On 01/13/2014 01:33 PM, Rob Crittenden wrote:
> Dimitar Georgievski wrote:
>> This question is really about HA of FreeIPA. I've noticed that new
>> records cannot be added on the replica server while the primary is down.
>>
>> Ideally these services should be always available even when the Primary
>> server is down (for maintenance or other reasons).
>>
>> Is it possible to have another Primary server replicating with the first
>> Primary or to use one of the Replica servers to manage records while the
>> Primary server is down?
>
> All servers in IPA are equal masters, the only difference may be the
> services running on any given server (DNS and a CA).
>
> The exception is if a master runs out of DNA values or has never been
> used to add an entry that requires one and the original IPA master is
> down. An IPA server will request a DNA range the first time it needs
> one but doesn't get one until then. I'm guessing that is what happened.
>
> I believe IPA 3.3 added some options to ipa-replica-manage to be able
> to control the DNA configuration.

We might be talking about the entries that have certificates. Is this the case? If so, the certificate operations are proxied to the server that has a full CA, but AFAIR there is no failover there, and I vaguely recall that there was a ticket filed to address this scenario. So which entries are we talking about?

>
> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.