Thank you for the response, Martin. Server1 had no flags upon install;
however, CA and DNS were selected during the installation. Server2 was joined
and then 'ipa-replica-install --skip-conn-check' was used to join it.
Manual tests of the ports showed all was good, but not in the installation,
so I had to use '--skip-conn-check'.
Server1 -
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain:
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=LCI.DEVDOMAIN.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order:
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC
  IPA masters:,
  IPA CA servers:
  IPA NTP servers:,
  IPA CA renewal master:

On Thu, Mar 2, 2017 at 12:39 AM Martin Basti <> wrote:

> On 01.03.2017 22:00, Matt Wells wrote:
> I have two new IPA 4.4 servers on CentOS7 installed in a lab.  I built the
> first, joined the second and promoted it to be a master.  Thus far all went
> well.
> I then ran the ipa-ca-install and when I log back in I see that it has
> "domain,CA" attached to it.  However when I hit the main IPA page it
> informs me I only have one server in the CA role.
> Drilling down into server2 I see it does not have that role assigned.
> I'm certain I missed an easy step but I've been unable to locate it.
> Any guidance would be greatly appreciated.
>
> Hello,
> can you provide more info? How did you install servers (options used), on
> which server did you run ipa-ca-install?
> Martin
*Matt Wells*
*Lead Systems Architect*