My existing FreeIPA 3.0 (CentOS 6) setup is as follows:

Kerberos Realm: test.com
I have several DNS zones

ipa01.mgmt.test.com - FreeIPA 3.0 Master
ipa02.mgmt.test.com - FreeIPA 3.0 Replica

The FreeIPA servers actually reside in mgmt.test.com.  test.com in FreeIPA
3 has forwarding DNS servers configured.

We are going to move to FreeIPA 4.2 (CentOS 7) and here is the path I have
tested that appears to work.

I followed this guide.


1 Create an IPA 4 server (ipa03.mgmt.test.com) that is a replica of the IPA
3 master server (ipa01.mgmt.test.com)
2 Remove replica agreement for ipa02.mgmt.test.com on IPA 3 master (
3 Shutdown ipa02.mgmt.test.com to prep for an IPA 4 server to take its place
4 Build a new server and install IPA 4 server that will become a new
5 Make ipa02.mgmt.test.com a replica of ipa03.mgmt.test.com
6 Make ipa02.mgmt.test.com the master CRL server instead of
7 Shutdown ipa01.mgmt.test.com to prep for an IPA 4 server to take its place
8 Build a new server and install IPA 4 server that will become a new
9 Make ipa01.mgmt.test.com a replica of ipa02.mgmt.test.com

The reason for removing old servers to take the place of new servers is so
that I can reuse the IP addresses and do not need to change DNS entries on
any client

The problem occurs when I realize that the test.com zone needs to be a
forwarded zone in IPA 4, but in IPA 3 it is a normal DNS zone, and I need to
have test.com be a forwarded zone.  In IPA 3 there is no entry for
ipa-ca.test.com but I do see it in IPA 4.  In my testing I have removed the
test.com zone and made it a forwarding zone, but that removes the entry for
ipa-ca.test.com as well as all the test.com Kerberos entries.

What I do not know is what I broke when I removed test.com, since it is
the Kerberos realm.  It appears that replication between the servers still
works and I was able to add an IPA 4 client server without issue.  We plan
on using certs generated from IPA 4 for OpenVPN, but I do not have enough
information to know if the removal of the test.com zone will break that
certificate validation and revocation, since the ipa-ca.test.com DNS entry
no longer exists.

I believe where I went wrong was that I should have setup mgmt.test.com as
the Kerberos realm rather than test.com and I would not have the questions
I do now.

Thank you for your help.

*Mike Plemmons | Senior DevOps Engineer*
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
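The question above comes down to which DNS names under the realm's domain still resolve after test.com was turned into a forward zone: the Kerberos/LDAP SRV and TXT records that clients without a hard-coded KDC use to find the servers, and the ipa-ca.<domain> name that the IPA 4 CA writes into the CRL distribution point and OCSP (AIA) URIs of every certificate it issues. The following is an added example written for this thread, not code from FreeIPA or from the original poster. It checks a record set (assumed to be what you get from `ipa dnsrecord-find <zone>` or `dig`) against the core names FreeIPA publishes for a realm domain, and pulls the hostnames out of `openssl x509 -noout -text` output to see whether a certificate's revocation URIs still point at a resolvable name. The sample records and certificate excerpt are constructed to mirror the situation described in the post; the helper names (`required_names`, `cert_uri_hosts`, `check_zone`) are hypothetical.

```python
"""Check the DNS names FreeIPA clients and certificate validators depend on
after a zone change.  Added example for the freeipa-users thread above; it is
not FreeIPA code.  Real inputs: `ipa dnsrecord-find test.com` or `dig`, and
`openssl x509 -in cert.pem -noout -text`."""
import re
from urllib.parse import urlparse


def required_names(domain):
    """Core records FreeIPA publishes in the realm's DNS domain.

    Assumption: realm TEST.COM uses DNS domain test.com, as in the post.
    Clients without an explicit kdc= in krb5.conf locate the KDC through the
    SRV records; the CA's CRL and OCSP URIs live under ipa-ca.<domain>."""
    d = domain.rstrip(".").lower()
    return {
        f"_kerberos._udp.{d}": "SRV",
        f"_kerberos._tcp.{d}": "SRV",
        f"_kpasswd._udp.{d}": "SRV",
        f"_kpasswd._tcp.{d}": "SRV",
        f"_ldap._tcp.{d}": "SRV",
        f"_kerberos.{d}": "TXT",
        f"ipa-ca.{d}": "A",
    }


_URI_RE = re.compile(r"URI:(\S+)")


def cert_uri_hosts(cert_text):
    """Hostnames referenced by CRL Distribution Point / AIA URIs in the text
    form of a certificate (every `URI:` token openssl prints)."""
    hosts = set()
    for uri in _URI_RE.findall(cert_text):
        host = urlparse(uri).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def check_zone(records, domain, cert_text=""):
    """records: {fqdn: {rrtype, ...}} as currently served by the IPA DNS.

    Returns the required name/type pairs that are absent, and the hostnames
    from the certificate's URIs that have no A/AAAA/CNAME record at all, i.e.
    CRL download and OCSP lookups would fail to resolve."""
    recs = {k.rstrip(".").lower(): {t.upper() for t in v}
            for k, v in records.items()}
    missing = [f"{name} {rrtype}"
               for name, rrtype in required_names(domain).items()
               if rrtype not in recs.get(name, set())]
    dangling = sorted(h for h in cert_uri_hosts(cert_text)
                      if not recs.get(h, set()) & {"A", "AAAA", "CNAME"})
    return {"missing": missing, "dangling_cert_hosts": dangling}


# Constructed sample: the records left after test.com was replaced by a
# forward zone, so only the mgmt.test.com zone still holds IPA records.
SAMPLE_RECORDS_AFTER = {
    "ipa01.mgmt.test.com.": {"A"},
    "ipa02.mgmt.test.com.": {"A"},
    "ipa03.mgmt.test.com.": {"A"},
    "_kerberos._udp.mgmt.test.com.": {"SRV"},
    "_ldap._tcp.mgmt.test.com.": {"SRV"},
    "ipa-ca.mgmt.test.com.": {"A"},
}

# Constructed excerpt of `openssl x509 -noout -text` for a certificate issued
# by the IPA 4 CA; the URIs follow FreeIPA's ipa-ca.<domain> convention.
SAMPLE_CERT_TEXT = """\
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ipa-ca.test.com/ipa/crl/MasterCRL.bin
            Authority Information Access:
                OCSP - URI:http://ipa-ca.test.com/ca/ocsp
"""

if __name__ == "__main__":
    result = check_zone(SAMPLE_RECORDS_AFTER, "test.com", SAMPLE_CERT_TEXT)
    for line in result["missing"]:
        print("missing:", line)
    for host in result["dangling_cert_hosts"]:
        print("certificate revocation URI points at unresolvable host:", host)
```

Run against the constructed data it reports all seven test.com records as missing and flags ipa-ca.test.com as the dangling host behind both the CRL and OCSP URIs; re-adding the SRV/TXT records and an A record (or CNAME to a server) for ipa-ca.test.com in whichever zone is authoritative for test.com makes both lists empty. Note that a forward-only zone cannot carry those records, so either test.com stays a normal zone with forwarders configured for the names it does not hold, or the records have to exist on whatever DNS is authoritative for test.com.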