On 02/13/2017 10:12 PM, Aaron Young wrote:

So, I recently took over this site and a couple days into it, the first
ipa server died because of disk corruption.

Right now, I've built another ipa server to step into the topology as a
replica, but I keep getting strange dns errors during update

Looking at it closer, it appears that when nsupdate runs, it fails updating

Looking closer, I notice that the SOA comes back with the name of the
missing server.

So, it seems like I should change that. So far I've been unable to

I get messages back from nsupdate like

"response to SOA query was unsuccessful"

I'm not sure what information I should send to help with this

My main question is, is there a way to force the change of the SOA?

Aaron Young
MarketFactory, Manager of Site Reliability Engineering
425 Broadway, 3FL
New York, NY 10013
Office: +1 212 625 9988
Direct +1 646 779 3710
US Support: +1 (212) 625-0688 | UK
Support: +44 (0) 203 695-7997

Hi Aaron,

There may be some stale NS record on other IPA masters which serve your DNS zone. You can verify this by running:

# ipa dnsrecord-show <DOMAIN_NAME> @

and check the list of nameservers returned.

To remove the record of the old master, run:

# ipa dnsrecord-del <DOMAIN_NAME> @ --ns-rec <MASTER_FQDN>

Also, make sure you cleaned up old agreements, services, etc. of the old master by running `ipa-replica-manage del --force --cleanup <MASTER_FQDN>` on some other IPA master.

You will also probably have to stand up a new CA renewal/CRL master[1] on one of the remaining replicas if the first server died and you have CA configured.

[1] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Hope this helps

Martin^3 Babinsky
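
Added example, not part of the original messages and not FreeIPA code: a small shell check that compares the SOA MNAME and the NS names a zone still advertises against a list of live masters, so leftovers of the dead server are visible before and after the cleanup commands in the reply. The host names, sample answers and function names are constructed for illustration, and the list of live masters is assumed to be supplied by the administrator.

```shell
#!/bin/sh
# Constructed sample data (not from the thread): answers as printed by
#   dig +short SOA <zone>   and   dig +short NS <zone>
SAMPLE_SOA='ipa01.example.test. hostmaster.example.test. 1487000000 3600 900 1209600 3600'
SAMPLE_NS='ipa01.example.test.
ipa02.example.test.
IPA03.example.test.'
# Constructed list of masters known to be alive, one FQDN per line.
LIVE_MASTERS='ipa02.example.test
ipa03.example.test'

# Lowercase each line on stdin and strip the trailing root dot.
norm() { tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# is_live FQDN LIVE_LIST: succeeds if FQDN matches a whole line of LIVE_LIST.
is_live() {
    printf '%s\n' "$2" | norm | grep -qxF "$(printf '%s\n' "$1" | norm)"
}

# soa_mname SOA_LINE: print the MNAME, the first field of the SOA rdata.
soa_mname() { printf '%s\n' "$1" | awk '{print $1; exit}' | norm; }

# stale_names SOA_LINE NS_LIST LIVE_LIST: print "SOA <name>" or "NS <name>"
# for every name the zone still advertises that is not a live master.
stale_names() {
    mname=$(soa_mname "$1")
    is_live "$mname" "$3" || printf 'SOA %s\n' "$mname"
    printf '%s\n' "$2" | norm | while IFS= read -r ns; do
        [ -n "$ns" ] || continue
        is_live "$ns" "$3" || printf 'NS %s\n' "$ns"
    done
}

# Offline run on the sample data; for a live zone pass
#   "$(dig +short SOA "$zone")" "$(dig +short NS "$zone")" instead.
stale_names "$SAMPLE_SOA" "$SAMPLE_NS" "$LIVE_MASTERS"
```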
