Managing FreeIPA replication agreements

This guide will walk you through manually setting up a new replication agreement on an existing FreeIPA server that is already replicating to a host.

For this guide, I will be using the details below:

Directory Server #1 : (
Directory Server #2 : (
Directory Server #2 : (

I will be following the FreeIPA scenario above as if it were a real-world situation, with the servers stated.


I will assume that, if you are following my previous guides, you already have the freeipa packages installed on as well as have the correct ports open via iptables.


Step 1. Prepare FreeIPA domain for new replica server on host

Let's prepare FreeIPA so it knows to expect to jump in and become a replica.
Note: You should already know what this looks like from my previous articles.

[root@ds02 ~]# ipa-replica-prepare
Directory Manager (existing master) password:

Preparing replica for from
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/
[root@ds02 ~]#


Copy your new gpg file to


Step 2. Start replica install

From, start the replica installation.

[root@ds03 ~]# ipa-replica-install --setup-dns --setup-ca --forwarder= /var/lib/ipa/
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master '':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK
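
An added example, not part of the original guide or of the FreeIPA tooling: a small POSIX shell check that reads saved connection-check output and reports every port from the list above that is not OK or was never checked, which is useful when the iptables rules are incomplete. The function names, the `FAILED` status word and the sample input are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit saved output of the replica connection check.
# REQUIRED_PORTS is taken from the check output shown in this guide.
REQUIRED_PORTS="389 636 88 464 80 443 7389"

# conncheck_problems: reads connection-check output on stdin and prints one
# line per problem: "<port> <status>" for ports not reported OK, and
# "<port> MISSING" for required ports that never appear in the output.
conncheck_problems() {
    awk -v required="$REQUIRED_PORTS" '
        # Match lines such as "Kerberos KDC: TCP (88): OK"
        match($0, /\([0-9]+\): *[A-Za-z]+[ \t\r]*$/) {
            s = substr($0, RSTART, RLENGTH)
            port = s; sub(/^\(/, "", port); sub(/\).*$/, "", port)
            status = s; sub(/^.*: */, "", status); gsub(/[ \t\r]/, "", status)
            seen[port] = 1
            if (status != "OK") print port, status
        }
        END {
            n = split(required, req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) print req[i], "MISSING"
        }'
}

# conncheck_ok: returns 0 only when every required port was checked and OK.
conncheck_ok() {
    [ -z "$(conncheck_problems)" ]
}

# Constructed sample (not real output): 636 failing, 7389 absent.
# The "FAILED" status word is an assumption about the tool's wording.
SAMPLE_BAD='Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): FAILED
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK'

# Demonstration run on the constructed sample.
printf '%s\n' "$SAMPLE_BAD" | conncheck_problems
```

Save the real check output to a file and pipe it into `conncheck_ok` before continuing with the install; a non-zero exit means a firewall rule still needs attention.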
