4.4. Creating the Replica
- On the master server, create a replica information file. This contains realm and configuration information taken from the master server which will be used to configure the replica server.

  Run the ipa-replica-prepare utility on the master IdM server. The utility requires the fully-qualified domain name of the replica machine. This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures. Additionally, the hostname must be all lower-case. No capital letters are allowed.

  Using the --ip-address option automatically creates DNS entries for the replica, including the A and PTR records for the replica, in the DNS.

  Important
  Only pass the --ip-address option if the IdM server was configured with integrated DNS. Otherwise, there is no DNS record to update, and the attempt to create the replica fails when the DNS record operation fails.

  Note
  The ipa-replica-prepare script does not validate the IP address or verify that the IP address of the replica is reachable by other servers.

  ```
  [root@server ~]# ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
  Directory Manager (existing master) password:

  Preparing replica for ipareplica.example.com from ipaserver.example.com
  Creating SSL certificate for the Directory Server
  Creating SSL certificate for the dogtag Directory Server
  Saving dogtag Directory Server port
  Creating SSL certificate for the Web Server
  Exporting RA certificate
  Copying additional files
  Finalizing configuration
  Packaging replica information into /var/lib/ipa/replica-info-ipareplica.example.com.gpg
  Adding DNS records for ipareplica.example.com
  Using reverse zone 1.168.192.in-addr.arpa.
  The ipa-replica-prepare command was successful
  ```

  Each replica information file is created in the /var/lib/ipa/ directory as a GPG-encrypted file. Each file is named specifically for the replica server for which it is intended, such as replica-info-ipareplica.example.com.gpg.

  Note
  A replica information file cannot be used to create multiple replicas. It can only be used for the specific replica and machine for which it was created.

  Warning
  Replica information files contain sensitive information. Take appropriate steps to ensure that they are properly protected.

  For more options with ipa-replica-prepare, see the ipa-replica-prepare(1) man page.
- Copy the replica information file to the replica server (the original command copied it back to the master; the destination must be the replica host):

  ```
  [root@server ~]# scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
  ```
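Because ipa-replica-prepare does not validate the hostname or address it is given, here is an added pre-flight check (not part of the IdM documentation or the ipa tools) that enforces the hostname rules above and sanity-checks the IPv4 address before the replica file is generated; the hostname and address it uses are constructed sample values.

```shell
#!/bin/sh
# Added pre-flight check, not part of the IdM documentation or the ipa tools:
# ipa-replica-prepare accepts any hostname and IP address without validating
# them, so check both before generating the replica information file.
# Hostnames and addresses used here are constructed examples.

# Return 0 if NAME is a fully-qualified DNS name as the documentation requires:
# lower-case letters, digits and hyphens only, no label starting or ending
# with a hyphen, at least two dot-separated labels.
valid_replica_fqdn() {
    if printf '%s\n' "$1" | grep -Eq \
        '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'; then
        return 0
    fi
    return 1
}

# Return 0 if ADDR is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F '[.]' '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Combined check: returns 0 only if both values are acceptable and reports
# which one failed. Syntax only; reachability is tested separately below.
replica_preflight() {
    fqdn=$1; addr=$2; rc=0
    if ! valid_replica_fqdn "$fqdn"; then
        echo "invalid replica hostname: $fqdn (use lower-case a-z, 0-9, '-')" >&2
        rc=1
    fi
    if ! valid_ipv4 "$addr"; then
        echo "invalid IPv4 address: $addr" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh ipareplica.example.com 192.168.1.2
# Also confirms the address answers ICMP, which ipa-replica-prepare skips.
if [ "$#" -eq 2 ]; then
    replica_preflight "$1" "$2" || exit 1
    ping -c 1 -W 2 "$2" >/dev/null 2>&1 || echo "warning: $2 not reachable" >&2
    echo "pre-flight OK: $1 ($2)"
fi
```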
- On the replica server, run the replica installation script, referencing the replica information file. There are other options for setting up DNS, much like the server installation script. Additionally, there is an option to configure a CA for the replica; while CAs are installed by default for servers, they are optional for replicas.

  Some information about DNS forwarders is required. A list of configured DNS forwarders can be given using a --forwarder option for each one, or forwarder configuration can be skipped by specifying the --no-forwarders option.

  For example:

  ```
  [root@ipareplica ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-ipareplica.example.com.gpg
  Directory Manager (existing master) password:

  Warning: Hostname (ipareplica.example.com) not found in DNS
  Run connection check to master
  Check connection from replica to remote master 'ipareplica.example.com':
     Directory Service: Unsecure port (389): OK
     Directory Service: Secure port (636): OK
     Kerberos KDC: TCP (88): OK
     Kerberos Kpasswd: TCP (464): OK
     HTTP Server: Unsecure port (80): OK
     HTTP Server: Secure port (443): OK

  The following list of ports use UDP protocol and would need to be
  checked manually:
     Kerberos KDC: UDP (88): SKIPPED
     Kerberos Kpasswd: UDP (464): SKIPPED

  Connection from replica to master is OK.
  Start listening on required ports for remote master check
  Get credentials to log in to remote master
  admin@EXAMPLE.COM password:

  Execute check on remote master
  admin@example.com's password:
  Check connection from master to remote replica 'ipareplica.example.com':
     Directory Service: Unsecure port (389): OK
     Directory Service: Secure port (636): OK
     Kerberos KDC: TCP (88): OK
     Kerberos KDC: UDP (88): OK
     Kerberos Kpasswd: TCP (464): OK
     Kerberos Kpasswd: UDP (464): OK
     HTTP Server: Unsecure port (80): OK
     HTTP Server: Secure port (443): OK

  Connection from master to replica is OK.

  Connection check OK
  ```

  The replica installation script runs a test to ensure that the replica file being installed matches the current hostname. If they do not match, the script returns a warning message and asks for confirmation. This could occur on a multi-homed machine, for example, where mismatched hostnames may not be an issue.

  Additional options for the replica installation script are listed in the ipa-replica-install(1) man page.

  Note
  One of the options ipa-replica-install accepts is the --ip-address option. When added to ipa-replica-install, this option only accepts IP addresses associated with the local interface.
- Enter the Directory Manager password when prompted. The script then configures a Directory Server instance based on information in the replica information file and initiates a replication process to copy over data from the master server to the replica, a process called initialization.
- Verify that the proper DNS entries were created so that IdM clients can discover the new server. DNS entries are required for these domain services:
- _ldap._tcp
- _kerberos._tcp
- _kerberos._udp
- _kerberos-master._tcp
- _kerberos-master._udp
- _ntp._udp
  If the initial IdM server was created with DNS enabled, then the replica is created with the proper DNS entries. For example:

  ```
  [root@ipareplica ~]# DOMAIN=example.com
  [root@ipareplica ~]# NAMESERVER=ipareplica
  [root@ipareplica ~]# for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do echo ""; dig @${NAMESERVER} ${i}.${DOMAIN} srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority; done | egrep -v "^;" | egrep _
  _ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipaserver1.example.com.
  _ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipaserver2.example.com.
  _kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipaserver1.example.com.
  ...8<...
  ```

  If the initial IdM server was created without DNS enabled, then each DNS entry, including both TCP and UDP entries for some services, should be added manually. For example:

  ```
  [root@ipareplica ~]# kinit admin
  [root@ipareplica ~]# ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 100 389 ipareplica.example.com."
  ```
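As an added example (not from the IdM documentation), the following script reads the answer lines produced by the dig loop above and reports which of the required SRV records do not yet list the new replica; the answer lines embedded in it are constructed sample data, not real zone content.

```shell
#!/bin/sh
# Added example, not part of the IdM documentation: verify that every SRV
# record IdM clients rely on also advertises the new replica, using the
# "name TTL IN SRV prio weight port target" lines the dig loop prints.
# The answers below are constructed sample data, not real zone content.

REQUIRED_SRV='_ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp'

SAMPLE_ANSWERS='_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipaserver.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipareplica.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipaserver.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipareplica.example.com.
_kerberos._udp.example.com. 86400 IN SRV 0 100 88 ipareplica.example.com.
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipareplica.example.com.
_kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipareplica.example.com.
_ntp._udp.example.com. 86400 IN SRV 0 100 123 ipaserver.example.com.'

# Read SRV answer lines on stdin; print, one per line, each required service
# that has no record whose target is HOST (targets carry a trailing dot).
missing_srv_services() {
    host="$1."
    answers=$(cat)
    for svc in $REQUIRED_SRV; do
        if ! printf '%s\n' "$answers" | awk -v svc="$svc" -v host="$host" '
                $4 == "SRV" && $1 ~ ("^" svc "\\.") && $8 == host { found = 1 }
                END { exit found ? 0 : 1 }'; then
            echo "$svc"
        fi
    done
}

# Pass/fail wrapper for scripts: returns 0 when HOST appears in every
# required SRV record, 1 otherwise (missing services go to stderr).
check_srv_records() {
    missing=$(missing_srv_services "$1")
    if [ -n "$missing" ]; then
        printf 'no SRV record for %s:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    echo "all required SRV records list $1"
}

# Real use: <dig loop above> | egrep _ | sh srvcheck.sh ipareplica.example.com
if [ "$#" -eq 1 ]; then
    check_srv_records "$1"
else
    # Demo on the sample data: reports that _ntp._udp still lacks the replica.
    printf '%s\n' "$SAMPLE_ANSWERS" | check_srv_records ipareplica.example.com || true
fi
```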
- Optional. Set up DNS services for the replica. These are not configured by the setup script, even if the master server uses DNS.

  Use the ipa-dns-install command to install the DNS manually, then use the ipa dnsrecord-add command to add the required DNS records. For example:

  ```
  [root@ipareplica ~]# ipa-dns-install
  [root@ipareplica ~]# ipa dnsrecord-add example.com @ --ns-rec ipareplica.example.com.
  ```
Important
Use the fully-qualified domain name of the replica, including the final period (.), otherwise BIND will treat the hostname as relative to the domain.