[Freeipa-users] Simple question about replication promotion

Rob Crittenden rcritten at redhat.com
Thu Aug 9 12:31:04 UTC 2012


Rolf Brusletto wrote:
> Yeah, that probably wasn't very clear...
>
> Original - IPA instance w/ DNS, and no Dogtag
> Replica - IPA instance w/ DNS, and no Dogtag

The devil is always in the details. For user data yes, there is no 
difference between the initially installed master and any others. It is 
the CA where things get problematic.

In your case, where you used --selfsign when installing, your CA is only 
on the initial master. You might want to take a look at section 18.8.2 
here: 
http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/promoting-replica.html

If you try to run ipa-replica-prepare on your second master it will 
refuse to do so because it lacks a CA. You need to fetch it from the 
current master, or restore the PKCS#12 file you were warned to back up 
after the initial installation. In your case you also need to create a 
serial number file (if you don't have this you can always pick a new 
starting value).

rob


>
>
> On 8/8/12 3:34 PM, Rob Crittenden wrote:
>> Rolf Brusletto wrote:
>>> We had a rather severe issue last night on our primary IPA server (ver
>>> 2.2.0), but the replica is still happily plugging along, which is very
>>> nice. My question is, there is very, very little I can do with the
>>> 'master'. From what I've read, there isn't any replication, and I just
>>> want to verify that a replica is just another master, assuming you're
>>> not using the CA option. If so, when I rebuild the primary server, do I
>>> just configure it to be a replica to what was the secondary?
>>
>> Just to be clear, you installed the original server with a dogtag CA
>> installed? And then you created a replica but didn't configure a CA on
>> it?
>>
>> rob
>
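As an added example (not part of this thread and not FreeIPA's own code): a small POSIX shell preflight check for the --selfsign CA material Rob describes, meant to be run on the surviving master before attempting ipa-replica-prepare there. The file paths are assumptions rather than something the thread states: on an IPA 2.x --selfsign install the CA PKCS#12 backup was written to /root/cacert.p12 and the serial number counter to /var/lib/ipa/ca_serialno, and the serial file is assumed to hold a plain decimal integer. Both paths can be overridden by arguments, and the function names (check_selfsign_ca_material, init_serial_file) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: verify that the CA
# material a --selfsign master needs is present before running
# ipa-replica-prepare, and create a serial number file when it is missing.
# Assumed default paths (IPA 2.x selfsign): /root/cacert.p12 for the CA
# PKCS#12 backup and /var/lib/ipa/ca_serialno for the serial counter.

# Usage: check_selfsign_ca_material [CA_P12] [SERIAL_FILE]
# Returns 0 when both files exist and the serial file holds a decimal
# integer, 1 otherwise, reporting on stderr what has to be restored.
check_selfsign_ca_material() {
    ca_p12="${1:-/root/cacert.p12}"
    serial_file="${2:-/var/lib/ipa/ca_serialno}"
    status=0

    if [ ! -s "$ca_p12" ]; then
        echo "missing CA PKCS#12 file: $ca_p12 (restore the backup taken after ipa-server-install)" >&2
        status=1
    fi

    if [ ! -s "$serial_file" ]; then
        echo "missing serial number file: $serial_file" >&2
        status=1
    elif ! grep -Eq '^[0-9]+$' "$serial_file"; then
        echo "serial number file $serial_file does not hold a decimal integer" >&2
        status=1
    fi

    return "$status"
}

# Usage: init_serial_file SERIAL_FILE START
# Creates the serial number file with a chosen starting value. It refuses
# to overwrite an existing file so a live counter is never reset, and it
# creates the file mode 0600 since only root should read or change it.
init_serial_file() {
    serial_file="$1"
    start="$2"
    case "$start" in
        ''|*[!0-9]*) echo "start value must be a decimal integer" >&2; return 1 ;;
    esac
    if [ -e "$serial_file" ]; then
        echo "refusing to overwrite existing $serial_file" >&2
        return 1
    fi
    ( umask 077; printf '%s\n' "$start" > "$serial_file" )
}

# Run the check only when executed as a script, not when sourced for the
# functions (the script name below is an assumption).
if [ "${0##*/}" = "check_selfsign_ca.sh" ]; then
    check_selfsign_ca_material "$@" && echo "CA material present; ipa-replica-prepare can proceed"
fi
```

Run it as root on the master you intend to prepare replicas from; a non-zero exit with the messages on stderr tells you whether to restore the PKCS#12 backup, recreate the serial file, or both, before ipa-replica-prepare is attempted.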