Hate _hate_ to open old threads, but...

I'm also seeing this. I've been trying to add another replica to our topology (this would be on a different subnet than the current pair); the ipa-replica-install command has been failing for various reasons that I've been fixing or circumventing, and I've just been re-spinning the new server between each attempt to keep the environment clean. The latest death was apparently because of an issue with /etc/openldap/ldap.conf, which I was debugging and was about to remove the server from IPA and reset it.

However, I'm not able to do so. All attempts are met with "ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled"; in fact, even poking around trying to do an ipa config-show (on either of the current masters) just generates that error. I've also tried uninstalling the replica and client on the new host, and it seems to have completed successfully, but I can't re-enroll it either, so it's "dead to the other masters", except...

There is nothing I want to do at this point other than another iteration on my problem adding another replica. There's no data on the replica, nothing is relying on it, and I've tried as hard as possible to make the installation entirely vanilla. I haven't manually enabled PKINIT; ipa-pkinit-manage status on the current masters says it's enabled. As for the server roles, server-role-find shows the two current servers and the new one; the latter's "role status" for CA Server is "absent". I've had issues before where I've had to enumerate the RUVs and remove them (done that). I just want the references to this to go away, so that I can keep working towards the most minimal and concise installation.

Any ideas on where I can go to get out of this situation? Many thanks!

(Everything completely updated to *4.6.4-10.el7.centos; initial installation was about one year ago; domain level 1; tried all the ipa server-del and ipa-replica-manage del suggestions, which aren't working for me this time; no AD integration...)

On Tue, Nov 20, 2018 at 1:48 AM Brian Topping via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Oh, forgot to mention, current domain level is `1`...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org