Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 10. Uninstalling an IdM server


Follow this procedure to uninstall an Identity Management (IdM) server named server123.idm.example.com (server123). In the procedure, you first ensure that other servers are running critical services and that the topology will continue to be redundant before performing the uninstallation.

Prerequisites

  • You have root access to server123.
  • You have an IdM administrator’s credentials.

Procedure

  1. If your IdM environment uses integrated DNS, ensure that server123 is not the only enabled DNS server:

    [root@server123 ~]# ipa server-role-find --role 'DNS server'
    ----------------------
    2 server roles matched
    ----------------------
      Server name: server456.idm.example.com
      Role name: DNS server
      Role status: enabled
    [...]
    ----------------------------
    Number of entries returned 2
    ----------------------------

    If server123 is the only remaining DNS server in the topology, add the DNS server role to another IdM server. For more information, see the ipa-dns-install(1) man page on your system.

  2. If your IdM environment uses an integrated certificate authority (CA):

    1. Ensure that server123 is not the only enabled CA server:

      [root@server123 ~]# ipa server-role-find --role 'CA server'
      ----------------------
      2 server roles matched
      ----------------------
        Server name: server123.idm.example.com
        Role name: CA server
        Role status: enabled
      
        Server name: r8server.idm.example.com
        Role name: CA server
        Role status: enabled
      ----------------------------
      Number of entries returned 2
      ----------------------------

      If server123 is the only remaining CA server in the topology, add the CA server role to another IdM server. For more information, see the ipa-ca-install(1) man page on your system.

    2. If you have enabled vaults in your IdM environment, ensure that server123.idm.example.com is not the only enabled Key Recovery Authority (KRA) server:

      [root@server123 ~]# ipa server-role-find --role 'KRA server'
      ----------------------
      2 server roles matched
      ----------------------
        Server name: server123.idm.example.com
        Role name: KRA server
        Role status: enabled
      
        Server name: r8server.idm.example.com
        Role name: KRA server
        Role status: enabled
      ----------------------------
      Number of entries returned 2
      ----------------------------

      If server123 is the only remaining KRA server in the topology, add the KRA server role to another IdM server. For more information, see man ipa-kra-install(1).

    3. Ensure that server123.idm.example.com is not the CA renewal server:

      [root@server123 ~]# ipa config-show | grep 'CA renewal'
        IPA CA renewal master: r8server.idm.example.com

      If server123 is the CA renewal server, see Changing and resetting IdM CA renewal server for more information about how to move the CA renewal server role to another server.

    4. Ensure that server123.idm.example.com is not the current certificate revocation list (CRL) publisher:

      [root@server123 ~]# ipa-crlgen-manage status
      CRL generation: disabled

      If the output shows that CRL generation is enabled on server123, see Generating CRL on an IdM CA server for more information about how to move the CRL publisher role to another server.

  3. Connect to another IdM server in the topology:

    $ ssh idm_user@server456
  4. On the server, obtain the IdM administrator’s credentials:

    [idm_user@server456 ~]$ kinit admin
  5. View the DNA ID ranges assigned to the servers in the topology:

    [idm_user@server456 ~]$ ipa-replica-manage dnarange-show
    server123.idm.example.com: 1001-1500
    server456.idm.example.com: 1501-2000
    [...]

    The output shows that a DNA ID range is assigned to both server123 and server456.

  6. If server123 is the only IdM server in the topology with a DNA ID range assigned, create a test IdM user on server456 to ensure that the server has a DNA ID range assigned:

    [idm_user@server456 ~]$ ipa user-add test_idm_user
  7. Delete server123.idm.example.com from the topology:

    [idm_user@server456 ~]$ ipa server-del server123.idm.example.com
    Important

    If deleting server123 would lead to a disconnected topology, the script warns you about it. For information about how to create a replication agreement between the remaining replicas so that the deletion can proceed, see Setting up replication between two servers using the CLI.

    Note

    Running the ipa server-del command removes all replication data and agreements related to server123 for both the domain and ca suffixes. This is in contrast to Domain Level 0 IdM topologies, where you initially had to remove these data by using the ipa-replica-manage del server123 command. Domain Level 0 IdM topologies are those running on RHEL 7.2 and earlier. Use the ipa domainlevel-get command to view the current domain level.

  8. Return to server123.idm.example.com and uninstall the existing IdM installation:

    [root@server123 ~]# ipa-server-install --uninstall
    ...
    Are you sure you want to continue with the uninstall procedure? [no]: true
  9. Ensure that all name server (NS) DNS records pointing to server123.idm.example.com are deleted from your DNS zones. This applies regardless of whether you use integrated DNS managed by IdM or external DNS. For more information about how to delete DNS records from IdM, see Deleting DNS records in the IdM CLI.
Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.