Hi Rafael,
Once I had to set up an IPA master and a few clients on AWS, and had issues with its DNS,
since the external name did not match the internal name; hence, clients could not enroll
(which I believe is similar to what you are facing with replicas).
What I did, using Ansible (and ansible-freeipa), was to retrieve the server name with
`dig -x` and use this name for the master FQDN.
Possibly this is the case. I will try to create a fresh IPA, as the
realm will change, and will update the list with the result. Then figure
out how to migrate the data manually.
I'm not sure it is the same issue you are having, but it looks
similar.
Something different. For example, I set up an IPA client, with the
server at the co-location, over VPN. The ipa-client enrols fine, and
I can even ssh in. Cool; 4 days later, with no change, we can't
authenticate. When debugging, it all looks like a DNS issue, but oddly,
it had worked a couple of days earlier. I was assuming the AWS
infrastructure is hijacking DNS traffic, as the rest works: ssh using the IP
address still works from AWS to the co-location over VPN.
Thanks again Rafael.
William
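As an added example (not part of the thread, and not ansible-freeipa's or FreeIPA's own code), the following Python script does the check behind the `dig -x` step above: it resolves the name you intend to use as the IPA FQDN, looks up the PTR record of each address, and reports whether forward and reverse DNS agree. When they do not (the AWS case, where the public name resolves but the PTR points at the internal `ip-…` name), it suggests the PTR name as the FQDN to use, after confirming that name resolves back to the same address. The resolver functions can be swapped out, so the script can also be exercised offline; the host names and addresses in the usage section are constructed, not taken from the thread.

```python
"""Check that a host's forward (A) and reverse (PTR) DNS agree before using
it as an IPA server or client FQDN.

ipa-server-install / ipa-client-install expect the chosen FQDN to resolve to
an address whose PTR record resolves back to that same FQDN. This is the
check `dig -x <address>` answers by hand.
"""
import socket


def default_forward(hostname):
    """Return the IPv4 addresses a name resolves to (empty list on NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def default_reverse(ip):
    """Equivalent of `dig +short -x IP`: the PTR name without the trailing dot."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror):
        return None


def check_ipa_fqdn(hostname, forward=default_forward, reverse=default_reverse):
    """Return a dict describing whether hostname is usable as an IPA FQDN.

    forward: callable name -> list of IPs; reverse: callable ip -> name or None.
    Both default to the system resolver; tests inject constructed lookups.
    """
    host = hostname.rstrip(".").lower()
    result = {"hostname": host, "ips": [], "ptr": {}, "problems": [],
              "suggested": None, "ok": False}

    if "." not in host:
        result["problems"].append(f"{host!r} is not fully qualified")

    ips = forward(host)
    result["ips"] = ips
    if not ips:
        result["problems"].append(f"{host} has no A record")

    for ip in ips:
        name = reverse(ip)
        result["ptr"][ip] = name
        if name is None:
            result["problems"].append(f"no PTR record for {ip}")
        elif name != host:
            result["problems"].append(f"PTR for {ip} is {name}, not {host}")
            # Only suggest the PTR name if it resolves back to the same address,
            # otherwise it is no better than the name we started with.
            if result["suggested"] is None and ip in forward(name):
                result["suggested"] = name

    result["ok"] = not result["problems"]
    return result


def report(result):
    """Human-readable summary of a check_ipa_fqdn() result."""
    if result["ok"]:
        return f"OK: {result['hostname']} -> {result['ips']} -> PTR matches"
    lines = [f"NOT OK for {result['hostname']}:"] + \
            [f"  - {p}" for p in result["problems"]]
    if result["suggested"]:
        lines.append(f"  use {result['suggested']} as the FQDN instead")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Constructed lookups standing in for an AWS instance whose public name
    # (ipa.example.com) resolves, but whose PTR is the internal EC2 name.
    fake_a = {
        "ipa.example.com": ["10.0.1.5"],
        "ip-10-0-1-5.ec2.internal": ["10.0.1.5"],
    }
    fake_ptr = {"10.0.1.5": "ip-10-0-1-5.ec2.internal"}
    fwd = lambda n: fake_a.get(n, [])
    rev = lambda ip: fake_ptr.get(ip)
    if len(sys.argv) > 1:  # real lookup: python check_fqdn.py ipa.example.com
        print(report(check_ipa_fqdn(sys.argv[1])))
    else:
        print(report(check_ipa_fqdn("ipa.example.com", fwd, rev)))
        print(report(check_ipa_fqdn("ip-10-0-1-5.ec2.internal", fwd, rev)))
```

Run it with the FQDN you plan to pass to ipa-client-install or ipa-replica-install; with no argument it runs against the constructed AWS-style data. On a real instance, if it suggests the internal name, that is the name to set as the host's FQDN (and to use for the master) rather than the public one, which is what the `dig -x` step in the message above arrives at.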