
Connection failed to the directory server. (2100)

Can't connect to directory server.


Error: Connection failed to the directory server. (2100)


Using Lion.


Any advice?

Posted on Jul 31, 2011 1:13 PM

34 replies

Jun 10, 2012 6:37 PM in response to crsrusl

I've been battling this myself. I think it was caused by something that went awry during a Snow Leopard Server to Lion Server upgrade before I took over managing the affected server. Systems were still binding to OD just fine, but I have had to repair random issues in which whole groups could no longer access shares on the server. When I would manually add a user in the ACLs for a specific share, they could access it. If they're a member of the affected group, they can't access the share. If I delete the whole group, recreate it, and then re-add the users, everything is good again until the problem comes back. Soon after this started happening, the issue that you're describing started. I have set up OD many times over the years, so I know all of the basic steps to set it up. I've never seen this issue before. My plan is to destroy OD, and then rebuild it from scratch. Users will lose their passwords, but I can back up the users and groups in Workgroup Manager first, so that they keep their GUIDs and UIDs. I won't have to go back through all of the ACLs again and set everything up. I think that totally rebuilding OD is the solution even if it doesn't root out the actual cause of the problem.

Aug 4, 2012 8:36 AM in response to KTGHowie

I should have posted this after I resolved the issue. I exported all of the users and groups out of Workgroup Manager to preserve the UIDs and GIDs of the users and groups. I did not include the Directory Administrator as part of the export. Then, I removed Open Directory, and set the server as a standalone server. After that, I verified that the server's DNS settings were correct, and that it has forward and reverse lookups for its host name. The best way to make sure that everything is good before setting up OD is to use Terminal:


sudo changeip -checkhostname


You should see something like this:


Primary address = 172.16.1.5


Current HostName = server.domain.com

DNS Hostname = server.domain.com


If there is a mismatch, this tool tells you exactly how to fix it. If it says that you need to repair DNS, you need to go through your DNS settings again, and make sure you typed everything in correctly and that the forward and reverse lookups are correct. I won't move forward with setting up OD unless both the current hostname and DNS hostname match.


I then recreated Open Directory, and reimported the users and groups from the export that I made. I created a temporary password for all users, and set them to require a password change on first login. I could then join Lion and Snow Leopard clients to OD without errors. Mobile user accounts were then able to login perfectly. They received the prompts to change their passwords as expected. All is well. In our case, I think something happened to Open Directory during the upgrade to Lion Server. It is now my policy to remove Open Directory prior to upgrading, then recreate it afterwards. Yes, this is a pain since the users will need to reset their passwords, and we have to rejoin all clients to OD, but it has meant that we no longer have the headache of having to fix permissions issues constantly, and the users are all happy now.
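The check described in the post above (forward lookup of the FQDN must return the server's address, and reverse lookup of that address must return the same FQDN) can be scripted so it is run on every client before binding. The following is an added example, not Apple's changeip tool and not code from anyone in this thread; the resolver functions are parameters so the logic can be exercised offline with constructed records, and the hostname and address used in the test are the placeholders from the post.

```python
"""Forward/reverse DNS consistency check for an Open Directory host.

Added example: mimics what `sudo changeip -checkhostname` verifies, using the
system resolver by default. The resolver callables are injectable so the
check can be tested offline with a constructed lookup table.
"""
import socket
import sys
from typing import Callable, Dict, List, Optional


def table_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Build a fake resolver from a constructed {query: answer} table (test aid)."""
    def lookup(key: str) -> str:
        try:
            return table[key]
        except KeyError:
            # socket.gaierror is what the real resolver raises on NXDOMAIN
            raise socket.gaierror(f"no record for {key}")
    return lookup


def check_hostname(hostname: str, expected_ip: str,
                   forward: Callable[[str], str] = socket.gethostbyname,
                   reverse: Callable[[str], str] = lambda ip: socket.gethostbyaddr(ip)[0]
                   ) -> Dict[str, object]:
    """Return {'ok', 'forward', 'reverse', 'problems'} for hostname/expected_ip.

    ok is True only when the forward lookup of hostname yields expected_ip AND
    the reverse lookup of expected_ip yields hostname (case-insensitive, trailing
    dot ignored). Every mismatch or lookup failure is listed in 'problems'.
    """
    problems: List[str] = []
    fwd: Optional[str] = None
    rev: Optional[str] = None
    host = hostname.rstrip(".").lower()

    # Kerberos/LDAP binding needs a fully qualified name, not a bare host label
    if "." not in host:
        problems.append(f"'{hostname}' is not fully qualified (no domain part)")

    try:
        fwd = forward(host)
    except OSError as exc:
        problems.append(f"forward lookup of {host} failed: {exc}")
    else:
        if fwd != expected_ip:
            problems.append(f"forward lookup of {host} returned {fwd}, expected {expected_ip}")

    try:
        rev = reverse(expected_ip).rstrip(".").lower()
    except OSError as exc:
        problems.append(f"reverse lookup of {expected_ip} failed: {exc}")
    else:
        if rev != host:
            problems.append(f"reverse lookup of {expected_ip} returned {rev}, expected {host}")

    return {"ok": not problems, "forward": fwd, "reverse": rev, "problems": problems}


if __name__ == "__main__":
    # Usage: python check_od_dns.py server.domain.com 172.16.1.5
    # (uses the client's configured DNS servers, which is the point: the check
    # must pass from each client, not just on the server itself)
    name, ip = sys.argv[1], sys.argv[2]
    report = check_hostname(name, ip)
    print("OK" if report["ok"] else "\n".join(report["problems"]))
    sys.exit(0 if report["ok"] else 1)
```

Run it from each workstation with the server's FQDN and address; a non-zero exit means the client's DNS view of the server differs from what the server believes about itself, which is the condition the post says must be cleared before creating the OD master or binding clients.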

Aug 4, 2012 9:04 PM in response to KTGHowie

Thanks much for that detail.


Unfortunately for me, sudo changeip -checkhostname revealed everything was exactly right. I had "destroyed" my incorrectly working Open Directory before this (not saving anything, because I'm actually trying to set this up for the first time), and, after checking the DNS, I created a new OD master on this server. However, I still get:


Can't connect to directory server.


Error: Connection failed to the directory server. (2100)


when trying to bind a client to the server.


Does it possibly matter that the clients have their own static IP addresses, and are not on an internal network running directly through the server? Server and clients are on the same subnet, however.

Aug 4, 2012 11:08 PM in response to pts

When trying to bind the client (10.8) to the server (10.8 also), it fails and this is in the logs:


8/5/12 2:02:54.052 AM System Preferences[262]: -[ODCAddServerSheetController didFinishGettingServerInfo:] for "server.domain.name" got error Error Domain=com.apple.OpenDirectory Code=2200 "Could not resolve the address." UserInfo=0x7fa2c4cc3950 {NSLocalizedDescription=Could not resolve the address., NSLocalizedFailureReason=Could not resolve the address.}


("server.domain.name" has been changed to protect this innocent)


Any ideas what this means?

Aug 4, 2012 11:15 PM in response to pts

Also: the next log entry says:


8/5/12 2:03:04.305 AM System Preferences[262]: -[ODCAddServerSheetController handleOtherActionError: gotError: Error Domain=com.apple.OpenDirectory Code=2100 "Connection failed to node '/LDAPv3/ldap://server.domain.name'" UserInfo=0x7fa2c4cbf010 {NSLocalizedDescription=Connection failed to node '/LDAPv3/ldap://server.domain.name', NSLocalizedFailureReason=Connection failed to the directory server.}, Connection failed to the directory server.


Does this mean anything to anyone?
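The two log lines quoted in the posts above tell the story in order: a com.apple.OpenDirectory error with Code=2200 ("Could not resolve the address.") ten seconds before the Code=2100 connection failure, which points at name resolution rather than at the directory service itself. The following is an added example, not code from this thread or from Apple: it parses System Preferences log lines of that shape, pulls out the error domain, code, description and LDAP node, and reports the earliest failure as the likely root cause. The sample log lines are the two from the thread; the category names are a constructed triage table, not an Apple reference.

```python
"""Triage Open Directory bind errors from System Preferences log lines.

Added example. Parses lines like the ones quoted in the thread and orders
them so the first failure (usually DNS) is surfaced as the root cause.
"""
import re
from typing import Dict, List, Optional

# "M/D/YY H:MM:SS.mmm AM Process Name[pid]: message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M) "
    r"(?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Cocoa NSError rendering: Error Domain=... Code=... "description"
ERR_RE = re.compile(r'Error Domain=(?P<domain>[\w.]+) Code=(?P<code>\d+) "(?P<desc>[^"]*)"')
NODE_RE = re.compile(r"node '(?P<node>[^']+)'")

# Constructed triage table for the two codes seen in the thread.
OD_CODES = {
    2200: "name resolution failure (client cannot resolve the server's address)",
    2100: "connection to the directory server failed",
}

# Sample input: the two lines posted in the thread (hostname already redacted there).
SAMPLE_LOG = [
    "8/5/12 2:02:54.052 AM System Preferences[262]: -[ODCAddServerSheetController didFinishGettingServerInfo:] "
    "for \"server.domain.name\" got error Error Domain=com.apple.OpenDirectory Code=2200 "
    "\"Could not resolve the address.\" UserInfo=0x7fa2c4cc3950 {NSLocalizedDescription=Could not resolve the address., "
    "NSLocalizedFailureReason=Could not resolve the address.}",
    "8/5/12 2:03:04.305 AM System Preferences[262]: -[ODCAddServerSheetController handleOtherActionError: gotError: "
    "Error Domain=com.apple.OpenDirectory Code=2100 \"Connection failed to node '/LDAPv3/ldap://server.domain.name'\" "
    "UserInfo=0x7fa2c4cbf010 {NSLocalizedDescription=Connection failed to node '/LDAPv3/ldap://server.domain.name', "
    "NSLocalizedFailureReason=Connection failed to the directory server.}, Connection failed to the directory server.",
]


def parse_od_error(line: str) -> Optional[Dict[str, object]]:
    """Return a dict for an OpenDirectory error line, or None if the line is something else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    err = ERR_RE.search(m["msg"])
    if not err or err["domain"] != "com.apple.OpenDirectory":
        return None
    node = NODE_RE.search(m["msg"])
    code = int(err["code"])
    return {
        "timestamp": m["ts"],
        "process": m["proc"],
        "pid": int(m["pid"]),
        "code": code,
        "description": err["desc"],
        "node": node["node"] if node else None,
        "category": OD_CODES.get(code, "unrecognised OpenDirectory error code"),
    }


def triage(lines: List[str]) -> Dict[str, object]:
    """Parse all OD errors and name the earliest one as the probable root cause.

    The errors in a failed bind attempt cascade: a resolution failure (2200)
    is followed by a connection failure (2100), so fixing the first usually
    clears the second.
    """
    errors = [e for e in (parse_od_error(l) for l in lines) if e]
    return {
        "errors": errors,
        "codes": [e["code"] for e in errors],
        "root_cause": errors[0]["category"] if errors else None,
        "node": next((e["node"] for e in errors if e["node"]), None),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for e in report["errors"]:
        print(f"{e['timestamp']}  code {e['code']}: {e['description']}")
    print("probable root cause:", report["root_cause"])
    if report["node"]:
        print("target node:", report["node"])
```

Feed it `grep OpenDirectory` output from the client's system log; when the first code reported is 2200, the fix is on the DNS side (the client's resolver configuration or the server's records), as the later replies in this thread conclude.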

Aug 5, 2012 6:20 AM in response to pts

When you start typing the server's name into the Network Account Server field, does it start to auto complete? It should if DHCP is handing out the address of the LDAP server. Why do you have the clients on static IPs? I advise against that unless that's absolutely necessary. Also, what DNS server are the clients using? They're not going to find your server if the DNS server on the network does not have an entry for your server.

Aug 5, 2012 6:51 PM in response to KTGHowie

No, it doesn't auto complete. Does OD only work if clients are on an internal network, with the server giving them DHCP addresses, and the server acting as the gatekeeper for everything? Why would the OD system care where the OD server is? Why won't the client, if it can see the server for services like, e.g., ssh, afp, vnc, etc., not also see the LDAP service via the same DNS server? Is this just a limitation of the Apple implementation, or is it generally true? Am I missing something here?



If the LDAP server does not also have to be a DHCP server for the same clients, how do I get my clients to "see" the LDAP server?



Why do you advise against static IPs, unless absolutely necessary? Is this for some other reason, unrelated to an OD system? I have a very small research lab at a university with only 4 workstations (including the server). It's easy enough to get IP addresses for them through my university, and each can be accessed by lab members externally very simply. I've simply been creating local users on these machines, but thought that OD would, in principle, work well. Possibly this isn't worth my time, given the small network in my lab.

Aug 6, 2012 6:54 AM in response to pts

What you're describing is not ideal but it can still work. In most environments, I set up OS X Server as the DNS server on the network, or at least the first DNS server that is provided by DHCP. You can set your server as the DNS server for your clients, even if you're using static IPs for each. DNS is the key to Open Directory working properly. If your clients can't find the server at its fully qualified domain name (FQDN) such as server.domain.com, then you'll have problems. In environments where I have complete control, I set up OS X Server as the DNS server, and sometimes as the DHCP server depending on how good the firewall is, and what DHCP options I have on the firewall. In your situation, it sounds like the best course to follow would be to use your OS X server as the DNS host, then when joining each system, use the server's FQDN. Before you do that, make sure that each client system can ping the server's FQDN and return the correct IP address. Also, make sure that your network admin knows what block of IP addresses you're using so that they don't use them for someone else. They could also set up static maps for you instead of you using a static IP for each. I usually try to talk people out of using static IPs since any changes to the network can knock those systems offline.

Aug 15, 2012 7:11 PM in response to KTGHowie

Does the OSX server require that DNS queries come from an internal network for which it is the firewall? When I put the server's (fixed) IP address as the DNS server for one of my external computers (that I want to tie to the server's OD), AND I have the server DNS running (according to server.app), the external computer does not access the internet. I assume this means that the DNS server is actually NOT running on my OSX server, or that the server requires the DNS requests to come from an internal network that it serves. If it is possible to have external computers (not behind the server's firewall) access the DNS server, how might I do this? And if I did, would this allow the external computers to get their OD info from this server?


I have computers in different locations, making it impossible to have a physically wired internal network with the server being their firewall. Perhaps it is possible to create a VPN network tying my 4 computers together to the server, and then have the OD on the server give them their account info through this? Or is this not supposed to be necessary (the VPN I mean) to get external computers to ask the server for DNS info (and therefore, from what you said, allow OD to actually work)?


Thanks for any hints or things to try

Aug 17, 2012 2:30 PM in response to pts

Honestly, I think you're over complicating this. The best scenario is for OS X Server to run as the DNS server on the network, or at least as the primary DNS server for the clients you want to tie into OD. OS X Server definitely needs to be able to perform lookups using its own internal DNS. If you set DHCP to offer your server as the LDAP server, that helps a lot. All systems should be behind your firewall. If you need to add an OD client on the outside, that's OK, but directory lookups might not be very fast if the client is doing lookups over the internet.

Aug 17, 2012 4:32 PM in response to KTGHowie

I'm fine running the OS X server as a DNS server, in theory. But this doesn't work. I set the DNS running, and then direct the client machines to go to it for DNS info, and they draw a blank. This is true even though they can log in using the same IP address (they obviously can see the server for some purposes, but not for DNS. Or maybe the server isn't actually running DNS correctly (or at all), which would be really annoying since there is no indication in server.app that anything is amiss).


Also, as I said in my post, my other machines cannot physically be located in the same room, so how can they use the Server as their firewall? Do you mean using a VPN?


It sounds like you are saying that I CAN have clients outside (not behind the server firewall), at least in theory (if I can get DNS working on the server) but it might be slower?

Aug 25, 2012 5:13 AM in response to crsrusl

(Lion Server, Lion Client:) In the client computer, go to the network control panel. Select the network you are using (Ethernet, WiFi) and click the Advanced... button. Then select the DNS tab. Verify that the Server IP address is in the list of DNS servers. If not, add it.

Now the Server name (www.myserver.mycountry) can be resolved by the client and you will be able to add the Server as Network Account Server in the Users and Groups Login Options setting. Provided that you have set up the Server's Firewall and DNS services correctly, of course.
