17.6 Moving the EBA CA Role to a New Server

If the server acting as EBA CA is down, eDirectory lets you move the EBA CA role to a different EBA-enabled server in the tree. Before moving the EBA CA role to a new server, ensure that the new server:

  • Is EBA-enabled.

  • Has a writable replica of the tree-root partition that had already been created when the EBA CA went down.

To transfer the role of EBA CA to the new server on Linux operating systems, run the following command from your bash shell on the new server:

ndstrace -c "config ebassl_srv seize_ebaca"

eDirectory displays a success message indicating that the EBA CA role is transferred to the new server. If you try this operation while the original server is still functional, the operation fails.

On Windows, perform the following steps:

  1. Open ndscons.exe.

  2. Click Start > Settings > Control Panel > NetIQ eDirectory Services.

  3. On the Services tab, scroll to ebassl_srv.dlm, then enter seize_ebaca in the Startup Parameters field.

  4. Click Configure.

To view messages about the EBA CA role transfer, run dstrace.dlm with the EBA tag enabled while the EBA CA role transfer operation is running. DSTrace displays the appropriate message depending on the success or failure of the operation. If you try this operation while the original server is still functional, the operation fails.

NOTE:

  • To determine whether the EBA CA role was successfully seized, run ndscheck on the new server. If the ndscheck output shows EBACA=true, the new server is now the EBA CA of the tree.

  • If the server hosting EBA CA is down, designate some other server in the replica ring of the tree-root partition as EBA CA. If the server that went down had a master replica of the tree-root partition, it is recommended to transfer the master role to the new server acting as EBA CA. To transfer the master role, follow the instructions from Repairing Replicas.
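
One way to script the ndscheck verification described in the NOTE above, as an added example that is not part of the eDirectory documentation. It assumes only that the EBACA=true token appears literally in the ndscheck output, as the text states; the function names are hypothetical, and ndscheck is run with whatever arguments you supply.

```shell
#!/bin/sh
# Added example: confirm the EBA CA seize from ndscheck output.
# Only the "EBACA=true" token comes from the documentation; the rest of
# the ndscheck output format is not assumed.

# Read ndscheck output on stdin and print: true, false or unknown.
ebaca_state() {
    # Collect every EBACA=<value> token, lower-cased and de-duplicated.
    vals=$(grep -io 'EBACA=[a-z]*' | tr 'A-Z' 'a-z' | sort -u)
    case "$vals" in
        ebaca=true)  echo true ;;
        ebaca=false) echo false ;;
        *)           echo unknown ;;   # token absent or conflicting values
    esac
}

# Run ndscheck with the caller's arguments and succeed only if the
# output reports EBACA=true. The exit status of ndscheck itself is not
# relied on; only the token in its output is checked.
verify_ebaca() {
    out=$(ndscheck "$@" 2>&1) || true
    state=$(printf '%s\n' "$out" | ebaca_state)
    [ "$state" = true ] && return 0
    echo "EBA CA role not confirmed on this server (EBACA=$state)" >&2
    return 1
}
```

After the seize command reports success, call verify_ebaca on the new server with the arguments you normally pass to ndscheck, and treat a non-zero return as a reason to review the DSTrace messages before relying on the new EBA CA.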