<div dir="ltr">Thank you very much for the straightforward items. <div><br></div><div>I will continue use of these archives (impressed with this group). </div><div>Also improving my use of <a href="https://fedorahosted.org/freeipa/wiki">https://fedorahosted.org/freeipa/wiki</a> </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 18, 2015 at 12:46 PM, Dmitri Pal <span dir="ltr">&lt;<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
<div>On 02/18/2015 12:17 PM, Cory Carlton
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hey all.
<div><br>
</div>
<div> We are in the process of essentially moving data centers
while additionally changing to a new OS (RHEL from CentOS), so
we are building replica with master option servers to the new
networks. Version 3.0. It's up and is working as any of our
instances.</div>
<div><br>
</div>
<div>Question is how or what do I need to bring over on the new
install -replica master(s) to ensure we have all the original
master server information, keys, crt's, CA etc. before we can
shut it down forever (+ a snapshot ;) )</div>
<div><br>
</div>
<div>We have struggled understanding exactly what to back up
since the 3.0 version is lacking backup scripts.</div>
<div><br>
</div>
<div><br>
</div>
<div>A thought, but not timely at present, would be to upgrade
everything in place then migrate; again, not timed right for
us. </div>
<div><br>
</div>
<div>Thanks in advance.</div>
<div><br>
</div>
<div>Cory</div>
<div><br>
</div>
</div>
<br>
<br>
</blockquote>
<br></div></div>
You need to make sure that at least one of the new replicas (better
two) acts as an IPA CA.<br>
You need to move CRL generation to one of the new replicas that are
CAs.<br>
You need to move the certificate tracking from the old master to the
new replica with CA.<br>
<br>
After that you can decommission the old master.<br>
<br>
All these procedures are documented on the wiki and RHEL docs. You
can also find some hints in these archives.<br>
<br>
Martin, do you think we need a combined wiki page that covers this
use case or we already have something like this?<span class="HOEnZb"><font color="#888888"><br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>
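<div>A pre-decommission check for the three conditions listed in the quoted reply, as an added example that is not part of the original thread or the FreeIPA project's code. It assumes the Dogtag <code>CS.cfg</code> switches <code>ca.crl.MasterCRL.enableCRLCache</code> and <code>ca.crl.MasterCRL.enableCRLUpdates</code> and the certmonger helper name <code>dogtag-ipa-renew-agent</code> used by IPA 3.x; the function names are hypothetical and the sample inputs are constructed. Feed it the CA's <code>CS.cfg</code> contents and the output of <code>getcert list</code> from the new replica.</div>

```python
import re

# Assumed Dogtag CS.cfg switches and certmonger helper name (not from the thread).
CRL_KEYS = ("ca.crl.MasterCRL.enableCRLCache", "ca.crl.MasterCRL.enableCRLUpdates")
RENEW_CA = "dogtag-ipa-renew-agent"

# Constructed sample inputs for a new replica, not captured from a real host.
SAMPLE_CS_CFG = """ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
"""
SAMPLE_GETCERT = """Request ID '20150218174600':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca'
\tCA: dogtag-ipa-renew-agent
\ttrack: yes
Request ID '20150218174601':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tCA: IPA
\ttrack: yes
"""

def crl_generation_enabled(cs_cfg):
    """True only when both CRL switches are set to true."""
    kv = dict(l.split("=", 1) for l in cs_cfg.splitlines()
              if "=" in l and not l.lstrip().startswith("#"))
    return all(kv.get(k, "").strip().lower() == "true" for k in CRL_KEYS)

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    reqs = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            reqs.append({"id": m.group(1)})
        elif reqs and ":" in line:
            key, value = line.strip().split(":", 1)
            reqs[-1][key] = value.strip()
    return reqs

def ca_tracking(text):
    """Return (CA subsystem requests seen, ids not renewed locally or unhealthy)."""
    ca_reqs = [r for r in parse_getcert(text)
               if "cert-pki-ca" in r.get("key pair storage", "")]
    bad = [r["id"] for r in ca_reqs if r.get("CA") != RENEW_CA
           or r.get("status") != "MONITORING" or r.get("track") != "yes"]
    return len(ca_reqs), bad

def ready_to_retire_old_master(cs_cfg, getcert_text):
    """This replica is a CA, generates CRLs, and renews the CA certs itself."""
    count, bad = ca_tracking(getcert_text)
    return count > 0 and not bad and crl_generation_enabled(cs_cfg)
```

<div>A replica with no <code>cert-pki-ca</code> tracking requests is treated as not being a CA, so the check fails rather than passing vacuously.</div>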