On 09/04/2015 12:00 AM, Rob Crittenden wrote:
> Steven Jones wrote:
>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I
>> try and remove the last one the master? it says,
>>
>> "[root@vuwunicoipam001 thing]# ipa-replica-manage del
>> vuwunicoipam002.xxxxxxxx
>> Directory Manager password:
>>
>> Deleting a master is irreversible.
>> To reconnect to the remote master you will need to prepare a new replica file
>> and re-install.
>> Continue to delete? [no]: yes
>> Deleting this server will orphan 'vuwunicoipam001xxxxxxxxx and
>> vuwunicoipam003.xxxxxxxxx
>> You will need to reconfigure your replication topology to delete this server.
>> [root@vuwunicoipam001 thing]# ipa-replica-manage list
>> Directory Manager password:
>>
>> vuwunicoipam002.xxxxxxxx master
>> vuwunicoipam003.xxxxxxxx master
>> vuwunicoipam001.xxxxxxxx master
>> [root@vuwunicoipam001 thing]#"
>>
>> So how do I re-configure?
>
> Every server is a master. The only differences may be the services running (CA
> and/or DNS) and only one generates the CRL and manages certificate renewal.
> Otherwise they are all equal masters.
>
> This doesn't show the topology. Were I to guess it looks like:
>
>      001
>     /   \
>   002   003
>
> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
>
> Then you should be able to delete 0001. Just be sure at least one of those
> other masters has a CA, if not both of them. You may need ipa-csreplica-manage
> connect to connect that topology.
>
> Also be aware of the DNA config. A master doesn't automatically get one. It
> only gets it when it creates an entry that needs a range.

However, in this case this should not be a problem AFAIK, given that
ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:

https://fedorahosted.org/freeipa/ticket/3321

Martin
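
The orphan check discussed in this thread, as an added example that is not part of the original messages and not FreeIPA's own code: it models replication agreements as an undirected graph and reports whether deleting a master would split the remaining ones. The topology is the one guessed in the reply above (001 connected to 002 and 003); the function names are hypothetical.

```python
from collections import deque

def components_after_delete(agreements, victim):
    """Return the connected groups of masters left once `victim` is removed."""
    adj = {}
    for a, b in agreements:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    remaining = set(adj) - {victim}
    groups, seen = [], set()
    for start in sorted(remaining):
        if start in seen:
            continue
        group, queue = set(), deque([start])
        while queue:  # breadth-first walk that never passes through the victim
            node = queue.popleft()
            if node in group:
                continue
            group.add(node)
            queue.extend(n for n in adj[node] if n != victim and n not in group)
        seen |= group
        groups.append(sorted(group))
    return groups

def safe_to_delete(agreements, victim):
    """True when the remaining masters would still form one replication domain."""
    return len(components_after_delete(agreements, victim)) <= 1

def segments_to_add(agreements, victim):
    """Fewest new agreements that rejoin the groups the deletion would split."""
    groups = components_after_delete(agreements, victim)
    return [(groups[i][0], groups[i + 1][0]) for i in range(len(groups) - 1)]

# Constructed sample: the topology guessed in the reply (assumption, not verified).
M1, M2, M3 = "vuwunicoipam001", "vuwunicoipam002", "vuwunicoipam003"
GUESSED = [(M1, M2), (M1, M3)]

if __name__ == "__main__":
    print("safe to delete", M1, "now:", safe_to_delete(GUESSED, M1))
    for a, b in segments_to_add(GUESSED, M1):
        print(f"ipa-replica-manage connect {a} {b}")
    print("safe after connect:", safe_to_delete(GUESSED + [(M2, M3)], M1))
```

The check covers only the domain replication graph; CA replication agreements form a separate topology and would need the same check with their own agreement list.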