10 Replies Latest reply: Jun 30, 2010 7:54 PM by James Nennemann
MorrisZwick Level 1 (0 points)
After initial setup, I needed to update my DNS domain and server name to prepare for a cutover to our pre-existing domain that is currently remote hosted. So I converted from myserver.private to myserver.mydomain.com. After running changeip to get the server and DNS names fixed, and redoing the Open Directory master setup so that Kerberos now uses the correct Realm (MYSERVER.MYDOMAIN.COM), everything seems to be fine EXCEPT that the LDAP Search Base is still "dc=myserver, dc=private". I have searched all over for an answer on how to change the LDAP Search Base and all I find are other people with my exact same issue.

Does anyone know how to update the LDAP Search Base when you update the DNS domain?

Thanks in advance!

MacBook, Mac Mini with Snow Leopard Server, Mac OS X (10.6.2)
  • MorrisZwick Level 1 (0 points)
    A call to Apple support helped solve this problem, especially to deal with a typo in the Apple Snow Leopard Server documentation:

    1. Export all of your users, groups, etc. to files. Passwords will be reset but everything else will work.

    2. In OD, change the server to be "stand alone" (basically turning off OD).

    3. From the command line run the following command, noting that you literally put the string "HostName" in the position specified, not the old host name specified in the documentation:

    sudo scutil --set HostName <fully qualified domain name>

    4. Reboot

    5. Restart Server Admin and recreate the OD master using the fully qualified name.

    6. Go to Keychain and look for the entries for system -> com.apple.opendirectory. One should point to your server and one should be blank. Delete the blank entry.
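    A check script for the procedure above, added here as an example (it is not from the thread or from Apple). It derives the search base and realm that an Open Directory master built from a given host name should use, compares them with a reported base DN, and, on the server itself, can read the live values with `scutil` and a root DSE `ldapsearch`. The host name is the thread's placeholder, not a real host.

```shell
#!/bin/sh
# Added example, not the thread's own commands.  Converts a fully qualified
# host name into the LDAP search base and Kerberos realm Open Directory
# would create for it, and compares that with what a server reports.

# myserver.mydomain.com -> dc=myserver,dc=mydomain,dc=com
expected_search_base() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\./,dc=/g; s/^/dc=/'
}

# Kerberos realm is the fully qualified name in upper case
expected_realm() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Compare a reported base DN with the expected one, ignoring case and the
# spaces after commas seen in "dc=myserver, dc=private".  Returns 0 on match.
search_base_matches() {
    fqdn=$1
    reported=$(printf '%s' "$2" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
    [ "$reported" = "$(expected_search_base "$fqdn")" ]
}

# Live check, meant to run on the server (macOS): read the host name set with
# scutil and the namingContexts attribute that OpenLDAP publishes in its root
# DSE, then compare.  Not exercised by the offline test below.
check_live() {
    fqdn=$(scutil --get HostName)
    base=$(ldapsearch -x -LLL -H ldap://127.0.0.1 -b '' -s base namingContexts 2>/dev/null \
           | awk '/^namingContexts:/ { print $2; exit }')
    if search_base_matches "$fqdn" "$base"; then
        echo "OK: search base $base matches $fqdn (realm $(expected_realm "$fqdn"))"
    else
        echo "MISMATCH: $fqdn expects $(expected_search_base "$fqdn"), server reports ${base:-nothing}"
        return 1
    fi
}
```

    Run `check_live` before step 1 and again after step 5; a mismatch after the rebuild means the old base DN is still in place.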

  • adam_d Level 1 (0 points)
    Thank You!!!!
  • Corbywan Level 1 (60 points)
    What if I forgot to do step one after proceeding with the rest? Can I get my old directory back?

  • John Hawkins Level 1 (75 points)
    Blessed are the pessimists, for they hath made backups.

    Yesterday, I accidentally deleted a group. Don't ever do that. Can't be undone, and the permissions on the sharepoints have to be re-built because the group name in the access control list is gone.

    If you delete users but still have groups and group permissions, you can re-populate the group with new users and the group permissions in the ACL are fine.

    Learned that the hard way.
  • buckster Level 4 (2,810 points)
    Has anyone figured a way to do this without hosing passwords?
  • James Nennemann Level 1 (55 points)
    Shouldn't you be able to 'archive' your OD in the Server Admin/Open Directory/Archive panel, then reload it after following the other steps? I thought it asked you for the ldap query string then at one point... I will find out after tomorrow as I have to do this very thing.
  • Antonio Rocco Level 6 (10,517 points)
    The problem with restoring an Archived LDAP Database is you'll be restoring the previous Domain/Realm with all references to it into a different Domain/Realm. I'm not saying this won't work but if you do you'll in all likelihood introduce potentially major problems.

    FWIW restoring a damaged/corrupted LDAP Database is not a good idea either.

  • James Nennemann Level 1 (55 points)
    I have to say if that is the case then it is really f@#$ up. I have run every version of OS X Server since version 1 and the server OS has always seemed a little unfinished with too much margin for error... very un-apple like. They kind of treat it like the red headed stepchild.

    I am going to image the SSD before I try so that I can still regress if need be. I will be giving it a shot in about 4 hours and I will try to remember to come back here and report progress.
  • Antonio Rocco Level 6 (10,517 points)
    Hi James

    I'm not sure I entirely agree with you, but you do have a point. However, making a backup of the server either as a cloned .dmg or on a bootable external drive is regarded generally by Apple as "Best Practice". This has been known for some time, as of course you already knew. I make this point because a lot of posters on these boards fail to realise this and invariably end up posting because of some problem they've had after running a major update. It comes as a shock to some of them when they realise there's no 'rollback' or 'undo' as there is in Windows.

  • James Nennemann Level 1 (55 points)
    Yes... I had to export users, groups, computers and computer groups, demote to stand-alone, re-promote, then reimport users, groups, computers and computer groups, losing passwords for the 300+ users. *****, but such is life.

    Thanks for the input, Tony; you were right on. BTW - Archive and Restore worked just fine in 10.6. I performed that operation two or three times as I experimented. The only problem was that it brought over EVERYTHING, including the LDAP search base.

    ****... if Snow Leopard was perfect, who would want to buy 10.7, right? (;-)