---
title: Read-only replicas
description: By default, all directory servers in a replication topology are read-write.
component: pingds
version: 8.1
page_id: pingds:config-guide:repl-read-only
canonical_url: https://docs.pingidentity.com/pingds/8.1/config-guide/repl-read-only.html
revdate: 2025-10-22T14:42:39Z
keywords: ["Features", "LDAP", "Replication", "Setup &amp; Configuration", "Troubleshooting"]
section_ids:
  read_only: Read-only
  read_write: Read-write
---

# Read-only replicas

By default, all directory servers in a replication topology are read-write.

## Read-only

The following command causes the replica to accept only internal updates and refuse updates from client applications:

```console
$ dsconfig \
 set-global-configuration-prop \
 --set writability-mode:internal-only \
 --hostname replica.example.com \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --trustStorePath /path/to/opendj/config/keystore \
 --trustStoreType PKCS12 \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --no-prompt
```

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Changing to `writability-mode:internal-only` prevents updates from external directory client applications. For example, it allows all internal updates, meaning the replica receives replication changes.To prevent replication from replaying any updates from a read-only replica, configure the replication servers to [trust *the other* replicas](repl-trusted.html) in the deployment.Don't trust the read-only replica, and replication servers ignore its changes. |

## Read-write

The following command resets `writability-mode` to the default setting:

```console
$ dsconfig \
 set-global-configuration-prop \
 --set writability-mode:enabled \
 --hostname replica.example.com \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --trustStorePath /path/to/opendj/config/keystore \
 --trustStoreType PKCS12 \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --no-prompt
```