
Lion Server problem - Computer is already a network directory server

So I purchased Lion Server to trial it at home and it is not going well. Initially I was having issues connecting to the web interfaces for profile manager, etc. The server was not responding and so I uninstalled server and reinstalled it from the Mac Store (FYI: Apple has charged me for the OS and the server app as a result of this for some reason!!!)


With Server reinstalled I went to set up the server as a network directory and am shown this message every time I try to set up the directory admin account: "Computer is already a network directory server - This computer is already configured to manage network accounts. It cannot be configured again."


This leaves me unable to set up any profile or device management, I have tried the following solutions:


  1. Uninstall and reinstall server
  2. Deleted ServerVersion plist
  3. Reinstalled Lion
  4. Reinstalled Lion with format of HDD (although I did recover from a Time Machine Backup which included settings)


Any help would be appreciated.

Posted on Jul 28, 2011 2:10 AM

Question marked as Best reply

Posted on Jul 28, 2011 2:29 AM

I would try configuring the server again as a "standalone server", and then promoting it again to "Open Directory Master", and see if that works.


Make backups!!! That will erase all entries in OD (groups, users, machines, profiles, etc.).


You can do it better from "Server Tools" than from "Server.app".


Here you'll find the "almost classic" Server Tools: http://support.apple.com/kb/DL1419


Good luck!

40 replies

Jul 28, 2011 4:41 AM in response to true3man

true3man wrote:


Thanks for the link, so I tried the good old Snow Leopard Server Admin App and tried to create a standalone server as you suggested and now get a new error message:


"The hostname does not resolve to any configured address. Please ensure your hostname and network configuration is correct."


Any ideas?

Before trying to set up OD it is a good idea to run the command line tool changeip to check the DNS setup is right. Do the following in Terminal on the server.


sudo changeip -checkhostname

Jul 28, 2011 5:02 AM in response to true3man

Hi


Barely anything will work on OSX Server without a correctly configured DNS Service. Assuming NAT, this can be either on the Server itself or on another Server you may already have which is providing the service for your private network. If this is the only Server you have then DNS must be configured on that Server. If the server is exposed to the Internet (i.e. not behind NAT) DNS would be something your ISP and/or Domain Registrar will set up for you.


This all assumes you have an understanding of DNS basics and how it relates to running your own private server?


For a problem free Open Directory Master (network directory server) and associated services, you really must have DNS correctly resolving on both pointers. The advice John has given you should help you determine the validity of however your DNS is configured and should help us assist you further.


HTH?


Tony

Jul 28, 2011 6:57 AM in response to Antonio Rocco

Really helpful advice; I have basic knowledge of DNS but didn't realise its impact on Open Directory. The Terminal command did uncover a conflict between the host name and the DNS host name, and that has been resolved. However, I am now getting a new configuration error when trying to set up an Open Directory Master; the log is below:


2011-07-28 14:15:22.009 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/configure.bundle'

2011-07-28 14:15:22.085 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/keychain.bundle'

2011-07-28 14:16:00.855 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClient.bundle'

2011-07-28 14:19:30.094 BST - Registered subnode with name '/LDAPv3/127.0.0.1'

2011-07-28 14:19:48.611 BST - Unregistered node with name '/LDAPv3/127.0.0.1'

2011-07-28 14:24:02.199 BST - Registered subnode with name '/LDAPv3/127.0.0.1'

2011-07-28 14:24:11.441 BST - Unregistered node with name '/LDAPv3/127.0.0.1'

2011-07-28 14:26:26.580 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/proxy.bundle'

2011-07-28 14:30:08.431 BST - Registered subnode with name '/LDAPv3/127.0.0.1'

2011-07-28 14:30:18.147 BST - Unregistered node with name '/LDAPv3/127.0.0.1'

Jul 28, 2011 7:19 AM in response to true3man

Hi


What makes you think it's an error? When promoting to an OD Master Role the server adds itself in the LDAP node with its own loopback address. This has always been the case with every version of the Server going back to at least 10.4. I've not had a chance to look at Lion Server yet but it's difficult to imagine Apple changing this too much?


What exactly happens? If the Overview Pane (assuming this is still there) says everything is running and the Search Base is the fully qualified domain name of your Server then it should be OK. How do you find out the fully qualified domain name of your Server? Issue hostname from the command line. If this matches what you have configured in the DNS Service then promotion should succeed in approx. 30 seconds or so.


HTH?


Tony

Jul 28, 2011 1:04 PM in response to Antonio Rocco

Sorry I copied the wrong log.


What is happening is the Open Directory Assistant attempts to create an Open Directory Master but fails, claiming there was a configuration error and to view the configuration log, which I have copied below.


2011-07-28 19:57:45 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

2011-07-28 19:57:45 +0000 command: /usr/bin/ldapsearch -x -LLL -H ldapi://%2Fvar%2Frun%2Fldapi -b cn=config -s base olcServerID

2011-07-28 19:57:45 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

2011-07-28 19:57:45 +0000 command: /usr/sbin/mkpassdb -o -u diradmin -p -q

2011-07-28 19:57:46 +0000

2011-07-28 19:57:48 +0000 command: /usr/sbin/mkpassdb -setadmin 0xdc9dacf8b95311e0b494d49a20d93acc 0

2011-07-28 19:57:48 +0000 Admin's entry UUID is: 9134bc0a-a748-4161-b6b2-53c136b933b9

2011-07-28 19:57:48 +0000 Setting SASL realm to <SERVER.FREEMAN.PRIVATE>

2011-07-28 19:57:48 +0000 command: /usr/sbin/mkpassdb -setrealm SERVER.FREEMAN.PRIVATE

2011-07-28 19:57:48 +0000 command: /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.PasswordService.plist

2011-07-28 19:57:49 +0000 Stopping LDAP server (slapd)

2011-07-28 19:57:52 +0000 Starting LDAP server (slapd)

2011-07-28 19:57:52 +0000 Waiting for slapd to start

2011-07-28 19:57:52 +0000 ...

2011-07-28 19:57:54 +0000 Configuring Kerberos server, realm is SERVER.FREEMAN.PRIVATE

2011-07-28 19:57:54 +0000 command: /usr/sbin/kdcsetup -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -w -a diradmin -p **** -v 1 SERVER.FREEMAN.PRIVATE

2011-07-28 19:58:18 +0000 Contacting the Directory Server

Authenticating to the Directory Server

Creating Kerberos directory

Creating KDC Config File

Creating Kerberos Database

Creating new random master key

Creating Kerberos Admin user

Creating ACL file

Adding kerberos auth authority to admin user

Starting kdc & kadmind

Adding the new KDC into the KerberosClient config record

Finished

2011-07-28 19:58:18 +0000 command: /usr/sbin/kdcsetup -e

2011-07-28 19:58:18 +0000 command: /usr/sbin/sso_util configure -x -r SERVER.FREEMAN.PRIVATE -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -a diradmin -p **** -v 1 all

2011-07-28 19:58:19 +0000 command: /usr/sbin/mkpassdb -kerberize

2011-07-28 19:58:19 +0000 Updating user records and principals

2011-07-28 19:58:34 +0000 Asking OpenDirectoryConfig to bind to server: 127.0.0.1

2011-07-28 19:58:38 +0000 Attempting to open /LDAPv3/127.0.0.1 node

2011-07-28 19:58:38 +0000 Verified /LDAPv3/127.0.0.1 node is available

2011-07-28 19:58:40 +0000 command: /usr/sbin/sso_util info -r /LDAPv3/127.0.0.1 -p

2011-07-28 19:58:40 +0000 Creating Root CA

2011-07-28 19:58:41 +0000 ***Error creating domain CA. Error - The specified item already exists in the keychain.

2011-07-28 19:58:41 +0000 Root CA creation failed with error - -25299

2011-07-28 19:58:41 +0000 Destroying OD master as CA creation failed with error 75

2011-07-28 19:58:41 +0000 Logging slapd container data to /var/run/slapconfig_error_1311883121

2011-07-28 19:58:41 +0000 Stopping LDAP server (slapd)

2011-07-28 19:58:44 +0000 command: /usr/sbin/slapcat -l /var/run/slapconfig_error_1311883121/user.ldif

2011-07-28 19:58:44 +0000 command: /usr/sbin/slapcat -b cn=authdata -l /var/run/slapconfig_error_1311883121/authdata.ldif

2011-07-28 19:58:45 +0000 Error retrieving kerberos realm

2011-07-28 19:58:45 +0000 CopyReplicaArray: ldap_search_ext_s failed

2011-07-28 19:58:45 +0000 Error retrieving replica array

2011-07-28 19:58:45 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.opendirectorybackup.plist

2011-07-28 19:58:45 +0000 Deleting Cert Authority related data

2011-07-28 19:58:45 +0000 No intCAIdentity, not removing int CA from keychain

2011-07-28 19:58:45 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist

2011-07-28 19:58:45 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist

2011-07-28 19:58:45 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist

2011-07-28 19:58:45 +0000 _destroyLDAPServer: Failed to find computer record named server.freeman.private$: 2100 Connection failed to the directory server.

2011-07-28 19:58:45 +0000 Updating ldapreplicas on primary master

2011-07-28 19:58:45 +0000 Unable to locate primary master

2011-07-28 19:58:45 +0000 Primary master node is nil!

2011-07-28 19:58:45 +0000 Unable to locate ldapreplicas record: 0 (null)

2011-07-28 19:58:45 +0000 Error setting read ldap replicas array: 0 (null)

2011-07-28 19:58:45 +0000 Error setting write ldap replicas array: 0 (null)

2011-07-28 19:58:45 +0000 Could not retrieve xmlplist from ldapreplicas: 0 (null)

2011-07-28 19:58:45 +0000 Error synchronizing ldapreplicas: 0 (null)

2011-07-28 19:58:45 +0000 Removing self from the database

2011-07-28 19:58:45 +0000 Warning: An error occurred while re-enabling GSSAPI.

2011-07-28 19:58:45 +0000 Stopping LDAP server (slapd)

2011-07-28 19:58:46 +0000 cleanKeytab: unable to retrieve default realm

Jul 28, 2011 1:33 PM in response to true3man

Hi


2011-07-28 19:58:40 +0000 Creating Root CA

2011-07-28 19:58:41 +0000 ***Error creating domain CA. Error - The specified item already exists in the keychain.

2011-07-28 19:58:41 +0000 Root CA creation failed with error - -25299

2011-07-28 19:58:41 +0000 Destroying OD master as CA creation failed with error 75


Looks like there's a problem with either the Certificate or keychain or both.


HTH?


Tony

Jul 28, 2011 5:56 PM in response to true3man

Hi - I'd take a look in the Keychain for the following entries in the System Keychain.


IntermediateCA_hostname

OPENDIRECTORY_ROOT_CA_IDENTITY

OPENDIRECTORY_INT_CA_IDENTITY

MACHINE_IDENTITY


It may be that if they're already there (possibly from an abortive attempt to create earlier) it can't 'rewrite' them again. Lion Server is a lot more certificate savvy than SL was and will generate Leaf certs and sign them with its own self-signed CA.


If they're there, then export them (so you can bring them back if it's not the cause) and then delete them and try again.


Cheers


Matt
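The log true3man posted above and the diagnosis from Tony and Matt point at a single line: the "***Error creating domain CA" entry and the -25299 that follows it. As an added example (not code from anyone in this thread, and not an Apple tool), here is a small triage script that walks a slapconfig-style log, picks out the first ***Error, the step that was running, the command that ran just before it, the numeric code and whether the assistant then tore the master down again. SAMPLE_LOG is a shortened copy of the excerpt above; the function and dictionary names are my own. The one code translation it carries, -25299 as errSecDuplicateItem, is Security.framework's duplicate-item status, which matches the "already exists in the keychain" text in the log.

```python
"""Triage a slapconfig / Open Directory promotion log (added example)."""
import re

# Timestamped lines look like: "2011-07-28 19:58:41 +0000 <message>".
# Sub-tool output (kdcsetup's progress lines) has no timestamp and is skipped.
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \+0000) ?(.*)$")
CODE = re.compile(r"failed with error\s*-?\s*(-?\d+)")

# OSStatus values worth knowing when the CA step fails.
# -25299 is Security.framework's errSecDuplicateItem.
OSSTATUS = {
    -25299: "errSecDuplicateItem: an item with that name already exists in the keychain",
}

# Shortened copy of the log excerpt posted in this thread.
SAMPLE_LOG = """\
2011-07-28 19:58:38 +0000 Verified /LDAPv3/127.0.0.1 node is available
2011-07-28 19:58:40 +0000 command: /usr/sbin/sso_util info -r /LDAPv3/127.0.0.1 -p
2011-07-28 19:58:40 +0000 Creating Root CA
2011-07-28 19:58:41 +0000 ***Error creating domain CA. Error - The specified item already exists in the keychain.
2011-07-28 19:58:41 +0000 Root CA creation failed with error - -25299
2011-07-28 19:58:41 +0000 Destroying OD master as CA creation failed with error 75
2011-07-28 19:58:41 +0000 Logging slapd container data to /var/run/slapconfig_error_1311883121
2011-07-28 19:58:41 +0000 Stopping LDAP server (slapd)
"""


def triage(log_text):
    """Return a dict describing the first ***Error in the log, or None if there is none."""
    last_command = None   # most recent "command: ..." before the error
    phase = None          # most recent status line before the error
    result = None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        if result is None:
            if msg.startswith("command: "):
                last_command = msg[len("command: "):]
            elif msg.startswith("***Error"):
                result = {
                    "time": ts,
                    "phase": phase,
                    "last_command": last_command,
                    "message": msg[3:],
                    "code": None,
                    "meaning": None,
                    "rolled_back": False,
                    "debug_dir": None,
                }
            elif msg:
                phase = msg
            continue
        # After the first error: collect the numeric code and the cleanup actions.
        c = CODE.search(msg)
        if c and result["code"] is None:
            result["code"] = int(c.group(1))
            result["meaning"] = OSSTATUS.get(result["code"], "unknown OSStatus")
        if msg.startswith("Destroying OD master"):
            result["rolled_back"] = True
        d = re.search(r"Logging slapd container data to (\S+)", msg)
        if d:
            result["debug_dir"] = d.group(1)
    return result


if __name__ == "__main__":
    for key, value in (triage(SAMPLE_LOG) or {}).items():
        print("%-13s %s" % (key, value))
```

Because the assistant rolls the master back as soon as the CA step fails, every later line (kerberos realm, replica array, computer record) is fallout from the teardown rather than a separate fault; the script reports only the first error for that reason. On macOS the items Matt lists can be checked from Terminal with `security find-certificate -c NAME /Library/Keychains/System.keychain` before deciding whether to export and remove them.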

Aug 15, 2011 10:43 PM in response to true3man

Have any luck with this? I just got the same problem. Tried removing all certs from the keychain and did not help. Also, my DNS is correctly configured with both forward and reverse mappings for the same name as the Kerberos realm (but in lower case of course).


Anyone have any more suggestions? This knocks out my OD server since I can't even re-setup OD :-(

Aug 22, 2011 4:29 PM in response to InGen

Alas, my situation still fails with the same error:


2011-08-22 23:22:56 +0000 Creating Root CA

2011-08-22 23:22:59 +0000 ***Error creating domain CA. Error - The specified item already exists in the keychain.

2011-08-22 23:22:59 +0000 Root CA creation failed with error - -25299


PITA really... I'm pedantic when it comes to writing error messages. Crap like "I can't do it because it's already there" is just BS... 'which key' might help someone actually find a way to fix it.

Aug 22, 2011 4:38 PM in response to true3man

I too was running into a problem here. The tip about DNS pointed me in the right direction.


When the server is set up for the very first time, it records an entry for itself in the local DNS server records. The assumption being that the IP address it has on initial configuration is the one it will ultimately have. In my case, I'm not using the Lion Server as the DHCP server so I set the values elsewhere and set the local values manually. Even though you change the IP and Hostname in Server.app, it doesn't update that DNS record for the local DNS server.


The fix is to install the Admin Server Tools and open Server Admin.app and fix the offending DNS entry.
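Two posts in this thread come down to the same check: John's advice to run `sudo changeip -checkhostname` before promoting, and the stale self-record InGen describes, where the DNS entry the server wrote for itself at first setup no longer matches its current address. As an added example (not from any poster, and not the changeip tool itself), the script below models what that check does: does the hostname resolve, does the address resolve back to the same name, and is that address actually configured on this machine. The resolver callables and the local address list are injectable, so the `make_resolvers` helper and the zone data in `__main__` are constructed records for offline use; `check_hostname`, `make_resolvers` and the dictionary keys are my own names.

```python
"""Forward/reverse DNS consistency check for a server's hostname (added example)."""
import socket


def _system_forward(name):
    """Default forward lookup: the IPv4 addresses the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


def _system_reverse(ip):
    """Default reverse lookup: the PTR name for an address."""
    return socket.gethostbyaddr(ip)[0]


def check_hostname(fqdn, forward=_system_forward, reverse=_system_reverse, local_addrs=None):
    """Return {"ok", "addresses", "problems"} for fqdn.

    forward(name) -> list of IP strings, raising OSError when the name does not exist.
    reverse(ip)   -> hostname string, raising OSError when there is no PTR record.
    local_addrs   -> addresses configured on this host; when given, the DNS answer
                     must include at least one of them, which is exactly the stale
                     self-record case from the thread.
    """
    problems = []
    want = fqdn.lower().rstrip(".")
    if "." not in want or want.endswith(".local"):
        problems.append("hostname is not a fully qualified DNS name: %r" % fqdn)
    try:
        addrs = list(forward(fqdn))
    except OSError as exc:
        problems.append("forward lookup of %s failed: %s" % (fqdn, exc))
        return {"ok": False, "addresses": [], "problems": problems}
    if not addrs:
        problems.append("forward lookup of %s returned no addresses" % fqdn)
    for ip in addrs:
        try:
            name = reverse(ip).lower().rstrip(".")
        except OSError:
            problems.append("no PTR record for %s" % ip)
            continue
        if name != want:
            problems.append("%s reverse-resolves to %s, not %s" % (ip, name, want))
    if local_addrs is not None and not set(addrs) & set(local_addrs):
        problems.append("stale or wrong A record: DNS answers %s but this machine has %s"
                        % (addrs, list(local_addrs)))
    return {"ok": not problems, "addresses": addrs, "problems": problems}


def make_resolvers(a_records, ptr_records):
    """Build (forward, reverse) callables over constructed zone data for offline runs."""
    def forward(name):
        key = name.lower().rstrip(".")
        if key not in a_records:
            raise socket.gaierror("no A record for %s (constructed zone)" % name)
        return list(a_records[key])

    def reverse(ip):
        if ip not in ptr_records:
            raise socket.herror("no PTR record for %s (constructed zone)" % ip)
        return ptr_records[ip]

    return forward, reverse


if __name__ == "__main__":
    # Constructed zone: the server's record still points at its first address.
    fwd, rev = make_resolvers({"server.freeman.private": ["192.168.1.10"]},
                              {"192.168.1.10": "server.freeman.private"})
    for local in (["192.168.1.10"], ["192.168.1.20"]):
        report = check_hostname("server.freeman.private", fwd, rev, local_addrs=local)
        print(local, "OK" if report["ok"] else report["problems"])
```

Run without arguments on the server itself (`check_hostname(socket.getfqdn(), local_addrs=[...])` with the machine's own addresses) it uses the system resolver; the constructed zone in `__main__` shows the passing case and the stale-record case side by side.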
