I have finally been able to create an RHEL7/IPAv4 server using ipa-replica-prepare on a
RHEL6/IPA v3 server (ipa01) (added the needed schema) and running ipa-replica-install on
the RHEL7/IPAv4 server (ipa03). I followed a number of steps to stop CA and CA Renewal on
ipa01 and make ipa03 the CA and CA Renewal master as well as the DNS master. I then
created another RHEL7 server (ipa04) and ran the ipa-replica-prepare on ipa03 and ran
ipa-replica-install in ipa04.
In the IPA Administrative GUI I am exploring the topology because I need to ultimately get
rid of ipa01 and ipa-r02 - both RHEL6/IPAv3 servers. I have 2 suffixes: ca and domain.
The four servers show up in the IPA Servers pane. Only ipa03 and ipa04 have Managed
Suffixes. Both have domain and ca. Both have Min Domain Level 0 and Max Domain Level 1.
Is this as it should be?
Server Roles pane shows that ipa01, ipa03, and ipa04 are CA servers. Eventually I need to
remove ipa01. DNS servers are only ipa03 and ipa04. This is okay, I think.
Domain Level pane shows Level 0.
Topology Graph pane says "Managed topology requires minimum level 1". The Add
and Delete buttons are greyed out.
IPA Locations pane has No entries.
When I tried to run ipa-server-install --uninstall -U on ipa-r02 I received a number of
errors:
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
ipa : ERROR Some certificates may still be tracked by certmonger.
This will cause re-installation to fail.
Start the certmonger service and list the certificates being tracked
# getcert list
These may be untracked by executing
# getcert stop-tracking -i <request_id>
for each id in: 20150127222017
In the CLI on ipa03 I ran "ipa-replica-manage list" and the result is
ipa01: master, ipa-r02: master, ipa03: master, ipa04: master.
In the CLI on ipa03 I ran "ipa-csreplica-manage list" and the result is
ipa01: master, ipa-r02: CA not configured, ipa03: master, ipa04: master.
So ipa-r02 still shows up... How do I clean this up properly in the system? And how do I
properly remove ipa01 when the time comes?
All the documentation I find refers to replicas. It seems I do not have any replicas, I
have all masters.
There is something fundamental I continue to miss in administering this environment.
Steven Auerbach
Assistant Director of Information Systems
Information Technology & Security
State University System of Florida
Board of Governors
325 W. Gaines Street
Tallahassee, Florida 32399
(850) 245-9592
www.flbog.edu