FreeIPA
Draft version. Content is hallucinated. Do not use!
integration

Multi-Master Replication Setup

Configure high-availability FreeIPA deployment with multi-master replication across multiple data centers.

Level: advanced. Estimated time: 2 hours.

Prerequisites

  • Existing FreeIPA server installation
  • Additional server(s) for replicas
  • Network connectivity between sites
  • Understanding of DNS and Kerberos

Overview

This advanced tutorial covers setting up multi-master replication for FreeIPA, enabling high availability and geographic distribution of identity management services.

Architecture Planning

Before deploying replicas, consider:

  1. Topology Design: Star, mesh, or hybrid topology
  2. Geographic Distribution: Replica placement for redundancy
  3. Network Latency: Impact on replication performance
  4. DNS Configuration: SRV records for service discovery

Step 1: Prepare the Replica Server

On the server that will become the replica, update the system and set its fully qualified hostname:

sudo dnf update -y
sudo hostnamectl set-hostname ipa-replica.example.com

Install the client packages first:

sudo dnf install -y freeipa-client

Step 2: Enroll as a Client

Join the replica server to the existing IPA domain (a password passed with --password is recorded in the shell history and visible in the process list while the command runs; omit the option to be prompted for it instead):

sudo ipa-client-install \
  --domain example.com \
  --realm EXAMPLE.COM \
  --server ipa.example.com \
  --principal admin \
  --password 'AdminPassword123' \
  --unattended

Step 3: Install Replica Components

On the master server, authenticate as admin:

kinit admin

Install replica packages on the replica server:

sudo dnf install -y freeipa-server freeipa-server-dns

Step 4: Configure the Replica

Run the replica installation:

sudo ipa-replica-install \
  --setup-dns \
  --forwarder 8.8.8.8 \
  --forwarder 8.8.4.4 \
  --unattended

This configures:

  • Directory replication
  • Kerberos KDC
  • DNS server with zone replication
  • CA replication (if CA is installed)

Step 5: Verify Replication

Check replication agreements:

ipa-replica-manage list
ipa-csreplica-manage list  # If using CA

List the replica update vectors (RUVs), which identify the database generation each replica is on:

ipa-replica-manage list-ruv

Step 6: Configure DNS for Load Balancing

Ensure the Kerberos and LDAP SRV records list both servers, so clients can discover and fail over to either one:

dig -t SRV _kerberos._tcp.example.com
dig -t SRV _ldap._tcp.example.com
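Added check, not part of the original tutorial: a POSIX sh script that parses `dig +short -t SRV` output and reports any IPA server missing from the Kerberos or LDAP records. The dig output is constructed inline so the script runs offline; the hostnames are the ones used in this tutorial.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that every IPA server
# is published in the Kerberos and LDAP SRV records, so clients can fail over.
# The record text below is constructed; in production replace it with the
# output of: dig +short -t SRV "_${svc}._tcp.example.com"

EXPECTED_SERVERS="ipa.example.com ipa-replica.example.com"

# srv_targets: reads "priority weight port target" lines on stdin and prints
# the target hostnames without the trailing dot.
srv_targets() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# check_srv SERVICE RECORDS: returns 0 if every expected server appears in
# RECORDS, 1 otherwise (missing names are reported on stderr).
check_srv() {
  svc=$1
  records=$2
  targets=$(printf '%s\n' "$records" | srv_targets)
  missing=0
  for host in $EXPECTED_SERVERS; do
    if ! printf '%s\n' "$targets" | grep -qx "$host"; then
      echo "MISSING: $host not in _${svc}._tcp SRV records" >&2
      missing=1
    fi
  done
  return $missing
}

# Constructed sample answers in `dig +short -t SRV` format. The LDAP record
# deliberately lacks the replica to show what a failed check looks like.
KERBEROS_SRV='0 100 88 ipa.example.com.
0 100 88 ipa-replica.example.com.'
LDAP_SRV='0 100 389 ipa.example.com.'

main() {
  check_srv kerberos "$KERBEROS_SRV" && echo "kerberos SRV: OK"
  check_srv ldap "$LDAP_SRV" || echo "ldap SRV: replica missing, clients cannot fail over to it"
}

main "$@"
```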

Advanced Topics

Topology Management

View current topology:

ipa topologysegment-find

Add a replication segment between two servers (here in the domain suffix):

ipa topologysegment-add \
  domain \
  ipa-to-replica2 \
  --leftnode ipa.example.com \
  --rightnode ipa-replica2.example.com

Monitoring Replication Lag

Check the last update status and time of each agreement to spot replication lag:

ipa-replica-manage list --verbose

Removing Failed Replicas

If a replica fails permanently:

ipa server-del ipa-replica.example.com
ipa-replica-manage del ipa-replica.example.com --force

Troubleshooting

Replication Not Working

Check connectivity from the replica to the master (run on the replica):

ipa-replica-conncheck --master ipa.example.com

If the replica's data has diverged, re-initialize it from the master (run on the replica):

ipa-replica-manage re-initialize \
  --from ipa.example.com

Certificate Issues

Renew the CA certificate (run on the CA renewal master):

ipa-cacert-manage renew

Conclusion

You now have a highly available FreeIPA deployment with automatic failover and load distribution across multiple servers.