On 6/2/20 3:28 PM, Auerbach, Steven via FreeIPA-users wrote:
> Can we add the CA mastery or CA replica to an IPA v4 server that is a
> replica and later promote to CA mastery? We have an IPA v3 server that
> has been the only CA master for several years. We have a recent IPAv4
> replica that was set up without DNS or CA or NTP at the point of
> creation, so only the LDAP is in the replication agreement. We are
> trying to retire the IPA v3 servers and have a new replication pair in
> IPA v4 without breaking the realm and all our clients and users
> records. We keep running into walls and roadblocks as we try to build a
> procedure we can execute in an off-hours maintenance window.

Hi,
you can add the CA role to an existing replica that was installed
without CA, using ipa-ca-install on the replica. If you decide later on
to move the master CA to this replica, you can follow the steps from
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
Same thing for DNS, you can run ipa-dns-install on a non-DNS replica.
HTH,
flo

> *Steven Auerbach*
> *Assistant Director of Information Systems*
> *Information Technology & Security*
>
> State University System of Florida
> Board of Governors
> 325 W. Gaines Street
> Tallahassee, Florida 32399
> (850) 245-9592
> www.flbog.edu <http://www.flbog.edu/>