Thanks for your reply.
]# ldapsearch -Y GSSAPI -h ipa1.sj.bps -b "" -s base
SASL/GSSAPI authentication started
SASL username: ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=ipa,dc=<my company>,dc=com
namingContexts: o=ipaca
defaultnamingcontext: dc=ipa,dc=<my company>,dc=com
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.10
supportedExtension: 2.16.840.1.113730.3.8.10.3
supportedExtension: 2.16.840.1.113730.3.8.10.4
supportedExtension: 2.16.840.1.113730.3.8.10.4.1
supportedExtension: 2.16.840.1.113730.3.8.10.4.2
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.1
supportedExtension: 2.16.840.1.113730.3.8.10.5
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.12
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 2.16.840.1.113730.3.6.5
supportedExtension: 2.16.840.1.113730.3.6.6
supportedExtension: 2.16.840.1.113730.3.6.7
supportedExtension: 2.16.840.1.113730.3.6.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.8.10.6
supportedControl: 2.16.840.1.113730.3.8.10.7
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.3.10.2 B2022.179.1527
dataversion: 020220830001452020220830001452020220830001452
netscapemdsuffix: cn=ldap://dc=ipa1,dc=sj,dc=bps:389
lastusn: 1222591
changeLog: cn=changelog
firstchangenumber: 151
lastchangenumber: 153
ipatopologypluginversion: 1.0
ipatopologyismanaged: on
ipaDomainLevel: 1
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
>> If they are configured as DNS servers, is there a forwarder configured?
Yes:
]# ipa dnsserver-show ipa1.sj.bps
Server name: ipa1.sj.bps
SOA mname override: ipa1.sj.bps.
Forwarders: 192.168.254.10, 192.168.254.2
Forward policy: only
[root@ipa1 ~]# ipa dnsserver-show ipa2.sj.bps
Server name: ipa2.sj.bps
SOA mname override: ipa2.sj.bps.
Forwarders: 192.168.254.2
Forward policy: only
The lack of 192.168.254.10 for ipa2 should not matter since this is a secondary/slave
nameserver on the network.
>> Are there any errors related to replication in
>> /var/log/dirsrv/slapd-<YOUR-DOMAIN>/errors?
I see these errors.
[29/Aug/2022:19:12:53.869825394 -0400] - ERR - schema-compat-plugin - scheduled
schema-compat-plugin tree scan in about 5 seconds after the server startup!
[29/Aug/2022:19:12:54.686756883 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS
Definition cn=Password Policy,cn=accounts,dc=ipa,dc=<my company>,dc=com--no CoS
Templates found, which should be added before the CoS Definition.
[29/Aug/2022:19:12:54.870607368 -0400] - ERR - set_krb5_creds - Could not get initial
credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[29/Aug/2022:19:12:55.002346083 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp
- agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth
failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:12:55.058525909 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp
- agmt="cn=caToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth
failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:12:55.116643453 -0400] - ERR - schema-compat-plugin - schema-compat-plugin
tree scan will start in about 5 seconds!
[29/Aug/2022:19:13:00.254585526 -0400] - ERR - schema-compat-plugin - warning: no entries
set up under ou=sudoers,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.325746557 -0400] - ERR - schema-compat-plugin - warning: no entries
set up under cn=ng, cn=compat,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.625350394 -0400] - ERR - schema-compat-plugin - warning: no entries
set up under cn=computers, cn=compat,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.747736017 -0400] - ERR - schema-compat-plugin - Finished plugin
initialization.
[29/Aug/2022:19:19:26.447086663 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS
Definition cn=Password Policy,cn=accounts,dc=ipa,dc=<my company>,dc=com--no CoS
Templates found, which should be added before the CoS Definition.
[29/Aug/2022:19:19:26.616760756 -0400] - ERR - set_krb5_creds - Could not get initial
credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Aug/2022:19:19:26.652053902 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp
- agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth
failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:19:26.705855975 -0400] - ERR - set_krb5_creds - Could not get initial
credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Aug/2022:19:19:26.732413212 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp
- agmt="cn=caToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth
failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:19:29.093106968 -0400] - ERR - set_krb5_creds - Could not get initial
credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
....
[30/Aug/2022:13:14:58.254029634 -0400] - ERR - agmt="cn=meToipa1.sj.bps"
(ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in the
changelog (DB rc=-30988). If replication stops, the consumer may need to be
reinitialized.
[30/Aug/2022:13:14:58.285772035 -0400] - ERR - NSMMReplicationPlugin - changelog program -
repl_plugin_name_cl - agmt="cn=meToipa1.sj.bps" (ipa1:389): CSN
620693cb000200050000 not found, we aren't as up to date, or we purged
[30/Aug/2022:13:14:58.302465482 -0400] - ERR - NSMMReplicationPlugin - send_updates -
agmt="cn=meToipa1.sj.bps" (ipa1:389): Data required to update replica has been
purged from the changelog. If the error persists the replica must be reinitialized.
[30/Aug/2022:13:15:01.355096020 -0400] - ERR - agmt="cn=meToipa1.sj.bps"
(ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in the
changelog (DB rc=-30988). If replication stops, the consumer may need to be
reinitialized.
[30/Aug/2022:13:15:01.393991242 -0400] - ERR - NSMMReplicationPlugin - changelog program -
repl_plugin_name_cl - agmt="cn=meToipa1.sj.bps" (ipa1:389): CSN
620693cb000200050000 not found, we aren't as up to date, or we purged
[30/Aug/2022:13:15:01.410581481 -0400] - ERR - NSMMReplicationPlugin - send_updates -
agmt="cn=meToipa1.sj.bps" (ipa1:389): Data required to update replica has been
purged from the changelog. If the error persists the replica must be reinitialized.
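
An added example, not part of the original message: a small Python triage of the errors log quoted above. It rejoins the mail-wrapped entries and groups them into the three failure classes that appear in the log (Kerberos credentials, GSSAPI replication bind, changelog gap); the category names and the `unwrap`/`triage` helpers are this example's own.

```python
import re

# Constructed sample: entries from the errors log above, still mail-wrapped.
SAMPLE = """\
[29/Aug/2022:19:19:26.616760756 -0400] - ERR - set_krb5_creds - Could not get initial
credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Aug/2022:19:19:26.652053902 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp
- agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth
failed: LDAP error -1 (Can't contact LDAP server) ()
[30/Aug/2022:13:14:58.254029634 -0400] - ERR - agmt="cn=meToipa1.sj.bps"
(ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in the
changelog (DB rc=-30988). If replication stops, the consumer may need to be
reinitialized.
"""

# "[FILE:...]" also starts with "[", so match the full timestamp prefix.
ENTRY = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:[\d:.]+ [+-]\d{4})\] - \w+ - ")
RULES = [  # first match wins; category names are this example's own
    ("kerberos_creds", re.compile(r"set_krb5_creds - Could not get initial credentials")),
    ("gssapi_repl_bind", re.compile(r"Replication bind with GSSAPI auth failed")),
    ("changelog_gap", re.compile(r"Can't locate CSN|purged from the changelog")),
]
AGMT = re.compile(r'agmt="([^"]+)"')
CSN = re.compile(r"\bCSN ([0-9a-f]{20})\b")
KRB = re.compile(r"keytab \[FILE:[^\]]+\]: (-\d+) ")

def unwrap(text):
    """Rejoin hard-wrapped lines so each list item is one log entry."""
    out = []
    for line in text.splitlines():
        if ENTRY.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def triage(text):
    """Group entries by failure category, keeping first-seen time and key IDs."""
    found = {}
    for entry in unwrap(text):
        ts = ENTRY.match(entry)
        hit = next((n for n, p in RULES if p.search(entry)), None)
        if not ts or not hit:
            continue
        s = found.setdefault(hit, {"count": 0, "first": ts.group(1), "ids": set()})
        s["count"] += 1
        s["ids"].update(AGMT.findall(entry) + CSN.findall(entry) + KRB.findall(entry))
    return found
```

Comparing the `first` timestamps per category shows which failure class appeared earliest in the log.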