[Freeipa-users] Deleted Replica Problems

Petr Vobornik pvoborni at redhat.com
Thu Aug 4 10:47:29 UTC 2016


On 08/03/2016 08:06 PM, Ian Harding wrote:
> I deleted a replica that had a corrupted ldap database and it caused
> some problems.  I'm now getting the dreaded

What do you mean by "deleted"? Ran `ipa-replica-manage del $server`?
Removed the machine completely? Or something else?

> 
> [root@edinburghnfs ianh]# ipa-replica-manage connect freeipa-sea.bpt.rocks
> Connection unsuccessful: freeipa-sea.bpt.rocks is an IPA Server, but it
> might be unknown, foreign or previously deleted one.
> 
> I had to go around and remove old replication agreements from the other
> replicas, but then they could connect again.  This one, and another, I
> am not able to do that with.  They were initially created with
> freeipa-sea as their master.

Which replica is the deleted one? freeipa-sea.bpt.rocks  or edinburghnfs ?

> 
> I assume I run ipa-server-install --uninstall on edinburghnis, then
> reinstall to fix?
> 
> There's always an error about having to "Manually remove" the ldap
> database.  What's the best way to do that?

Where is the error shown and what is the exact text?

In general
- if replica is removed/uninstalled then it cannot be added back
- incorrectly removed replicas might
 - still have dangling replication agreements
 - various ldap entries in LDAP db which are normally removed by
`ipa-replica-manage del $replica`
 - suffer from dangling ruvs

Most of the issues above can be fixed by `ipa-(cs)replica-manage del
$replica --clean --force` commands. And then clean ruvs commands of the
same tool.

Correct order of IPA replica is:
- transfer CA CRL and CA renewal roles to different replica if this one
is the master which handles it
- make sure you have another replica with CA
- run `ipa-csreplica-manage del $tobedeleted` on different replica
- run `ipa-replica-manage del $tobedeleted` on different replica
- run `ipa-server-install --uninstall` on the to-be-deleted replica

-- 
Petr Vobornik
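
Added example, not part of the original message or of FreeIPA itself: a small shell check for the "dangling ruvs" case mentioned in the reply, comparing the server list against the RUV list. The helper name `report_ruvs`, the sample hosts and the assumed output formats of `ipa-replica-manage list` and `ipa-replica-manage list-ruv` are assumptions; the sample data is constructed.

```shell
#!/bin/sh
# Constructed sample output (not from the thread). Assumed line formats:
#   ipa-replica-manage list      ->  "<host>: master"
#   ipa-replica-manage list-ruv  ->  "<host>:<port>: <replica id>"
SAMPLE_LIST='ipa1.example.test: master
ipa2.example.test: master'
SAMPLE_RUV='ipa1.example.test:389: 4
ipa2.example.test:389: 3
ipa3.example.test:389: 7
ipa2.example.test:389: 9'

# report_ruvs LIST_OUTPUT RUV_OUTPUT  (hypothetical helper name)
# Prints one line per suspicious RUV:
#   dangling  <id> <host>   host is no longer in the server list
#   duplicate <id> <host>   host has more than one replica ID; review by hand
report_ruvs() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        /^---$/ { in_ruv = 1; next }
        !in_ruv {                       # server list: remember each host name
            host = $1; sub(/:.*/, "", host)
            if (host != "") known[host] = 1
            next
        }
        # RUV entry; header and blank lines do not match and are skipped
        NF == 2 && $1 ~ /^[^:]+:[0-9]+:$/ && $2 ~ /^[0-9]+$/ {
            host = $1; sub(/:.*/, "", host)
            n++; h[n] = host; id[n] = $2; count[host]++
        }
        END {
            for (i = 1; i <= n; i++) {
                if (!(h[i] in known))         print "dangling", id[i], h[i]
                else if (count[h[i]] > 1)     print "duplicate", id[i], h[i]
            }
        }'
}

# On a live server, feed the real output instead of the samples:
#   report_ruvs "$(ipa-replica-manage list)" "$(ipa-replica-manage list-ruv)"
# and remove a confirmed dangling entry with: ipa-replica-manage clean-ruv <id>
report_ruvs "$SAMPLE_LIST" "$SAMPLE_RUV"
```

Run the check on a replica that is staying in the topology, and confirm each reported ID by hand before cleaning it.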



