Chapter 10. Uninstalling an IdM server
Follow this procedure to uninstall an Identity Management (IdM) server named server123.idm.example.com (server123). In the procedure, you first ensure that other servers are running critical services and that the topology will continue to be redundant before performing the uninstallation.
Prerequisites

- You have root access to server123.
- You have an IdM administrator's credentials.

Procedure

1. If your IdM environment uses integrated DNS, ensure that server123 is not the only enabled DNS server:

       [root@server123 ~]# ipa server-role-find --role 'DNS server'
       ----------------------
       2 server roles matched
       ----------------------
         Server name: server456.idm.example.com
         Role name: DNS server
         Role status: enabled
       [...]
       ----------------------------
       Number of entries returned 2
       ----------------------------

   If server123 is the only remaining DNS server in the topology, add the DNS server role to another IdM server. For more information, see the ipa-dns-install(1) man page on your system.

2. If your IdM environment uses an integrated certificate authority (CA):

   a. Ensure that server123 is not the only enabled CA server:

          [root@server123 ~]# ipa server-role-find --role 'CA server'
          ----------------------
          2 server roles matched
          ----------------------
            Server name: server123.idm.example.com
            Role name: CA server
            Role status: enabled

            Server name: r8server.idm.example.com
            Role name: CA server
            Role status: enabled
          ----------------------------
          Number of entries returned 2
          ----------------------------

      If server123 is the only remaining CA server in the topology, add the CA server role to another IdM server. For more information, see the ipa-ca-install(1) man page on your system.

   b. If you have enabled vaults in your IdM environment, ensure that server123.idm.example.com is not the only enabled Key Recovery Authority (KRA) server:

          [root@server123 ~]# ipa server-role-find --role 'KRA server'
          ----------------------
          2 server roles matched
          ----------------------
            Server name: server123.idm.example.com
            Role name: KRA server
            Role status: enabled

            Server name: r8server.idm.example.com
            Role name: KRA server
            Role status: enabled
          ----------------------------
          Number of entries returned 2
          ----------------------------

      If server123 is the only remaining KRA server in the topology, add the KRA server role to another IdM server. For more information, see the ipa-kra-install(1) man page.

   c. Ensure that server123.idm.example.com is not the CA renewal server:

          [root@server123 ~]# ipa config-show | grep 'CA renewal'
            IPA CA renewal master: r8server.idm.example.com

      If server123 is the CA renewal server, see Changing and resetting IdM CA renewal server for more information about how to move the CA renewal server role to another server.

   d. Ensure that server123.idm.example.com is not the current certificate revocation list (CRL) publisher:

          [root@server123 ~]# ipa-crlgen-manage status
          CRL generation: disabled

      If the output shows that CRL generation is enabled on server123, see Generating CRL on an IdM CA server for more information about how to move the CRL publisher role to another server.

3. Connect to another IdM server in the topology:

       $ ssh idm_user@server456

4. On the server, obtain the IdM administrator's credentials:

       [idm_user@server456 ~]$ kinit admin

5. View the DNA ID ranges assigned to the servers in the topology:

       [idm_user@server456 ~]$ ipa-replica-manage dnarange-show
       server123.idm.example.com: 1001-1500
       server456.idm.example.com: 1501-2000
       [...]

   The output shows that a DNA ID range is assigned to both server123 and server456.

6. If server123 is the only IdM server in the topology with a DNA ID range assigned, create a test IdM user on server456 to ensure that the server has a DNA ID range assigned:

       [idm_user@server456 ~]$ ipa user-add test_idm_user

7. Delete server123.idm.example.com from the topology:

       [idm_user@server456 ~]$ ipa server-del server123.idm.example.com

   Important: If deleting server123 would lead to a disconnected topology, the script warns you about it. For information about how to create a replication agreement between the remaining replicas so that the deletion can proceed, see Setting up replication between two servers using the CLI.

   Note: Running the ipa server-del command removes all replication data and agreements related to server123 for both the domain and ca suffixes. This is in contrast to Domain Level 0 IdM topologies, where you initially had to remove these data by using the ipa-replica-manage del server123 command. Domain Level 0 IdM topologies are those running on RHEL 7.2 and earlier. Use the ipa domainlevel-get command to view the current domain level.

8. Return to server123.idm.example.com and uninstall the existing IdM installation:

       [root@server123 ~]# ipa-server-install --uninstall
       ...
       Are you sure you want to continue with the uninstall procedure? [no]: true

9. Ensure that all name server (NS) DNS records pointing to server123.idm.example.com are deleted from your DNS zones. This applies regardless of whether you use integrated DNS managed by IdM or external DNS. For more information about how to delete DNS records from IdM, see Deleting DNS records in the IdM CLI.
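The role, renewal-master, CRL and DNA range checks above are easy to skip under time pressure, and skipping them is how a topology ends up with no CA or no usable ID range. The following POSIX shell script is an added example, not part of the Red Hat documentation or of IdM itself: it parses the output of the commands shown in the procedure (ipa server-role-find, ipa config-show, ipa-crlgen-manage status, ipa-replica-manage dnarange-show) and refuses to clear a server for removal while it is the sole holder of a role. The function names, the preflight wrapper and the sample outputs are my own assumptions; the samples are constructed to match the shape of the output in the procedure so the parsers can be exercised offline.

```shell
#!/bin/sh
# Added example: pre-flight checks before 'ipa server-del' (not Red Hat's tooling).
# Each parser reads command output on stdin so it can be tested against the
# constructed samples below; preflight() wires the parsers to the live commands.

# Print the name of every server whose role status is "enabled".
# Input: output of 'ipa server-role-find --role ROLE'.
enabled_servers_for_role() {
    awk '/Server name:/ { name = $NF }
         /Role status:/ { if ($NF == "enabled") print name }'
}

# Succeed only when $1 is an enabled holder of the role AND no other server is.
# (If $1 does not hold the role at all, this fails, so an unused role is not a blocker.)
sole_holder_of_role() {
    [ "$(enabled_servers_for_role)" = "$1" ]
}

# Succeed when $1 is the CA renewal master. Input: output of 'ipa config-show'.
is_renewal_master() {
    grep -q "IPA CA renewal master: $1\$"
}

# Succeed when CRL generation is enabled on this host.
# Input: output of 'ipa-crlgen-manage status'.
crl_generation_enabled() {
    grep -q '^CRL generation: enabled'
}

# Print servers other than $1 that have a DNA ID range assigned.
# Input: output of 'ipa-replica-manage dnarange-show' ("host: low-high" lines).
other_servers_with_dna_range() {
    awk -v self="$1" '/: [0-9]+-[0-9]+$/ { sub(/:$/, "", $1); if ($1 != self) print $1 }'
}

# Live checks for the server named in $1: print each blocker, return 1 if any.
# Assumes the ipa client tools are installed and a valid admin ticket exists.
preflight() {
    self="$1"; rc=0
    for role in 'DNS server' 'CA server' 'KRA server'; do
        if ipa server-role-find --role "$role" | sole_holder_of_role "$self"; then
            echo "BLOCKER: $self is the only enabled '$role'"; rc=1
        fi
    done
    if ipa config-show | is_renewal_master "$self"; then
        echo "BLOCKER: $self is the CA renewal server"; rc=1
    fi
    if ipa-crlgen-manage status | crl_generation_enabled; then
        echo "BLOCKER: CRL generation is enabled on $self"; rc=1
    fi
    if [ -z "$(ipa-replica-manage dnarange-show | other_servers_with_dna_range "$self")" ]; then
        echo "WARNING: no other server has a DNA ID range; add a user on another replica first"
    fi
    return $rc
}

# Constructed sample outputs (shaped like the procedure's output, not captured from a system).
SAMPLE_CA_ROLES='----------------------
2 server roles matched
----------------------
  Server name: server123.idm.example.com
  Role name: CA server
  Role status: enabled

  Server name: r8server.idm.example.com
  Role name: CA server
  Role status: enabled
----------------------------
Number of entries returned 2
----------------------------'
SAMPLE_DNS_ROLES='----------------------
1 server role matched
----------------------
  Server name: server123.idm.example.com
  Role name: DNS server
  Role status: enabled
----------------------------
Number of entries returned 1
----------------------------'
SAMPLE_CONFIG='  IPA CA renewal master: r8server.idm.example.com'
SAMPLE_CRL='CRL generation: disabled'
SAMPLE_DNA='server123.idm.example.com: 1001-1500
server456.idm.example.com: 1501-2000'

# Usage against a live topology: sh preflight.sh server123.idm.example.com
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

With the constructed samples, the CA check passes (r8server also holds the role), the DNS check is a blocker (server123 is the only enabled DNS server), server123 is not the renewal master, CRL generation is disabled, and server456 has its own DNA range. Run the script with a hostname argument on a replica with an admin ticket to evaluate the real topology; a non-zero exit means one of the steps above still has to be completed first.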
Additional resources