I have recently added a replica to my existing setup. Everything seems to work except for 2 issues that I have noted: #1 IPA health check generates a warning from the replica only (master is ok) similar to this: { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck", "result": "WARNING", "uuid": "my_uuid", "when": "20191121135331Z", "duration": "2.128808", "kw": { "key": "my_key", "error": "returned nothing", "msg": "Look up of {key} {error}" } }, #2 id some_user returns: id: 'some_user': no such user I have also noted that: ipa trust-fetch-domains "gsil.smil" return an error - Fetching domains from trusted forest failed ipa trustdomain-find is able to find the domain ipa idrange-find returns the same set of results for both the master and the replica ipa-replica-manage dnarange-show shows that the dna ranges are not overlapping (my understanding is this is a good thing) My environment: Rocky 8.7 FreeIPA 4.9.10 Master: gsil-ipa01 Replica: gsil-ipa02 Both master and replica are configured with server roles: AD trust agent, AD trust controller, CA server, DNS server, KRA server. Are issues #1 and #2 related? ie- fix one and the other will work as expected? I am still reviewing possible solutions for why ldap lookup using the id command is not working. But maybe it will never work unless I fix the healthcheck issue... Your input is greatly appreciated!