4.2. Deployment Considerations for Replicas
4.2.1. Distribution of Server Services in the Topology

Figure 4.2. Replicas with Different Services
CA Services on Replicas
Warning
- For example, if the server includes an integrated IdM CA as the root CA, the replica must also be installed with an integrated CA as the root CA.
- See Section 2.3.2, “Determining What CA Configuration to Use” for the supported CA configuration options.
4.2.2. Replica Topology Recommendations
- Configure no more than 60 replicas in a single IdM domain
- Red Hat guarantees to support environments with 60 replicas or fewer.
- Configure at least two, but no more than four replication agreements per replica
- Configuring additional replication agreements ensures that information is replicated not just between the initial replica and the master server, but between other replicas as well.
- If you create replica B from server A and then replica C from server A, replicas B and C are not directly joined, so data from replica B must first be replicated to server A before propagating to replica C.
Figure 4.3. Replicas B and C Are Not Joined in a Replication Agreement
Setting up an additional replication agreement between replica B and replica C ensures the data is replicated directly, which improves data availability, consistency, failover tolerance, and performance.
Figure 4.4. Replicas B and C Are Joined in a Replication Agreement
See Chapter 6, Managing Replication Topology for details on managing replication agreements.
Configuring more than four replication agreements per replica is unnecessary. A large number of replication agreements per server does not bring significant additional benefits, because one consumer server can only be updated by one master at a time, so the other agreements are meanwhile idle and waiting. Additionally, configuring too many replication agreements can have a negative impact on overall performance.
Note
The ipa topologysuffix-verify command checks if your topology meets the most important recommendations. Run ipa topologysuffix-verify --help for details. The command requires you to specify the topology suffix. See Section 6.1, “Explaining Replication Agreements, Topology Suffixes, and Topology Segments” for details.
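The recommendations above can also be checked offline against a list of replication agreements. The following is an added example, not Red Hat's code and not the implementation of ipa topologysuffix-verify; the function name check_topology, the (left, right) pair format, and the server names A, B, and C are assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_REPLICAS = 60    # page: no more than 60 replicas in a single IdM domain
MIN_AGREEMENTS = 2   # page: at least two agreements per replica
MAX_AGREEMENTS = 4   # page: no more than four agreements per replica


def check_topology(segments):
    """Return sorted findings for a list of (left, right) replication agreements."""
    peers = defaultdict(set)
    for left, right in segments:
        if left == right:
            continue                 # ignore a malformed self-agreement
        peers[left].add(right)       # sets de-duplicate A-B / B-A entries
        peers[right].add(left)

    findings = []
    # Assumption: every server named in an agreement counts toward the limit.
    if len(peers) > MAX_REPLICAS:
        findings.append(f"domain: {len(peers)} servers, more than {MAX_REPLICAS}")
    for server, linked in peers.items():
        if len(linked) < MIN_AGREEMENTS:
            findings.append(f"{server}: {len(linked)} agreement(s), "
                            f"below the recommended minimum of {MIN_AGREEMENTS}")
        elif len(linked) > MAX_AGREEMENTS:
            findings.append(f"{server}: {len(linked)} agreements, "
                            f"above the recommended maximum of {MAX_AGREEMENTS}")

    # Breadth-first search: a server that cannot be reached over any chain of
    # agreements never receives changes made elsewhere in the domain.
    if peers:
        start = next(iter(peers))
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in peers[queue.popleft()] - seen:
                seen.add(nxt)
                queue.append(nxt)
        for server in peers.keys() - seen:
            findings.append(f"{server}: not reachable from {start}")
    return sorted(findings)


# Constructed sample: the Figure 4.3 layout (B and C both created from A).
NOT_JOINED = [("A", "B"), ("A", "C")]
# Constructed sample: the Figure 4.4 layout with the extra B-C agreement.
JOINED = NOT_JOINED + [("B", "C")]

if __name__ == "__main__":
    for name, topo in (("not joined", NOT_JOINED), ("joined", JOINED)):
        print(name, check_topology(topo) or "meets the recommendations")
```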

Figure 4.5. Topology Example
4.2.2.1. Tight Cell Topology
- Each of the cells is a tight cell, where all servers have replication agreements with each other.
- Each server has one replication agreement with another server outside the cell. This ensures that every cell is loosely coupled to every other cell in the domain.
- Have at least one IdM server in each main office, data center, or locality. Preferably, have two IdM servers.
- Do not have more than four servers per data center.
- In small offices, rather than using a replica, use SSSD to cache credentials and an off-site IdM server as the data back end.