[Freeipa-users] freeipa master server disaster recovery

Rob Crittenden rcritten at redhat.com
Thu Apr 8 17:28:08 UTC 2010


James Roman wrote:
> 
>> The bug outlines how to promote a replica to be the primary "master". 
>> You basically just need to import the CA and set up the serial number 
>> file.
>>
>> So let's say you had a master and 2 replicas. In reality the only thing 
>> that differentiates the first master is that it was installed first so 
>> has the CA. As far as data replication goes there is no distinction, 
>> they are all equal.
>>
> Along these lines, does this mean if I have imported certificates signed 
> by a third party CA on all my freeipa servers, that all I would need to 
> do is update the replication agreements (in my case for freeIPA and AD)?

For IPA servers yes.

If the IPA server that dies is running the AD connection then yes, you'd 
have to set that up again as well. AD replication is not MMR-safe so you 
should have only one IPA server set up with AD replication.

rob



