[Freeipa-users] Replacing the primary IPA server

Sigbjorn Lie sigbjorn at nixtra.com
Tue Feb 14 21:28:45 UTC 2012


On 02/14/2012 12:31 AM, Simo Sorce wrote:
> On Tue, 2012-02-14 at 00:14 +0100, Sigbjorn Lie wrote:
>> On 02/13/2012 09:43 PM, Simo Sorce wrote:
>>> On Mon, 2012-02-13 at 21:37 +0100, Sigbjorn Lie wrote:
>>>> On 02/13/2012 08:55 PM, Simo Sorce wrote:
>>>>> On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote:
>>>>>> On 02/13/2012 08:16 PM, Rob Crittenden wrote:
>>>>>>> Sigbjorn Lie wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> What precautions need to be taken when replacing the primary/first IPA
>>>>>>>> server?
>>>>>>>>
>>>>>>>> Is it enough to reinstall the server and run a ipa-replica-install from
>>>>>>>> one of the other replicas?
>>>>>>> It depends on what type of CA installation you have. Did you install
>>>>>>> with dogtag or with a selfsign CA?
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>> Dogtag
>>>>> If you installed the CA on more than one replica, then you can remove
>>>>> the first master, all the info is replicated on the other replicas that
>>>>> have a clone of the CA. Note that the CA is not replicated by default
>>>>> see the --setup-ca option or ipa-ca-install
>>>> Excellent. Yes, I've used --setup-ca when I created the replicas. :)
>>>>
>>>> What if I have 3 IPA servers. 2 being replicated off the first master.
>>>> The master is re-installed and re-setup using ipa-replica-install from
>>>> one of the 2 other IPA servers.
>>>>
>>>> Will not the 3rd server be left without a sync agreement? Does the 3rd
>>>> server need to be manually added back in with a sync agreement?
>>> Before removing any server you should make sure it will not break the
>>> topology.
>>>
>>> You can use ipa-replica-manage and ipa-ca-replica-manage to create links
>>> between the 2 other servers before you retire the hub.
>>>
>>> You have to use both the commands as CA replication agreements are
>>> distinct from IPA replication agreements.
>>>
>>>
>> 1. Let's say the server has crashed. Unrecoverable. Can new replication
>> agreements still be set up between the remaining hosts?
> Yes, you should be able to change the agreements, as all the principals
> already exist so there is no need to replicate through the old hub just
> to set them up.
>
>> 2. I do not see a way for displaying relationships between the IPA hosts
>> when viewing the replicas with ipa-replica-manage list. I see the same
>> output on all the IPA hosts.
> ipa-replica-manage list shows all servers
> ipa-replica-manage list servername shows the replication agreements that
> server uses
>
> If they all look the same it means you have a full mesh :)
>
>> 3. Perhaps this was discussed earlier: Can there be configured a ring of
>> replicas with IPA?
> If by ring you mean A <-> B <-> C <-> A then yes. In general we
> recommend to not have more than 4 replication agreements per server, but
> that's more of a rule of thumb than a hard limit.
>

Thank you. :)

For anyone else reading this thread and looking for more information, 
see the link below. I see some of my questions were already documented 
there.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html
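The advice above (check the topology before retiring the hub, create the missing links between the remaining servers with both ipa-replica-manage and ipa-ca-replica-manage, and read `ipa-replica-manage list <server>` per server to see who talks to whom) can be turned into a dry-run planner. The script below is an added example, not code from the thread or from FreeIPA: it parses constructed `ipa-replica-manage list <server>` output from each server (the `peer: replica` line format is an assumption about the 2.x tools), treats the agreements as an undirected graph, and prints the `connect` commands that keep the survivors connected once the hub is gone. The `connect a b` argument order is also an assumption; check `man ipa-replica-manage` on your version before running anything it prints.

```python
"""Dry-run topology check before retiring a FreeIPA server.

Added example (not FreeIPA code, not from the thread). The sample output
below is constructed to match the scenario in the thread: one master
(ipa1) with two replicas hanging off it and no link between the two.
"""
from collections import defaultdict
from itertools import combinations

# Constructed stand-in for running `ipa-replica-manage list <server>` on
# every server. Assumed line format: "peer.example.com: replica".
SAMPLE_OUTPUTS = {
    "ipa1.example.com": "ipa2.example.com: replica\nipa3.example.com: replica\n",
    "ipa2.example.com": "ipa1.example.com: replica\n",
    "ipa3.example.com": "ipa1.example.com: replica\n",
}


def parse_list_output(text):
    """Return the set of peers named in one server's list output."""
    peers = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        peer, _, _kind = line.partition(":")
        peers.add(peer.strip())
    return peers


def build_topology(outputs):
    """outputs: {server: list-output-text} -> undirected agreement graph."""
    graph = defaultdict(set)
    for server, text in outputs.items():
        graph[server]  # an isolated server must still appear as a node
        for peer in parse_list_output(text):
            graph[server].add(peer)
            graph[peer].add(server)
    return dict(graph)


def components(graph, exclude=()):
    """Connected components of the graph with `exclude` servers removed."""
    nodes = set(graph) - set(exclude)
    comps, unseen = [], set(nodes)
    while unseen:
        start = min(unseen)
        seen, stack = {start}, [start]
        while stack:
            for peer in graph.get(stack.pop(), ()):
                if peer in nodes and peer not in seen:
                    seen.add(peer)
                    stack.append(peer)
        comps.append(sorted(seen))
        unseen -= seen
    return comps


def is_connected(graph, exclude=()):
    return len(components(graph, exclude)) <= 1


def links_to_add(graph, retiring):
    """Minimal set of new agreements so the survivors stay connected.

    One representative per surviving component (the server with the
    fewest remaining agreements, to respect the ~4-per-server rule of
    thumb), chained together. Returns [] when nothing is needed.
    """
    reps = []
    for comp in components(graph, exclude={retiring}):
        reps.append(min(comp, key=lambda s: (len(graph[s] - {retiring}), s)))
    return list(zip(reps, reps[1:]))


def repair_commands(pairs):
    """Both tools are needed: CA agreements are separate from IPA ones."""
    cmds = []
    for a, b in pairs:
        cmds.append(f"ipa-replica-manage connect {a} {b}")
        cmds.append(f"ipa-ca-replica-manage connect {a} {b}")
    return cmds


def with_links(graph, pairs):
    """Copy of the graph with the planned agreements added (for re-check)."""
    new = {s: set(p) for s, p in graph.items()}
    for a, b in pairs:
        new.setdefault(a, set()).add(b)
        new.setdefault(b, set()).add(a)
    return new


def plan(outputs, retiring):
    graph = build_topology(outputs)
    pairs = links_to_add(graph, retiring)
    return {
        "connected_without_hub": is_connected(graph, exclude={retiring}),
        "pairs": pairs,
        "commands": repair_commands(pairs),
        "connected_after": is_connected(with_links(graph, pairs), exclude={retiring}),
    }


if __name__ == "__main__":
    result = plan(SAMPLE_OUTPUTS, "ipa1.example.com")
    print("survivors connected without hub:", result["connected_without_hub"])
    for cmd in result["commands"]:
        print("run:", cmd)
```

For the constructed hub-and-spoke above the planner prints that the survivors are not connected and emits one `connect` per tool for ipa2/ipa3; for a full mesh it emits nothing. It only plans the connect step: dropping the dead server's own agreements from the survivors is a separate step with the tools' `del` subcommand, and both steps should be run from a surviving server, not the one being retired.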
