On ti, 29 loka 2019, lejeczek via FreeIPA-users wrote: You really need to show what you have rather than assume we know what you have. For three masters, there are several ways of connecting them so that there are two segments. Or may be you connected all three in a triangle. For example: A <-> B <-> C, B <-> A <-> C, A <-> B <-> C <-> A Without knowing your topology it is not possible to say what is correct and what is not. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

Just some user notes I really like the IPA server topology graph through the web front end, visualising the agreements between servers is really useful. You can add or remove agreements here too, for both domain and CA (for servers that have CA enabled) I've deployed 6 IPA servers equally across our three main sites and enabled CA on all of them, this seems to work fine and I've succefully moved the CA renewal master twice (due to external reasons.) Check the red hat documentation on replication agreements, I recall there are some useful notes there on planning. Regards Angus ________________________________ From: lejeczek via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org&gt; Sent: Tuesday, 29 October 2019, 14:24 To: FreeIPA users list Cc: lejeczek Subject: [Freeipa-users] Re: number of topology segments for 3 servers clean setup? On 29/10/2019 08:51, Alexander Bokovoy wrote: sorry was being vague. Question was not about correct or not but rather I sought to confirm that what IPA replicas (3 masters in total) installers created in topology - which was two segments - was what IPA does by default (and not seek to create every every possible chain in topology, in my case it'd be that triangle) and not a result of some error/problem. I now assume that it simply is - each replica installation process creates just one segment: new-replica <-> used_master ? many thanks, L.

I followed the thread, and I’m not sure you ever got an answer. Generally ipa replica install seems to create one replication agreement. The exact relationships for 3 servers depends upon which master the replica was created from. It could be 2 replicas talking to the original, or 3 in a line. But either way there’s two replication agreements. The obvious thing for 3 servers is a complete triangle. Without that, failure of the wrong node could cause the other two to become disconnected from each other, which is probably not desirable. So you’d want to add the third node. Whichever one is missing. I assume the reason they don’t add more replicas by default is that in larger configurations you probably don’t want a fully-connected mesh. ipa-replica-install has no way of knowing what your final topology is going to be, and no way to guess what replication agreements you really need. So it does the minimal necessary to maintain connectivity.