Martin Babinsky wrote:
> On 12/01/2016 01:28 PM, Neal Harrington | i-Neda Ltd wrote:
>> Hi IPA Gurus,
>>
>> I had a 3 site multi-master IPA replication setup (1 office and 2 datacentres) with 2 IPA servers at each site. Each server was replicating successfully to 3 other servers (the other local site server and one server at each of the two remote sites). Everything is running on the default packages from CentOS 7.2 and each server is a full replica (ipa-replica-install /var/lib/ipa/replica-info-id-myserver.fqdn.com.gpg --setup-ca --setup-dns --mkhomedir --forwarder 8.8.8.8).
>>
>> Everything was ticking over nicely until we had notice that the office site was moving on short notice.
>>
>> I successfully created IPA servers at the new site, set up replication again between the new office and the two datacentres that were to remain online, tested and everything worked as expected. Unfortunately, in the rush I did not have time to properly retire the IPA servers in the old office.
>>
>> The problem this has caused is that I only ever created users in one of the IPA servers in the original office, so only those servers have a DNA range and I am now unable to create new users on the active servers. The original office servers are still in the IPA replication and powered on but offline, so potential split brain?
>>
>> I now have two things I would like to know before proceeding:
>>
>> * Is the best fix here to force remove the original IPA servers and manually add a new DNA range significantly different from the original to avoid overlaps?
>> * Is there anything else I should check? I can't see any issues, however I did not notice the DNA range until I tried to create a user.
>>
>> Any pointers greatly appreciated.
>>
>> Thanks,
>>
>> Neal.
>
> Hi Neal,
>
> If you already disconnected/decommissioned the old masters then I think the best you can do is option a, i.e. reset DNA ranges on replicas to new values while avoiding overlap with old ranges.
>
> We have an upstream document [1] describing the procedure. Hope it helps.
>
> Also make sure that you migrated CA renewal and CRL master responsibilities to the new replicas, otherwise you may get problems with expiring certificates which are really hard to solve. See the following guide for details [2].
>
> [1] http://www.freeipa.org/page/V3/Recover_DNA_Ranges
> [2] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

You may want to look at this too, http://blog-rcritten.rhcloud.com/?p=50

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
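A small helper for the range-reset step Martin describes (an added example, not code from this thread or from the FreeIPA project): it reads a `dnarange-show` style listing, refuses a proposed range that overlaps a range still held by any master in the topology, and prints the `dnarange-set` command to run. The listing format, host names and numbers are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in the format `ipa-replica-manage dnarange-show` prints
# (assumed: one "host: start-end" line per master, or "host: No range set").
# The old office master still holds its range even though it is unreachable.
SAMPLE_RANGES='old1.office.example.com: 1234500001-1234699999
old2.office.example.com: No range set
new1.office.example.com: No range set'

# Read a dnarange-show listing on stdin; return 0 if [START, END] overlaps any
# range already assigned to a master (powered-off ones included), 1 otherwise.
dna_range_overlaps() {
    start=$1; end=$2
    while IFS= read -r line; do
        case $line in *"No range set"*|"") continue ;; esac
        range=${line##*: }          # "1234500001-1234699999"
        lo=${range%-*}; hi=${range#*-}
        if [ "$start" -le "$hi" ] && [ "$end" -ge "$lo" ]; then
            return 0
        fi
    done
    return 1
}

# Print the command that would assign START-END to MASTER, or fail when the
# proposed range collides with an existing one. The new range must also lie
# inside the IPA ID range (`ipa idrange-find`) so SSSD can still map the UIDs.
propose_dna_range() {
    master=$1; start=$2; end=$3
    if dna_range_overlaps "$start" "$end"; then
        echo "refusing: $start-$end overlaps a DNA range held by another master" >&2
        return 1
    fi
    echo "ipa-replica-manage dnarange-set $master $start-$end"
}

# Demo on the constructed listing: a range above the old one is accepted.
printf '%s\n' "$SAMPLE_RANGES" | propose_dna_range new1.office.example.com 1234700001 1234899999
```

On a live master, pipe the real `ipa-replica-manage dnarange-show` output into `propose_dna_range` instead of the sample listing. The old masters keep their ranges reserved in this check until they are actually removed from the topology with `ipa-replica-manage del`, which is the safe default when they may still come back online.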
