D.2. Creating Replicas
- The procedures and examples are not mutually exclusive; it is possible to use the CA, DNS, and other command-line options simultaneously. Examples in the following sections are called out separately to make it clearer what each configuration area requires.
The ipa-replica-install utility accepts a number of other options as well. For a complete list, see the ipa-replica-install(1) man page.
D.2.1. Installing a Replica without DNS
- On the master IdM server, run the ipa-replica-prepare utility and add the fully qualified domain name (FQDN) of the replica machine. Note that the ipa-replica-prepare script does not validate the IP address or verify if the IP address of the replica is reachable by other servers.

Important: The fully qualified domain name must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the host name cause DNS failures. Additionally, the host name must be all lower-case; no capital letters are allowed. For other recommended naming practices, see the Red Hat Enterprise Linux Security Guide.

If the master server is configured with integrated DNS, specify the IP address of the replica machine using the --ip-address option. The installation script then asks if you want to configure the reverse zone for the replica. Only pass --ip-address if the IdM server was configured with integrated DNS. Otherwise, there is no DNS record to update, and the attempt to create the replica fails when the DNS record operation fails.

Enter the initial master server's Directory Manager (DM) password when prompted. The output of ipa-replica-prepare displays the location of the replica information file. For example:
[root@server ~]# ipa-replica-prepare replica.example.com --ip-address 192.0.2.2
Directory Manager (existing master) password:
Do you want to configure the reverse zone? [yes]: no
Preparing replica for replica.example.com from server.example.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-replica.example.com.gpg
Adding DNS records for replica.example.com
Waiting for replica.example.com. A or AAAA record to be resolvable
This can be safely interrupted (Ctrl+C)
The ipa-replica-prepare command was successful
Warning: Replica information files contain sensitive information. Take appropriate steps to ensure that they are properly protected.

For other options that can be added to ipa-replica-prepare, see the ipa-replica-prepare(1) man page.
- On the replica machine, install the ipa-server package.
[root@replica ~]# yum install ipa-server
- Copy the replica information file from the initial server to the replica machine:
[root@server ~]# scp /var/lib/ipa/replica-info-replica.example.com.gpg root@replica:/var/lib/ipa/
- On the replica machine, run the ipa-replica-install utility and add the location of the replication information file to start the replica initialization process. Enter the original master server's Directory Manager and admin passwords when prompted, and wait for the replica installation script to complete.
[root@replica ~]# ipa-replica-install /var/lib/ipa/replica-info-replica.example.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'server.example.com':
...
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@MASTER.EXAMPLE.COM password:
Check SSH connection to remote master
...
Connection from master to replica is OK.
...
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
...
Restarting Directory server to apply updates
  [1/2]: stopping directory server
  [2/2]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Restarting the web server
Note: If the replica file being installed does not match the current host name, the replica installation script displays a warning message and asks for confirmation. In some cases, such as on multi-homed machines, you can confirm to continue with the mismatched host names.

For command-line options that can be added to ipa-replica-install, see the ipa-replica-prepare(1) man page. Note that one of the options ipa-replica-install accepts is the --ip-address option. When added to ipa-replica-install, --ip-address only accepts IP addresses associated with the local interface.
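The following pre-flight script is an added example for the procedure above; it is not part of the Red Hat documentation or of the IdM tools. It checks three things the steps call for before ipa-replica-prepare and ipa-replica-install are run: that the replica FQDN is a valid, all-lower-case DNS name (digits, letters and hyphens only, as the Important note requires); that the replica information file is not readable by group or others, since the Warning marks it as sensitive; and that the replica file name (replica-info-<fqdn>.gpg) matches the host it is installed on, which otherwise triggers the confirmation prompt described in the Note. The function names, the expectation of a 0600-style mode, the use of GNU stat (with a BSD fallback) and the demonstration file are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks for preparing and installing an IdM replica.
# Added example (not Red Hat's code); function names, the 0600 expectation,
# the stat(1) invocation and the sample inputs are assumptions.
LC_ALL=C; export LC_ALL   # byte-based [a-z] ranges regardless of locale

# 1. A replica FQDN must be fully qualified and contain only lower-case
#    letters, digits, hyphens and dots (no underscores, no capitals).
#    Label and name length limits are the standard DNS limits (63 / 253).
validate_replica_fqdn() {
    fqdn=$1
    [ -n "$fqdn" ] && [ ${#fqdn} -le 253 ] || return 1
    case $fqdn in
        *.*) ;;                       # must be fully qualified
        *) return 1 ;;
    esac
    case $fqdn in
        *[!a-z0-9.-]*) return 1 ;;    # underscore, capital letter, space, ...
    esac
    case $fqdn in
        .*|*.|*..*) return 1 ;;       # empty label (leading/trailing/double dot)
    esac
    rest=$fqdn
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        [ ${#label} -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac   # label may not start/end with '-'
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    return 0
}

# 2. The replica information file is sensitive: refuse to copy it while any
#    group or other permission bit is set (0600, 0400 ... pass; 0644 fails).
replica_file_is_protected() {
    file=$1
    [ -f "$file" ] || return 1
    # GNU stat (Red Hat Enterprise Linux) first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null) || mode=$(stat -f '%Lp' "$file") || return 1
    case $mode in
        *00) return 0 ;;
        *) return 1 ;;
    esac
}

# 3. ipa-replica-prepare names the file replica-info-<fqdn>.gpg; that <fqdn>
#    should be the host ipa-replica-install runs on (default: hostname -f).
replica_file_matches_host() {
    file=$1
    host=${2:-$(hostname -f 2>/dev/null || hostname)}
    base=${file##*/}
    case $base in
        replica-info-*.gpg) ;;
        *) return 1 ;;
    esac
    prepared_for=${base#replica-info-}
    prepared_for=${prepared_for%.gpg}
    [ "$prepared_for" = "$host" ]
}

# Run all three checks, print one verdict line each, return 0 only if all pass.
replica_preflight() {
    fqdn=$1; file=$2; host=${3:-$fqdn}
    status=0
    if validate_replica_fqdn "$fqdn"; then
        echo "ok:   '$fqdn' is a valid lower-case DNS name"
    else
        echo "FAIL: '$fqdn' is not a valid replica FQDN (lower-case letters, digits, hyphens only)"; status=1
    fi
    if replica_file_is_protected "$file"; then
        echo "ok:   $file is not readable by group or others"
    else
        echo "FAIL: $file is missing or readable by group/others; chmod 600 it before copying"; status=1
    fi
    if replica_file_matches_host "$file" "$host"; then
        echo "ok:   $file was prepared for $host"
    else
        echo "FAIL: $file was not prepared for $host (ipa-replica-install will ask for confirmation)"; status=1
    fi
    return $status
}

# Constructed demonstration (no IdM server involved): an empty stand-in for the
# replica file with a safe mode, then an invalid FQDN and a world-readable file.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/replica-info-replica.example.com.gpg"
: > "$demo_file"
chmod 600 "$demo_file"
replica_preflight replica.example.com "$demo_file"
chmod 644 "$demo_file"
replica_preflight Replica_1.example.com "$demo_file" replica.example.com || echo "preflight failed as expected"
rm -rf "$demo_dir"
```

Run it on the master before the scp step with the real replica FQDN and file path, and again on the replica (passing the actual host name as the third argument, or letting it default to hostname -f) before ipa-replica-install; a non-zero exit means at least one of the three conditions the procedure relies on is not met.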
D.2.2. Installing a Replica with DNS
To configure DNS on the replica as part of the installation, pass the --setup-dns option to ipa-replica-install and specify a forwarder with --forwarder. For example:

[root@replica ~]# ipa-replica-install /var/lib/ipa/replica-info-replica.example.com.gpg --setup-dns --forwarder 198.51.100.0

After running ipa-replica-install, make sure proper DNS entries were created, and optionally add other DNS servers as backup servers. See Section 4.5.3, “Installing a Replica with DNS” for details.
D.2.3. Installing a Replica with Various CA Configurations
Installing a Replica from a Server with a Certificate System CA Installed
To set up a CA on the replica, add the --setup-ca option to the ipa-replica-install command. The --setup-ca option copies the CA configuration from the initial server's configuration.
[root@replica ~]# ipa-replica-install /var/lib/ipa/replica-info-replica.example.com.gpg --setup-ca
Installing a Replica from a Server without a Certificate System CA Installed
If the initial server does not have a Certificate System CA installed, pass the Directory Server and web server certificate files and their PINs to the ipa-replica-prepare utility on the initial server:
[root@server ~]# ipa-replica-prepare replica.example.com --dirsrv-cert-file /tmp/server.key --dirsrv-pin secret --http-cert-file /tmp/server.crt --http-cert-file /tmp/server.key --http-pin secret --dirsrv-cert-file /tmp/server.crt
D.2.4. Adding Additional Replication Agreements
The ipa-replica-install utility creates an initial replication agreement between the master server and the replica. To connect the replica to other servers or replicas, add additional agreements using the