Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 2. Migrating your IdM environment from RHEL 9 servers to RHEL 10 servers

Upgrading an IdM environment from RHEL 9 to RHEL 10 requires adding new RHEL 10 replicas to the existing deployment, transferring CA and CRL roles, and then retiring the RHEL 9 servers. In-place upgrades of IdM servers are not supported.

Migration involves moving all Identity Management (IdM) data and configuration from a Red Hat Enterprise Linux (RHEL) 9 server to a RHEL 10 server.

2.1. Overview of the IdM migration procedure
Copy link

Understand the main procedure steps, optional procedures for complex deployments, and migration constraints to help you plan your IdM migration from RHEL 9 to RHEL 10.

Important

Migrate all servers in an IdM deployment as quickly as possible. Mixing different IdM versions in the same deployment for extended periods of time can lead to incompatibilities or possibly even unrecoverable data corruption.

Warning
  • Performing an in-place upgrade of RHEL 9 IdM servers and IdM server nodes to RHEL 10 is not supported.
  • Before migrating your IdM environment to RHEL 10, Red Hat recommends to first run ipa-healthcheck to prevent issues.
  • For more information about adding a RHEL 10 IdM replica in FIPS mode to a RHEL 9 IdM deployment in FIPS mode, see the Identity Management section in Considerations in adopting RHEL 10.

  • Migrating directly to RHEL 10 from RHEL 8 or earlier versions is not supported. To properly update your IdM data, you must perform incremental migrations.

    For example, to migrate a RHEL 8 IdM environment to RHEL 10:

    1. Migrate from RHEL 8 servers to RHEL 9 servers. See Migrating to Identity Management on RHEL 9.
    2. Migrate from RHEL 9 servers to RHEL 10 servers, as described in this section.

The main migration procedure includes:

  1. Configuring a RHEL 10 IdM server and adding it as a replica to your current RHEL 9 IdM environment. For details, see Installing the RHEL 10 replica.
  2. Making the RHEL 10 server the certificate authority (CA) renewal server. For details, see Assigning the CA renewal server role to the RHEL 10 IdM server.
  3. Stopping the generation of the certificate revocation list (CRL) on the RHEL 9 server and redirecting CRL requests to RHEL 10. For details, see Stopping CRL generation on a RHEL 9 IdM CA server.
  4. Starting the generation of the CRL on the RHEL 10 server. For details, see Starting CRL generation on the new RHEL 10 IdM CA server.
  5. Stopping and decommissioning the original RHEL 9 CA renewal server. For details, see Stopping and decommissioning the RHEL 9 server.

Additional procedures for large or complex deployments

The following optional procedures are strongly recommended for large, geographically distributed, or mission-critical IdM deployments to ensure topology health and prevent service disruption:

Before beginning your migration, review the strategy guidance and consider which optional procedures apply to your deployment:

In the following procedures:

  • rhel10.example.com is the RHEL 10 system that will become the new CA renewal server.

  • rhel9.example.com is the original RHEL 9 CA renewal server.

    If your IdM deployment does not use an IdM CA, any IdM server running on RHEL 9 can be rhel9.example.com.

Learn about the additional inventory and validation steps needed when migrating large or complex Identity Management (IdM) deployments.

While the core migration steps (installing a new replica, establishing it as a CA renewal server, and decommissioning the old server) apply to all deployments, large environments benefit from stricter inventory and validation processes. The following table highlights the recommended additional steps for large or complex topologies compared to a standard single-server or small-cluster migration.

Expand
StepStandard MigrationLarge/Complex Migration

1. Inventorying Topology

Optional.

Strongly Recommended. Document all server roles and replication agreements to ensure no critical service (CA, DNS, KRA, AD Trust) is lost during replica replacement.

2. Recording DNA ID Ranges

Optional.

Strongly Recommended. Record assigned ID ranges to prevent exhaustion if a server holding a large range is decommissioned without reassignment.

3. Reusing Server Hostname

Rarely needed.

Conditional. If reusing hostnames, wait for replication to fully converge before re-installing. Rapid removal and addition can cause conflicts in high-latency topologies.

4. Installing New Replica

Required.

Required. Ensure the new replica is installed with the same roles as the one it replaces. Run Healthcheck during verification to catch issues early.

5. Assigning CA Renewal Role

Required (if using integrated CA).

Required (if using integrated CA). Verify the role assignment replicates before proceeding.

6. Managing CRL Generation

Required (if using integrated CA).

Required (if using integrated CA). Stop CRL on old server, redirect requests, start on new server.

7. Updating Client Configuration

Automatic (mostly).

Manual updates may be needed. Clients pinned to specific servers in ipa.conf or sssd.conf must be updated to point to new replicas.

8. Decommissioning Old Server

Required.

Required. Verify no unique roles are lost and allow replication to converge.

When planning migrations for large deployments, consider the following strategic factors:

  • Maintain Redundancy: Ensure at least one other server provides critical services (CA, DNS, KRA, AD Trust) before decommissioning a replica.
  • Replication Lag: In geographically distributed deployments, allow additional time between topology changes for replication to converge. Rapid remove/add cycles can create conflicts that are difficult to resolve across high-latency links.
  • Batching: For very large topologies, migrate site-by-site, validating health after each wave. Avoid decommissioning all servers in a single site simultaneously.

2.3. Preparing for migrating IdM from RHEL 9 to 10
Copy link

Review all prerequisites for both hosts, including software updates, client enrollment, and server requirements, to ensure a successful and conflict-free transfer of your IdM environment.

Note

If you want to use hardware security modules (HSMs) to store your CA and KRA keys and certificates, you cannot upgrade an existing installation where the keys were not generated on an HSM to an HSM-based install.

Procedure

  • On rhel9.example.com:

    1. Upgrade the system to the latest RHEL 9 version.

    2. Update the ipa-* packages to their latest version: 

      [root@rhel9 ~]# dnf update ipa-*
    Warning

    When upgrading multiple Identity Management (IdM) servers, wait at least 10 minutes between each upgrade.

    When two or more servers are upgraded simultaneously or with only short intervals between the upgrades, there is not enough time to replicate the post-upgrade data changes throughout the topology, which can result in conflicting replication events.

  • On rhel10.example.com:

    1. Install the latest version of Red Hat Enterprise Linux on the system. For more information, see Interactively installing RHEL from installation media.
    2. Ensure the system is an IdM client enrolled into the domain for which rhel9.example.com IdM server is authoritative. For more information, see Installing an IdM client: Basic scenario.
    3. Ensure the system meets the requirements for IdM server installation. See Preparing the system for IdM server installation.

    4. Ensure you know the time server rhel9.example.com is synchronized with: 

      [root@rhel9 ~]# ntpstat
synchronised to NTP server (ntp.example.com) at stratum 3
   time correct to within 42 ms
   polling server every 1024 s
    5. Ensure the system is authorized for the installation of an IdM replica. See Authorizing the installation of a replica on an IdM client.

    6. Update the ipa-* packages to their latest version: 

      [root@rhel9 ~]# dnf update ipa-*
      Note

      For large or geographically distributed deployments, consider completing the following optional but recommended procedures before beginning the migration:

      These steps help ensure service continuity and prevent issues during the migration.

Use this procedure to capture the current IdM server roles and replication layout before you replace replicas. This procedure is optional but strongly recommended, especially for large or complex topologies, to prevent role coverage gaps.

Prerequisites

  • You are logged in to an IdM server as an administrator.

Procedure

  1. List the servers in the topology and the roles enabled on each server: 

    [root@rhel9 ~]# ipa server-find --all
---------------------
2 IPA servers matched
---------------------
  dn: cn=rhel9-1.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
  Server name: rhel9-1.example.com
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: AD trust agent, AD trust controller, CA server, DNS server, IPA master, KRA server

  dn: cn=rhel9-2.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
  Server name: rhel9-2.example.com
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: AD trust agent, AD trust controller, CA server, IPA master
----------------------------
Number of entries returned 2
----------------------------

  2. Verify that the CA renewal master role is assigned to exactly one server: 

    [root@rhel9 ~]# ipa config-show | grep "CA renewal master"
IPA CA renewal master: rhel9-1.example.com

  3. Verify that the DNSSEC key master role is assigned to exactly one server: 

    [root@rhel9 ~]# ipa dnsconfig-show | grep 'DNSSec key master'
IPA DNSSec key master: rhel9-1.example.com
  4. Record which servers provide other critical roles (such as CA, DNS, KRA, AD trust agent, and AD trust controller). You will reference this list when assigning roles to new replicas or validating redundancy during migration.

  5. If your IdM deployment is in a trust with an Active Directory (AD) forest, plan to ensure that during the migration:

    1. At least one trust controller remains online at all times.
    2. Whenever possible, each replica also runs the trust agent so that clients can resolve AD users regardless of which server they contact.
  6. Review replication agreements and the site layout to confirm that each site keeps redundant connectivity throughout the migration: Replica topology examples.
  7. Ensure that the number of replication agreements per server aligns with the long-term guideline of four or fewer links: Guidelines for connecting IdM replicas in a topology.

  8. Run ipa-healthcheck to identify replication issues before you modify the topology: 

    [root@rhel9 ~]# ipa-healthcheck --source=ipahealthcheck.ds.replication --source=ipahealthcheck.ipa.topology

2.5. Recording DNA ID ranges before migration
Copy link

Document the Distributed Numeric Assignment (DNA) ID ranges that are currently allocated so that you can reassign them after a server is removed during migration. Recording DNA ranges is optional but strongly recommended, especially for large or complex topologies, to prevent blocking user creation.

Prerequisites

  • You are logged in to an IdM server as an administrator.

Procedure

  1. On each server that will be decommissioned, display the DNA ID ranges currently allocated: 

    [root@rhel9 ~]# ipa-replica-manage dnarange-show

  2. Display the next DNA range queued for allocation so you know what will be assigned after the current sub-range is consumed: 

    [root@rhel9 ~]# ipa-replica-manage dnanextrange-show
  3. Record the collected ranges in your migration notes. You will reference these values when ensuring DNA range coverage on the new replica before decommissioning the old server. Losing a server that owns an unrecorded sub-range can block the creation of new users or groups.

2.6. Reusing an IdM server hostname safely
Copy link

Follow this procedure when you need to reuse an existing IdM server hostname for a new replica during migration. Hostname reuse is typically required when:

  • DNS or firewall rules are tightly coupled to specific hostnames
  • Client configurations explicitly reference the hostname that must be preserved
  • Network or security policies require specific server names

This procedure is optional; use it only when hostname reuse is necessary. For large or geographically distributed topologies, extra care is needed to prevent replication conflicts when reusing hostnames.

Prerequisites

  • You have administrative access to the IdM topology and to the server being replaced.
  • DNS records for the hostname can be updated if the IP address changes.
Warning

This procedure describes a specialized workflow for reusing an existing server hostname during migration. Only follow this procedure if you specifically need to preserve a hostname due to DNS, firewall rules, or client configuration requirements.

If you are performing a standard migration with new hostnames, skip this procedure and proceed directly to installing your new replica.

Procedure

  1. Run IdM Healthcheck on the server you plan to remove and resolve any issues so the topology is in a clean state before you begin: Using IdM Healthcheck to monitor your IdM environment.

  2. Remove the server from the topology on a different replica. For example, to remove rhel9.example.com: 

    [root@rhel10-replica ~]# ipa-replica-manage del rhel9.example.com --cleanup

    Confirm the command completes successfully and that the removal is replicated to the remaining servers.

  3. On the RHEL 9 host you are decommissioning, uninstall the IdM server to clean up services and certificates: 

    [root@rhel9 ~]# ipa-server-install --uninstall
  4. Allow replication to converge across all remaining servers before you reinstall a replica with the same hostname. In high-latency environments, wait for at least one full replication cycle and confirm the host no longer appears in ipa server-find output.
  5. After replication has fully converged and you have confirmed the old server no longer appears in the topology, proceed to install your new RHEL 10 replica using the reused hostname. See Installing the RHEL 10 replica.

  6. After installation completes, run IdM Healthcheck on the new RHEL 10 replica to verify that no replication conflicts were introduced: 

    [root@rhel9 ~]# ipa-healthcheck

    Pay particular attention to replication-related checks to ensure the hostname reuse did not cause conflicts.

2.7. Installing the RHEL 10 replica
Copy link

You must install the RHEL 10 IdM server and configure it as a replica within your existing RHEL 9 topology. This begins the migration process by transferring the complete IdM data and duplicating all existing server roles to the new host.

Procedure

  1. List which server roles are present in your RHEL 9 environment: 

    [root@rhel9 ~]# ipa server-role-find --status enabled --server rhel9.example.com
----------------------
3 server roles matched
----------------------
  Server name: rhel9.example.com
  Role name: CA server
  Role status: enabled

  Server name: rhel9.example.com
  Role name: DNS server
  Role status: enabled
[... output truncated ...]

  2. Optional: If you want to use the same per-server forwarders for rhel10.example.com that rhel9.example.com is using, view the per-server forwarders for rhel9.example.com: 

    [root@rhel9 ~]# ipa dnsserver-show rhel9.example.com
-----------------------------
1 DNS server matched
-----------------------------
  Server name: rhel9.example.com
  SOA mname: rhel9.example.com.
  Forwarders: 192.0.2.20
  Forward policy: only
--------------------------------------------------
Number of entries returned 1
--------------------------------------------------
  1. Review the replication agreements topology using the steps in either Viewing replication topology using the WebUI or Viewing topology suffixes using the CLI and Viewing topology segments using the CLI.

  2. Install the IdM server software on rhel10.example.com to configure it as a replica of the RHEL 9 IdM server, including all the server roles present on rhel9.example.com. To install the roles from the example above, use these options with the ipa-replica-install command:

    • --setup-ca to set up the Certificate System component

    • --setup-dns and --forwarder to configure an integrated DNS server and set a per-server forwarder to take care of DNS queries that go outside the IdM domain

      Note

      Additionally, if your IdM deployment is in a trust relationship with Active Directory (AD), add the --setup-adtrust option to the ipa-replica-install command to configure AD trust capability on rhel10.example.com.

    • --ntp-server to specify an NTP server or --ntp-pool to specify a pool of NTP servers

      To set up an IdM server with the IP address of 192.0.2.1 that uses a per-server forwarder with the IP address of 192.0.2.20 and synchronizes with the ntp.example.com NTP server: 

      [root@rhel10 ~]# ipa-replica-install --setup-ca --ip-address 192.0.2.1 --setup-dns --forwarder 192.0.2.20 --ntp-server ntp.example.com

      You do not need to specify the RHEL 9 IdM server itself because if DNS is working correctly, rhel10.example.com will find it using DNS autodiscovery.

  3. Optional: Add an _ntp._udp service (SRV) record for your external NTP time server to the DNS of the newly-installed IdM server, rhel10.example.com. The presence of the SRV record for the time server in IdM DNS ensures that future RHEL 10 replica and client installations are automatically configured to synchronize with the time server used by rhel10.example.com. This is because ipa-client-install looks for the _ntp._udp DNS entry unless --ntp-server or --ntp-pool options are provided on the install command-line interface (CLI).
  4. Create any replication agreements needed to re-create the previous topology using the steps in Setting up replication between two servers using the Web UI or Setting up replication between two servers using the CLI.

Verification

  1. Verify that the IdM services are running on rhel10.example.com: 

    [root@rhel10 ~]# ipactl status
Directory Service: RUNNING
[... output truncated ...]
ipa: INFO: The ipactl command was successful

  2. Run ipa-healthcheck to identify any issues with the new replica: 

    [root@rhel10 ~]# ipa-healthcheck

  3. Verify that server roles for rhel10.example.com are the same as for rhel9.example.com: 

    [root@rhel10 ~]# kinit admin
[root@rhel10 ~]# ipa server-role-find --status enabled --server rhel10.example.com
----------------------
2 server roles matched
----------------------
  Server name: rhel10.example.com
  Role name: CA server
  Role status: enabled

  Server name: rhel10.example.com
  Role name: DNS server
  Role status: enabled

  4. Optional: Display details about the replication agreement between rhel9.example.com and rhel10.example.com: 

    [root@rhel10 ~]# ipa-csreplica-manage list --verbose rhel10.example.com
Directory Manager password:

rhel9.example.com
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental update succeeded
last update ended: 2019-02-13 13:55:13+00:00

  5. Optional: If your IdM deployment is in a trust relationship with AD, verify that it is working:

    1. Verify the Kerberos configuration

    2. Attempt to resolve an AD user on rhel10.example.com: 

      [root@rhel10 ~]# id aduser@ad.domain

  6. Verify that rhel10.example.com is synchronized with the NTP server: 

    [root@rhel9 ~]# chronyc tracking
Reference ID    : CB00710F (ntp.example.com)
Stratum         : 3
Ref time (UTC)  : Wed Feb 16 09:49:17 2022
[... output truncated ...]

If your IdM deployment uses an embedded certificate authority (CA), assign the CA renewal server role to the Red Hat Enterprise Linux (RHEL) 10 IdM server to ensure continued certificate management after migration.

Procedure

  1. On rhel10.example.com, configure rhel10.example.com as the new CA renewal server: 

    [root@rhel10 ~]# ipa config-mod --ca-renewal-master-server rhel10.example.com
  ...
  IPA masters: rhel9.example.com, rhel10.example.com
  IPA CA servers: rhel9.example.com, rhel10.example.com
  IPA CA renewal master: rhel10.example.com

    The output confirms that the update was successful.

  2. On rhel10.example.com, enable the certificate updater task:

    1. Open the /etc/pki/pki-tomcat/ca/CS.cfg configuration file for editing.
    2. Remove the ca.certStatusUpdateInterval entry, or set it to the desired interval in seconds. The default value is 600.
    3. Save and close the /etc/pki/pki-tomcat/ca/CS.cfg configuration file.

    4. Restart IdM services: 

      [user@rhel10 ~]$ ipactl restart

  3. On rhel9.example.com, disable the certificate updater task:

    1. Open the /etc/pki/pki-tomcat/ca/CS.cfg configuration file for editing.

    2. Change ca.certStatusUpdateInterval to 0, or add the following entry if it does not exist: 

      ca.certStatusUpdateInterval=0
    3. Save and close the /etc/pki/pki-tomcat/ca/CS.cfg configuration file.

    4. Restart IdM services: 

      [user@rhel9 ~]$ ipactl restart

2.9. Stopping CRL generation on an IdM server
Copy link

Use the ipa-crlgen-manage command to stop generating the Certificate Revocation List (CRL) on the IdM CRL publisher server. You must disable CRL generation on the current server before enabling it on a new server, because only one server should generate the CRL at a time.

Prerequisites

  • You must be logged in as root.

Procedure

  1. Check if your server is generating the CRL: 

    [root@server ~]# ipa-crlgen-manage status
     
    CRL generation: enabled
Last CRL update: 2019-10-31 12:00:00
Last CRL Number: 6
The ipa-crlgen-manage command was successful

  2. Stop generating the CRL on the server: 

    [root@server ~]# ipa-crlgen-manage disable
     
    Stopping pki-tomcatd
Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
Starting pki-tomcatd
Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
Restarting httpd
CRL generation disabled on the local host. Please make sure to configure CRL generation on another master with ipa-crlgen-manage enable.
The ipa-crlgen-manage command was successful

  3. Check if the server stopped generating CRL: 

    [root@server ~]# ipa-crlgen-manage status

    The server stopped generating the CRL. The next step is to enable CRL generation on the IdM replica.

If your IdM deployment uses an embedded certificate authority (CA), start Certificate Revocation List (CRL) generation on the new Red Hat Enterprise Linux (RHEL) 10 IdM CA server after stopping it on the old server to maintain certificate revocation services.

Prerequisites

  • You must be logged in as root on the rhel10.example.com machine.

Procedure

  1. To start generating the CRL on rhel10.example.com, use the ipa-crlgen-manage enable command: 

    [root@rhel10 ~]# ipa-crlgen-manage enable
Stopping pki-tomcatd
Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
Starting pki-tomcatd
Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
Restarting httpd
Forcing CRL update
CRL generation enabled on the local host. Please make sure to have only a single CRL generation master.
The ipa-crlgen-manage command was successful

Verification

  • To check if CRL generation is enabled, use the ipa-crlgen-manage status command: 

    [root@rhel10 ~]# ipa-crlgen-manage status
CRL generation: enabled
Last CRL update: 2021-10-31 12:10:00
Last CRL Number: 7
The ipa-crlgen-manage command was successful

Use this procedure to update clients that do not rely solely on DNS service discovery after you replace or decommission IdM replicas. Updating pinned clients is optional but strongly recommended for large or complex topologies where static configuration is common.

Prerequisites

  • You have root access to each client that requires updates.
  • Replacement IdM servers are in service and reachable.

Procedure

  1. Update the system resolvers on affected clients so they point to the current IdM DNS servers. Adjust /etc/resolv.conf or your network configuration tooling to remove references to retired servers.

  2. If the client uses the fallback enrollment server defined in /etc/ipa/default.conf, replace the hostname in both of the following parameters with an active IdM server: 

    xmlrpc_uri = https://ipa_new.example.com/ipa/xml
server = ipa_new.example.com

  3. Review the ipa_server parameter in /etc/sssd/sssd.conf:

    • If it lists specific servers, update the list to include only active replicas or switch to SRV-only discovery by using srv.
    • If it references the retired hostname, replace it with the new server names.

  4. Restart SSSD to apply the updates: 

    [root@client ~]# systemctl restart sssd
  5. Test authentication and lookups from the client to confirm it can reach the updated servers.

After setting up the RHEL 10 replica and transferring all critical Identity Management (IdM) roles, you must safely decommission the RHEL 9 IdM server. This final step ensures that all identity roles and data are cleanly transferred to the RHEL 10 replica before permanently removing the old server from the topology.

Procedure

  1. Make sure that all data, including the latest changes, have been correctly migrated from rhel9.example.com to rhel10.example.com. For example:

    1. Add a new user on rhel9.example.com: 

      [root@rhel9 ~]# ipa user-add random_user
First name: random
Last name: user

    2. Check that the user has been replicated to rhel10.example.com: 

      [root@rhel10 ~]# ipa user-find random_user
--------------
1 user matched
--------------
  User login: random_user
  First name: random
  Last name: user

  2. Ensure that a Distributed Numeric Assignment (DNA) ID range is allocated to rhel10.example.com. If you recorded DNA ranges earlier (see Recording DNA ID ranges before migration), you can reference those values when reassigning ranges. Use one of the following methods:

    • Activate the DNA plug-in on rhel10.example.com directly by creating another test user: 

      [root@rhel10 ~]# ipa user-add another_random_user
First name: another
Last name: random_user

    • Assign a specific DNA ID range to rhel10.example.com:

      1. On rhel9.example.com, display the IdM ID range: 

        [root@rhel9 ~]# ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: EXAMPLE.COM_id_range
  First Posix ID of the range: 196600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

      2. On rhel9.example.com, display the allocated DNA ID ranges: 

        [root@rhel9 ~]# ipa-replica-manage dnarange-show
rhel9.example.com: 196600026-196799999
rhel10.example.com: No range set

      3. Reduce the DNA ID range allocated to rhel9.example.com so that a section becomes available to rhel10.example.com: 

        [root@rhel9 ~]# ipa-replica-manage dnarange-set rhel9.example.com 196600026-196699999

      4. Assign the remaining part of the IdM ID range to rhel10.example.com: 

        [root@rhel9 ~]# ipa-replica-manage dnarange-set rhel10.example.com 196700000-196799999

  3. Stop all IdM services on rhel9.example.com to force domain discovery to the new rhel10.example.com server. 

    [root@rhel9 ~]# ipactl stop
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named:                                            [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    EXAMPLE-COM...                                         [  OK  ]
    PKI-IPA...                                             [  OK  ]

    After this, the ipa utility contacts the new server through a remote procedure call (RPC).

  4. Remove the RHEL 9 server from the topology by executing the removal commands on the RHEL 10 server. For details, see Uninstalling an IdM server.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top