[Freeipa-users] Replacing the primary IPA server

Simo Sorce simo at redhat.com
Mon Feb 13 20:43:19 UTC 2012


On Mon, 2012-02-13 at 21:37 +0100, Sigbjorn Lie wrote:
> On 02/13/2012 08:55 PM, Simo Sorce wrote:
> > On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote:
> >> On 02/13/2012 08:16 PM, Rob Crittenden wrote:
> >>> Sigbjorn Lie wrote:
> >>>> Hi,
> >>>>
> >>>> What precautions need to be taken when replacing the primary/first IPA
> >>>> server?
> >>>>
> >>>> Is it enough to reinstall the server and run an ipa-replica-install from
> >>>> one of the other replicas?
> >>> It depends on what type of CA installation you have. Did you install
> >>> with dogtag or with a selfsign CA?
> >>>
> >>> rob
> >>>
> >> Dogtag
> > If you installed the CA on more than one replica, then you can remove
> > the first master, all the info is replicated on the other replicas that
> > have a clone of the CA. Note that the CA is not replicated by default;
> > see the --setup-ca option or ipa-ca-install.
> 
> Excellent. Yes, I've used --setup-ca when I created the replicas. :)
> 
> What if I have 3 IPA servers. 2 being replicated off the first master. 
> The master is re-installed and re-setup using ipa-replica-install from 
> one of the 2 other IPA servers.
> 
> Will not the 3rd server be left without a sync agreement? Does the 3rd 
> server need to be manually added back in with a sync agreement?

Before removing any server you should make sure it will not break the
topology.

You can use ipa-replica-manage and ipa-ca-replica-manage to create links
between the 2 other servers before you retire the hub.

You have to use both the commands as CA replication agreements are
distinct from IPA replication agreements.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
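
The topology check described in the message above, as an added example that is not part of the original thread: it takes the IPA and the CA replication agreements as two separate lists of server pairs and reports which new links each set needs before the hub is retired. The hostnames and agreement lists are constructed sample data; in practice the pairs would be transcribed from the agreements your servers actually have.

```python
from collections import deque

def partitions(agreements, retiring):
    """Groups of servers that can still replicate once `retiring` is gone."""
    adj = {}
    for a, b in agreements:            # agreements are bidirectional links
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    adj.pop(retiring, None)
    for peers in adj.values():
        peers.discard(retiring)
    seen, groups = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        seen.add(start)
        group, queue = [], deque([start])
        while queue:
            node = queue.popleft()
            group.append(node)
            for peer in sorted(adj[node] - seen):
                seen.add(peer)
                queue.append(peer)
        groups.append(sorted(group))
    return groups

def links_needed(agreements, retiring):
    """Fewest new agreements that rejoin the groups: chain one server from each."""
    groups = partitions(agreements, retiring)
    return [(groups[i][0], groups[i + 1][0]) for i in range(len(groups) - 1)]

def check_retirement(domain_agreements, ca_agreements, retiring):
    """Check the IPA and CA agreement sets separately; they are distinct."""
    return {"domain": links_needed(domain_agreements, retiring),
            "ca": links_needed(ca_agreements, retiring)}

# Constructed topology: ipa1 is the hub, ipa2 and ipa3 hang off it.
HUB, R2, R3 = "ipa1.example.com", "ipa2.example.com", "ipa3.example.com"
DOMAIN = [(HUB, R2), (HUB, R3)]
CA = [(HUB, R2), (HUB, R3)]

if __name__ == "__main__":
    print(check_retirement(DOMAIN, CA, HUB))
    # After linking ipa2 and ipa3 for the IPA data only, the CA set is still split.
    print(check_retirement(DOMAIN + [(R2, R3)], CA, HUB))
```

An empty list for both "domain" and "ca" means the hub can be removed without leaving any server cut off in either agreement set.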



