[Freeipa-users] lost master master and soa

Martin Babinsky mbabinsk at redhat.com
Tue Feb 14 07:18:49 UTC 2017


On 02/13/2017 10:12 PM, Aaron Young wrote:
> hello
>
> So, I recently took over this site and a couple days into it, the first
> ipa server died because of disk corruption.
>
> Right now, I've built another ipa server to step into the topology as a
> replica, but I keep getting strange dns errors during update
>
> Looking at it closer, it appears that when nsupdate runs, it fails updating
>
> looking closer, I notice that the SOA comes back with the name of the
> missing server
>
> So, it seems like I should change that. So far I've been unable to
>
> I get messages back from nsupdate like
>
> "response to SOA query was unsuccessful"
>
> I'm not sure what information I should send to help with this
>
> My main question is, is there a way to force the change of the SOA?
>
> aaron
> --
> Aaron Young
> MarketFactory, Manager of Site Reliability Engineering
> 425 Broadway, 3FL
> New York, NY 10013
> Office: +1 212 625 9988
> Direct +1 646 779 3710
> US Support: +1 (212) 625-0688 | UK
> Support: +44 (0) 203 695-7997
>
>

Hi Aaron,

there may be some stale NS record on other IPA masters which serve your 
DNS zone. You can verify this by running:

# ipa dnsrecord-show <DOMAIN_NAME> @

and check the list of nameservers returned.

To remove the record of the old master run

# ipa dnsrecord-del <DOMAIN_NAME> @ --ns-rec <MASTER_FQDN>

Also, make sure you cleaned up old agreements, services, etc. of the old 
master by running `ipa-replica-manage del --force --cleanup 
<MASTER_FQDN>` on some other IPA master.

You will also probably have to stand up a new CA renewal/CRL master[1] 
on one of the remaining replicas if the first server died and you have CA 
configured.

[1] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Hope this helps

-- 
Martin^3 Babinsky
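
The NS check described in the reply above can be scripted. This is an added example, not part of the original message or of FreeIPA itself: it reads `ipa dnsrecord-show <DOMAIN_NAME> @` output and prints the apex NS targets that are not in a list of masters known to be alive. The output layout (a comma-separated "NS record:" line), the hostnames and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample of `ipa dnsrecord-show example.test @` output
# (assumed layout: multi-valued NS data on one comma-separated line).
SAMPLE_OUTPUT='  Record name: @
  NS record: ipa-old.example.test., ipa2.example.test., ipa3.example.test.'

# Constructed list of masters that are still alive, space separated.
LIVE_MASTERS='ipa2.example.test ipa3.example.test'

# normalize NAME: lowercase and drop the trailing dot so that
# "IPA2.example.test." and "ipa2.example.test" compare equal.
normalize() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# ns_targets: read dnsrecord-show output on stdin, print one NS target per line.
ns_targets() {
    sed -n 's/^[[:space:]]*NS record:[[:space:]]*//p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# stale_ns OUTPUT "LIVE1 LIVE2 ...": print NS targets that match no live master.
# Each printed name is a candidate for `ipa dnsrecord-del ... --ns-rec`.
stale_ns() {
    output=$1
    live=$2
    printf '%s\n' "$output" | ns_targets | while IFS= read -r target; do
        name=$(normalize "$target")
        found=no
        for m in $live; do
            if [ "$(normalize "$m")" = "$name" ]; then
                found=yes
            fi
        done
        if [ "$found" = no ]; then
            printf '%s\n' "$target"
        fi
    done
}

# Run against the constructed sample; on a real master, pass
# "$(ipa dnsrecord-show <DOMAIN_NAME> @)" as the first argument instead.
stale_ns "$SAMPLE_OUTPUT" "$LIVE_MASTERS"
```

Review the printed names by hand before deleting anything, since a live master missing from the list would be reported as stale.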
