[Freeipa-users] lost master master and soa

Aaron Young ayoung at marketfactory.com
Wed Feb 22 22:01:19 UTC 2017


Sorry for the late response. Yes, this was helpful.

I ended up realizing that each IPA server is a kind of SOA and that I
needed to get rid of the old master and much of it resolved itself...until
the next problem surfaced that is keeping me from creating a new master (at
least, with my limited knowledge)

I'll start a new message about this to help the web searchers in the future.


On Tue, Feb 14, 2017 at 2:18 AM, Martin Babinsky <mbabinsk at redhat.com>
wrote:

> On 02/13/2017 10:12 PM, Aaron Young wrote:
>
>> hello
>>
>> So, I recently took over this site and a couple days into it, the first
>> ipa server died because of disk corruption.
>>
>> Right now, I've built another ipa server to step into the topology as a
>> replica, but I keep getting strange dns errors during update
>>
>> Looking at it closer, it appears that when nsupdate runs, it fails
>> updating
>>
>> looking closer, I notice that the SOA comes back with the name of the
>> missing server
>>
>> So, it seems like I should change that. So far I've been unable to
>>
>> I get messages back from nsupdate like
>>
>> "response to SOA query was unsuccessful"
>>
>> I'm not sure what information I should send to help with this
>>
>> My main question is, is there a way to force the change of the SOA?
>>
>> aaron
>> --
>> Aaron Young
>> MarketFactory, Manager of Site Reliability Engineering
>> 425 Broadway, 3FL
>> New  York, NY 10013
>> Office: +1 212 625 9988
>> Direct +1 646 779 3710
>> US Support: +1 (212) 625-0688 | UK
>> Support: +44 (0) 203 695-7997
>>
>>
>>
> Hi Aaron,
>
> there may be some stale NS record on other IPA masters which serve your
> DNS zone. You can verify this by running:
>
> # ipa dnsrecord-show <DOMAIN_NAME> @
>
> and check the list of nameservers returned.
>
> To remove the record of the old master run
>
> # ipa dnsrecord-del <DOMAIN_NAME> @ --ns-rec <MASTER_FQDN>
>
> Also, make sure you cleaned up old agreements, services, etc. of the old
> master by running `ipa-replica-manage del --force --cleanup <MASTER_FQDN>`
> on some other IPA master.
>
> You will also probably have to stand up a new CA renewal/CRL master[1] on
> one of the remaining replicas if the first server died and you have CA
> configured.
>
> [1] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>
> Hope this helps
>
> --
> Martin^3 Babinsky
>



-- 
Aaron Young
MarketFactory, Manager of Site Reliability Engineering
425 Broadway, 3FL
New  York, NY 10013
Office: +1 212 625 9988
Direct +1 646 779 3710
US Support: +1 (212) 625-0688 | UK Support: +44 (0) 203 695-7997
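
An added example, not part of the original messages or of FreeIPA itself: a shell helper for the check described in the quoted reply, listing NS records (and the SOA MNAME) that name a server outside the set of live masters. It assumes the text layout of `ipa dnsrecord-show` and `dig +short SOA` output; all hostnames and sample output are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example. Assumes `ipa dnsrecord-show <DOMAIN_NAME> @` prints name servers
# on one "NS record: a., b." line and `dig +short SOA <zone>` puts MNAME first.

# Constructed sample output; hostnames are placeholders.
SAMPLE_NS='  Record name: @
  NS record: ipa1.example.test., ipa2.example.test., ipa-old.example.test.'
SAMPLE_SOA='ipa-old.example.test. hostmaster.example.test. 1487800000 3600 900 1209600 3600'

# Lower-case an FQDN and drop the trailing root dot so names compare equal.
norm_fqdn() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# list_ns TEXT: one normalised name server per line.
list_ns() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*NS record:[[:space:]]*//p' |
        tr ',' '\n' |
        while read -r ns; do
            if [ -n "$ns" ]; then norm_fqdn "$ns"; fi
        done
}

# soa_mname LINE: primary name server (first field) of a SOA answer.
soa_mname() {
    norm_fqdn "${1%% *}"
}

# is_live NAME MASTER...: succeed if NAME is one of the live masters.
is_live() {
    name=$(norm_fqdn "$1"); shift
    for m in "$@"; do
        [ "$name" = "$(norm_fqdn "$m")" ] && return 0
    done
    return 1
}

# stale_ns TEXT MASTER...: NS entries that are not live masters.
stale_ns() {
    text=$1; shift
    list_ns "$text" | while read -r ns; do
        is_live "$ns" "$@" || printf '%s\n' "$ns"
    done
}

# Demo on the constructed sample: report only, nothing is deleted here.
for ns in $(stale_ns "$SAMPLE_NS" ipa1.example.test ipa2.example.test); do
    echo "stale NS record: $ns (review, then: ipa dnsrecord-del <DOMAIN_NAME> @ --ns-rec <MASTER_FQDN>)"
done
```

On a real deployment, feed `stale_ns` the captured output of the `ipa dnsrecord-show` command from the reply and pass the FQDNs of the masters that are still running.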