Use the procedure below to create a RHEL 8 IPA server and to test migrating IPA from RHEL 8 to RHEL 9.
- ipa1 (rhel8)
# ipa1 (RHEL 8): initial host configuration. Run as root. Every step below is
# destructive on this host (replaces the sudoers drop-in, all repo files and
# the eth0 profile) and the sequence ends with a reboot.
HOSTNAME=ipa1.example.com
IP=10.255.0.101
DNS=10.255.0.201
# "rhel8" on a RHEL 8 host; selects which .repo file is fetched below.
RHEL="rhel$(rpm -E %rhel)"
# Host configuration
# NOTE(review): this grants 'admin' passwordless root. sudo expects drop-in
# files to be root-owned and mode 0440; a file created with the usual 022 umask
# ends up 0644, so set the mode afterwards and validate the syntax with
# `visudo -cf /etc/sudoers.d/admin`.
echo 'admin ALL=(ALL:ALL) NOPASSWD:ALL' >/etc/sudoers.d/admin
hostnamectl set-hostname ${HOSTNAME}
# Static IPv4 profile for eth0 using the DNS server set above; IPv6 disabled.
nmcli con add type ethernet ifname eth0 con-name eth0 \
ipv4.method manual \
ipv4.addresses ${IP}/24 \
ipv4.gateway 10.255.0.1 \
ipv4.dns ${DNS} \
ipv4.dns-search example.com \
ipv6.method disabled
# Packages: drop every existing repo definition and fetch the internal
# mirror's .repo file for this RHEL release.
# NOTE(review): the fetch is plain HTTP and curl is run without --fail, so an
# error page would be written into rhel.repo unnoticed; whether packages are
# signature-checked depends on the gpgcheck= setting inside that file —
# confirm on the mirror.
rm -rf /etc/yum.repos.d/*
curl -o /etc/yum.repos.d/rhel.repo http://10.255.0.120/repos/${RHEL}/${RHEL}.repo
dnf clean all
dnf install -y bash-completion wget
# Enable the idm:DL1 module stream and install its server and dns profiles.
yum module enable idm:DL1 -y
yum distro-sync -y
yum module install -y idm:DL1/{server,dns}
# Firewall: the explicit port list appears to duplicate what the freeipa-4 and
# dns services already open (compare `firewall-cmd --info-service=freeipa-4`).
firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp}
firewall-cmd --permanent --add-service={freeipa-4,dns}
firewall-cmd --reload
# Reboot before continuing with ipa-server-install below.
reboot
#---------------------------------------
# AFTER REBOOT
#---------------------------------------
# Install the first IPA server for realm EXAMPLE.COM with integrated DNS.
# umask 0022 is set first so the files the installer creates are not more
# restrictive than it expects (the installer presumably warns on a stricter
# umask — confirm).
umask 0022
# NOTE(review): --admin-password and --ds-password on the command line are
# visible to other local users via `ps` and are kept in shell history; without
# -U the installer prompts for both interactively. Replace the '<password>'
# placeholders with real values in either case.
# --no-forwarders: no upstream DNS forwarders are configured.
# --no-ntp: the installer does not configure NTP/chrony on this host.
ipa-server-install -U \
--realm=EXAMPLE.COM \
--domain=example.com \
--setup-dns \
--no-forwarders \
--no-ntp \
--admin-password='<password>' \
--ds-password='<password>'
# Follow the instructions to search for the missing PTR record and add it manually if needed.
# --setup-dns above already installs the DNS component; this run appears to be
# used only to surface the reverse-zone/PTR warning — confirm it is still needed.
ipa-dns-install
# If a PTR record is missing, you can still add the entries manually after enrollment.
# Ensure A and PTR records are synced: allow PTR records to be updated
# automatically together with A record updates.
kinit admin
ipa dnsconfig-mod --allow-sync-ptr=true
# Add the record (replace 'hostname' and x.x.x.x with the real values)
ipa dnsrecord-add example.com hostname --a-ip-address=x.x.x.x
A DNS entry is normally added under these conditions:
- `--enable-dns-updates`, `--ip-address` or `--all-ip-addresses` is set
- The client hostname DNS lookup fails
# Enroll this (RHEL 8) host as an IPA client. --force-join re-joins even if a
# host entry already exists; --enable-dns-updates lets the client keep its own
# DNS records updated.
# NOTE(review): the --password value (given on the next line) is exposed via
# `ps` and shell history; the installer prompts for it when --password is
# omitted (presumably — confirm). Replace the '<password>' placeholder.
umask 0022
ipa-client-install \
--force-join \
--mkhomedir \
--enable-dns-updates \
--no-ntp \
--principal admin \
--password '<password>'
## Add the DNS record for the replica server
kinit admin
ipa dnsrecord-add example.com ipa2 --a-rec 10.255.0.102 --a-create-reverse
ipa-server-install --uninstall -U
# Manual cleanup of the Dogtag CA instance after `ipa-server-install --uninstall`:
# destroy the pki-tomcat instance, then remove its logs, configuration and state.
# Irreversible — only for a host that is being fully decommissioned or reinstalled.
pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat
ipa-client-install --uninstall -U
# RHEL9: Install IPA packages
dnf install ipa-server ipa-server-dns ipa-healthcheck -y
# RHEL9: Check the crypto policy and set it to a supported subpolicy.
# FIPS:AD-SUPPORT is the FIPS policy with the AD-SUPPORT subpolicy applied.
# NOTE(review): update-crypto-policies only switches the system-wide policy;
# it does not by itself enable FIPS mode in the kernel (that is
# `fips-mode-setup --enable`) — confirm which posture is intended. AD-SUPPORT
# relaxes the policy for Active Directory interoperability; confirm it is
# required when no AD trust is configured.
update-crypto-policies --show
update-crypto-policies --set FIPS:AD-SUPPORT
# RHEL9: Setup firewall (same rules as on the RHEL 8 server; the port list
# appears to duplicate the freeipa-4 and dns services).
firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp}
firewall-cmd --permanent --add-service={freeipa-4,dns}
firewall-cmd --reload
# RHEL9: Register as ipa client; ipa-replica-install below runs on the enrolled client.
# '<client_ip>' is a placeholder for this host's IP and must be replaced before
# running (an unquoted <...> is a redirection to the shell).
ipa-client-install --realm example.com --domain example.com --no-ntp --ip-address=<client_ip>
# RHEL9: Add other switches that you feel are necessary, such as forwarders, --ssh-trust-dns, kra, ntp...
# --setup-ca makes this replica a CA as well; the later CA-renewal-master and
# CRL steps depend on that.
kinit admin
ipa-replica-install --setup-dns --no-forwarders --setup-ca --mkhomedir
# RHEL9: Verify all services are in a RUNNING state
ipactl status
# RHEL9: Check that the new server is part of the CS replication topology
# (prompts for the Directory Manager password)
ipa-csreplica-manage list
> Directory Manager password:
>
> ipa1.example.com: master
> ipa2.example.com: master
> ipa1-rhel9.example.com: master
# RHEl9: Check status of replica
ipa-csreplica-manage list --verbose ipa1-rhel9.example.com
> Directory Manager password:
>
> ipa1.example.com
> last update ended: 2026-03-14 01:22:01+00:00
> last update status: Error (0) Replica acquired successfully: Incremental update succeeded
# RHEl9: Check Current CA Renewal Master
ipa config-show |grep 'CA renewal'
> IPA CA renewal master: ipa1.example.com
# RHEL9: Set the CA renewal master to the new system and change the CRL settings.
# Done while the RHEL 8 server is still online: the renewal-master role is moved
# here before the old server is decommissioned below.
ipa config-mod --ca-renewal-master-server ipa1-rhel9.example.com
# RHEL9: Remove the ca.certStatusUpdateInterval entry or set it to 600 (default)
# on the new renewal master. Edit CS.cfg by hand, or use the sed equivalent
# (commented out below; it rewrites the file in place, so keep a copy first).
vim /etc/pki/pki-tomcat/ca/CS.cfg
# sed -i 's/^ca.certStatusUpdateInterval=.*/ca.certStatusUpdateInterval=600/' /etc/pki/pki-tomcat/ca/CS.cfg
# RHEL9: Restart the ipa services so the CS.cfg change takes effect
ipactl restart
# RHEL8: Set the value of ca.certStatusUpdateInterval to 0
vim /etc/pki/pki-tomcat/ca/CS.cfg
ca.certStatusUpdateInterval=0
# sed -i 's/^ca.certStatusUpdateInterval=.*/ca.certStatusUpdateInterval=0/' /etc/pki/pki-tomcat/ca/CS.cfg
## RHEL8: Restart IPA
ipactl restart
## RHEL8: Check the status of CRL Generation
ipa-crlgen-manage status
> CRL generation: enabled
## RHEL8: Disable CRL Gen
ipa-crlgen-manage disable
> Stopping pki-tomcatd
> Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
> Starting pki-tomcatd
> Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
> Restarting httpd
> CRL generation disabled on the local host. Please make sure to configure CRL generation on another master with ipa-crlgen-manage enable.
> The ipa-crlgen-manage command was successful
## RHEL8: Check crlgen status
ipa-crlgen-manage status
> CRL generation: disabled
## RHEL9: Enable crlgen
ipa-crlgen-manage enable
## RHEL9: Create a test user to ensure the DNA range is adjusted and replication is working
## NOTE: This will activate the DNA plug-in on the rhel9 IPA directly by creating another test user:
ipa user-add --first=testing --last=user testinguser1
# BOTH: Test on both systems
rhel9# ipa user-find testinguser1
rhel8# ipa user-find testinguser1
# Verify DNA range.
## There should be ranges for both replicas
ipa-replica-manage dnarange-show
> ipa1.example.com: 1608200002-1608300499
> ipa2.example.com: No range set
> ipa1-rhel9.example.com: 1608300501-1608399999
## Run ipa-healthcheck
ipa-healthcheck
# Existing clients, including the new RHEL9 replica, use ipa1 and ipa2 as DNS servers
# Before removing the old RHEL8 ipa server, first we need to change the DNS
# to point to the new rhel9 IDM
# Point this client's resolver at the new RHEL 9 IPA server (10.255.0.201)
# before the RHEL 8 servers are removed. Bouncing eth0 briefly drops connectivity.
nmcli con mod eth0 ipv4.dns 10.255.0.201
nmcli con reload
nmcli con down eth0; nmcli con up eth0
# Testing: resolve via the search domain, then directly against the new server
dig +short +search ipa1
dig +short +search @10.255.0.201 ipa1-rhel9
For this case, I started by removing ipa2, which was a replica of ipa1, and then removed ipa1 next.
- RHEL8
# RHEl8: Shut down IPA2 and create a VM Snapshot and power back on
# RHEL8: Stop old IPA services
ipactl stop
- RHEL9
# Remove the RHEL 8 server from the topology by executing the removal commands on the RHEL 9 server.
# RHEL9: Run this command from the newly deployed IPA.
# (ipa-replica-manage del --cleanup is the older equivalent, kept for reference.)
# ipa-replica-manage del ipa2.example.com --cleanup
# NOTE(review): --force removes the server entry even if the server no longer
# exists, and --ignore-topology-disconnect skips the check that the remaining
# servers are still connected to each other. This is irreversible; confirm the
# topology first (e.g. `ipa topologysegment-find domain`).
ipa server-del ipa2.example.com --ignore-topology-disconnect --force
# Search for any DNS record for the old ipa and delete it
ipa dnsrecord-show example.com ipa2
ipa dnsrecord-del example.com ipa2
# Re-run ipa-healthcheck
ipa-healthcheck
- RHEL8: Uninstall ipa
# RHEL8: Uninstall and/or power down system
# Run on ipa2.example.com
ipa-server-install --uninstall
init 0
- In Proxmox, rename the old ipa1 and ipa2 to ipa1-rhel8 and ipa2-rhel8
- Create two new VMs on Proxmox using the RHEL9 template
- ipa1.example.com
- ipa2.example.com
- Set hostname
- Configure Networking (IP, DNS, GATEWAY) - For DNS Use the new RHEL9 DNS
- Configure Firewall
- Configure Packages
- Install ipa-server packages
- verify Client can resolve DNS (dig +search ipa1-rhel9)
- Update crypto policy (FIPS:AD-SUPPORT)
- Reboot
- Set umask 0022
- Join machine to IPA (ipa-client-install)
- Get a Kerberos ticket (kinit admin)
- Run ipa-replica-install
- Run the post replica install steps (CA,DNS,CRL,...)
- Follow the same steps for adding ipa2 replica
Once both new ipa1 and ipa2 are up and running, we can remove ipa1-rhel9 or keep it running (3 replicas)
- ipa1
# Run ipa1.example.com
# New ipa1 (RHEL 9): host configuration. Run as root; replaces all repo files
# and the eth0 profile, and is followed by a reboot.
HOSTNAME=ipa1.example.com
IP=10.255.0.101
DNS=10.255.0.201 # DNS points to the new rhel9 IPA replica we created from rhel8
hostnamectl set-hostname $HOSTNAME
# Static IPv4 profile for eth0 using the DNS server set above; IPv6 disabled.
nmcli con add type ethernet ifname eth0 con-name eth0 \
ipv4.method manual \
ipv4.addresses $IP/24 \
ipv4.gateway 10.255.0.1 \
ipv4.dns $DNS \
ipv4.dns-search example.com \
ipv6.method disabled
# Replace all repo definitions with the RHEL 9 mirror's .repo file.
# NOTE(review): plain HTTP and no --fail — an error page would land in rhel.repo
# unnoticed; package signature checking depends on gpgcheck= inside that file.
rm -rf /etc/yum.repos.d/*
curl -o /etc/yum.repos.d/rhel.repo http://10.255.0.120/repos/rhel9/rhel9.repo
dnf clean all
dnf install -y bash-completion wget
dnf install -y ipa-server ipa-server-dns ipa-healthcheck
# Crypto policy: FIPS with the AD-SUPPORT subpolicy.
# NOTE(review): this switches the system-wide policy only; kernel FIPS mode is
# separate (fips-mode-setup). AD-SUPPORT relaxes the policy for AD
# interoperability — confirm it is needed here.
update-crypto-policies --show
update-crypto-policies --set FIPS:AD-SUPPORT
# Firewall: the port list appears to duplicate the freeipa-4 and dns services.
firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp}
firewall-cmd --permanent --add-service={freeipa-4,dns}
firewall-cmd --reload
#-----------------------------------
# Reboot
#-----------------------------------
# Run on ipa1.example.com (RHEl9)
umask 0022
# Enroll as a client first (no --principal/--password given, so the installer
# prompts for credentials — confirm), then promote to a replica with DNS and CA.
# Assumes the old ipa1.example.com server and its host/DNS entries were removed
# as shown for ipa2; otherwise enrollment may need --force-join.
ipa-client-install --realm example.com --domain example.com --ip-address=10.255.0.101 --no-ntp
kinit admin
ipa-replica-install --setup-dns --no-forwarders --setup-ca --mkhomedir
# Post-install checks: services, CS replication agreements (prompts for the
# Directory Manager password) and the current CA renewal master.
ipactl status
ipa-csreplica-manage list
ipa-csreplica-manage list --verbose ipa1.example.com
ipa config-show |grep 'CA renewal'
# Move the CA renewal master role from ipa1-rhel9 to this server and reset
# ca.certStatusUpdateInterval to the default 600 on the new master.
# NOTE(review): sed -i rewrites CS.cfg in place without a backup; keep a copy first.
ipa config-mod --ca-renewal-master-server ipa1.example.com
sed -i 's/^ca.certStatusUpdateInterval=.*/ca.certStatusUpdateInterval=600/' /etc/pki/pki-tomcat/ca/CS.cfg
ipactl restart
ipactl status
#-----------------------------------
# Go to ipa1-rhel9.example.com (RHEL9)
#-----------------------------------
ipa-crlgen-manage disable
#-----------------------------------
# Run on ipa1.example.com (RHEL9)
#-----------------------------------
ipa-crlgen-manage enable
ipa user-add --first=test --last=user testuser2
ipa user-find testuser2
ipa-replica-manage dnarange-show
ipa-healthcheck
- ipa2
# New ipa2 (RHEL 9): host configuration. Run as root; replaces all repo files
# and the eth0 profile, and is followed by a reboot.
HOSTNAME=ipa2.example.com
IP=10.255.0.102
DNS=10.255.0.101 # DNS points to the new ipa1
hostnamectl set-hostname $HOSTNAME
# Static IPv4 profile for eth0 using the DNS server set above; IPv6 disabled.
nmcli con add type ethernet ifname eth0 con-name eth0 \
ipv4.method manual \
ipv4.addresses $IP/24 \
ipv4.gateway 10.255.0.1 \
ipv4.dns $DNS \
ipv4.dns-search example.com \
ipv6.method disabled
# Replace all repo definitions with the RHEL 9 mirror's .repo file.
# NOTE(review): plain HTTP and no --fail — an error page would land in rhel.repo
# unnoticed; package signature checking depends on gpgcheck= inside that file.
rm -rf /etc/yum.repos.d/*
curl -o /etc/yum.repos.d/rhel.repo http://10.255.0.120/repos/rhel9/rhel9.repo
dnf clean all
dnf install -y bash-completion wget
dnf install -y ipa-server ipa-server-dns ipa-healthcheck
# Crypto policy: FIPS with the AD-SUPPORT subpolicy.
# NOTE(review): this switches the system-wide policy only; kernel FIPS mode is
# separate (fips-mode-setup). AD-SUPPORT relaxes the policy for AD
# interoperability — confirm it is needed here.
update-crypto-policies --show
update-crypto-policies --set FIPS:AD-SUPPORT
# Firewall: the port list appears to duplicate the freeipa-4 and dns services.
firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp}
firewall-cmd --permanent --add-service={freeipa-4,dns}
firewall-cmd --reload
#-----------------------------------
# Reboot
#-----------------------------------
# Run on ipa2.example.com (RHEl9)
umask 0022
# Enroll as a client first (no --principal/--password given, so the installer
# prompts for credentials — confirm), then promote to a replica with DNS and CA.
ipa-client-install --realm example.com --domain example.com --ip-address=10.255.0.102 --no-ntp
kinit admin
ipa-replica-install --setup-dns --no-forwarders --setup-ca --mkhomedir
# Post-install checks; ipa-csreplica-manage prompts for the Directory Manager password.
ipactl status
ipa-csreplica-manage list
ipa-csreplica-manage list --verbose ipa2.example.com
ipactl status
# Creating a user exercises the DNA plug-in so this replica is assigned its own
# ID range: compare dnarange-show before and after, then remove the throwaway user.
ipa-replica-manage dnarange-show
ipa user-add --first=test --last=user testuser3
ipa-replica-manage dnarange-show
ipa user-find testuser3
ipa user-del testuser3
ipa-healthcheck
If you decide to remove the intermediate ipa1-rhel9 we used to migrate from RHEL8 to 9, follow these steps
NOTE: ipa1 and ipa2 are only connected to each other through ipa1-rhel9, so removing it would split the topology.
First, create a direct replication agreement between ipa1 and ipa2 (for both the domain and CA suffixes); then you'll be able to safely remove ipa1-rhel9.
-
Check Current Topology
# Check current domain topology
ipa topologysegment-find domain
# Should show a segment between ipa1-rhel9.example.com-to-ipa2.example.com and ipa1-rhel9.example.com-to-ipa1.example.com
# Check current ca topology
ipa topologysegment-find ca
-
Add a replication agreement between ipa1 and ipa2
ipa topologysegment-add domain \
  --leftnode=ipa1.example.com \
  --rightnode=ipa2.example.com \
  ipa1-ipa2-domain
-
Then do the same for the CA suffix:
ipa topologysegment-add ca \
  --leftnode=ipa1.example.com \
  --rightnode=ipa2.example.com \
  ipa1-ipa2-ca
-
Verify the segments were created
ipa topologysegment-find domain
-
Go to ipa1-rhel9
ipactl stop
-
Now remove ipa1-rhel9
ipa server-del ipa1-rhel9.example.com --ignore-topology-disconnect --force
-
Verify ipa-healthcheck
umask 0022
ipa-healthcheck