Ah got it! Wonderful.
The trick as to run the topologysegement-del on the same server it was on.
It seems i am moving forward with this now - thanks.
#
# To remove the topology segment, which removed the replica agreement
#
#
# Show the bad replication agreement
#
# ipa-replica-manage list -v `hostname`
Directory Manager password:
bad_server.ad.companyx.fm: replica
last update status: Error (-1) Problem connecting to replica - LDAP error: Can't
contact LDAP server (connection error)
last update ended: 1970-01-01 00:00:00+00:00
ipa003dc.ad.companyx.fm: replica
last update status: Error (0) Replica acquired successfully: Incremental update
succeeded
last update ended: 2023-04-26 06:43:07+00:00
ipa005.ad.companyx.fm: replica
last update status: Error (0) Replica acquired successfully: Incremental update
succeeded
last update ended: 2023-04-26 06:43:14+00:00
ipa007.ad.companyx.fm: replica
last update status: Error (0) Replica acquired successfully: Incremental update
succeeded
last update ended: 2023-04-26 06:43:02+00:00
#
# find the segment (domain or ca)
#
$ ipa topologysegment-find domain | grep etcd
Segment name: ipa006.ad.companyx.fm-to-bad_server.ad.companyx.fm
Right node: bad_server.ad.companyx.fm
#
# delete that segment
#
$ ipa topologysegment-del domain ipa006.ad.companyx.fm-to-bad_server.ad.companyx.fm
---------------------------------------------------------
Deleted segment "ipa006.ad.companyx.fm-to-bad_server.ad.companyx.fm"
---------------------------------------------------------
#
# check it has gone - tada!
#
$ ipa-replica-manage list -v `hostname`
ipa: ERROR: Cannot open log file '/var/log/ipa/cli.log': [Errno 13] Permission
denied: '/var/log/ipa/cli.log'
ipa003dc.ad.companyx.fm: replica
last update status: Error (0) Replica acquired successfully: Incremental update started
last update ended: 1970-01-01 00:00:00+00:00
ipa005.ad.companyx.fm: replica
last update status: Error (0) Replica acquired successfully: Incremental update started
last update ended: 1970-01-01 00:00:00+00:00
ipa007.ad.companyx.fm: replica
last update status: Error (0) Replica acquired successfully: Incremental update
succeeded
last update ended: 2023-04-26 06:46:08+00:00
#
# Next up, removing the "LDAP Conflicts" but - "Removal of Segment
disconnects topology.Deletion not allowed."
#
$ ldapdelete
cn=bad_server.ad.companyx.fm-to-ipa006.ad.companyx.fm+nsuniqueid=34b26c01-ceee11ed-9d1d82de-03f3a8a3,cn=ca,cn=topology,cn=ipa,cn=etc,dc=ad,dc=companyx,dc=fm
SASL/GSSAPI authentication started
SASL username: nicholas.cross(a)AD.companyx.FM
SASL SSF: 256
SASL data security layer installed.
ldap_delete: Server is unwilling to perform (53)
additional info: Removal of Segment disconnects topology.Deletion not allowed.
#
# I think this is the solution:
https://access.redhat.com/solutions/5507711
#
# Question1: during running the above RedHat solution, does this only disable the topology
replication? and leaves all other dirsrv components running?
#
#
# After that - finally remove the Ghost Replicas - which was the original question.
#
$ ldapsearch -D "cn=Directory Manager" -w $pass -Q -o ldif-wrap=no -LLL -b
"dc=ad,dc=companyx,dc=fm"
'(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))'
dn: cn=replica,cn=dc\3Dad\2Cdc\3Dcompanyx\2Cdc\3Dfm,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDNGroup: cn=replication
managers,cn=sysaccounts,cn=etc,dc=ad,dc=companyx,dc=fm
nsDS5ReplicaBindDnGroupCheckInterval: 60
nsDS5ReplicaId: 56
nsDS5ReplicaName: a6b5640c-ad3911ed-a50980fb-6203228c
nsDS5ReplicaRoot: dc=ad,dc=companyx,dc=fm
nsDS5ReplicaType: 3
nsState:: OAAAAAAAAABf0EhkAAAAAAAAAAAAAAAA7AAAAAAAAAAFAAAAAAAAAA==
nsds5ReplicaBackoffMax: 300
nsds5ReplicaLegacyConsumer: off
nsds5ReplicaReleaseTimeout: 60
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsds5ReplicaCleanRUV: 15:no:0:dc=ad,dc=companyx,dc=fm
nsds5ReplicaCleanRUV: 24:no:0:dc=ad,dc=companyx,dc=fm
nsds50ruv: {replicageneration} 5d9e2076000000040000
nsds50ruv: {replica 56 ldap://ipa006.ad.companyx.fm:389} 63ece66f000000380000
6448d15d000400380000
nsds50ruv: {replica 46 ldap://ipa005.ad.companyx.fm:389} 63dbcc200001002e0000
6448d115000e002e0000
nsds50ruv: {replica 48 ldap://ipa007.ad.companyx.fm:389} 63ea4e54000100300000
6448d115000700300000
nsds50ruv: {replica 58 ldap://ipa001dc.ad.companyx.fm:389} 643d03280001003a0000
6448ca410000003a0000
nsds50ruv: {replica 60 ldap://ipa002dc.ad.companyx.fm:389} 643d19680001003c0000
6448c9e40009003c0000
nsds50ruv: {replica 62 ldap://ipa003dc.ad.companyx.fm:389} 643d491e0001003e0000
6448cab40000003e0000
nsds5agmtmaxcsn:
dc=ad,dc=companyx,dc=fm;ipa006.ad.companyx.fm-to-ipa003dc.ad.companyx.fm;ipa003dc.ad.companyx.fm;389;62;6448cf8e000800380000
nsds5agmtmaxcsn:
dc=ad,dc=companyx,dc=fm;ipa006.ad.companyx.fm-to-ipa005.ad.companyx.fm;ipa005.ad.companyx.fm;389;46;6448cf8e000800380000
nsds5agmtmaxcsn:
dc=ad,dc=companyx,dc=fm;ipa006.ad.companyx.fm-to-ipa007.ad.companyx.fm;ipa007.ad.companyx.fm;389;48;6448cf8e000800380000
nsruvReplicaLastModified: {replica 56 ldap://ipa006.ad.companyx.fm:389} 6448d071
nsruvReplicaLastModified: {replica 46 ldap://ipa005.ad.companyx.fm:389} 6448d02b
nsruvReplicaLastModified: {replica 48 ldap://ipa007.ad.companyx.fm:389} 6448d02b
nsruvReplicaLastModified: {replica 58 ldap://ipa001dc.ad.companyx.fm:389} 6448c956
nsruvReplicaLastModified: {replica 60 ldap://ipa002dc.ad.companyx.fm:389} 6448c8fb
nsruvReplicaLastModified: {replica 62 ldap://ipa003dc.ad.companyx.fm:389} 6448c9c9
nsruvReplicaLastModified: {replica 25} 00000000
nsruvReplicaLastModified: {replica 23} 00000000
nsruvReplicaLastModified: {replica 40} 00000000
nsruvReplicaLastModified: {replica 12} 00000000
nsruvReplicaLastModified: {replica 21} 00000000
nsds5ReplicaChangeCount: 790081
nsds5replicareapactive: 0
#
# Question2: How to remove these? from the above
#
nsruvReplicaLastModified: {replica 25} 00000000
nsruvReplicaLastModified: {replica 23} 00000000
nsruvReplicaLastModified: {replica 40} 00000000
nsruvReplicaLastModified: {replica 12} 00000000
nsruvReplicaLastModified: {replica 21} 00000000
# this sort of thing doesn't seem to work.
dn: cn=clean 12,cn=cleanallruv,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
replica-base-dn: dc=ad,dc=companyx,dc=fm
replica-id: 12
cn: clean 12
Many thanks.