diff --git a/files/replicate.sh b/files/replicate.sh
new file mode 100644
index 0000000..959ef49
--- /dev/null
+++ b/files/replicate.sh
@@ -0,0 +1,12 @@
+read -s -p "Admin Password:" ADMIN_PASSWORD
+echo ""
+read -p "Server to replicate (default ipa.actcur.com):" SERVER
+
+if [ -z $SERVER ]
+then
+ SERVER="ipa.actcur.com"
+fi
+
+ipa-client-install -U -p admin -w $ADMIN_PASSWORD --server=ipa-replica2.actcur.com --domain actcur.com --mkhomedir --force-join
+
+ipa-replica-install --skip-mem-check
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
index 7dc8980..53071c3 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,3 +1,7 @@
 #SPDX-License-Identifier: MIT-0
 ---
 # handlers file for role-ipa-server
+- name: restart ipactl
+ service:
+ name: ipactl
+ state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
index c5f3690..419fb1d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
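Review bot: The admin password read on the first line of replicate.sh is handed to ipa-client-install as a `-w` argument, so it is visible in the process list and in any shell trace for as long as the install runs; since the script already prompts interactively, `ipa-client-install -U -p admin -W --server="$SERVER" --domain actcur.com --mkhomedir --force-join` lets the installer prompt for the password itself and keeps the secret off argv, and the `read -s` line can then be dropped. The same command also ignores the `SERVER` value the script just prompted for and hard-codes `--server=ipa-replica2.actcur.com`, so the default/prompt logic above it has no effect. `[ -z $SERVER ]` should be `[ -z "$SERVER" ]`, and the file has no shebang and no `set -eu`, so a failed client install still falls through to `ipa-replica-install`.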
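Review bot: `ipactl` is the FreeIPA control utility rather than a service unit, so `service: name: ipactl` in the new `restart ipactl` handler will most likely fail with an unknown-service error the first time it is notified; as far as I recall the systemd unit is `ipa`, so either `ansible.builtin.service: name: ipa state: restarted` or `ansible.builtin.command: ipactl restart` would match the handler's intent. The bare `service:` module name is also inconsistent with the `ansible.builtin.*` FQCNs used in tasks/main.yml.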
@@ -1,3 +1,55 @@
 #SPDX-License-Identifier: MIT-0
 ---
-# tasks file for role-ipa-server
\ No newline at end of file
+# tasks file for role-ipa-server
+- name: install freeipa-server
+ ansible.builtin.package:
+ name: freeipa-server
+ state: present
+
+- name: install ipa-server-dns
+ ansible.builtin.package:
+ name: ipa-server-dns
+ state: present
+
+#this should be moved to a dedicated firewall role down the road
+- name: permit ipa-server traffic through firewall
+ ansible.builtin.package:
+ service: freeipa-4
+ state: enabled
+ permanent: true
+ immediate: true
+ offline: true
+
+- name: deploy replication script
+ ansible.builtin.copy:
+ src: files/replicate.sh
+ dest: /scripts/replicate.sh
+
+# create symlink for certs if letsencrypt is set up
+- name: check if letsencrypt is set up
+ ansible.builtin.command: '[ -d "/etc/letsencrypt/" ]'
+ register: result
+ ignore_errors: true
+
+- name: check if ipaserver is ready
+ ansible.builtin.command: '[ -d "/var/lib/ipa/certs/" ]'
+ register: result2
+ ignore_errors: true
+
+- name: create symlink for certificate
+ ansible.builtin.file:
+ src: /etc/letsencrypt/live
+ dest: /var/lib/ipa/certs/httpd.crt
+ state: link
+ force: yes
+ when: (result is succeeded) and (result2 is succeeded)
+ notify: restart ipactl
+
+- name: create symlink for private key
+ ansible.builtin.file:
+ src: /etc/letsencrypt/live
+ dest: /var/lib/ipa/private/httpd.key
+ state: link
+ force: yes
+ when: (result is succeeded) and (result2 is succeeded)
+ notify: restart ipactl
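Review bot: The `permit ipa-server traffic through firewall` task passes `service`, `permanent`, `immediate` and `offline` to `ansible.builtin.package`, which accepts none of them, so the play fails at that task with an unsupported-parameter error; those are `ansible.posix.firewalld` parameters and the module line should read `ansible.posix.firewalld:`. The two symlink tasks point `/var/lib/ipa/certs/httpd.crt` and `/var/lib/ipa/private/httpd.key` at `/etc/letsencrypt/live`, which is a directory rather than a PEM file, so the intended targets are presumably the per-host `fullchain.pem` and `privkey.pem` beneath it; replacing FreeIPA's HTTP certificate through `ipa-server-certinstall -w` may also be safer than swapping files under /var/lib/ipa by hand, since that tool updates the server's own certificate tracking. The `deploy replication script` copy sets no `mode:`, so the file lands non-executable and `/scripts` must already exist on the host; `mode: '0750'` plus a preceding `ansible.builtin.file: state: directory` task would cover both. The two directory probes would read better as `ansible.builtin.stat` with `when: result.stat.isdir | default(false)`, which also removes the `ignore_errors: true` failures from the play output.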