Provided by: freeipa-server_4.3.1-0ubuntu1_amd64

NAME

       ipa-replica-install - Create an IPA replica

SYNOPSIS

   DOMAIN LEVEL 0
       ipa-replica-install [OPTION]... replica_file

   DOMAIN LEVEL 1
       ipa-replica-install [OPTION]...

DESCRIPTION

       Configures a new IPA server that is a replica of an existing IPA server.  Once  created,  the
       replica  holds  a  copy  of  the original server's data and is an equal master: changes made
       on any master are automatically replicated to all other masters.

       To create a replica in a domain at domain level 0, you need to provide a replica  file.  The
       replica_file is created on an existing master using the ipa-replica-prepare utility.

       To  create  a replica in a domain at domain level 1, no replica file is needed; the machine
       only needs to be enrolled in the FreeIPA domain first. This process of turning an  enrolled
       IPA client into a replica is also referred to as replica promotion.

       If you're starting with an existing IPA client, simply run ipa-replica-install to have  it
       promoted into a replica.

       To  promote  a  blank  machine  into  a  replica, you have two options, you can either run
       ipa-client-install in a separate step, or pass  the  enrollment  related  options  to  the
       ipa-replica-install  (see  DOMAIN  LEVEL 1 CLIENT ENROLLMENT OPTIONS). In the latter case,
       ipa-replica-install will join the machine to the IPA realm automatically and will  proceed
       with the promotion step.

       If  the  installation  fails  you  may  need  to  run  ipa-server-install  --uninstall and
       ipa-client-install before running ipa-replica-install again.

       At domain level 0 the installation will fail if the host you are installing the replica  on
       already  exists  as a host entry in IPA (at domain level 1 the host is expected to be an en-
       rolled client already). At both domain levels it will fail if a  replication  agreement  to
       the remote master already exists (for example, from a previously failed installation).

       The replica must run the same or a higher version of IPA than the remote master it is  cre-
       ated from; a replica on an older version than the master is not supported.

OPTIONS

   DOMAIN LEVEL 1 OPTIONS
       -P, --principal
              The  user  principal  which  will  be used to promote the client to the replica and
              enroll the client itself, if necessary.

       -w, --admin-password
              The Kerberos password for the given principal.

   DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS
       To  install  the client and promote it to a replica using a host keytab or a One Time Pass-
       word, the host needs to be a member of the ipaservers host group. This  requires  creating
       a host entry and adding it to that host group on an existing master before running the re-
       plica installation.

       The  values  for  --server,  --domain  and  --realm  are autodiscovered from DNS records by
       default. Pass them explicitly to avoid depending on the host's DNS resolver during  enroll-
       ment.

       -p PASSWORD, --password=PASSWORD
              One  Time  Password  for joining the machine to the IPA realm, as generated for the
              host entry with ipa host-add --random.

       -k, --keytab
              Path to host keytab.

       --server
              The fully qualified domain name of the IPA server to enroll to.

       -n, --domain=DOMAIN
              Set the domain name to DOMAIN.

       --realm=REALM_NAME
              Set the IPA realm name to REALM_NAME.

       --hostname
              The hostname of this machine (FQDN). If specified, the hostname will be set and the
              system configuration will be updated to persist over reboot.

   DOMAIN LEVEL 0 OPTIONS
       -p PASSWORD, --password=PASSWORD
              Directory Manager (existing master) password

       -w, --admin-password
              Admin user Kerberos password used for connection check

   BASIC OPTIONS
       --ip-address=IP_ADDRESS
              The  IP address of this server. If this address does not match the address the host
              resolves to and --setup-dns is not selected, the installation will  fail.  If  the
              server  hostname  is  not  resolvable,  a record for the hostname and IP_ADDRESS is
              added to /etc/hosts.  This option can be used multiple times to specify  more  than
              one IP address for the server (e.g. a multihomed and/or dual-stacked server).

       --mkhomedir
              Create home directories for users on their first login

       -N, --no-ntp
              Do not configure NTP

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure OpenSSH client.

       --no-sshd
              Do not configure OpenSSH server.

       --skip-conncheck
              Skip connection check to remote master

       -d, --debug
              Enable debug logging when more verbose output is needed

       -U, --unattended
              An unattended installation that will never prompt for user input

       --dirsrv-config-file
              The  path to LDIF file that will be used to modify configuration of dse.ldif during
              installation of the directory server instance

   CERTIFICATE SYSTEM OPTIONS
       --setup-ca
              Install and configure a CA on this replica. If a CA is not configured, certificate
              operations  are forwarded to a master with a CA installed. Running a CA on more than
              one master avoids a single point of failure for certificate operations.

       --no-pkinit
              Do not set up PKINIT (Kerberos pre-authentication with X.509 certificates) on this
              replica.

       --skip-schema-check
              Skip check for updated CA DS schema on the remote master

   DNS OPTIONS
       --setup-dns
              Generate  a  DNS  zone  if  it does not exist already and configure the DNS server.
              This option requires that you either specify at least one DNS forwarder through the
              --forwarder option or use the --no-forwarders option.

       --forwarder=IP_ADDRESS
              Add  a  DNS  forwarder  to  the DNS configuration. You can use this option multiple
              times to specify more forwarders, but at least one must  be  provided,  unless  the
              --no-forwarders option is specified.

       --no-forwarders
              Do not add any DNS forwarders. The server will perform full recursive resolution
              starting from the root DNS servers instead.

       --auto-forwarders
              Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by
              IPA DNS.

       --reverse-zone=REVERSE_ZONE
              The reverse DNS zone to use. This option can be  used  multiple  times  to  specify
              multiple reverse zones.

       --no-reverse
              Do  not  create  new reverse DNS zone. If a reverse DNS zone already exists for the
              subnet, it will be used.

       --no-host-dns
              Do not use DNS for hostname lookup during installation

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server. Without validation, forged responses for
              DNSSEC-signed zones are no longer rejected by the IPA DNS server.

EXIT STATUS

       0 if the command was successful

       1 if an error occurred

       3 if the host exists in the IPA server or a replication agreement  to  the  remote  master
       already exists
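
EXAMPLE

       The following script is an added example and is not part of the FreeIPA project or of  the
       original  page.  It  walks  through the domain level 1 enrollment-and-promotion path (see
       DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS): the host entry is created with  a  One  Time
       Password  on  an  existing master and added to the ipaservers host group, then the blank
       machine is enrolled and promoted in one ipa-replica-install run, and the EXIT STATUS  is
       mapped  to  the  clean-up  the  DESCRIPTION prescribes. The host names, domain, realm and
       forwarder address are assumptions, and the sample ipa host-add output used  to  test  the
       OTP extraction is constructed.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): create a replica host entry with a
# one-time password on a master, promote a blank machine into a domain level 1
# replica, and interpret ipa-replica-install's exit status.
# MASTER, REPLICA, DOMAIN, REALM and FORWARDER are assumed values.

set -u

MASTER="ipa1.example.test"      # existing master (assumed)
REPLICA="ipa2.example.test"     # machine being promoted (assumed)
DOMAIN="example.test"           # assumed IPA domain
REALM="EXAMPLE.TEST"            # assumed Kerberos realm
FORWARDER="192.0.2.53"          # assumed DNS forwarder (documentation address)

# 'ipa host-add HOST --random' prints the OTP once on a "Random password:" line.
# Extract exactly that field so nothing else from the output is reused.
extract_otp() {
    sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Run on an existing master (after kinit as an administrator): create the host
# entry with an OTP and make it a member of ipaservers, which OTP/keytab based
# promotion requires. Prints the OTP for transfer to the new machine.
prepare_replica_host() {
    host="$1"
    otp=$(ipa host-add "$host" --random | extract_otp) || return 1
    if [ -z "$otp" ]; then
        echo "no OTP found in 'ipa host-add --random' output" >&2
        return 1
    fi
    ipa hostgroup-add-member ipaservers --hosts="$host" >/dev/null || return 1
    printf '%s\n' "$otp"
}

# Run on the blank machine: enrol with the OTP and promote in one step.
# --server/--domain/--realm are given explicitly rather than autodiscovered,
# and --hostname pins the FQDN. The OTP is single-use, so passing it once on
# the command line exposes only a credential that is consumed immediately.
promote_replica() {
    otp="$1"
    ipa-replica-install -U \
        --password="$otp" \
        --server="$MASTER" --domain="$DOMAIN" --realm="$REALM" \
        --hostname="$REPLICA" \
        --setup-ca \
        --setup-dns --forwarder="$FORWARDER"
}

# Alternative for a machine that is already an enrolled IPA client: promote
# with an administrative principal. -w is omitted so the installer prompts for
# the Kerberos password instead of taking it from the command line.
promote_enrolled_client() {
    ipa-replica-install -P "$1" --setup-ca
}

# Map ipa-replica-install's exit status (see EXIT STATUS) to a keyword:
#   0 -> ok, 1 -> error, 3 -> conflict (host entry or replication agreement
#   already exists; run ipa-server-install --uninstall and ipa-client-install
#   before retrying, as DESCRIPTION says), anything else -> unknown.
exit_status_hint() {
    case "$1" in
        0) echo ok ;;
        1) echo error ;;
        3) echo conflict ;;
        *) echo unknown ;;
    esac
}

# Usage: on the master   sh promote.sh prepare
#        on the replica  sh promote.sh promote "$OTP"
if [ "$#" -gt 0 ]; then
    case "$1" in
        prepare) prepare_replica_host "$REPLICA" ;;
        promote) promote_replica "${2:?OTP required}"
                 hint=$(exit_status_hint "$?")
                 echo "ipa-replica-install result: $hint" ;;
        *) echo "usage: $0 prepare | promote OTP" >&2; exit 2 ;;
    esac
fi
```

       When  the  result  is "conflict" (exit status 3), a stale host entry or replication agree-
       ment from an earlier attempt is present; clean up with ipa-server-install --uninstall  and
       re-enrol  with  ipa-client-install  before  running ipa-replica-install again. On "error"
       (exit status 1), the installer's log in /var/log/ipareplica-install.log has the details.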