[Freeipa-users] steps to debug SOA serial being out of sync?

Petr Spacek pspacek at redhat.com
Mon Jul 11 07:33:40 UTC 2016


On 8.7.2016 19:13, Anthony Clark wrote:
> Hello All,
> 
> I have two FreeIPA servers set up as follows:
> 
> ns01:  ipa-server-install --realm=DEV.REDACTED.NET --mkhomedir --setup-dns
> --ssh-trust-dns --forwarder=1.2.3.4
> 
> ns02:  ipa-replica-install
> /var/lib/ipa/replica-info-ns02.dev.redacted.net.gpg --setup-ca --mkhomedir
> --ssh-trust-dns --setup-dns --forwarder=1.2.3.4
> 
> 
> Now, after being in use for a few months, my SOA serial numbers are
> different as reported by the two servers:
> 
> ns01 reports 1467996578
> ns02 reports 1467996455
> 
> [root at ns02 ~]# ipa dnszone-show dev.redacted.net
> ...
>   SOA serial: 1467996455
> ...
> 
> Same result on ns01, 1467996455
> 
> ipa-replica-conncheck is fine.
> 
> After an "ipactl restart" on ns02 (thinking that I needed to refresh the
> ns02 FreeIPA instance somehow) the SOA serial on ns02 increments *beyond*
> that of ns01:
> 
> ns01: 1467996578
> ns02:  1467997519
> 
> Another "ipactl restart" on ns02 results in:
> 
> ns01:  1467996578
> ns02:  1467997595
> 
> Running "ipactl restart" on ns01 results in:
> 
> ns01:  1467997873
> ns02:  1467997595
> 
> ns02 doesn't seem to be getting its serial number from ns01 at all.
> 
> Did I set up ns02 incorrectly?  Should I have skipped the "--setup-dns" on
> the replica?
> 
> Does anyone have any suggestions on how to debug this further?

Hello,

This is in fact expected. IPA has multi-master DNS so serials are not synced.

This is documented in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-master-dns-zones.html#zone-transfers

I hope it helps.

-- 
Petr^2 Spacek
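Since each IPA DNS master keeps its own SOA serial, a health check that compares serials across masters (as the original poster did) will always report a mismatch. An added example, not from this thread or from FreeIPA, that instead compares the records the two masters actually serve; the zone dumps are constructed here in dig/AXFR-style output format and reuse the serials quoted above:

```python
# Added example: compare what two FreeIPA DNS masters actually serve while
# masking the SOA serial, which each master maintains independently.
from collections import defaultdict

def parse_zone(text):
    """Parse a dig/AXFR-style dump ("name TTL class type rdata...") into
    {(name, type): {rdata, ...}}. Returns (records, soa_serial)."""
    records = defaultdict(set)
    serial = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        name, _ttl, _cls, rtype, *rdata = fields
        if rtype == "SOA":
            serial = int(rdata[2])
            rdata[2] = "<serial>"  # mask the per-master serial before comparing
        records[(name.lower(), rtype)].add(" ".join(rdata))
    return dict(records), serial

def compare_masters(dump_a, dump_b):
    """Return (serials_differ, record_diffs). serials_differ is expected in
    multi-master DNS; a non-empty record_diffs means real content divergence."""
    rec_a, ser_a = parse_zone(dump_a)
    rec_b, ser_b = parse_zone(dump_b)
    keys = set(rec_a) | set(rec_b)
    diffs = sorted(k for k in keys if rec_a.get(k) != rec_b.get(k))
    return ser_a != ser_b, diffs

# Constructed sample dumps (hypothetical records, serials from the thread).
NS01 = """dev.redacted.net. 86400 IN SOA ns01.dev.redacted.net. hostmaster.dev.redacted.net. 1467996578 3600 900 1209600 3600
dev.redacted.net. 86400 IN NS ns01.dev.redacted.net.
dev.redacted.net. 86400 IN NS ns02.dev.redacted.net.
ns01.dev.redacted.net. 1200 IN A 10.0.0.1
"""
NS02 = NS01.replace("1467996578", "1467996455")          # same data, own serial
NS02_STALE = NS02.replace("ns01.dev.redacted.net. 1200 IN A 10.0.0.1\n", "")

if __name__ == "__main__":
    for label, other in (("ns02", NS02), ("ns02-stale", NS02_STALE)):
        serials_differ, diffs = compare_masters(NS01, other)
        print(label, "serials differ:", serials_differ, "record diffs:", diffs)
```

Serial drift alone is reported but not treated as an error; only a differing RRset indicates that LDAP replication between the masters has actually failed.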
