Sorry for the late response. Yes, this was helpful. I ended up realizing that each IPA server is a kind of SOA and that I needed to get rid of the old master, and much of it resolved itself... until the next problem surfaced that is keeping me from creating a new master (at least, with my limited knowledge).

I'll start a new message about this to help the web searchers in the future.

On Tue, Feb 14, 2017 at 2:18 AM, Martin Babinsky <[email protected]> wrote:

> On 02/13/2017 10:12 PM, Aaron Young wrote:
>
>> Hello
>>
>> So, I recently took over this site and a couple days into it, the first
>> ipa server died because of disk corruption.
>>
>> Right now, I've built another ipa server to step into the topology as a
>> replica, but I keep getting strange dns errors during update.
>>
>> Looking at it closer, it appears that when nsupdate runs, it fails
>> updating.
>>
>> Looking closer, I notice that the SOA comes back with the name of the
>> missing server.
>>
>> So, it seems like I should change that. So far I've been unable to.
>>
>> I get messages back from nsupdate like
>>
>> "response to SOA query was unsuccessful"
>>
>> I'm not sure what information I should send to help with this.
>>
>> My main question is, is there a way to force the change of the SOA?
>>
>> aaron
>> --
>> Aaron Young
>> MarketFactory, Manager of Site Reliability Engineering
>> 425 Broadway, 3FL
>> New York, NY 10013
>> Office: +1 212 625 9988
>> Direct +1 646 779 3710
>> US Support: +1 (212) 625-0688 | UK Support: +44 (0) 203 695-7997
>>
>
> Hi Aaron,
>
> There may be some stale NS record on other IPA masters which serve your
> DNS zone. You can verify this by running:
>
> # ipa dnsrecord-show <DOMAIN_NAME> @
>
> and check the list of nameservers returned.
>
> To remove the record of the old master run
>
> # ipa dnsrecord-del <DOMAIN_NAME> @ --ns-rec <MASTER_FQDN>
>
> Also, make sure you cleaned up old agreements, services, etc. of the old
> master by running `ipa-replica-manage del --force --cleanup <MASTER_FQDN>`
> on some other IPA master.
>
> You will also probably have to stand up a new CA renewal/CRL master[1] on
> one of the remaining replicas if the first server died and you have CA
> configured.
>
> [1] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>
> Hope this helps
>
> --
> Martin^3 Babinsky
>

--
Aaron Young
MarketFactory, Manager of Site Reliability Engineering
425 Broadway, 3FL
New York, NY 10013
Office: +1 212 625 9988
Direct +1 646 779 3710
US Support: +1 (212) 625-0688 | UK Support: +44 (0) 203 695-7997
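
Added example, not part of the original thread or of FreeIPA: a small shell check that reports whether a zone's SOA MNAME or NS set still names a removed master, the condition discussed in the messages above. It assumes its inputs are text as printed by `dig +short SOA <zone>` and `dig +short NS <zone>`; the function names and the example.test hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: report zone-apex records that still name a removed IPA master.
# Inputs are text as printed by `dig +short SOA <zone>` and `dig +short NS <zone>`.

# Lower-case a hostname and drop the trailing root dot so names compare equal.
norm() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# stale_refs <dead_fqdn> <soa_answer> <ns_answers>
# Prints "SOA-MNAME <name>" and/or "NS <name>" for each stale reference.
stale_refs() {
    dead=$(norm "$1")
    # The first field of the SOA RDATA is the MNAME (the zone's primary server).
    mname=$(norm "$(printf '%s\n' "$2" | awk 'NR == 1 { print $1 }')")
    if [ "$mname" = "$dead" ]; then
        echo "SOA-MNAME $mname"
    fi
    printf '%s\n' "$3" | while read -r ns; do
        ns=$(norm "$ns")
        if [ -n "$ns" ] && [ "$ns" = "$dead" ]; then
            echo "NS $ns"
        fi
    done
}

# Constructed sample answers (hypothetical hosts under example.test).
SAMPLE_SOA='ipa-old.example.test. hostmaster.example.test. 1487030400 3600 900 1209600 3600'
SAMPLE_NS='ipa-old.example.test.
ipa-new.example.test.'

stale_refs 'ipa-old.example.test' "$SAMPLE_SOA" "$SAMPLE_NS"
```

Running the same check against the answers from each remaining master shows which of them still serve the stale records; empty output means that server no longer references the removed host.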
