I've had success going from RHEL6 to RHEL7 and IPA 3.0 to 4.4, without losing any data/objects/clients. It is as you found though, through replication.
I've followed this guide for IPA upgrade:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc

And this guide for in-situ RHEL6 to 7 upgrade, not sure if/how applicable that is to CentOS, but if you can get away doing fresh OS installs, that's always better (I couldn't, very limited access to hardware/BIOS):
https://access.redhat.com/solutions/637583

For IPA upgrade, you definitely want a replica. Well, just another machine on the same network really to help you migrate and you can later go back to using just the one IPA server. As suggested by Rob, you could nominate one of your IPA clients as a replica temporarily (though if that's CentOS 6, it'd need OS upgrade too).

In my case I already had two replicas, and I had done the following (deviating slightly from Red Hat's guide, that says use 3rd/fresh machine, then decomm old ones):

- Removed one RHEL6 replica, uninstalled IPA 3.0 on it, trashed the config etc, made it into as clean RHEL 6 as possible (even yum remove ipa-server etc).
- Upgraded that cleaned up RHEL6 ex-replica to RHEL7 in-situ, and installed IPA 4.4 server.
- Joined the freshly upgraded and empty RHEL7/IPA4.4 to existing realm and moved CA renewal service to it (important).
- Repeated the steps on the other replica (remove from replication, uninstall/trash everything to have as clean RHEL6 as possible, upgraded to RHEL7, install IPA 4.4, re-join).

In a way your steps would be even easier, cause you can ignore step 1, and just use a fresh machine.
If you still want to end up with just 1 IPA server, then you'd introduce new CentOS 7 / IPA 4.4 replica (new machine on the same network, or existing client nominated to be a server for duration of migration), make sure clients can connect to it / are aware of it, move CA renewal to it, remove existing/old IPA from replication, clean it, upgrade to CentOS 7 / IPA 4.4 (or re-install OS from scratch), re-introduce into replication, move CA renewal back to it, and finally remove the new machine replica, so that you're left with your original machine in an upgraded state.

Hope that makes sense.

If you can avoid in-situ 6 to 7 OS upgrade and do fresh OS installs between the replica migrations, all the better, as it can be a bit of an added nuisance (trawling all the *.rpmnew config files and making sure everything is correct).

--
Thanks,
Greg Kubok.

On 26 February 2017 at 11:08, Rob Verduijn <rob.verdu...@gmail.com> wrote:

> Upgrading centos6 to 7 is not a smart thing, unless you like to suffer a
> lot of issues.
>
> Then there are many compatibility issues regarding the upgrade from ipa3.3
> to 4.4
>
> You should consider setting up a temporary vm to migrate from.
> On one of your client systems, I assume you got at least 1 ipa client
>
> Try looking at http://libguestfs.org/virt-p2v.1.html to migrate your
> current system to a vm (side effect : instant full backup)
>
> When you got the vm up and running you can reinstall your main system with
> the new os and ipa.
> Then replicate the old ipa to the new one.
>
> Rob Verduijn
>
> 2017-02-26 0:45 GMT+01:00 Ian Pilcher <arequip...@gmail.com>:
>
>> Is there any way to migrate an IPA server from 6 -> 7 without losing all
>> of the IPA configuration and data? All of the documentation I can find
>> involves setting up a replica, replicating the data over, and then
>> decommissioning the old system; not exactly an option with a single
>> system.
>>
>> --
>> ========================================================================
>> Ian Pilcher                                         arequip...@gmail.com
>> -------- "I grew up before Mark Zuckerberg invented friendship" --------
>> ========================================================================