Peter Tselios via FreeIPA-users wrote:
I had set up on 2 CentOS 7.5 boxes a FreeIPA Master and a Replica.
Currently the master has all services (DNS, CA, KRA) and it's prepared for one-way
trust with AD.
Unfortunately, I have a lot of issues with the replica!
The replica setup was:
ipa-replica-install --setup-ca --setup-dns --setup-kra --no-forwarder
Although the installation was successful, when I tried to create a Trust with our AD, the
AD administrator told me that the replica did not respond to DNS and truly, the DNS was
down. Actually, the named-pkcs11 service was not even enabled on the replica. So, the
ipactl restart told me to run the ipa-server-upgrade which I did.
The upgrade failed in the KRA section because it could not connect to the MASTER server
on port 8443.
I didn't have time to investigate further, so, I just removed the replica and
re-installed it (with another issue, that will be posted in another thread later), this
time without the KRA.
If I run the ipa-kra-install, will it REPLICATE the master, or will it create a new KRA?
Unfortunately, I cannot take a backup and test it and I cannot install a second replica
(don't ask plz).
It will create a clone of the existing KRA.
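The two things that broke in the post above were the replica's named-pkcs11 unit not being enabled and the upgrade being unable to reach the master on port 8443, which is also the port a KRA clone talks to. The following pre-flight script is an added example written for this page; it is not from the thread, from FreeIPA, or from either poster. The master hostname `ipa-master.example.test` and the `MASTER_HOST`/`PREFLIGHT_RC` variable names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added pre-flight check (not from the thread or from FreeIPA): run on the replica
# before ipa-kra-install to confirm the master's KRA port is reachable and that
# the replica's named-pkcs11 unit is enabled.
# MASTER_HOST is an assumed placeholder; set it to the real master FQDN.

MASTER_HOST="${MASTER_HOST:-ipa-master.example.test}"
KRA_PORT=8443

# tcp_reachable HOST PORT: returns 0 if a TCP connection opens within 3 seconds.
# Uses bash's /dev/tcp pseudo-device so it needs no nc or curl on a minimal host;
# a DNS failure, a closed port, or a missing bash all count as "unreachable".
tcp_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# unit_enabled NAME: returns 0 if systemd reports the unit as enabled.
# A host without systemctl (or an unknown unit) returns non-zero.
unit_enabled() {
    [ "$(systemctl is-enabled "$1" 2>/dev/null)" = "enabled" ]
}

# preflight: runs both checks, prints one line per check, and returns 0 only
# when everything passed, so it can gate a deployment step.
preflight() {
    rc=0
    if tcp_reachable "$MASTER_HOST" "$KRA_PORT"; then
        echo "OK   $MASTER_HOST:$KRA_PORT reachable; a KRA clone can contact the master"
    else
        echo "FAIL cannot reach $MASTER_HOST:$KRA_PORT; ipa-kra-install would fail here"
        rc=1
    fi
    if unit_enabled named-pkcs11; then
        echo "OK   named-pkcs11 is enabled"
    else
        echo "WARN named-pkcs11 is not enabled; DNS on this replica will not start on boot"
        rc=1
    fi
    return $rc
}

# Run the checks; the result is kept in PREFLIGHT_RC (assumed name) rather than
# aborting, so the functions can also be sourced and reused from another script.
PREFLIGHT_RC=0
preflight || PREFLIGHT_RC=$?
```

Run it on the replica as root with `MASTER_HOST` set to the master's FQDN; a non-zero `PREFLIGHT_RC` means the same failure the poster hit during `ipa-server-upgrade` would recur, and it is cheaper to fix the firewall or the unit before starting the KRA clone than to clean up a half-installed one.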