2.5. Setting up IPA Replicas

In the IPA domain, there are three types of machines:

Servers, which manage all of the services used by domain members
Replicas, which are essentially clones of servers
Clients, which belong to the Kerberos domains, receive certificates and tickets issued by the servers, and use other centralized services for authentication and authorization

A replica is a clone of a specific IPA server. The server and replica share the same internal information about users, machines, certificates, and configured policies. These data are copied from the server to the replica in a process called replication. The two Directory Server instances used by an IPA server — the Directory Server instance used by the IPA server as a data store and the Directory Server instance used by the Dogtag Certificate System to store certificate information — are replicated over to corresponding consumer Directory Server instances used by the IPA replica.

TIP

If you are using the integrated Dogtag Certificate System instance as the CA for the IPA domain, then it is possible to make a replica of a replica. It is not possible to make a replica of a replica if you use the --selfsign option for the original IPA server.

2.5.1. Prepping and Installing the Replica Server

Replicas are functionally the same as IPA servers, so they have the same installation requirements and packages.

Make sure that the machine meets all of the prerequisites listed in Section 2.2, “Preparing to Install the IPA Server”.
Install the server packages as in Section 2.3, “Installing the IPA Server Packages”. For example:
```
# yum install ipa-server bind bind-dyndb-ldap
```
IMPORTANT
Do not run the ipa-server-install script.
The replica and the master server must be running the same version of IPA.
If there is an existing Dogtag Certificate System or Red Hat Certificate System instance on the replica machine, make sure that port 7389 is free. This port is used by the master IPA server to communicate with the replica.
Make sure the appropriate ports are open on both the server and the replica machine during and after the replica configuration. Servers and replicas connect to each other over ports 9443, 9444, 9445, and 7389 during the replica configuration. Once the replica is set up, the server and replica communicate over port 7389.

2.5.2. Creating the Replica

NOTE

Make sure that the replica machine exists in the server's DNS before beginning to configure the replica. If the server cannot contact the replica machine during the configuration process, then the replica configuration fails. If necessary, add a DNS entry, as in Section 8.9, “Adding Records to DNS Zones”.

On the master server, create a replica information file. This contains realm and configuration information taken from the master server which will be used to configure the replica server.
Run the ipa-replica-prepare command on the master IPA server. The command requires the fully-qualified domain name of the replica machine. Using the --ip-address option automatically creates DNS entries for the replica, including the A and PTR records for the replica to the DNS.
```
# ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2

Determining current realm name
Getting domain name from LDAP
Preparing replica for ipareplica.example.com from ipaserver.example.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the Web Server
Copying additional files
Finalizing configuration
Packaging the replica into replica-info-ipareplica.example.com
```
IMPORTANT
This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.
For more options with ipa-replica-prepare, see Section B.5.2, “ipa-replica-prepare”.
Each replica information file is created in the /var/lib/ipa/ directory as a GPG-encrypted file. Each file is named specifically for the replica server for which it is intended, such as replica-info-ipareplica.example.com.gpg.
NOTE
A replica information file cannot be used to create multiple replicas. It can only be used for the specific replica and machine for which it was created.
WARNING
Replica information files contain sensitive information. Take appropriate steps to ensure that they are properly protected.

Copy the replica information file to the replica server:

# scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/

On the replica server, run the replica installation script, referencing the replication information file. There are other options for setting up DNS, much like the server installation script. For example:
```
# ipa-replica-install --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
```
Additional options for the replica installation script are listed in Section B.5.1, “ipa-replica-install”.
The replica installation script runs a test to ensure that the replica file being installed matches the current hostname. If they do not match, the script returns a warning message and asks for confirmation. This could occur on a multi-homed machine, for example, where mismatched hostnames may not be an issue.
Enter the Directory Manager password when prompted. The script then configures a Directory Server instance based on information in the replica information file and initiates a replication process to copy over data from the master server to the replica, a process called initialization.

Once the installation process completes, update the DNS entries so that IPA clients can discover the new server. For example, for an IPA replica with a hostname of ipareplica.example.com:

_ldap._tcp             IN SRV 0 100 389	ipareplica.example.com
_kerberos._tcp         IN SRV 0 100 88 ipareplica.example.com
_kerberos._udp         IN SRV 0 100 88 ipareplica.example.com
_kerberos-master._tcp  IN SRV 0 100 88 ipareplica.example.com
_kerberos-master._udp  IN SRV 0 100 88 ipareplica.example.com
_kpasswd._tcp          IN SRV 0 100 464 ipareplica.example.com
_kpasswd._udp          IN SRV 0 100 464 ipareplica.example.com
_ntp._udp              IN SRV 0 100 123 ipareplica.example.com

Optional. Set up DNS services for the replica. These are not configured by the setup script, even if the master server uses DNS.
Use the ipa-dns-install command to install the DNS manually, then use the ipa dnsrecord-add command to add the required DNS records. For example:
```
# ipa-dns-install

# ipa dnsrecord-add example.com @ --ns-rec ipareplica.example.com.
```
IMPORTANT
Use the fully-qualified domain name of the replica, including the final period (.), otherwise BIND will treat the hostname as relative to the domain.

2.5.3. Troubleshooting Replica Installation

If the replica installation fails on step 3 ([3/11]: configuring certificate server instance), that usually means that the required port is not available. This can be verified by checking the debug logs for the CA, /var/log/pki-ca/debug, which may show error messages about being unable to find certain entries. For example:

[04/Feb/2011:22:29:03][http-9445-Processor25]: DatabasePanel
comparetAndWaitEntries ou=people,o=ipaca not found, let's wait

The only resolution is to uninstall the replica:

# ipa-server-install --uninstall

After uninstalling the replica, ensure that port 7389 on the replica is available, and retry the replica installation.