Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 2. Migrating your IdM environment from RHEL 8 servers to RHEL 9 servers

To upgrade a RHEL 8 IdM environment to RHEL 9, you must first add new RHEL 9 IdM replicas to your RHEL 8 IdM environment, and then retire the RHEL 8 servers. The migration involves moving all Identity Management (IdM) data and configuration from a Red Hat Enterprise Linux (RHEL) 8 server to a RHEL 9 server.

Important

Migrate all servers in an IdM deployment as quickly as possible. Mixing different IdM versions in the same deployment for extended periods of time can lead to incompatibilities or possibly even unrecoverable data corruption.

Warning
  • Performing an in-place upgrade of RHEL 8 IdM servers and IdM server nodes to RHEL 9 is not supported.
  • Before migrating your IdM environment to RHEL 9, Red Hat recommends to first run ipa-healthcheck to prevent issues.
  • For more information about adding a RHEL 9 IdM replica in FIPS mode to a RHEL 8 IdM deployment in FIPS mode, see the Identity Management section in Considerations in adopting RHEL 9.

  • After upgrading your IdM replica to RHEL 9.2, the IdM Kerberos Distribution Center (KDC) might fail to issue ticket-granting tickets (TGTs) to users who do not have Security Identifiers (SIDs) assigned to their accounts. Consequently, the users cannot log in to their accounts.

    To work around the problem, generate SIDs by running # ipa config-mod --enable-sid --add-sids as an IdM administrator on another IdM replica in the topology. Afterward, if users still cannot log in, examine the Directory Server error log. You might have to adjust ID ranges to include user POSIX identities.

  • Migrating directly to RHEL 9 from RHEL 7 or earlier versions is not supported. To properly update your IdM data, you must perform incremental migrations.

    For example, to migrate a RHEL 7 IdM environment to RHEL 9:

    1. Migrate from RHEL 7 servers to RHEL 8 servers. See Migrating to Identity Management on RHEL 8.
    2. Migrate from RHEL 8 servers to RHEL 9 servers, as described in this section.

The main migration procedure includes:

  1. Configuring a RHEL 9 IdM server and adding it as a replica to your current RHEL 8 IdM environment. For details, see Installing the RHEL 9 Replica.
  2. Making the RHEL 9 server the certificate authority (CA) renewal server. For details, see Assigning the CA renewal server role to the RHEL 9 IdM server.
  3. Stopping the generation of the certificate revocation list (CRL) on the RHEL 8 server and redirecting CRL requests to RHEL 9. For details, see Stopping CRL generation on a RHEL 8 IdM CA server.
  4. Starting the generation of the CRL on the RHEL 9 server. For details, see Starting CRL generation on the new RHEL 9 IdM CA server.
  5. Stopping and decommissioning the original RHEL 8 CA renewal server. For details, see Stopping and decommissioning the RHEL 8 server.

Additional procedures for large or complex deployments

The following optional procedures are strongly recommended for large, geographically distributed, or mission-critical IdM deployments to ensure topology health and prevent service disruption:

Before beginning your migration, review the strategy guidance and consider which optional procedures apply to your deployment:

In the following procedures:

  • rhel9.example.com is the RHEL 9 system that will become the new CA renewal server.

  • rhel8.example.com is the original RHEL 8 CA renewal server.

    If your IdM deployment does not use an IdM CA, any IdM server running on RHEL 8 can be rhel8.example.com.

Migrating a large or geographically distributed Identity Management (IdM) topology requires additional planning to ensure service continuity. While the core migration steps (installing a new replica, establishing it as a CA renewal server, and decommissioning the old server) apply to all deployments, large environments benefit from stricter inventory and validation processes.

Migration workflow comparison

The following table highlights the recommended additional steps for large or complex topologies compared to a standard single-server or small-cluster migration.

Expand
StepStandard MigrationLarge/Complex Migration

1. Inventorying Topology

Optional.

Strongly Recommended. Document all server roles and replication agreements to ensure no critical service (CA, DNS, KRA, AD Trust) is lost during replica replacement.

2. Recording DNA ID Ranges

Optional.

Strongly Recommended. Record assigned ID ranges to prevent exhaustion if a server holding a large range is decommissioned without reassignment.

3. Reusing Server Hostname

Rarely needed.

Conditional. If reusing hostnames, wait for replication to fully converge before re-installing. Rapid removal and addition can cause conflicts in high-latency topologies.

4. Installing New Replica

Required.

Required. Ensure the new replica is installed with the same roles as the one it replaces. Run Healthcheck during verification to catch issues early.

5. Assigning CA Renewal Role

Required (if using integrated CA).

Required (if using integrated CA). Verify the role assignment replicates before proceeding.

6. Managing CRL Generation

Required (if using integrated CA).

Required (if using integrated CA). Stop CRL on old server, redirect requests, start on new server.

7. Updating Client Configuration

Automatic (mostly).

Manual updates may be needed. Clients pinned to specific servers in ipa.conf or sssd.conf must be updated to point to new replicas.

8. Decommissioning Old Server

Required.

Required. Verify no unique roles are lost and allow replication to converge.

Strategic considerations for large deployments

  • Maintain Redundancy: Ensure at least one other server provides critical services (CA, DNS, KRA, AD Trust) before decommissioning a replica.
  • Replication Lag: In geographically distributed deployments, allow additional time between topology changes for replication to converge. Rapid remove/add cycles can create conflicts that are difficult to resolve across high-latency links.
  • Batching: For very large topologies, migrate site-by-site, validating health after each wave. Avoid decommissioning all servers in a single site simultaneously.

2.2. Prerequisites for migrating IdM from RHEL 8 to 9
Copier lien

Note

If you want to use hardware security modules (HSMs) to store your CA and KRA keys and certificates, you cannot upgrade an existing installation where the keys were not generated on an HSM to an HSM-based install.

On rhel8.example.com:

  1. Upgrade the system to the latest RHEL 8 version.

    Important

    If you are migrating to RHEL 9.0, do not update to a newer version than RHEL 8.6. Migrating from RHEL 8.7 is only supported for RHEL 9.1.

  2. Update the ipa-* packages to their latest version: 

    [root@rhel8 ~]# dnf update ipa-*
    Copy to Clipboard Toggle word wrap
    Warning

    When upgrading multiple Identity Management (IdM) servers, wait at least 10 minutes between each upgrade.

    When two or more servers are upgraded simultaneously or with only short intervals between the upgrades, there is not enough time to replicate the post-upgrade data changes throughout the topology, which can result in conflicting replication events.

On rhel9.example.com:

  1. Install the latest version of Red Hat Enterprise Linux on the system. For more information, see Interactively installing RHEL from installation media.
  2. Ensure the system is an IdM client enrolled into the domain for which rhel8.example.com IdM server is authoritative. For more information, see Installing an IdM client: Basic scenario.
  3. Ensure the system meets the requirements for IdM server installation. See Preparing the system for IdM server installation.

  4. Ensure you know the time server rhel8.example.com is synchronized with: 

    [root@rhel8 ~]# ntpstat
synchronised to NTP server (ntp.example.com) at stratum 3
   time correct to within 42 ms
   polling server every 1024 s
    Copy to Clipboard Toggle word wrap
  5. Ensure the system is authorized for the installation of an IdM replica. See Authorizing the installation of a replica on an IdM client.

  6. Update the ipa-* packages to their latest version: 

    [root@rhel8 ~]# dnf update ipa-*
    Copy to Clipboard Toggle word wrap
Note

For large or geographically distributed deployments, consider completing the following optional but recommended procedures before beginning the migration:

These steps help ensure service continuity and prevent issues during the migration.

2.3. Performing an inventory of roles in your IdM topology
Copier lien

Use this procedure to capture the current IdM server roles and replication layout before you replace replicas. This procedure is optional but strongly recommended, especially for large or complex topologies, to prevent role coverage gaps.

Prerequisites

  • You are logged in to an IdM server as an administrator.

Procedure

  1. List the servers in the topology and the roles enabled on each server: 

    [root@rhel7 ~]# ipa server-find --all
---------------------
2 IPA servers matched
---------------------
  dn: cn=ipa1.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
  Server name: ipa1.example.com
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: AD trust agent, AD trust controller, CA server, DNS server, IPA master, KRA server

  dn: cn=ipa2.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
  Server name: ipa2.example.com
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: AD trust agent, AD trust controller, CA server, IPA master
----------------------------
Number of entries returned 2
----------------------------
    Copy to Clipboard Toggle word wrap

  2. Verify that the CA renewal master role is assigned to exactly one server: 

    [root@rhel7 ~]# ipa config-show | grep "CA renewal master"
IPA CA renewal master: ipa1.example.com
    Copy to Clipboard Toggle word wrap

  3. Verify that the DNSSEC key master role is assigned to exactly one server: 

    [root@rhel7 ~]# ipa dnsconfig-show | grep 'DNSSec key master'
IPA DNSSec key master: ipa1.example.com
    Copy to Clipboard Toggle word wrap
  4. Record which servers provide other critical roles (such as CA, DNS, KRA, AD trust agent, and AD trust controller). You will reference this list when assigning roles to new replicas or validating redundancy during migration.

  5. If your IdM deployment is in a trust with an Active Directory (AD) forest, plan to ensure that during the migration:

    1. At least one trust controller remains online at all times.
    2. Whenever possible, each replica also runs the trust agent so that clients can resolve AD users regardless of which server they contact.
  6. Review replication agreements and the site layout to confirm that each site keeps redundant connectivity throughout the migration: Replica topology examples.
  7. Ensure that the number of replication agreements per server aligns with the long-term guideline of four or fewer links: Guidelines for connecting IdM replicas in a topology.

  8. Run ipa-healthcheck to identify replication issues before you modify the topology: 

    [root@rhel8 ~]# ipa-healthcheck --source=ipahealthcheck.ds.replication --source=ipahealthcheck.ipa.topology
    Copy to Clipboard Toggle word wrap

2.4. Recording DNA ID ranges before migration
Copier lien

Use this procedure to document the Distributed Numeric Assignment (DNA) ID ranges that are currently allocated so that you can reassign them after a server is removed during migration. Recording DNA ranges is optional but strongly recommended, especially for large or complex topologies, to prevent blocking user creation.

Prerequisites

  • You are logged in to an IdM server as an administrator.

Procedure

  1. On each server that will be decommissioned, display the DNA ID ranges currently allocated: 

    [root@rhel7 ~]# ipa-replica-manage dnarange-show
    Copy to Clipboard Toggle word wrap

  2. Display the next DNA range queued for allocation so you know what will be assigned after the current sub-range is consumed: 

    [root@rhel7 ~]# ipa-replica-manage dnanextrange-show
    Copy to Clipboard Toggle word wrap
  3. Record the collected ranges in your migration notes. You will reference these values when ensuring DNA range coverage on the new replica before decommissioning the old server. Losing a server that owns an unrecorded sub-range can block the creation of new users or groups.

Additional resources

Displaying the currently assigned DNA ID ranges

Assigning DNA ID ranges manually

2.5. Reusing an IdM server hostname safely
Copier lien

Follow this procedure when you need to reuse an existing IdM server hostname for a new replica during migration. Hostname reuse is typically required when:

  • DNS or firewall rules are tightly coupled to specific hostnames
  • Client configurations explicitly reference the hostname that must be preserved
  • Network or security policies require specific server names

This procedure is optional; use it only when hostname reuse is necessary. For large or geographically distributed topologies, extra care is needed to prevent replication conflicts when reusing hostnames.

Prerequisites

  • You have administrative access to the IdM topology and to the server being replaced.
  • DNS records for the hostname can be updated if the IP address changes.
Warning

This procedure describes a specialized workflow for reusing an existing server hostname during migration. Only follow this procedure if you specifically need to preserve a hostname due to DNS, firewall rules, or client configuration requirements.

If you are performing a standard migration with new hostnames, skip this procedure and proceed directly to installing your new replica.

Procedure

  1. Run IdM Healthcheck on the server you plan to remove and resolve any issues so the topology is in a clean state before you begin: Using IdM Healthcheck to monitor your IdM environment.

  2. Remove the server from the topology on a different replica. For example, to remove rhel8.example.com: 

    [root@rhel9 ~]# ipa-replica-manage del rhel8.example.com --cleanup
    Copy to Clipboard Toggle word wrap

    Confirm the command completes successfully and that the removal is replicated to the remaining servers.

  3. On the RHEL 8 host you are decommissioning, uninstall the IdM server to clean up services and certificates: 

    [root@rhel8 ~]# ipa-server-install --uninstall
    Copy to Clipboard Toggle word wrap
  4. Allow replication to converge across all remaining servers before you reinstall a replica with the same hostname. In high-latency environments, wait for at least one full replication cycle and confirm the host no longer appears in ipa server-find output.
  5. After replication has fully converged and you have confirmed the old server no longer appears in the topology, proceed to install your new RHEL 9 replica using the reused hostname. See Installing the RHEL 9 replica.

  6. After installation completes, run IdM Healthcheck on the new RHEL 9 replica to verify that no replication conflicts were introduced: 

    [root@rhel9 ~]# ipa-healthcheck
    Copy to Clipboard Toggle word wrap

    Pay particular attention to replication-related checks to ensure the hostname reuse did not cause conflicts.

2.6. Installing the RHEL 9 replica
Copier lien

  1. List which server roles are present in your RHEL 8 environment: 

    [root@rhel8 ~]# ipa server-role-find --status enabled --server rhel8.example.com
----------------------
3 server roles matched
----------------------
  Server name: rhel8.example.com
  Role name: CA server
  Role status: enabled

  Server name: rhel8.example.com
  Role name: DNS server
  Role status: enabled
[... output truncated ...]
    Copy to Clipboard Toggle word wrap

  2. Optional: If you want to use the same per-server forwarders for rhel9.example.com that rhel8.example.com is using, view the per-server forwarders for rhel8.example.com: 

    [root@rhel8 ~]# ipa dnsserver-show rhel8.example.com
-----------------------------
1 DNS server matched
-----------------------------
  Server name: rhel8.example.com
  SOA mname: rhel8.example.com.
  Forwarders: 192.0.2.20
  Forward policy: only
--------------------------------------------------
Number of entries returned 1
--------------------------------------------------
    Copy to Clipboard Toggle word wrap
  1. Review the replication agreements topology using the steps in either Viewing replication topology using the WebUI or Viewing topology suffixes using the CLI and Viewing topology segments using the CLI.

  2. Install the IdM server software on rhel9.example.com to configure it as a replica of the RHEL 8 IdM server, including all the server roles present on rhel8.example.com. To install the roles from the example above, use these options with the ipa-replica-install command:

    • --setup-ca to set up the Certificate System component

    • --setup-dns and --forwarder to configure an integrated DNS server and set a per-server forwarder to take care of DNS queries that go outside the IdM domain

      Note

      Additionally, if your IdM deployment is in a trust relationship with Active Directory (AD), add the --setup-adtrust option to the ipa-replica-install command to configure AD trust capability on rhel9.example.com.

    • --ntp-server to specify an NTP server or --ntp-pool to specify a pool of NTP servers

      To set up an IdM server with the IP address of 192.0.2.1 that uses a per-server forwarder with the IP address of 192.0.2.20 and synchronizes with the ntp.example.com NTP server: 

      [root@rhel9 ~]# ipa-replica-install --setup-ca --ip-address 192.0.2.1 --setup-dns --forwarder 192.0.2.20 --ntp-server ntp.example.com
      Copy to Clipboard Toggle word wrap

      You do not need to specify the RHEL 8 IdM server itself because if DNS is working correctly, rhel9.example.com will find it using DNS autodiscovery.

  3. Optional: Add an _ntp._udp service (SRV) record for your external NTP time server to the DNS of the newly-installed IdM server, rhel9.example.com. The presence of the SRV record for the time server in IdM DNS ensures that future RHEL 9 replica and client installations are automatically configured to synchronize with the time server used by rhel9.example.com. This is because ipa-client-install looks for the _ntp._udp DNS entry unless --ntp-server or --ntp-pool options are provided on the install command-line interface (CLI).
  4. Create any replication agreements needed to re-create the previous topology using the steps in Setting up replication between two servers using the Web UI or Setting up replication between two servers using the CLI.

Verification

  1. Verify that the IdM services are running on rhel9.example.com: 

    [root@rhel9 ~]# ipactl status
Directory Service: RUNNING
[... output truncated ...]
ipa: INFO: The ipactl command was successful
    Copy to Clipboard Toggle word wrap

  2. Run IdM Healthcheck on rhel9.example.com to validate services, replication, and certificate health: 

    [root@rhel9 ~]# ipa-healthcheck
    Copy to Clipboard Toggle word wrap

    If Healthcheck reports warnings or errors, investigate and resolve them before decommissioning any RHEL 8 servers. For targeted replication tests, you can run: 

    [root@rhel9 ~]# ipa-healthcheck --source=ipahealthcheck.ds.replication --source=ipahealthcheck.ipa.topology
    Copy to Clipboard Toggle word wrap

  3. Verify that server roles for rhel9.example.com are the same as for rhel8.example.com: 

    [root@rhel9 ~]# kinit admin
[root@rhel9 ~]# ipa server-role-find --status enabled --server rhel9.example.com
----------------------
2 server roles matched
----------------------
  Server name: rhel9.example.com
  Role name: CA server
  Role status: enabled

  Server name: rhel9.example.com
  Role name: DNS server
  Role status: enabled
    Copy to Clipboard Toggle word wrap

  4. Optional: Display details about the replication agreement between rhel8.example.com and rhel9.example.com: 

    [root@rhel9 ~]# ipa-csreplica-manage list --verbose rhel9.example.com
Directory Manager password:

rhel8.example.com
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental update succeeded
last update ended: 2019-02-13 13:55:13+00:00
    Copy to Clipboard Toggle word wrap

  5. Optional: If your IdM deployment is in a trust relationship with AD, verify that it is working:

    1. Verify the Kerberos configuration

    2. Attempt to resolve an AD user on rhel9.example.com: 

      [root@rhel9 ~]# id aduser@ad.domain
      Copy to Clipboard Toggle word wrap

  6. Verify that rhel9.example.com is synchronized with the NTP server: 

    [root@rhel8 ~]# chronyc tracking
Reference ID    : CB00710F (ntp.example.com)
Stratum         : 3
Ref time (UTC)  : Wed Feb 16 09:49:17 2022
[... output truncated ...]
    Copy to Clipboard Toggle word wrap

If your IdM deployment uses an embedded certificate authority (CA), assign the CA renewal server role to the Red Hat Enterprise Linux (RHEL) 9 IdM server.

On rhel9.example.com, configure rhel9.example.com as the new CA renewal server:

  1. Configure rhel9.example.com to handle CA subsystem certificate renewal: 

    [root@rhel9 ~]# ipa config-mod --ca-renewal-master-server rhel9.example.com
  ...
  IPA masters: rhel8.example.com, rhel9.example.com
  IPA CA servers: rhel8.example.com, rhel9.example.com
  IPA CA renewal master: rhel9.example.com
    Copy to Clipboard Toggle word wrap

    The output confirms that the update was successful.

  2. On rhel9.example.com, enable the certificate updater task:

    1. Open the /etc/pki/pki-tomcat/ca/CS.cfg configuration file for editing.
    2. Remove the ca.certStatusUpdateInterval entry, or set it to the desired interval in seconds. The default value is 600.
    3. Save and close the /etc/pki/pki-tomcat/ca/CS.cfg configuration file.

    4. Restart IdM services: 

      [user@rhel9 ~]$ ipactl restart
      Copy to Clipboard Toggle word wrap

  3. On rhel8.example.com, disable the certificate updater task:

    1. Open the /etc/pki/pki-tomcat/ca/CS.cfg configuration file for editing.

    2. Change ca.certStatusUpdateInterval to 0, or add the following entry if it does not exist: 

      ca.certStatusUpdateInterval=0
      Copy to Clipboard Toggle word wrap
    3. Save and close the /etc/pki/pki-tomcat/ca/CS.cfg configuration file.

    4. Restart IdM services: 

      [user@rhel8 ~]$ ipactl restart
      Copy to Clipboard Toggle word wrap

2.8. Stopping CRL generation on a RHEL 8 IdM CA server
Copier lien

If your IdM deployment uses an embedded certificate authority (CA), stop generating the Certificate Revocation List (CRL) on the IdM CRL publisher server.

Prerequisites

  • You must be logged in as root.

Procedure

  1. Optional: Verify that rhel8.example.com is generating the CRL: 

    [root@rhel8 ~]# ipa-crlgen-manage status
CRL generation: enabled
Last CRL update: 2021-10-31 12:00:00
Last CRL Number: 6
The ipa-crlgen-manage command was successful
    Copy to Clipboard Toggle word wrap

  2. Stop generating the CRL on the rhel8.example.com server: 

    [root@rhel8 ~]# ipa-crlgen-manage disable
Stopping pki-tomcatd
Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
Starting pki-tomcatd
Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
Restarting httpd
CRL generation disabled on the local host. Please make sure to configure CRL generation on another master with ipa-crlgen-manage enable.
The ipa-crlgen-manage command was successful
    Copy to Clipboard Toggle word wrap

Verification

  • Check if the rhel8.example.com server stopped generating the CRL: 

    [root@rhel7 ~]# ipa-crlgen-manage status
    Copy to Clipboard Toggle word wrap

The rhel8.example.com server stopped generating the CRL. The next step is to enable generating the CRL on rhel9.example.com.

2.9. Starting CRL generation on the new RHEL 9 IdM CA server
Copier lien

If your IdM deployment uses an embedded certificate authority (CA), start Certificate Revocation List (CRL) generation on the new Red Hat Enterprise Linux (RHEL) 9 IdM CA server.

Prerequisites

  • You must be logged in as root on the rhel9.example.com machine.

Procedure

  1. To start generating the CRL on rhel9.example.com, use the ipa-crlgen-manage enable command: 

    [root@rhel9 ~]# ipa-crlgen-manage enable
Stopping pki-tomcatd
Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
Starting pki-tomcatd
Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
Restarting httpd
Forcing CRL update
CRL generation enabled on the local host. Please make sure to have only a single CRL generation master.
The ipa-crlgen-manage command was successful
    Copy to Clipboard Toggle word wrap

Verification

  • To check if CRL generation is enabled, use the ipa-crlgen-manage status command: 

    [root@rhel8 ~]# ipa-crlgen-manage status
CRL generation: enabled
Last CRL update: 2021-10-31 12:10:00
Last CRL Number: 7
The ipa-crlgen-manage command was successful
    Copy to Clipboard Toggle word wrap

2.10. Updating IdM clients that are pinned to specific servers
Copier lien

Use this procedure to update clients that do not rely solely on DNS service discovery after you replace or decommission IdM replicas. Updating pinned clients is optional but strongly recommended for large or complex topologies where static configuration is common.

Prerequisites

  • You have root access to each client that requires updates.
  • Replacement IdM servers are in service and reachable.

Procedure

  1. Update the system resolvers on affected clients so they point to the current IdM DNS servers. Adjust /etc/resolv.conf or your network configuration tooling to remove references to retired servers.

  2. If the client uses the fallback enrollment server defined in /etc/ipa/default.conf, replace the hostname in both of the following parameters with an active IdM server: 

    xmlrpc_uri = https://ipa_new.example.com/ipa/xml
server = ipa_new.example.com
    Copy to Clipboard Toggle word wrap

  3. Review the ipa_server parameter in /etc/sssd/sssd.conf:

    • If it lists specific servers, update the list to include only active replicas or switch to SRV-only discovery by using srv.
    • If it references the retired hostname, replace it with the new server names.

  4. Restart SSSD to apply the updates: 

    [root@client ~]# systemctl restart sssd
    Copy to Clipboard Toggle word wrap
  5. Test authentication and lookups from the client to confirm it can reach the updated servers.

2.11. Stopping and decommissioning the RHEL 8 server
Copier lien

  1. Make sure that all data, including the latest changes, have been correctly migrated from rhel8.example.com to rhel9.example.com. For example:

    1. Add a new user on rhel8.example.com: 

      [root@rhel8 ~]# ipa user-add random_user
First name: random
Last name: user
      Copy to Clipboard Toggle word wrap

    2. Check that the user has been replicated to rhel9.example.com: 

      [root@rhel9 ~]# ipa user-find random_user
--------------
1 user matched
--------------
  User login: random_user
  First name: random
  Last name: user
      Copy to Clipboard Toggle word wrap

  2. Ensure that a Distributed Numeric Assignment (DNA) ID range is allocated to rhel9.example.com. If you recorded DNA ranges earlier (see Recording DNA ID ranges before migration), you can reference those values when reassigning ranges. Use one of the following methods:

    • Activate the DNA plug-in on rhel9.example.com directly by creating another test user: 

      [root@rhel9 ~]# ipa user-add another_random_user
First name: another
Last name: random_user
      Copy to Clipboard Toggle word wrap

    • Assign a specific DNA ID range to rhel9.example.com:

      1. On rhel8.example.com, display the IdM ID range: 

        [root@rhel8 ~]# ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: EXAMPLE.COM_id_range
  First Posix ID of the range: 196600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
        Copy to Clipboard Toggle word wrap

      2. On rhel8.example.com, display the allocated DNA ID ranges: 

        [root@rhel8 ~]# ipa-replica-manage dnarange-show
rhel8.example.com: 196600026-196799999
rhel9.example.com: No range set
        Copy to Clipboard Toggle word wrap

      3. Reduce the DNA ID range allocated to rhel8.example.com so that a section becomes available to rhel9.example.com: 

        [root@rhel8 ~]# ipa-replica-manage dnarange-set rhel8.example.com 196600026-196699999
        Copy to Clipboard Toggle word wrap

      4. Assign the remaining part of the IdM ID range to rhel9.example.com: 

        [root@rhel8 ~]# ipa-replica-manage dnarange-set rhel9.example.com 196700000-196799999
        Copy to Clipboard Toggle word wrap

  3. Stop all IdM services on rhel8.example.com to force domain discovery to the new rhel9.example.com server. 

    [root@rhel8 ~]# ipactl stop
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named:                                            [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    EXAMPLE-COM...                                         [  OK  ]
    PKI-IPA...                                             [  OK  ]
    Copy to Clipboard Toggle word wrap

    After this, the ipa utility will contact the new server through a remote procedure call (RPC).

  4. Remove the RHEL 8 server from the topology by executing the removal commands on the RHEL 9 server. For details, see Uninstalling an IdM server.
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat