On 12/01/2016 01:28 PM, Neal Harrington | i-Neda Ltd wrote:
Hi IPA Gurus,

I had a 3 site multi master IPA replication setup (1 office and 2
datacentres) with 2 IPA servers at each site. Each server was
replicating successfully to 3 other servers (the other local site server
and one server at each of the two remote sites). Everything is running
on the default packages from CentOS 7.2 and each server is a full
replica (ipa-replica-install
/var/lib/ipa/replica-info-id-myserver.fqdn.com.gpg  --setup-ca
--setup-dns --mkhomedir --forwarder

Everything was ticking over nicely until we had notice that the
office site was moving on short notice.

I successfully created IPA servers at the new site, setup replication
again between the new office and the two datacentres that were to remain
online, tested and everything worked as expected - unfortunately in the
rush I did not have time to properly retire the IPA servers in the old

The problem this has caused is that I only ever created users in one of
the IPA servers in the original office - so only those servers have a
DNA range and I am now unable to create new users on the active servers.
The original office servers are still in the IPA replication and powered
on but offline so potential split brain?

I now have two things I would like to know before proceeding:

  * Is the best fix here to force remove the original IPA servers and
    manually add a new dna range significantly different from the
    original to avoid overlaps?
  * Is there anything else I should check? I can't see any issues
    however did not notice the DNA range until I tried to create a user.

Any pointers greatly appreciated.



Hi Neal,

If you already disconnected/decommissioned the old masters then I think the best you can do is option a, i.e. re-set DNA ranges on replicas to new values while avoiding overlap with old ranges.

We have an upstream document[1] describing the procedure. Hope it helps.

Also make sure that you migrated CA renewal and CRL master responsibilities to the new replicas, otherwise you may get problems with expiring certificates which are really hard to solve. See the following guide for details. [2]

[1] http://www.freeipa.org/page/V3/Recover_DNA_Ranges
[2] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Martin^3 Babinsky
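As an added example (not code from this thread, from Martin's reply, or from the FreeIPA project), the following POSIX shell script does the "new ranges, no overlap" part of the fix described above: it takes the ranges the retired masters still hold, plans one fresh block per surviving master that touches none of them, and applies the plan with `ipa-replica-manage dnarange-set`. It assumes that subcommand (present in FreeIPA 4.x, so on the CentOS 7.2 packages) and that the old ranges are copied by hand from `ipa-replica-manage dnarange-show`; every hostname and number in it is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project.
# Plans replacement DNA ranges for the surviving masters that do not overlap
# the ranges still recorded for the retired masters, and applies them with
# ipa-replica-manage dnarange-set (assumed available: FreeIPA 4.x).
# All hostnames and range numbers below are constructed for illustration.

# Ranges the retired (old-office) masters held, as "start-end" words.
# Constructed values; copy the real ones from `ipa-replica-manage dnarange-show`.
OLD_RANGES="1001-200000 200001-400000"

# overlaps S1 E1 S2 E2: succeed if inclusive ranges [S1,E1] and [S2,E2] intersect.
overlaps() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# range_is_free S E: succeed if [S,E] touches none of $OLD_RANGES.
range_is_free() {
    for r in $OLD_RANGES; do
        if overlaps "$1" "$2" "${r%-*}" "${r#*-}"; then
            return 1
        fi
    done
    return 0
}

# plan_ranges BASE SIZE HOST...: print "host start-end", one block of SIZE ids
# per host starting at BASE; fail if any block overlaps an old range.
plan_ranges() {
    base=$1; size=$2; shift 2
    for host in "$@"; do
        end=$((base + size - 1))
        if ! range_is_free "$base" "$end"; then
            echo "refusing: $base-$end overlaps an old DNA range" >&2
            return 1
        fi
        echo "$host $base-$end"
        base=$((end + 1))
    done
}

# apply_plan: read "host start-end" lines on stdin and set each master's range.
# Run this only after the retired masters are gone from the topology
# (ipa-replica-manage del --force <old-host>), so their entries cannot return.
apply_plan() {
    while read -r host range; do
        ipa-replica-manage dnarange-set "$host" "$range"
    done
}

# Dry run by default; set DO_APPLY=yes on an IPA master to actually apply.
NEW_MASTERS="ipa1.newoffice.example.com ipa2.newoffice.example.com ipa1.dc1.example.com"
if PLAN=$(plan_ranges 500001 100000 $NEW_MASTERS); then
    echo "$PLAN"
    if [ "${DO_APPLY:-no}" = yes ]; then
        echo "$PLAN" | apply_plan
    fi
fi
```

Two caveats a practitioner would check before running the apply step: the new blocks must fall inside an ID range IPA already knows about (`ipa idrange-find`), otherwise `dnarange-set` will refuse them or users will get UIDs SSSD cannot map, and the base chosen here deliberately starts well above the old ranges, as the original question suggested, so that a retired master that is powered back on by mistake cannot hand out colliding IDs.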

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
