Hi Rob and Flo, thanks for your reply, yes I am using external CA certificate, we have separate Apache server as proxy of ipa server, and we are using external CA certificate for Apache server, version of ipa server is 4.6.8, and I don’t know how to upgrade domain level to 1, I tried to manually set it to 1 but failed with error message ‘server doesn’t support the domain level’, if I ant to reuse existing ipa server, how can I promote it to be replica? Or would you pls advise me how to rebuild all of deployment? Thanks a lot! Bryan