Tested this again making sure that dirsrv is not running and the replica record is back.
I am obviously doing something wrong. My steps are below. I appreciate your time on this.
# # check dirsrv is currently running # [root@ipa006 ~]# ps aux | grep dirsrv dirsrv 3221639 31.4 5.4 2418488 883856 ? Ssl Apr24 322:04 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-AD-companyx-FM -i /run/dirsrv/slapd-AD-companyx-FM.pid root 3281205 0.0 0.0 6412 2204 pts/2 S+ 09:11 0:00 grep --color=auto dirsrv
# # shutdown dirsrv # [root@ipa006 ~]# time systemctl stop dirsrv@AD-companyx-FM.service
real 10m0.130s user 0m0.009s sys 0m0.012s
# # check dirsrv is not running 1 # [root@ipa006 ~]# ps aux | grep dirsrv root 3282962 0.0 0.0 6412 2244 pts/2 S+ 09:47 0:00 grep --color=auto dirsrv
# # check dirsrv is not running 2 # [root@ipa006 slapd-AD-companyx-FM]# ipactl status Directory Service: STOPPED krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING 1 service(s) are not running
# # go to right folder # [root@ipa006 ~]# cd /etc/dirsrv/slapd-AD-companyx-FM/
# # make a backup just in case # [root@ipa006 slapd-AD-companyx-FM]# cp dse.ldif dse.ldif.nickx-25apr23
# # edit ldif # [root@ipa006 slapd-AD-companyx-FM]# vi dse.ldif
# # remove this record. Hoping it's the right thing to do. # dn: cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Ddi ce\2Cdc\3Dfm,cn=mapping tree,cn=config objectClass: nsds5replicationagreement objectClass: ipaReplTopoManagedAgreement objectClass: top cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm nsDS5ReplicaPort: 389 nsds5replicaTimeout: 300 nsDS5ReplicaRoot: dc=ad,dc=companyx,dc=fm description: ipa006.ad.companyx.fm to bad_serverdc.ad.companyx.fm ipaReplTopoManagedAgreementState: managed agreement - generated by topology pl ugin nsDS5ReplicaTransportInfo: LDAP nsDS5ReplicaBindMethod: SASL/GSSAPI nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in ternalModifyTimestamp nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts uccessfulauth krblastfailedauth krbloginfailedcount creatorsName: cn=IPA Topology Configuration,cn=plugins,cn=config modifiersName: cn=IPA Topology Configuration,cn=plugins,cn=config createTimestamp: 20230425095140Z modifyTimestamp: 20230425095140Z
# # check no records exist in dse.ldif # [root@ipa006 slapd-AD-companyx-FM]# grep bad_server dse.ldif [root@ipa006 slapd-AD-companyx-FM]#
[root@ipa006 slapd-AD-companyx-FM]# time systemctl start dirsrv@AD-companyx-FM.service
real 0m12.343s user 0m0.006s sys 0m0.007s
# # Look in logs # Apr 25 09:51:51 ipa006.ad.companyx.fm ns-slapd[3283119]: [25/Apr/2023:09:51:51.484197325 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm" (bad_serverdc:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
# # check dse.ldif again - find the entry is back! # [root@ipa006 slapd-AD-companyx-FM]# grep bad_server dse.ldif dn: cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Ddi cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm description: ipa006.ad.companyx.fm to bad_serverdc.ad.companyx.fm
# # scratch head and ponder life, the universe and everything #