[Freeipa-users] backup procedure : procedure for a lost of primary master
Rob Crittenden
rcritten at redhat.com
Tue Nov 25 20:43:58 UTC 2014
Nicolas Zin wrote:
>
> Hi,
>
> I read the backup procedure on http://www.freeipa.org/page/Backup_and_Restore. If I lose my first master, it is stated than:
> - Clean deployment from the lost server by removing all replication agreements with it.
> - Choose another FreeIPA Server with CA installed to become the first master
> - Nominate this master to be the one in charge or renewing certs and publishing CRLS. This is a manual procedure at the moment.
> - Follow standard installation procedure to deploy a new master on a hardware/VM of your choice
Yes, that's right. If the master is gone you'll need to use the --force
command to remove the agreements. You may also need to do additional
replication topology work to ensure that every master has at least one
valid agreement.
For example, if you have A <-> B <-> C and B dies, you'll need to
connect A to C as well otherwise you may get complaints about leaving C
orphaned.
> How do I nominate this master to be the one in charge of renews certs and publishing CRLS? I didn't found the procedure.
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> Also do I care to differentiate between the first master and other replica, if my IPA installation use an external root CA certificate (Windows AD in that case)?
All masters are equal in IPA with the exception of optional services
(CA, DNS) and which one generates the CRL and is the initiator of
certificate renewal.
rob
More information about the Freeipa-users
mailing list