On 12/01/2016 01:28 PM, Neal Harrington | i-Neda Ltd wrote:
Hi IPA Gurus,
I had a 3 site multi master IPA replication setup (1 office and 2
datacentres) with 2 IPA servers at each site. Each server was
replicating successfully to 3 other servers (the other local site server
and one server at each of the two remote sites). Everything is running
on the default packages from CentOS 7.2 and each server is a full
--setup-dns --mkhomedir --forwarder 188.8.131.52)
Everything was ticking over nicely until we had notice that the
office site was moving on short notice.
I successfully created IPA servers at the new site, setup replication
again between the new office and the two datacentres that were to remain
online, tested and everything worked as expected - unfortunately in the
rush I did not have time to properly retire the IPA servers in the old
The problem this has caused is that I only ever created users in one of
the IPA servers in the original office - so only those servers have a
DNA range and I am now unable to create new users on the active servers.
The original office servers are still in the IPA replication and powered
on but offline so potential split brain?
I now have two things I would like to know before proceeding:
* Is the best fix here to force remove the original IPA servers and
manually add a new dna range significantly different from the
original to avoid overlaps?
* Is there anything else I should check? I can't see any issues
however did not notice the DNA range until I tried to create a user.
Any pointers greatly appreciated.
If you already disconnected/decomissioned the old masters then I thnk
the best you can do is option a, i.e. re-set DNA ranges on replicas to
new values while avioding overlap with old ranges.
We have an upstream document describing the procedure. Hope it helps.
Also make sure that you migrated CA renewal and CRL master
responsibilities to the new replicas, otherwise you may get problems
with expiring certificates which are really hard to solve. See the
following guide for details. 
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project