Chapter 10. Uninstalling an IdM server


Follow this procedure to uninstall an Identity Management (IdM) server named server123.idm.example.com (server123). In the procedure, you first ensure that other servers are running critical services and that the topology will continue to be redundant before performing the uninstallation.

Prerequisites

  • You have root access to server123.
  • You have an IdM administrator’s credentials.

Procedure

  1. If your IdM environment uses integrated DNS, ensure that server123 is not the only enabled DNS server:

    [root@server123 ~]# ipa server-role-find --role 'DNS server'
    ----------------------
    2 server roles matched
    ----------------------
      Server name: server456.idm.example.com
      Role name: DNS server
      Role status: enabled
    [...]
    ----------------------------
    Number of entries returned 2
    ----------------------------

    If server123 is the only remaining DNS server in the topology, add the DNS server role to another IdM server. For more information, see the ipa-dns-install(1) man page on your system.

  2. If your IdM environment uses an integrated certificate authority (CA):

    1. Ensure that server123 is not the only enabled CA server:

      [root@server123 ~]# ipa server-role-find --role 'CA server'
      ----------------------
      2 server roles matched
      ----------------------
        Server name: server123.idm.example.com
        Role name: CA server
        Role status: enabled
      
        Server name: r8server.idm.example.com
        Role name: CA server
        Role status: enabled
      ----------------------------
      Number of entries returned 2
      ----------------------------

      If server123 is the only remaining CA server in the topology, add the CA server role to another IdM server. For more information, see the ipa-ca-install(1) man page on your system.

    2. If you have enabled vaults in your IdM environment, ensure that server123.idm.example.com is not the only enabled Key Recovery Authority (KRA) server:

      [root@server123 ~]# ipa server-role-find --role 'KRA server'
      ----------------------
      2 server roles matched
      ----------------------
        Server name: server123.idm.example.com
        Role name: KRA server
        Role status: enabled
      
        Server name: r8server.idm.example.com
        Role name: KRA server
        Role status: enabled
      ----------------------------
      Number of entries returned 2
      ----------------------------

      If server123 is the only remaining KRA server in the topology, add the KRA server role to another IdM server. For more information, see man ipa-kra-install(1).

    3. Ensure that server123.idm.example.com is not the CA renewal server:

      [root@server123 ~]# ipa config-show | grep 'CA renewal'
        IPA CA renewal master: r8server.idm.example.com

      If server123 is the CA renewal server, see Changing and resetting IdM CA renewal server for more information about how to move the CA renewal server role to another server.

    4. Ensure that server123.idm.example.com is not the current certificate revocation list (CRL) publisher:

      [root@server123 ~]# ipa-crlgen-manage status
      CRL generation: disabled

      If the output shows that CRL generation is enabled on server123, see Generating CRL on an IdM CA server for more information about how to move the CRL publisher role to another server.

  3. Connect to another IdM server in the topology:

    $ ssh idm_user@server456
  4. On the server, obtain the IdM administrator’s credentials:

    [idm_user@server456 ~]$ kinit admin
  5. View the DNA ID ranges assigned to the servers in the topology:

    [idm_user@server456 ~]$ ipa-replica-manage dnarange-show
    server123.idm.example.com: 1001-1500
    server456.idm.example.com: 1501-2000
    [...]

    The output shows that a DNA ID range is assigned to both server123 and server456.

  6. If server123 is the only IdM server in the topology with a DNA ID range assigned, create a test IdM user on server456 to ensure that the server has a DNA ID range assigned:

    [idm_user@server456 ~]$ ipa user-add test_idm_user
  7. Delete server123.idm.example.com from the topology:

    [idm_user@server456 ~]$ ipa server-del server123.idm.example.com
    Important

    If deleting server123 would lead to a disconnected topology, the script warns you about it. For information about how to create a replication agreement between the remaining replicas so that the deletion can proceed, see Setting up replication between two servers using the CLI.

    Note

    Running the ipa server-del command removes all replication data and agreements related to server123 for both the domain and ca suffixes. This is in contrast to Domain Level 0 IdM topologies, where you initially had to remove these data by using the ipa-replica-manage del server123 command. Domain Level 0 IdM topologies are those running on RHEL 7.2 and earlier. Use the ipa domainlevel-get command to view the current domain level.

  8. Return to server123.idm.example.com and uninstall the existing IdM installation:

    [root@server123 ~]# ipa-server-install --uninstall
    ...
    Are you sure you want to continue with the uninstall procedure? [no]: true
  9. Ensure that all name server (NS) DNS records pointing to server123.idm.example.com are deleted from your DNS zones. This applies regardless of whether you use integrated DNS managed by IdM or external DNS. For more information about how to delete DNS records from IdM, see Deleting DNS records in the IdM CLI.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.