Questo contenuto non è disponibile nella lingua selezionata.

Chapter 10. Uninstalling an IdM server

Follow this procedure to uninstall an Identity Management (IdM) server named server123.idm.example.com (server123). In the procedure, you first ensure that other servers are running critical services and that the topology will continue to be redundant before performing the uninstallation.

Prerequisites

You have root access to server123.
You have an IdM administrator’s credentials.

Procedure

If your IdM environment uses integrated DNS, ensure that server123 is not the only enabled DNS server:

[root@server123 ~]# ipa server-role-find --role 'DNS server'
----------------------
2 server roles matched
----------------------
  Server name: server456.idm.example.com
  Role name: DNS server
  Role status: enabled
[...]
----------------------------
Number of entries returned 2
----------------------------

If server123 is the only remaining DNS server in the topology, add the DNS server role to another IdM server. For more information, see the ipa-dns-install(1) man page on your system.

If your IdM environment uses an integrated certificate authority (CA):
1. Ensure that server123 is not the only enabled CA server:
```
[root@server123 ~]# ipa server-role-find --role 'CA server'
----------------------
2 server roles matched
----------------------
  Server name: server123.idm.example.com
  Role name: CA server
  Role status: enabled

  Server name: r8server.idm.example.com
  Role name: CA server
  Role status: enabled
----------------------------
Number of entries returned 2
----------------------------
```
  If server123 is the only remaining CA server in the topology, add the CA server role to another IdM server. For more information, see the ipa-ca-install(1) man page on your system.
2. If you have enabled vaults in your IdM environment, ensure that server123.idm.example.com is not the only enabled Key Recovery Authority (KRA) server:
```
[root@server123 ~]# ipa server-role-find --role 'KRA server'
----------------------
2 server roles matched
----------------------
  Server name: server123.idm.example.com
  Role name: KRA server
  Role status: enabled

  Server name: r8server.idm.example.com
  Role name: KRA server
  Role status: enabled
----------------------------
Number of entries returned 2
----------------------------
```
  If server123 is the only remaining KRA server in the topology, add the KRA server role to another IdM server. For more information, see man ipa-kra-install(1).
3. Ensure that server123.idm.example.com is not the CA renewal server:
```
[root@server123 ~]# ipa config-show | grep 'CA renewal'
  IPA CA renewal master: r8server.idm.example.com
```
  If server123 is the CA renewal server, see Changing and resetting IdM CA renewal server for more information about how to move the CA renewal server role to another server.
4. Ensure that server123.idm.example.com is not the current certificate revocation list (CRL) publisher:
```
[root@server123 ~]# ipa-crlgen-manage status
CRL generation: disabled
```
  If the output shows that CRL generation is enabled on server123, see Generating CRL on an IdM CA server for more information about how to move the CRL publisher role to another server.
Connect to another IdM server in the topology:
```
$ ssh idm_user@server456
```
On the server, obtain the IdM administrator’s credentials:
```
[idm_user@server456 ~]$ kinit admin
```
View the DNA ID ranges assigned to the servers in the topology:
```
[idm_user@server456 ~]$ ipa-replica-manage dnarange-show
server123.idm.example.com: 1001-1500
server456.idm.example.com: 1501-2000
[...]
```
The output shows that a DNA ID range is assigned to both server123 and server456.
If server123 is the only IdM server in the topology with a DNA ID range assigned, create a test IdM user on server456 to ensure that the server has a DNA ID range assigned:
```
[idm_user@server456 ~]$ ipa user-add test_idm_user
```
Delete server123.idm.example.com from the topology:
```
[idm_user@server456 ~]$ ipa server-del server123.idm.example.com
```
Important
If deleting server123 would lead to a disconnected topology, the script warns you about it. For information about how to create a replication agreement between the remaining replicas so that the deletion can proceed, see Setting up replication between two servers using the CLI.
Note
Running the ipa server-del command removes all replication data and agreements related to server123 for both the domain and ca suffixes. This is in contrast to Domain Level 0 IdM topologies, where you initially had to remove these data by using the ipa-replica-manage del server123 command. Domain Level 0 IdM topologies are those running on RHEL 7.2 and earlier. Use the ipa domainlevel-get command to view the current domain level.

Return to server123.idm.example.com and uninstall the existing IdM installation:

[root@server123 ~]# ipa-server-install --uninstall
...
Are you sure you want to continue with the uninstall procedure? [no]: true

Ensure that all name server (NS) DNS records pointing to server123.idm.example.com are deleted from your DNS zones. This applies regardless of whether you use integrated DNS managed by IdM or external DNS. For more information about how to delete DNS records from IdM, see Deleting DNS records in the IdM CLI.

Additional resources

Displaying and raising the domain level in RHEL 7 documentation
Planning the replica topology
Explanation of IdM CA renewal server
Generating CRL on an IdM CA server

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 10. Uninstalling an IdM server

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Rendiamo l’open source più inclusivo

Informazioni su Red Hat

Red Hat legal and privacy links

Red Hat legal and privacy links