[Freeipa-users] ipa sync agreement to AD DC is taking a very long time

[Alexander Bokovoy]

On Mon, 14 Oct 2013, janice.psyop wrote:

>Hi,
>
>I've been setting up an IPA server (centos 6.4) with AD trust (2008R2
>domain) following the FC18 freeipa guide.
AD trusts is different from AD sync agreement.

What you describe below is use of passsync/winsync (AD sync), not AD
trusts. Just to make sure we are on the same level here.
>
>Everything has gone smoothly until I ran the ipa-replica-manage connect
>command to the AD DC and it seems to be running (no errors on std out and
>ps says it is still running), but it has been running for six hours!  We do
>have ~2000 user entries,  but I didn't think it would take this long to
>sync up.
>
>The command I ran was this (see below) and the screen now just displays
>repeating "Update in progress".  I'm very tempted to kill it in case
>something is going horribly wrong (with the AD user accounts...)
>
>/usr/sbin/ipa-replica-manage connect --winsync
>--passsync=MySecretPass
>--binddn=CN=myipasyncuser,CN=Users,DC=domain,DC=com
>--bindpw=MySecretPass
>--cacert=/etc/openldap/cacerts/DC-CA.cer
>-v dc.domain.com
>
>
>Update in progress
>Update in progress
>Update in progress
>Update in progress
>Update in progress
>Update in progress
>Update in progress
>
>
>Is there any way to check the progress of this in case it is in fact hung
>up?  The last few entries in the ipa/default.log is from six hours ago:
>
>
>2013-10-14T21:32:45Z    2706    MainThread      ipa     INFO    Added new
>sync agreement, waiting for it to become ready . . .
>2013-10-14T21:32:46Z    2706    MainThread      ipa     INFO    Replication
>Update in progress: FALSE: status: 0 Replica acquired successfully:
>Incremental update started: start: 0: end: 0
>2013-10-14T21:32:46Z    2706    MainThread      ipa     INFO    Agreement
>is ready, starting replication . . .
Try to change some user data on AD side, it would trigger update of the
IPA side.

-- 
/ Alexander Bokovoy