I've followed the procedure in this thread:
https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html
and found my list of RUV that don't have an existing replica id.

I've tried to remove them like so:

[root@seattlenfs ianh]# ldapmodify -D "cn=directory manager" -W -a
Enter LDAP Password:
dn: cn=clean 97, cn=cleanallruv, cn=tasks, cn=config
objectclass: top
objectclass: extensibleObject
replica-base-dn: dc=bpt,dc=rocks
replica-id: 97
replica-force-cleaning: yes
cn: clean 97

adding new entry "cn=clean 97, cn=cleanallruv, cn=tasks, cn=config"

[root@seattlenfs ianh]# ipa-replica-manage list-clean-ruv
CLEANALLRUV tasks
RID 9: Waiting to process all the updates from the deleted replica...
RID 96: Successfully cleaned rid(96).
RID 97: Successfully cleaned rid(97).

No abort CLEANALLRUV tasks running

and yet, they are still there...

[root@seattlenfs ianh]# ldapsearch -ZZ -h seattlenfs.bpt.rocks -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"
Enter LDAP Password:
nsDS5ReplicaId: 81
nsds50ruv: {replicageneration} 55c8f3ae000000600000
nsds50ruv: {replica 81 ldap://seattlenfs.bpt.rocks:389} 568ac431000000510000 5
nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389} 57b103d400000429000
nsds50ruv: {replica 1070 ldap://bellevuenfs.bpt.rocks:389} 57a4f2700000042e000
nsds50ruv: {replica 1075 ldap://bpt-nyc1-nfs.bpt.rocks:389} 57a478650000043300
nsds50ruv: {replica 1080 ldap://bellevuenfs.bpt.rocks:389} 57a4176700000438000
nsds50ruv: {replica 1085 ldap://fremontnis.bpt.rocks:389} 57a403e60000043d0000
nsds50ruv: {replica 1090 ldap://freeipa-dal.bpt.rocks:389} 57a2dd3500000442000
nsds50ruv: {replica 1095 ldap://freeipa-sea.bpt.rocks:389} 579a963c00000447000
nsds50ruv: {replica 96 ldap://freeipa-sea.bpt.rocks:389} 55c8f3bd000000600000
nsds50ruv: {replica 86 ldap://fremontnis.bpt.rocks:389} 5685b24e000000560000 5
nsds50ruv: {replica 91 ldap://seattlenis.bpt.rocks:389} 567ad6180001005b0000 5
nsds50ruv: {replica 97 ldap://freeipa-dal.bpt.rocks:389} 55c8f3ce000000610000
nsds50ruv: {replica 76 ldap://bellevuenis.bpt.rocks:389} 56f385eb0007004c0000
nsds50ruv: {replica 71 ldap://bellevuenfs.bpt.rocks:389} 57048560000900470000
nsds50ruv: {replica 66 ldap://bpt-nyc1-nfs.bpt.rocks:389} 5733e594000a00420000
nsds50ruv: {replica 61 ldap://edinburghnfs.bpt.rocks:389} 574421250000003d0000
nsds50ruv: {replica 1195 ldap://edinburghnfs.bpt.rocks:389} 57a42390000004ab00

What have I done wrong?

The problem I am trying to solve is that seattlenfs.bpt.rocks sends updates to all its children, but their changes don't come back because of these errors:

[23/Aug/2016:00:02:16 -0700] attrlist_replace - attr_replace (nsslapd-referral, ldap://seattlenfs.bpt.rocks:389/dc%3Dbpt%2Cdc%3Drocks) failed.

in effect, the replication agreements are one-way.

Any ideas?

- Ian

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
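An added example, not part of the original post and not FreeIPA's own tooling: a Python parser for the nsds50ruv lines quoted above that groups replica IDs by host, reports where a given RID is still listed, and compares the suffix a cleanallruv task named with the suffix that was searched. It assumes each replica holds one replica ID per suffix (so a host listed under several IDs carries leftovers) and that a CLEANALLRUV task acts only on the suffix in its replica-base-dn; the function names are made up for this example.

```python
import re
from collections import defaultdict

# Excerpt of the ldapsearch output quoted in the post (values as shown there).
SAMPLE = """\
nsDS5ReplicaId: 81
nsds50ruv: {replicageneration} 55c8f3ae000000600000
nsds50ruv: {replica 81 ldap://seattlenfs.bpt.rocks:389} 568ac431000000510000 5
nsds50ruv: {replica 1090 ldap://freeipa-dal.bpt.rocks:389} 57a2dd3500000442000
nsds50ruv: {replica 1095 ldap://freeipa-sea.bpt.rocks:389} 579a963c00000447000
nsds50ruv: {replica 96 ldap://freeipa-sea.bpt.rocks:389} 55c8f3bd000000600000
nsds50ruv: {replica 97 ldap://freeipa-dal.bpt.rocks:389} 55c8f3ce000000610000
"""

# One RUV element: {replica <rid> ldap://<host>:<port>}; the generation line is skipped.
RUV_RE = re.compile(r"nsds50ruv:\s*\{replica\s+(\d+)\s+ldaps?://([^:}\s]+)", re.I)

def parse_ruv(text):
    """Map each host to the sorted replica IDs that have an RUV element for it."""
    by_host = defaultdict(set)
    for rid, host in RUV_RE.findall(text):
        by_host[host.lower()].add(int(rid))
    return {host: sorted(rids) for host, rids in by_host.items()}

def hosts_with_multiple_rids(ruv):
    """Hosts carrying more than one replica ID: at most one can be current."""
    return {host: rids for host, rids in ruv.items() if len(rids) > 1}

def hosts_for_rid(ruv, rid):
    """Hosts whose RUV still lists `rid` (empty list once it is really gone)."""
    return sorted(host for host, rids in ruv.items() if rid in rids)

def normalize_dn(dn):
    # Naive normalisation: fine for simple suffixes, ignores escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def same_suffix(task_base_dn, searched_base_dn):
    """True when the task's replica-base-dn is the suffix that was searched."""
    return normalize_dn(task_base_dn) == normalize_dn(searched_base_dn)

if __name__ == "__main__":
    ruv = parse_ruv(SAMPLE)
    for host, rids in hosts_with_multiple_rids(ruv).items():
        print(f"{host}: replica IDs {rids}")
    print("RID 97 still listed for:", hosts_for_rid(ruv, 97))
    # Values taken from the ldapmodify input and the ldapsearch -b argument.
    print("task suffix == searched suffix:", same_suffix("dc=bpt,dc=rocks", "o=ipaca"))
```

Feed it the full grep output per suffix; a RID that a task reports as cleaned but that still appears here is worth checking against the suffix the task was created for.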