4.3. Recovering from a VM snapshot to establish a new IdM environment

Procedure

1. Boot the desired snapshot of the CA replica VM.

2. Isolate the restored server from the rest of the current deployment by removing all of its replication topology segments.

   1. First, display all domain replication topology segments.

      [root@restored-CA-replica ~]# ipa topologysegment-find
      Suffix name: domain
      ------------------
      8 segments matched
      ------------------
        Segment name: new_segment
        Left node: restored-CA-replica.example.com
        Right node: server2.example.com
        Connectivity: both
      
      ...
      
      ----------------------------
      Number of entries returned 8
      ----------------------------

   2. Next, delete every domain topology segment involving the restored server.

      [root@restored-CA-replica ~]# ipa topologysegment-del
      Suffix name: domain
      Segment name: new_segment
      -----------------------------
      Deleted segment "new_segment"
      -----------------------------

   3. Finally, perform the same actions with any ca topology segments.

      [root@restored-CA-replica ~]# ipa topologysegment-find
      Suffix name: ca
      ------------------
      1 segments matched
      ------------------
        Segment name: ca_segment
        Left node: restored-CA-replica.example.com
        Right node: server4.example.com
        Connectivity: both
      ----------------------------
      Number of entries returned 1
      ----------------------------
      
      [root@restored-CA-replica ~]# ipa topologysegment-del
      Suffix name: ca
      Segment name: ca_segment
      -----------------------------
      Deleted segment "ca_segment"
      -----------------------------

3. Install a sufficient number of IdM replicas from the restored server to handle the deployment load. There are now two disconnected IdM deployments running in parallel.
4. Switch the IdM clients to use the new deployment by hard-coding references to the new IdM replicas. See Adjusting IdM clients during recovery.
5. Stop and uninstall IdM servers from the previous deployment. See Uninstalling an IdM server.

Verification

1. Test the Kerberos server on every new replica by successfully retrieving a Kerberos ticket-granting ticket as an IdM user.

   [root@server ~]# kinit admin
   Password for admin@EXAMPLE.COM:
   
   [root@server ~]# klist
   Ticket cache: KCM:0
   Default principal: admin@EXAMPLE.COM
   
   Valid starting       Expires              Service principal
   10/31/2019 15:51:37  11/01/2019 15:51:02  HTTP/server.example.com@EXAMPLE.COM
   10/31/2019 15:51:08  11/01/2019 15:51:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM

2. Test the Directory Server and SSSD configuration on every new replica by retrieving user information.

   [root@server ~]# ipa user-show admin
     User login: admin
     Last name: Administrator
     Home directory: /home/admin
     Login shell: /bin/bash
     Principal alias: admin@EXAMPLE.COM
     UID: 1965200000
     GID: 1965200000
     Account disabled: False
     Password: True
     Member of groups: admins, trust admins
     Kerberos keys available: True

3. Test the CA server on every new CA replica with the ipa cert-show command.

   [root@server ~]# ipa cert-show 1
     Issuing CA: ipa
     Certificate: MIIEgjCCAuqgAwIBAgIjoSIP...
     Subject: CN=Certificate Authority,O=EXAMPLE.COM
     Issuer: CN=Certificate Authority,O=EXAMPLE.COM
     Not Before: Thu Oct 31 19:43:29 2019 UTC
     Not After: Mon Oct 31 19:43:29 2039 UTC
     Serial number: 1
     Serial number (hex): 0x1
     Revoked: False