Hi,

Are ipa1 and ipa2 configured as DNS servers? This can be checked with
kinit admin
ipa server-role-find --role 'DNS server'
(since the replication doesn't seem to be working, please check the commands on each server).

If they are configured as DNS servers, is there a forwarder configured?
kinit admin
ipa dnsconfig-show
ipa dnsserver-show ipa1.sj.bps
ipa dnsserver-show ipa2.sj.bps

If they are not DNS servers, what is their DNS client configuration?

Are there any errors related to replication in /var/log/dirsrv/slapd-<YOUR-DOMAIN>/errors?

You can find a few things to check in https://www.freeipa.org/page/Troubleshooting/Directory_Server#Replication_issues

flo
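
Added example, not code from flo's reply or from the FreeIPA project: a small Python triage helper that applies the checks above to saved output instead of to a live server. It parses the three captures quoted below (`ipa-replica-manage list -v`, `dig @localhost` on the replica, `dig @localhost` on the primary) and reports findings: an agreement in Error state, a "last update ended" timestamp still at the Unix epoch (the value 389-ds shows while no update has ever completed), a local resolver that answers SERVFAIL while the primary answers NOERROR, and a zone whose NS record points at a host that is not an IPA server, which is the case where the IPA DNS server needs a forwarder. The function names, the `ipa_hosts` list and the sample text constants are assumptions of this example; the sample text is constructed from the thread's own captures, trimmed to the relevant lines.

```python
# Added triage helper (not part of the thread or of FreeIPA itself): parses
# saved output from the checks discussed above and turns it into findings.
import re
from datetime import datetime, timezone

# Constructed from the outputs quoted in the thread, trimmed to the relevant lines.
REPLICA_MANAGE_OUTPUT = """\
ipa1.sj.bps: replica
  last update status: Error (18) Replication error acquiring replica: Incremental update transient warning.  Backing off, will retry update later. (transient warning)
  last update ended: 1970-01-01 00:00:00+00:00
"""

DIG_ON_REPLICA = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34740
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;ipa1.sj.bps.                   IN      A
"""

DIG_ON_PRIMARY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63201
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;ipa1.sj.bps.                   IN      A

;; ANSWER SECTION:
ipa1.sj.bps.            2222    IN      A       192.168.254.18

;; AUTHORITY SECTION:
sj.bps.                 2222    IN      NS      ns.bps.

;; ADDITIONAL SECTION:
ns.bps.                 2222    IN      A       192.168.254.2
"""

# 389-ds reports the Unix epoch for an agreement whose update has never completed.
NEVER = datetime(1970, 1, 1, tzinfo=timezone.utc)

# One resource record line of dig output: name, TTL, class IN, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")


def parse_dig(text):
    """Return the RCODE and the records of each answer section of a dig capture."""
    result = {"status": None, "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            result["status"] = m.group(1) if m else None
            continue
        m = re.match(r";; (ANSWER|AUTHORITY|ADDITIONAL) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if not line.strip() or line.startswith(";"):
            continue  # comments, the question section and the EDNS pseudo-section
        m = RR_RE.match(line)
        if m and section:
            name, ttl, rtype, rdata = m.groups()
            result[section].append((name, int(ttl), rtype, rdata))
    return result


def parse_replica_status(text):
    """Parse `ipa-replica-manage list -v <host>` into one dict per agreement."""
    agreements = []
    for line in text.splitlines():
        if not line.startswith(" ") and line.endswith(": replica"):
            agreements.append({"host": line[: -len(": replica")],
                               "status": "", "last_update_ended": None})
            continue
        if not agreements:
            continue
        key, _, value = line.strip().partition(":")  # split at the first colon only
        if key == "last update status":
            agreements[-1]["status"] = value.strip()
        elif key == "last update ended":
            agreements[-1]["last_update_ended"] = datetime.fromisoformat(value.strip())
    return agreements


def diagnose(replica_manage_text, local_dig_text, primary_dig_text, qname, ipa_hosts):
    """Combine the three captures into findings, in the order the checks are made."""
    findings = []
    for a in parse_replica_status(replica_manage_text):
        if a["status"].startswith("Error"):
            findings.append(f"{a['host']}: agreement reports an error: {a['status']}")
        if a["last_update_ended"] == NEVER:
            findings.append(f"{a['host']}: last update ended at the epoch, "
                            "so no replication update has ever completed")
    local, primary = parse_dig(local_dig_text), parse_dig(primary_dig_text)
    if local["status"] != "NOERROR" and primary["status"] == "NOERROR":
        findings.append(f"local resolver returns {local['status']} for {qname} while the "
                        "primary resolves it; the peer name must resolve on the replica")
    for zone, _ttl, rtype, ns in primary["AUTHORITY"]:
        if rtype == "NS" and ns.rstrip(".") not in ipa_hosts:
            findings.append(f"{zone} is served by {ns}, not by an IPA server; the IPA DNS "
                            "server needs a forwarder (ipa dnsconfig-show / ipa dnsserver-show)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(REPLICA_MANAGE_OUTPUT, DIG_ON_REPLICA, DIG_ON_PRIMARY,
                            "ipa1.sj.bps.", ["ipa1.sj.bps", "ipa2.sj.bps"]):
        print("-", finding)
```

Run it on the replica with the real captures saved to files, or paste them into the constants, and work through the findings top to bottom: the DNS findings come first in practice, because the agreement cannot leave the Error state until the replica can resolve the primary's name through its own resolver.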


On Tue, Aug 30, 2022 at 2:42 AM Simon Matthews via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Some time back I set up an IPA replica. The initial setup was successful, but now I see that it is not syncing. It's possible that it has never successfully synced. I suspect that something related to DNS may not be working properly. Advice on debugging and fixing this would be appreciated.

# ipa-replica-manage list -v ipa2.sj.bps
ipa1.sj.bps: replica
  last update status: Error (18) Replication error acquiring replica: Incremental update transient warning.  Backing off, will retry update later. (transient warning)
  last update ended: 1970-01-01 00:00:00+00:00

I think that something related to DNS is not working correctly on my replica. My IPA domain is "ipa.<mycompany>.com". However, the DNS domain used on the network is "sj.bps" and the primary nameserver is not either of the IPA servers.

Both the primary and replica have DNS that works for the "sj.bps" domain to an extent. I can ping using names in the "sj.bps" domain on the replica (ipa2):

[root@ipa2 ~]# ping ipa1.sj.bps.
PING ipa1.sj.bps (192.168.254.18) 56(84) bytes of data.
64 bytes from ipa1.sj.bps (192.168.254.18): icmp_seq=1 ttl=64 time=0.451 ms
^C
--- ipa1.sj.bps ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.451/0.451/0.451/0.000 ms

But a local lookup doesn't work:

[root@ipa2 ~]# dig @localhost ipa1.sj.bps.

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost ipa1.sj.bps.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34740
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps.                   IN      A

;; Query time: 5 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 29 20:37:37 EDT 2022
;; MSG SIZE  rcvd: 40

A similar dig command on the primary works:
[root@ipa1 ~]#  dig @localhost ipa1.sj.bps.

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost ipa1.sj.bps.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63201
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps.                   IN      A

;; ANSWER SECTION:
ipa1.sj.bps.            2222    IN      A       192.168.254.18

;; AUTHORITY SECTION:
sj.bps.                 2222    IN      NS      ns.bps.

;; ADDITIONAL SECTION:
ns.bps.                 2222    IN      A       192.168.254.2

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 29 20:38:34 EDT 2022
;; MSG SIZE  rcvd: 89

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org