Hello, I had setup on 2 CentOS 7.5 boxes a FreeIPA Master and a Replica. Currently the master has all services (DNS, CA, KRA) and it's prepared for one-way trust with AD. Unfortunately, I have a lot of issues with the replica! The replica setup was: ipa-replica-install --setup-ca --setup-dns --setup-kra --no-forwarder Although the installation was successful, when I tried to create a Trust with our AD, the AD administrator told me that the replica did not responded to DNS and truly, the DNS was down. Actually, the named-pks11 service was not even enabled on the replica. So, the ipactl restart told me to run the ipa-server-upgrade which I did. The upgrade failed in the KRA section because it could not connect to the MASTER server on port 8443. I didn't have time to investigate further, so, I just removed the replica and re-installed it (with another issue, that will be posted in another thread later), this time without the KRA. My question: If I run the ipa-kra-install, will it REPLICATE the master, or will it create a new KRA server? Unfortunately, I cannot take a backup and test it and I cannot install a second replica (don't ask plz).