
ipa-replica-manage(1) IPA Manual Pages ipa-replica-manage(1)


ipa-replica-manage - Manage an IPA replica


ipa-replica-manage [OPTION]... [COMMAND]


Manages the replication agreements of an IPA server.

To manage IPA replication agreements in a domain, use the IPA CLI or Web UI; see `ipa help topology` for additional information.

The available commands are:

- Adds a new replication agreement between SERVER_A/localhost and SERVER_B. Applicable only for winsync agreements.
- Removes a replication agreement between SERVER_A/localhost and SERVER_B. Applicable only for winsync agreements.
- Removes all replication agreements and data about SERVER. Removes data and agreements for both suffixes - domain and ca.
- Lists all the servers or the list of agreements of SERVER
- Forces a full re-initialization of the IPA server retrieving data from the server specified with the --from option
- Immediately flush any data to be replicated from a server specified with the --from option
- List the replication IDs on this server.
- Run the CLEANALLRUV task to remove a replication ID.
- Cleans all RUVs and CS-RUVs that are left in the system from uninstalled replicas.
- Abort a running CLEANALLRUV task. With --force option the task does not wait for all the replica servers to have been sent the abort task, or be online, before completing.
- List all running CLEANALLRUV and abort CLEANALLRUV tasks.
- List the DNA ranges
- Set the DNA range on a master
- List the next DNA ranges
- Set the DNA next range on a master


The IPA server to manage. The default is the machine on which the command is run. Not honoured by the re-initialize command.
The Directory Manager password to use for authentication
Provide additional information
Ignore some types of errors, don't prompt when deleting a master
When deleting a master with the --force flag, remove leftover references to an already deleted master.
Do not perform DNS lookup checks.
Bind DN to use with remote server (default is cn=Directory Manager) - Be careful to quote this value on the command line
Password for Bind DN to use with remote server (default is the DM_PASSWORD above)
Specifies to create/use a Windows Sync Agreement
Full path and filename of CA certificate to use with TLS/SSL to the remote server - this CA certificate will be installed in the directory server's certificate database
DN of Windows subtree containing the users you want to sync (default cn=Users,<domain suffix> - this is typically what Windows AD uses as the default value) - Be careful to quote this value on the command line
Password for the IPA system user used by the Windows PassSync plugin to synchronize passwords. Required when using --winsync. This does not mean you have to use the PassSync service.
The server to pull the data from, used by the re-initialize and force-sync commands.


IPA uses the 389-ds Distributed Numeric Assignment (DNA) Plugin to allocate POSIX ids for users and groups. A range is created when IPA is installed and half the range is assigned to the first IPA master for the purposes of allocation.

- The range must be completely contained within a local range as defined by the ipa idrange command.

- The range cannot overlap the DNA range or on-deck range on another IPA master.

- The range cannot overlap the ID range of an AD Trust.

- The primary DNA range cannot be removed.

- An on-deck range can be removed by setting it to 0-0. The assumption is that the range will be manually moved or merged elsewhere.
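
The rules above can be checked before a range is assigned to a master. The sketch below is an added example, not part of the IPA manual page or the FreeIPA code; the function names, hostnames and ID ranges are constructed for illustration, and ranges are written START-END as in the 0-0 rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    first: int
    last: int  # inclusive upper bound

    def contains(self, other):
        return self.first <= other.first and other.last <= self.last

    def overlaps(self, other):
        return self.first <= other.last and other.first <= self.last


def parse_range(text):
    """Parse 'START-END'; reject malformed or inverted ranges."""
    first, sep, last = text.partition("-")
    if not sep or not first.isdigit() or not last.isdigit():
        raise ValueError(f"expected START-END, got {text!r}")
    rng = Range(int(first), int(last))
    if rng.first > rng.last:
        raise ValueError(f"range start is above range end: {text!r}")
    return rng


def check_dna_range(text, local, other_masters, trusts, on_deck=False):
    """Return the list of rule violations; an empty list means acceptable."""
    new = parse_range(text)
    if new == Range(0, 0):  # 0-0 removes a range; only on-deck may be removed
        return [] if on_deck else ["the primary DNA range cannot be removed"]
    problems = []
    if not any(lr.contains(new) for lr in local):
        problems.append("not contained in a local ID range")
    for host, rng in other_masters:
        if new.overlaps(rng):
            problems.append(f"overlaps DNA or on-deck range on {host}")
    for name, rng in trusts:
        if new.overlaps(rng):
            problems.append(f"overlaps AD trust ID range {name}")
    return problems


# Constructed sample data (assumptions, not taken from a real deployment).
LOCAL = [Range(1000000, 1199999)]
OTHERS = [("ipa2.example.test", Range(1100000, 1199999))]
TRUSTS = [("AD.EXAMPLE.TEST_id_range", Range(2000000, 2199999))]

if __name__ == "__main__":
    for candidate in ("1000000-1099999", "1090000-1110000", "1150000-2000500"):
        print(candidate, check_dna_range(candidate, LOCAL, OTHERS, TRUSTS) or "ok")
```

A range that collides with another master or with an AD trust would let two different principals receive the same POSIX ID, so a check like this belongs before any range change.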


# ipa-replica-manage list master master master master

# ipa-replica-manage list replica replica

# ipa-replica-manage re-initialize --from

This will re-initialize the data on the server where you execute the command, retrieving the data from the replica

# ipa-replica-manage connect

# ipa-replica-manage disconnect

# ipa-replica-manage del

# ipa-replica-manage list-ruv
Replica Update Vectors: 7 4
Certificate Server Replica Update Vectors: 9

# ipa-replica-manage del --force --cleanup


Creating a Windows AD Synchronization agreement is similar to creating an IPA replication agreement; there are just a couple of extra steps.

A special user entry is created for the PassSync service. The DN of this entry is uid=passsync,cn=sysaccounts,cn=etc,<basedn>. You are not required to use PassSync to use a Windows synchronization agreement but setting a password for the user is required.

The following examples use the AD administrator account as the synchronization user. This is not mandatory but the user must have read-access to the subtree.

1. Transfer the base64-encoded Windows AD CA Certificate to your IPA Server
2. Remove any existing Kerberos credentials

# kdestroy

3. Add the winsync replication agreement

# ipa-replica-manage connect --winsync --passsync=<bindpwd_for_syncuser_that will_be_used_for_agreement> --cacert=/path/to/adscacert/WIN-CA.cer --binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" --bindpw <ads_administrator_password> -v <adserver.fqdn>

# ipa-replica-manage connect --winsync --passsync=MySecret --cacert=/root/WIN-CA.cer --binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" --bindpw MySecret -v

# ipa-replica-manage disconnect


PassSync is a Windows service that runs on AD Domain Controllers to intercept password changes. It sends these password changes to the IPA LDAP server over TLS. These password changes bypass normal IPA password policy settings and the password is not set to immediately expire. This is because by the time IPA receives the password change it has already been accepted by AD so it is too late to reject it.


0 if the command was successful

1 if an error occurred

Jul 12 2016 IPA