Pierre Froelicher1

Q: access server within domain not working

When I am within my domain I want to access my server.

However, its hostname server.mydomain.com does not work.

In Terminal, hostname gives server.mydomain.com

nslookup server.mydomain.com

gives the right IP.

nslookup 10.0.xxx.xx ..the IP number reverses to server.mydomain.com.

But if I put in afp://server.mydomain.com

it does not work.

I have to put in the IP number..

This worries me because it is not expected behavior.

WHY?

Pierre

Mac mini Server (Mid 2010), OS X Server

Posted on Feb 3, 2016 4:18 PM

  • by SBeattie2,

    SBeattie2 Feb 13, 2016 12:43 AM in response to Pierre Froelicher1
    Level 2 (185 points)
    Servers Enterprise

    -Pierre - Please be sure to read all of Mr. Hoffman's valuable advice.  I am going to assume that you have a pretty small environment - with just a few users that actually require access to your OS X Server - and some number of "guest" users that require only access to the internet and nothing else.  I'm also assuming that you have very few records in your OS X Server DNS (the required entries for the server itself and possibly for a few local devices).  If this is not true - then my suggestions that follow may not be a suitable solution for your issue - but still you may want to consider them - at least as an interim solution.

     

    First:  The reason that you are having trouble with the guest network on your Airport router is due to the fact that Airport routers implement the guest network by using a different subnet (typically defaulting to 172.16.42.x/24) for the guest network.  The Airport router does not provide any routing between the two subnets - thus it is not possible for guests to access 10.0.x.x/24 or vice-versa.   The Airport router hands out the same two DNS server addresses to both the local 10.0.x.x/24 clients as well as guests.   Thus - when you specify 10.0.x.x and 8.8.8.8 (regardless of the order) - all clients (including the guest network) receive these two addresses.  The DNS resolver (in each client device) expects that the two DNS server addresses that it receives from DHCP are going to be "logically" reachable (meaning that there is a route to each).  The resolver on clients in the 10.0.x.x/24 subnet can reach both 10.0.x.x and 8.8.8.8 - but - the resolver on clients in the guest subnet (172.16.42.x/24) cannot "logically" reach the 10.0.x.x DNS server because it fails with a "no route to host" error - and does not attempt to try the 8.8.8.8 (which is reachable).  Resolution "terminates" because one of the two DNS servers cannot logically be reached - even though the server is actually available - and thus there is no access to the internet from the guest network.  For clients on the 10.0.x.x/24 subnet - external resolution would still succeed (even if the OS X DNS Server was shut down) - because both servers are logically reachable - and since 10.0.x.x is down (it is considered as not responding or not available) the resolver then attempts to query 8.8.8.8 - and clients on the 10.0.x.x/24 subnet would still get internet access to external websites/hosts.
    The guest network functionality in Airport devices really does NOT work well (or at all) when a local DNS server is involved - and the local DNS server IP is one of the two DNS Server IPs handed out to clients. The Airport router really needs to allow "guest" DNS servers to be specified - but currently that is not an option.

     

    Quick Resolution - without having to change any of your hardware (at least not at this time):

     

    1.  On your Airport Router - set your DNS Servers to one of the following:

         a.  8.8.8.8 / 8.8.4.4  (Google DNS)

         b.  208.67.222.222 / 208.67.220.220

         c.  Leave the DNS Servers blank (the DNS servers from your ISP will be used - and should show up in a light grey font)

     

    Note:  you can enter your search domain here  (for example:  example.com)  The search domain will be handed out to the guest network as well - but it will not really perform any function there - and should not cause any problems either.

     

    The above settings will hand out "reachable" DNS servers to every DHCP device on the local as well as the guest network but not provide any access to your local DNS server (this is addressed in the next step).

     

    2.  Override DNS server setting only on local client devices that require access to your OS X Server (Desktops, portables, handhelds, etc).  This is feasible only in a small environment - but may be worth the effort to get your environment up and running while you determine how to implement a better solution.  You do not need to do a manual override on devices such as NAS drives, printers, and other network devices that don't directly access your server.

     

    For Macs:  Open system preferences / network - for both Ethernet and Wifi (in the advanced settings) click the DNS tab.  In the DNS servers list - remove any servers that are currently listed (the ones that are DHCP provided are grey and will disappear after you enter a manual ip address).  Click the + (plus) sign to enter a new server - enter your 10.0.x.x DNS server - and only that server - no other DNS servers should be listed.


    For iOS Devices:  In the wifi settings connect to each wifi access point that will be used on the network and tap the arrow to the right of the network name.  This will bring up the network settings.  Tap on the DNS servers (it will be a comma-separated list of IP addresses - from DHCP) - enter your 10.0.x.x DNS server - and only that server - no other DNS servers should be listed.

     

    For Windows PCs and other non-Apple devices - use the appropriate procedure for those devices to override the DNS settings and enter your 10.0.x.x DNS server.

     

    Once all the devices needing server access have been overridden you will have accomplished the following:

     

    1.  All devices not requiring access to OS X Server - will have internet access - by default from DHCP - Guest network included.  If OS X Server is down for maintenance - these devices will still have uninterrupted access to the Internet.

     

    2.  Any devices that do require access to OS X Server - will get their IP address and search domain via DHCP - but will use the overridden 10.0.x.x DNS server and will have access to the Internet and to OS X Server services.  When OS X Server is down for maintenance - these devices will not have Internet access.

     

    Next Step (for a better solution):

     

    1.  Set up profile manager on OS X Server.

    2.  Enroll the devices (Macs and iOS devices) that require a DNS override.

    3.  Set up a network profile that you can push to devices that will automatically or manually be pushed to these devices to override the DNS server settings to use OS X Server.

     

    Other Alternatives (requires hardware changes).

     

    Use a different router (ASUS RT-AC68U) - or one that has VLAN style Guest Network functionality (some routers provide multiple guest networks) and do not have the local DNS server conflict.

     

    Attempt to use DHCP service on OS X Server.  I don't recommend this if your environment is small.  You want to use a built-in router DHCP server whenever possible.

     

    Get an inexpensive Netgear managed switch.  This will allow you to set up  port-based VLANS.  You would need to put a separate Wifi Access point on a VLAN by itself - to provide guest network functionality - but it also may require some redesign of your network.  There is planning required for this solution.

     

    The important thing is that you implement a solution that is going to suit your needs and provide security as well as not taking up all of your time.  If you are finding that you are spending all your time troubleshooting something or trying to trick something into working correctly - you would be far better off to buy something better to replace it.

     

    Mr. Hoffman - Do you agree?

     

    ~Scott

  • by MrHoffman,

    MrHoffman Feb 13, 2016 6:49 AM in response to SBeattie2
    Level 6 (15,637 points)
    Mac OS X

    The configurations suggested by SBeattie2 will work.

     

    But it's not something I'd choose.   I just don't use AirPort or Time Capsule, here.   Not configured as a router/gateway/firewall/NAT box.   It's a good choice for home users and a very good choice for home users with OS X devices, but it's just not good for servers and server-oriented networks.  It's not meant for that usage.  It lacks parallel DHCP settings, and a VPN server, and — for both good and bad — is rather limited with what you can do as a firewall box.   Now I do use AirPort and Time Capsule devices as access points (APs), which is an entirely different configuration.   Apple calls this "bridging". 


    I don't consider VLAN separation to be particularly trustworthy, though I do use that with port configurations on various managed switches.    Subnets are not a secure separation, particularly if the user has control over the IP address assigned and that is the case with any bring-your-own-device networks.  (I've had some folks entirely snarl networks, and unintentionally.  If they were trying...)

     

    My preferred separation involves a DMZ for externally-accessible servers and/or for the guests, a competent DMZ-capable router/gateway/firewall/NAT box, and parallel AP equipment.

     

    The prices on APs, managed switches and competent router/gateway/firewall/NAT boxes have cratered in recent years.

     

    The local small-business network configurations I support and install tend to be built from commercial-grade APs and/or from TCs configured as APs (if folks aren't using OS X Server as a Time Machine target, or want redundant TM targets), ZyXEL or other web-managed managed switches, and USG-series router/gateway/firewall/NAT/VPN boxes.  Further up the network scale, there's mid-range or higher ZyXEL gear as well as offerings from others and the rather more expensive Cisco gear.   There's been a variety of good AP gear recently available, too — business-grade AP gear, at very low prices.

  • by Pierre Froelicher1,

    Pierre Froelicher1 Feb 14, 2016 9:09 AM in response to MrHoffman
    Level 1 (118 points)
    Servers Enterprise

    Hoffman and Scott,

    thanks for your advice.

    First: I adopted Scott version A. I put 8.8.8.8 as the DNS server in the AEBS and went to all my (5) workstations and put in 10.0.117.10, the IP of my server within my network.

    Still do not like the setup, because, as Scott pointed out if the server fails (he is human after all..haha) my 5 workstations will not access internet anymore.

     

    I am still reluctant to spend more money on my all mac setup. A mini server running filemaker server, OD, Filesharing, DNS. An AEBS as Router, firewall and RADIUS WIFI, all working out of the box with the SERVER app.

    I use Profile Manager for my 5 workstations and soon three iPads. We are a small cosmetics manufacturer. The guest network is for employees and visitors.

     

    Questions:

    I use 10.0.117.x as my internal IP pool.. Is there any problem with this? (I mean the 117.. I chose this number so as never to have a conflict with VPN, where the IPs of the networks should not be the same.. But due to my lack of knowledge, I assumed I could choose any number here. Correct??

     

    If I put in the workstations 10.0.117.10 AND some outside DNS servers' IPs.. would they at least work when 10.0.117.10 is down?

     

    Anyway.. thanks a lot for your very good advice.

    Yours

    Pierre

  • by MrHoffman (Helpful),

    MrHoffman Feb 14, 2016 11:12 AM in response to Pierre Froelicher1
    Level 6 (15,637 points)
    Mac OS X

    10.0.0.1 to 10.255.255.254 are available for use as private IP addresses, and competently-built network gateway devices will not make these or other private network addresses visible across NAT or related processing.

     

    If you have a private DNS server and a public DNS server, it's anybody's guess what a particular client will do, when it gets handed a failed translation from the public DNS server for a local host name.   More than a few clients will not try other DNS servers, which means at least some local clients will not resolve local DNS names, when they happen to select a not-local DNS server.

     

    If the server is down, then switch the DHCP server to the public IP addresses, and either renew the DHCP or reboot the clients.   Or get a backup DNS server or two.  A "plug" computer should have enough to run a small DNS server, after all.   Mid- and upper-end gateways can often contain a DNS server, too.  Old and underpowered Mac boxes that can still run recent software make nice backup DNS servers, too.

  • by SBeattie2,

    SBeattie2 Feb 15, 2016 11:56 PM in response to Pierre Froelicher1
    Level 2 (185 points)
    Servers Enterprise

    Your environment is very small and I can understand not wanting to spend additional money.  With that in mind I would suggest the following:

     

    1.  For the time being you could try putting the 10.0.117.10 and 8.8.8.8 into each client machine's DNS settings.  Remember that the order in which you specify the DNS servers does not determine which is used first.  DNS queries are sent to both DNS servers simultaneously and whichever responds first is the answer that will be returned.  Typically the internal server is going to respond first (which is what you want) - but there is no guarantee of this and it could cause occasional unexpected behavior.  If the only entries in the local DNS server are those 6 records for the server itself - the most noticeable impact would be the temporary inability to access your server and/or its services due to 8.8.8.8 trying to resolve server.yourdomain.com and failing.  10.0.117.10 will also locally cache results that are received from 8.8.8.8 for each record's specified TTL duration.  Subsequent queries to those domains will likely come from the local cache.  Again - to reiterate - there is no guarantee.  When multiple DNS servers are specified - there is an expectation that either server should return identical results - if both are up.  In your implementation - these are two different servers.  In a larger environment - having dissimilar DNS servers specified could cause major problems.  I suggest you try it to see if it is predominantly going to work for you.  It would seem to me that in your environment an occasional failed lookup of server.yourdomain.com would be less serious - than 5 users having no internet access at all - if you are not there to resolve it.

     

    2.  You could try setting up a secondary/slave DNS server - by installing OS X Server on a second Mac and setting DNS up as a secondary server.  Keep in mind - that making a second Mac a server will have some minor impact on that Mac - and the fact that Server is running - will prevent the Mac from sleeping.  The secondary DNS server will replicate the primary DNS server - and should seamlessly handle DNS requests in the event that the primary is down.  I have not set up a secondary DNS server myself - so I can't provide specific instructions.  The best advice that I can give - if you choose to try a secondary server - is to image backup (or create a clone of) the other Mac as well as the server before attempting to install Server.  You could try creating a small partition on the second Mac and then install El Capitan and Server - and experiment with the secondary DNS by booting from the second partition.  Once you get it working - repeat the setup on the main partition and then delete the second partition.  I suggest the partition method so that the Mac will not be impacted if something should go wrong.

     

    Also - you are using Radius.  The radius setup worked automatically when you selected the checkbox - because you are using an Airport router.  The automatic Radius setup does not work with other routers - nor will it work with a secondary Airport access point.  There is a free tool called Admin Radius Tool on the Mac App Store.  It can be used to setup Radius on multiple routers or access points - regardless of router/access point manufacturer.

     

    Let us know what you decide to do - and best of luck.

    ~Scott
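The recurring point in this thread (Scott's Feb 13 explanation of the guest-network resolver failing with "no route to host", Mr. Hoffman's Feb 14 note that many clients will not fall back to another server after a failed answer, and Scott's Feb 15 point 1 about mixing 10.0.117.10 with 8.8.8.8) is that the two resolvers handed to clients hold different views of the namespace. The script below is an added example, not code from the thread or from OS X Server: it sends a raw DNS A query to each configured resolver and classifies the outcome as unreachable (no route), timeout, NXDOMAIN, or an answer, then flags names on which the resolvers disagree. The resolver IPs and the internal name are taken from the thread; `example.com` is a constructed external sample, and the `check_resolvers`/`probe` names are this example's own.

```python
"""Probe several DNS resolvers for the same names and flag inconsistent views.

Added example (not from the thread). Resolvers 10.0.117.10 and 8.8.8.8 and the
name server.mydomain.com are the values the thread discusses; example.com is a
constructed external sample.
"""
import random
import socket
import struct


def build_query(name, qid):
    """Build a standard RFC 1035 query packet for an A record (RD=1, one question)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:       # compression pointer occupies two bytes
            return offset + 2
        offset += 1 + length


def parse_response(data, qid):
    """Classify a DNS response: ("ok", [ips]), ("nodata", []), ("nxdomain", []) or ("error", [])."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("response id mismatch")
    rcode = flags & 0x000F
    if rcode == 3:
        return ("nxdomain", [])
    if rcode != 0:
        return ("error", [])
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return ("ok", ips) if ips else ("nodata", [])


def probe(server, name, timeout=2.0):
    """Query one resolver over UDP/53 and distinguish 'cannot reach it' from 'it cannot answer'."""
    qid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return ("timeout", [])
    except OSError:                      # e.g. EHOSTUNREACH / ENETUNREACH: "no route to host"
        return ("unreachable", [])
    finally:
        sock.close()
    return parse_response(data, qid)


def check_resolvers(servers, names, probe_fn=probe):
    """Probe every (server, name) pair; return results and the names whose status differs across servers."""
    results = {s: {n: probe_fn(s, n) for n in names} for s in servers}
    inconsistent = [n for n in names
                    if len({results[s][n][0] for s in servers}) > 1]
    return results, inconsistent


if __name__ == "__main__":
    res, bad = check_resolvers(["10.0.117.10", "8.8.8.8"],
                               ["server.mydomain.com", "example.com"])
    for srv, answers in res.items():
        for n, (status, ips) in answers.items():
            print(f"{srv:>15}  {n:<22} {status:<12} {' '.join(ips)}")
    if bad:
        print("resolvers disagree on:", ", ".join(bad))
```

Run from a client on the 10.0.117.x network and the internal name should show "ok" from 10.0.117.10 and "nxdomain" from 8.8.8.8, which is exactly the disagreement Scott describes; run from the guest subnet, 10.0.117.10 shows "unreachable" or "timeout" while 8.8.8.8 still answers example.com.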
