<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none"></style> </head> <body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;"> I'm trying to create a new replica and i receive the following message: onfiguring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [1/8]: adding sasl mappings to the directory [2/8]: configuring KDC [3/8]: creating a keytab for the directory [4/8]: creating a keytab for the machine [5/8]: adding the password extension to the directory [6/8]: enable GSSAPI for replication [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Can't acquire busy replica I have done a multiple time: ipa-replica-manage del new-ipa.domain.local --force --cleanup I have validated that my ports are open: nmap -Pn -p53,80,88,443,389,464,636 existing-ipa Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-05 13:46 UTC Nmap scan report for existing-ipa (xxx.xxx.xxx.xxx) Host is up (0.29s latency). rDNS record for xxx.xxx.xxx.xxx: existing-ipa.domain.local PORT STATE SERVICE 53/tcp open domain 80/tcp open http 88/tcp open kerberos-sec 389/tcp open ldap 443/tcp open https 464/tcp open kpasswd5 636/tcp open ldapssl Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds nmap -Pn -p53,80,88,443,389,464,636 xxx.xxx.xxx.xxx (this is after the failed install - closed means nothing is listening) Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-05 13:50 UTC Nmap scan report for new-ipa.domain.local (xxx.xxx.xxx.xxx) Host is up (0.21s latency). PORT STATE SERVICE 53/tcp closed domain 80/tcp closed http 88/tcp closed kerberos-sec 389/tcp open ldap 443/tcp closed https 464/tcp closed kpasswd5 636/tcp open ldapssl Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds I am running on Centos 7 with: ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64 ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64 python-libipa_hbac-1.13.0-40.el7_2.2.x86_64 ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64 sssd-ipa-1.13.0-40.el7_2.2.x86_64 libipa_hbac-1.13.0-40.el7_2.2.x86_64 ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64 The other strange thing i notice at the beginning of the install is: ipa : ERROR Could not resolve hostname new-ipa.domain.local using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) But i can find it from the command line with dig/nslookup. With more debug info, i find it is trying to reach another ipa that he has no access to (geo is too far and ports are closed instead of using resolv.conf). What am i missing here? BTW i have multiples replicas installed already. Thanks Louis <div id="Signature"><style type="text/css" style="display:none">  </style> <div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif"> data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAATAAAABMCAIAAABlDnyqAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAUkZJREFUeNrUvQdgZNV5L37PrdNHZdT7Slptb7C7bKEsHQMG3BLABvL8DLgmL3aaE/s9J3HiVOefZzsOTmzAQBwbbAzGGDALC9t71RZJq941o+kzt7/v3DNzdTVNo7Jr/y/a4c6dc/v5nd/XDxL+5j+pPIuu69RSLEt1nKU9lHXRNK1wA5ReyHrGRo7j4KuqqnR6gY2yLMNhdWMhV24u5o3M2gh/6VPku4acG2nLwhgLuRg4Jrkvcnz41TyIeS/kUsl6vsvL9+StW/K9l3zXXOTGYn4tvGMxDZawzWJuhCw0dYWXKwShpV3mfEzZndXcqBkL6e4mBgg8rF3fiuEMYKCCOMy4hvk+7QKIyrivnI/COvr8dnaJBTyThSFtSa5nzouhr+iFLjkal/bZLeB2MjBpEixsgWsjK4SdgKlM/skg2JyYhDWqiMeVceoCTzgfAvP9ah0X5vucF0B6V3PgXpKDXx1qoa/cFVyhG7gSmCySoPLhkyDQFPwAlqb4mkGDc2CyuIeWjclsostun1P+zLnjwmD5mx0r51Q3rmbHWwxJ0v//EjWLEduuKCbzKYGAQKsmRqjSxGS2dJoTk9RV6dPZ+Cz8uvM9mWLk/KvWKxYv0y5e9L3iDPlbiMbfkhEh+0qI6kikVvIVFgIzIrjmVCNzYHLRnaxIXbFI+GVc+W+KFa+CsHaVNcl8DdgrKios4DkiXWMpjUMarcp2pP</div> </div> </body> </html>