In my case DNS is not an issue; FreeIPA is integrated with existing DNS.

The above procedure would work for migrating the user's data to a new IPA
server that has a new host name. What if I would like to restore the
original IPA server? Could I repeat the above steps with the exception of
#4, in which I would restore backed-up certificates and keytab files? This
should avoid the need to regenerate them, no?

In short, how would you perform a full back-up and restore of the Primary
IPA server? I understand this is not a trivial task for the IPA server and
from what I've learned it is probably not fully supported in the current
ver 3.x.



On Thu, Jan 23, 2014 at 1:32 AM, Martin Kosek wrote:

> On 01/22/2014 06:57 PM, Petr Viktorin wrote:
> > On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:
> >> Would you use ldapmodify -f file-name-with-exported-data to import the
> >> data back to a new copy of FreeIPA?
> >
> > No, that generally won't work. There's more to IPA than the data in LDAP.
> > Instead of copying data you should install the new server as a replica of the
> > old one.
>
> That would give you FreeIPA with the same domain, realm or certificate subject
> name.
> If you want to start with different settings, I would recommend:
> 1) Installing new IPA server
> 2) Using "ipa migrate-ds" command to migrate users and groups
> 3) Use the ldapsearch&ldapmodify to migrate DNS (you may need to change the DN
> in the LDIF file to use correct SUFFIX if the realm changed)
> 4) For all hosts - unenroll and enroll again against the new IPA. This is
> needed to regenerate the new certificates or host keytab
> HTH,
> Martin
Freeipa-users mailing list
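
The DN rewrite mentioned in step 3 of the quoted procedure, as an added example that is not part of the original thread: it moves every entry DN in an exported LDIF from the old suffix to the new one, handling folded lines and base64-encoded DNs. The suffixes, zone names and records are constructed sample values, and DN-valued attributes inside entries are not rewritten.

```python
import base64

def unfold(text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def swap_suffix(dn, old, new):
    """Replace the old suffix only when it ends the DN on an RDN boundary."""
    if dn.lower() == old.lower():
        return new
    if dn.lower().endswith("," + old.lower()):
        return dn[:-len(old)] + new
    # Refuse to guess: an entry from another tree should not be imported silently.
    raise ValueError("DN is outside the old suffix: " + dn)

def rewrite_ldif(text, old, new):
    """Rewrite every entry DN; attribute lines pass through unchanged (output is unfolded)."""
    out = []
    for line in unfold(text):
        if line[:4].lower() == "dn::":        # base64-encoded DN
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
            moved = swap_suffix(dn, old, new).encode("utf-8")
            out.append("dn:: " + base64.b64encode(moved).decode("ascii"))
        elif line[:3].lower() == "dn:":       # plain DN
            out.append("dn: " + swap_suffix(line[3:].strip(), old, new))
        else:
            out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample export (assumed suffixes, not taken from the thread).
OLD, NEW = "dc=old,dc=test", "dc=new,dc=example,dc=test"
B64_DN = base64.b64encode(
    b"idnsname=mail,idnsname=example.test.,cn=dns,dc=old,dc=test").decode("ascii")
SAMPLE = (
    "dn: idnsname=example.test.,cn=dns,dc=old,dc=test\n"
    "objectClass: idnszone\n\n"
    "dn: idnsname=www,idnsname=example.test.,cn=dns,\n"
    " dc=old,dc=test\n"
    "aRecord: 192.0.2.10\n\n"
    "dn:: " + B64_DN + "\n"
    "aRecord: 192.0.2.25\n"
)

if __name__ == "__main__":
    print(rewrite_ldif(SAMPLE, OLD, NEW), end="")
```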
