Bill Peck wrote:
>
> On Wed, Jul 16, 2014 at 9:03 AM, Petr Viktorin <pvikt...@redhat.com> wrote:
>
> > On 07/16/2014 02:34 PM, Choudhury, Suhail wrote:
> >
> > > Hi,
> > >
> > > I'd like some clarification on what a "master" and "replica" is
> > > please.
> >
> > Once installed, all masters are identical (except some might have a
> > CA and some not).
> > The distinction is useful when installing a replica, where "master"
> > and "replica" generally mean "existing master" and "new master",
> > respectively.
> >
> > > This doc suggests you start with 1 master and a replica can be
> > > promoted to a master by changing "/var/lib/pki-ca/conf/CS.cfg":
> > >
> > > http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html
> >
> > That doc is ancient (Fedora 15), don't use it.
> >
> > > However IPA is supposed to be multi-master replication, and
> > > replication agreements appear to be two-way when checking
> > > "ipa-replica-manage list hostname" on a given IPA server.
> > >
> > > So when creating a replica using:
> > >
> > > ipa-replica-install --setup-ca --setup-dns --forwarder=172.20.220.25
> > > --forwarder=172.20.220.27 /root/replica-info-ipa01.domain.com.gpg
> > >
> > > am I creating another "master replica"?
> >
> > Yes, you're creating a new master; since you gave --setup-ca the two
> > masters will be equivalent.
>
> So you no longer need to do anything to promote a replica to be a CA
> master? Another way to ask the question, can I remove the original
> master and everything will still work?
"All masters are equal" is a bit of a loaded term. From the NSS data perspective that is true, including DNS data, whether a given master actually runs bind or not.

The distinction comes in with the CA. It has its own replication topology and not every master needs to run one. We recommend at least two.

There are two things that are only done on one IPA master with a CA: generating the CRL and managing renewal of the CA subsystem certificates. The initial IPA server installed is picked as the one to do these two tasks, but it can be done by any of them. How to change it is documented at http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
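Rob's reply says that exactly one CA master generates the CRL and exactly one handles renewal of the CA subsystem certificates, and Bill's question was whether the original master can simply be removed. The practical check before decommissioning a CA master is therefore: is this host still holding either role? Below is an added example, not from the thread or from the FreeIPA project, written as a POSIX sh gate that reads the two CRL-related keys from a CA's CS.cfg and the caRenewalMaster flag from the cn=masters subtree, and refuses to call a host removable while it still holds either role. The CS.cfg key names (ca.crl.MasterCRL.enableCRLCache, ca.crl.MasterCRL.enableCRLUpdates) and the ipaConfigString: caRenewalMaster value are assumptions based on the Dogtag and FreeIPA layouts referenced by the linked Howto and should be verified against your own deployment; every input is constructed inline, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): decide whether a
# CA master still generates the CRL or renews the CA subsystem certificates
# before removing it. Key and attribute names below are assumptions taken
# from the Dogtag CS.cfg and the FreeIPA cn=masters tree; verify them locally.

# crl_role "<CS.cfg text>" -> crl-master | clone | inconsistent
# The CRL-generating master has both MasterCRL keys true; clones have both
# false. Anything else means a half-finished switch and needs attention.
crl_role() {
    cache=$(printf '%s\n' "$1" | awk -F= '$1=="ca.crl.MasterCRL.enableCRLCache"{print $2}')
    updates=$(printf '%s\n' "$1" | awk -F= '$1=="ca.crl.MasterCRL.enableCRLUpdates"{print $2}')
    if [ "$cache" = true ] && [ "$updates" = true ]; then
        echo crl-master
    elif [ "$cache" = false ] && [ "$updates" = false ]; then
        echo clone
    else
        echo inconsistent
    fi
}

# renewal_master "<LDIF of cn=masters,cn=ipa,cn=etc,$SUFFIX>"
# Prints the host whose cn=CA entry carries "ipaConfigString: caRenewalMaster".
# Fails unless exactly one master claims the role (zero means nobody renews,
# two means two hosts will fight over the same certificates).
renewal_master() {
    hosts=$(printf '%s\n' "$1" | awk '
        /^dn: cn=CA,cn=/ { split($0, p, ","); sub(/^cn=/, "", p[2]); host = p[2] }
        /^ipaConfigString: caRenewalMaster$/ { print host }
        /^$/ { host = "" }')
    n=$(printf '%s\n' "$hosts" | awk 'NF{c++} END{print c+0}')
    [ "$n" -eq 1 ] || { echo "expected exactly one renewal master, found $n" >&2; return 1; }
    echo "$hosts"
}

# safe_to_remove HOST "<that host's CS.cfg text>" "<LDIF>" -> 0 if safe, 1 if not
safe_to_remove() {
    host=$1
    [ "$(crl_role "$2")" = clone ] || { echo "$host still generates the CRL; move that role first" >&2; return 1; }
    rmaster=$(renewal_master "$3") || return 1
    [ "$rmaster" != "$host" ] || { echo "$host is still the renewal master; move that role first" >&2; return 1; }
    echo "$host holds neither CA role; ipa-replica-manage del $host is safe from the CA side"
}

# Constructed sample inputs (not from a real deployment).
CS_CFG_CRL_MASTER='ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true'
CS_CFG_CLONE='ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false'
CS_CFG_HALF='ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=false'

LDIF_OK='dn: cn=CA,cn=ipa01.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster

dn: cn=CA,cn=ipa02.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
ipaConfigString: enabledService'

LDIF_NONE='dn: cn=CA,cn=ipa01.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
ipaConfigString: enabledService

dn: cn=CA,cn=ipa02.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
ipaConfigString: enabledService'

# Stand-alone run: the original master still holds both roles, the new one none.
safe_to_remove ipa01.example.com "$CS_CFG_CRL_MASTER" "$LDIF_OK" || true
safe_to_remove ipa02.example.com "$CS_CFG_CLONE" "$LDIF_OK"
```

On a live server the two inputs come from `cat /etc/pki/pki-tomcat/ca/CS.cfg` (or the older `/var/lib/pki-ca/conf/CS.cfg` path quoted in the thread) and from an `ldapsearch` of the cn=masters subtree; the gate only answers the CA-side question, so DNS, replication agreements and clients pointing at the host still need their own checks before `ipa-replica-manage del`.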