Este contenido no está disponible en el idioma seleccionado.

Chapter 9. Uninstalling an IdM server


Follow this procedure to uninstall an Identity Management (IdM) server named server123.idm.example.com (server123). In the procedure, you first ensure that other servers are running critical services and that the topology will continue to be redundant before performing the uninstallation.

Prerequisites

  • You have root access to server123.
  • You have an IdM administrator’s credentials.

Procedure

  1. If your IdM environment uses integrated DNS, ensure that server123 is not the only enabled DNS server:

    [root@server123 ~]# ipa server-role-find --role 'DNS server'
    ----------------------
    2 server roles matched
    ----------------------
      Server name: server456.idm.example.com
      Role name: DNS server
      Role status: enabled
    [...]
    ----------------------------
    Number of entries returned 2
    ----------------------------

    If server123 is the only remaining DNS server in the topology, add the DNS server role to another IdM server. For more information, see the ipa-dns-install(1) man page on your system.

  2. If your IdM environment uses an integrated certificate authority (CA):

    1. Ensure that server123 is not the only enabled CA server:

      [root@server123 ~]# ipa server-role-find --role 'CA server'
      ----------------------
      2 server roles matched
      ----------------------
        Server name: server123.idm.example.com
        Role name: CA server
        Role status: enabled
      
        Server name: r8server.idm.example.com
        Role name: CA server
        Role status: enabled
      ----------------------------
      Number of entries returned 2
      ----------------------------

      If server123 is the only remaining CA server in the topology, add the CA server role to another IdM server. For more information, see the ipa-ca-install(1) man page on your system.

    2. If you have enabled vaults in your IdM environment, ensure that server123.idm.example.com is not the only enabled Key Recovery Authority (KRA) server:

      [root@server123 ~]# ipa server-role-find --role 'KRA server'
      ----------------------
      2 server roles matched
      ----------------------
        Server name: server123.idm.example.com
        Role name: KRA server
        Role status: enabled
      
        Server name: r8server.idm.example.com
        Role name: KRA server
        Role status: enabled
      ----------------------------
      Number of entries returned 2
      ----------------------------

      If server123 is the only remaining KRA server in the topology, add the KRA server role to another IdM server. For more information, see man ipa-kra-install(1).

    3. Ensure that server123.idm.example.com is not the CA renewal server:

      [root@server123 ~]# ipa config-show | grep 'CA renewal'
        IPA CA renewal master: r8server.idm.example.com

      If server123 is the CA renewal server, see Changing and resetting IdM CA renewal server for more information about how to move the CA renewal server role to another server.

    4. Ensure that server123.idm.example.com is not the current certificate revocation list (CRL) publisher:

      [root@server123 ~]# ipa-crlgen-manage status
      CRL generation: disabled

      If the output shows that CRL generation is enabled on server123, see Generating CRL on an IdM CA server for more information about how to move the CRL publisher role to another server.

  3. Connect to another IdM server in the topology:

    $ ssh idm_user@server456
  4. On the server, obtain the IdM administrator’s credentials:

    [idm_user@server456 ~]$ kinit admin
  5. View the DNA ID ranges assigned to the servers in the topology:

    [idm_user@server456 ~]$ ipa-replica-manage dnarange-show
    server123.idm.example.com: 1001-1500
    server456.idm.example.com: 1501-2000
    [...]

    The output shows that a DNA ID range is assigned to both server123 and server456.

  6. If server123 is the only IdM server in the topology with a DNA ID range assigned, create a test IdM user on server456 to ensure that the server has a DNA ID range assigned:

    [idm_user@server456 ~]$ ipa user-add test_idm_user
  7. Delete server123.idm.example.com from the topology:

    [idm_user@server456 ~]$ ipa server-del server123.idm.example.com
    Important

    If deleting server123 would lead to a disconnected topology, the script warns you about it. For information about how to create a replication agreement between the remaining replicas so that the deletion can proceed, see Setting up replication between two servers using the CLI.

    Note

    Running the ipa server-del command removes all replication data and agreements related to server123 for both the domain and ca suffixes. This is in contrast to Domain Level 0 IdM topologies, where you initially had to remove these data by using the ipa-replica-manage del server123 command. Domain Level 0 IdM topologies are those running on RHEL 7.2 and earlier. Use the ipa domainlevel-get command to view the current domain level.

  8. Return to server123.idm.example.com and uninstall the existing IdM installation:

    [root@server123 ~]# ipa-server-install --uninstall
    ...
    Are you sure you want to continue with the uninstall procedure? [no]: true
  9. Ensure that all name server (NS) DNS records pointing to server123.idm.example.com are deleted from your DNS zones. This applies regardless of whether you use integrated DNS managed by IdM or external DNS. For more information about how to delete DNS records from IdM, see Deleting DNS records in the IdM CLI.
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

© 2024 Red Hat, Inc.