New subject: Dead master, replica with no CA dying, need to migration to new machine.

25 Aug 2017


      Hello all...
FreeIPA newbie here.
I have inherited a freeipa infrastructure. It consists of 12 servers all authign to freeipa fro ssh and some ftp. My problem is as follows;
Original master(Dunlop) is dead, there remains a replica(freeipa) that barley works on a VM  in virtualbox on a linux server.
I am trying to setup a new freeipa server(Auth-1) to replace both of the current freeipa servers in vmware. 
SO in the current working serve(freeipa)  i run this in debug mode....
[root@freeipa /]# ipa-replica-prepare --debug auth-1.domain.com
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
ipa: DEBUG: importing plugin module ipaserver.plugins.aci
ipa: DEBUG: importing plugin module ipaserver.plugins.automember
ipa: DEBUG: importing plugin module ipaserver.plugins.automount
ipa: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipa: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipa: DEBUG: importing plugin module ipaserver.plugins.batch
ipa: DEBUG: importing plugin module ipaserver.plugins.ca
ipa: DEBUG: importing plugin module ipaserver.plugins.caacl
ipa: DEBUG: importing plugin module ipaserver.plugins.cert
ipa: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipa: DEBUG: importing plugin module ipaserver.plugins.config
ipa: DEBUG: importing plugin module ipaserver.plugins.delegation
ipa: DEBUG: importing plugin module ipaserver.plugins.dns
ipa: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipa: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipa: DEBUG: importing plugin module ipaserver.plugins.group
ipa: DEBUG: importing plugin module ipaserver.plugins.hbac
ipa: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipa: DEBUG: importing plugin module ipaserver.plugins.host
ipa: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.idrange
ipa: DEBUG: importing plugin module ipaserver.plugins.idviews
ipa: DEBUG: importing plugin module ipaserver.plugins.internal
ipa: DEBUG: importing plugin module ipaserver.plugins.join
ipa: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipa: DEBUG: importing plugin module ipaserver.plugins.location
ipa: DEBUG: importing plugin module ipaserver.plugins.migration
ipa: DEBUG: importing plugin module ipaserver.plugins.misc
ipa: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.otp
ipa: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipa: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipa: DEBUG: importing plugin module ipaserver.plugins.passwd
ipa: DEBUG: importing plugin module ipaserver.plugins.permission
ipa: DEBUG: importing plugin module ipaserver.plugins.ping
ipa: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipa: DEBUG: ipaserver.plugins.pkinit is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.privilege
ipa: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipa: DEBUG: Starting external process
ipa: DEBUG: args=klist -V
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.14.1
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
ipa: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipa: DEBUG: importing plugin module ipaserver.plugins.role
ipa: DEBUG: importing plugin module ipaserver.plugins.schema
ipa: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipa: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipaserver.plugins.server
ipa: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipa: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipa: DEBUG: importing plugin module ipaserver.plugins.service
ipa: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipaserver.plugins.session
ipa: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipa: DEBUG: importing plugin module ipaserver.plugins.sudo
ipa: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipa: DEBUG: importing plugin module ipaserver.plugins.topology
ipa: DEBUG: importing plugin module ipaserver.plugins.trust
ipa: DEBUG: importing plugin module ipaserver.plugins.user
ipa: DEBUG: importing plugin module ipaserver.plugins.vault
ipa: DEBUG: importing plugin module ipaserver.plugins.virtual
ipa: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4c178c0>
Directory Manager (existing master) password:
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_49561488
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: raw: ca_is_enabled(version=u'2.213')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: ca_is_enabled(version=u'2.213')
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_49561488
ipa: DEBUG: Search DNS for auth-1.domain.com
ipa: DEBUG: Check if auth-1.domain.com is not a CNAME
ipa: DEBUG: Check reverse address of 192.168.2.251
ipa: DEBUG: Found reverse name: auth-1.domain.com
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: If you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
    self.ask_for_options()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 342, in ask_for_options
    raise admintool.ScriptError("The replica must be created on the "
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: ScriptError: The replica must be created on the primary IPA server.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The replica must be created on the primary IPA server.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The ipa-replica-prepare command failed.
So if i cannot create a replica prepare file i cannot create a new replica and hence not migrate the current dying vm server(freeipa) to the new vmware vm.
What can i do?? I am running freeipa v4 on current replica.
I have too many servers and user to start from scratch..
Any help appreciated...
Thanks to all!