all replicas as a simples >> solution? > > You don't need a CA on every single replica, but you probably want at > least two. > It is important to understand that CA is crucial to IPA so if for some reason you loose all the replicas that have CA you are facing a redeployment. This is why we suggest having "enough" replicas with CA and also to do periodically snapshot one of the replicas with CA so that everything is lost you can recover from the snapshot. We are working on a more comprehensive disaster recovery document but it is worth mentioning it here.
-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users