14 Replies Latest reply: Oct 31, 2013 4:34 AM by Relliott930
dvassallo Level 1 (0 points)

1) In an environment that contains two directory servers (one master, one replica), how does a client find the replica in the event that the master goes offline?

2) Is there any command to issue from the client side that will return all available directory servers in the domain?

  • Jonathan Melville Level 2 (450 points)

    I'll tell you exactly what an Apple engineer told me a few months ago.


    If you have an Open Directory Master on your network and replicas also, you should bind your clients to the master. I've seen other people talk about the "fail up" nature of Open Directory, meaning you should bind clients to replicas and if the replica fails, the client will automatically look upstream to another replica or to the master. Again, this is not how it was explained to me by Apple and I've never found authoritative documentation that states with certainty that OD fails up from replica to master.


    Somebody please jump in and correct me if I'm wrong.


    The way I understand it to work is when you bind your clients to the master, they will also receive the 'replication tree' containing the addresses of replicas on the network. If the master fails, the clients will start looking to the replicas.

    Is there any command to issue from the client side that will return all available directory servers in the domain?


    Run this from your master to view the replicas: sudo slapconfig -getmasterconfig

  • John.Kitzmiller Level 3 (870 points)

    This is conflicting of everything I've ever learned. Client machines should always be bound to the closest replica, and will indeed fail up to the master should the replica become unavailable. It does not work the other way around.


    I think you may have gotten some misinformation from Apple, or there was a miscommunication somewhere along the line.

  • Jonathan Melville Level 2 (450 points)

    Edit: This is from Apple documentation that dates back to 10.5, but still...


    If an Open Directory master or its replicas become unavailable, its client computers with version 10.3–10.5 of Mac OS X or Mac OS X Server automatically find an available replica and connect to it.


    This seems to support what I was told by Apple.




    Hey John, I knew somebody would chime in!


    Agreed, the 'fail up' model is what I've always heard. I told the tech I had always heard you should bind to the replica (just for clarification) but was told I should be binding to the master.


    Anyway, thanks for responding. Do you have some documentation that clearly states how the fail-up process works?


    Message was edited by: Jonathan Melville

  • dvassallo Level 1 (0 points)

    Thank you all for your contributions to this discussion. I am glad to see that I am not alone with regards to finding the available information ambiguous. John K, if you do have any documentation supporting the "fail up" scenario I would love to see it. Additionally, I currently have a non-production environment with a master, replica, and file server (member server) hosting the user homes over AFP. I am going to test binding a client to the master and pulling the network cable. I will then test binding a client to the replica and pulling the network cable. I will post my findings tomorrow. Thank you all again.

  • Jonathan Melville Level 2 (450 points)

    Please report back when you do.


    Keep this in mind: When you go to System Preferences > Users and Groups > Login Options and see the address of your directory server, this address will not change after a failover (I'm pretty sure that's correct).


    So right now I'm bound to our company's master and it shows odmaster.mynetwork.net. If your replica is called odreplica.mynetwork.net, this address won't change in system preferences, it will still show the address of the master but it will be looking to the replica.


    An easy way to test OD authentication. In terminal type dscl /LDAPv3/hostname.domain.com -authonly username


    Replace with your domain and an actual username. It will prompt you for the users password. If you don't get an error from this, OD authentication is working properly.
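
    An added example (not from this thread, and not Apple's tooling) that puts the two commands above together into a probe you can run from a client before and after pulling the master's cable. It assumes three things that the thread does not state: that the master keeps its replica list under cn=ldapreplicas,cn=config,<suffix> in the attribute apple-ldap-replica (one ldap:// URL or host per value), that the client's ldapsearch understands -o nettimeout=N (OpenLDAP 2.4 syntax), and that port 389 is reachable. The hostnames odmaster.example.com and odreplica.example.com are placeholders.

```shell
#!/bin/bash
# od_probe: from a client, list the Open Directory servers that ought to be
# reachable (the master plus the replicas it advertises) and report which
# ones actually answer an anonymous LDAP query.
#
# Assumptions (not from the thread):
#   * replica list lives at cn=ldapreplicas,cn=config,<suffix>, attribute
#     apple-ldap-replica, e.g. "ldap://odreplica.example.com:389" or "10.0.0.7"
#   * ldapsearch accepts -o nettimeout=5 (OpenLDAP 2.4); -l 5 caps search time

# DIT suffix the server advertises in its root DSE (anonymous base query).
od_suffix() {  # $1 = host
    ldapsearch -x -LLL -H "ldap://$1" -b '' -s base -l 5 -o nettimeout=5 \
        namingContexts 2>/dev/null | awk '/^namingContexts:/ { print $2; exit }'
}

# Turn apple-ldap-replica LDIF lines on stdin into one bare host per line.
# Handles "ldap://host", "ldaps://host:636", "host" and "a.b.c.d".
parse_replicas() {
    awk '
        /^apple-ldap-replica:/ {
            v = $2
            sub(/^ldaps?:\/\//, "", v)   # drop the scheme
            sub(/[:\/].*$/, "", v)       # drop port and anything after it
            if (v != "") print v
        }'
}

# Replicas the master currently knows about (only answers while master is up).
od_list_replicas() {  # $1 = master host, $2 = suffix
    ldapsearch -x -LLL -H "ldap://$1" -b "cn=ldapreplicas,cn=config,$2" \
        -s base -l 5 -o nettimeout=5 apple-ldap-replica 2>/dev/null | parse_replicas
}

# Does the server answer on 389 within the timeout? (exit status only)
od_server_up() {  # $1 = host
    ldapsearch -x -LLL -H "ldap://$1" -b '' -s base -l 5 -o nettimeout=5 \
        namingContexts >/dev/null 2>&1
}

# Probe the master, every replica it advertises, and any extra hosts given on
# the command line (useful once the master is down and can no longer be asked).
# Prints "<host> up|down" per server; exit 0 if at least one answered.
od_probe() {  # $1 = master host, $2.. = extra hosts to try
    local master=$1 suffix hosts host up=0
    shift
    suffix=$(od_suffix "$master")
    hosts=$(printf '%s\n' "$master" "$@"
            [ -z "$suffix" ] || od_list_replicas "$master" "$suffix")
    for host in $(printf '%s\n' "$hosts" | sort -u); do
        if od_server_up "$host"; then
            echo "$host up"
            up=$((up + 1))
        else
            echo "$host down"
        fi
    done
    [ "$up" -gt 0 ]
}

# The authentication test from the post above, through the client's bound node.
# dscl prompts for the password, so nothing secret lands on the command line.
od_auth_check() {  # $1 = host shown in Login Options, $2 = username
    dscl "/LDAPv3/$1" -authonly "$2"
}

# Usage:
#   od_probe odmaster.example.com                       # while master is up
#   od_probe odmaster.example.com odreplica.example.com # after pulling its cable
#   od_auth_check odmaster.example.com jdoe
```

    od_probe only tells you which LDAP listeners answer; the choice of which one the client actually talks to is made by DirectoryService (opendirectoryd on 10.7 and later) from its cached replica list, so pair the probe with od_auth_check before and after pulling the cable. Run od_probe once while the master is up and keep the replica names it prints, because once the master is gone it cannot be asked for them.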

  • John.Kitzmiller Level 3 (870 points)

    Your quote doesn't really support binding to the OD master any more than it supports binding to the replica.


    This document has a lot of great info: http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf


    Granted, it's for 10.6, but the majority of it is still relevant in 10.7.


    When you start to look at the cascading OD setups described in there, it becomes clear why binding to a replica is a best practice, especially in larger environments.

  • Jonathan Melville Level 2 (450 points)

    Your quote doesn't really support binding to the OD master any more than it supports binding to the replica.


    I agree with you, it doesn't support one more than the other. But it also doesn't support the idea that binding to the master is "improper" because it has nowhere to "fail up" to if the master fails, which is the argument I hear most.


    I agree with your point about cascading OD setups in large environments. Thousands of clients authenticating to a single master seems like trouble. It even made a point in the manual you linked to about having a replica on every floor of a building to authenticate users. So your point there is well taken.


    But again, I've never seen anything that suggests Open Directory "fails up" to the master.

    "If the Open Directory master fails, computers connected to it switch to a nearby replica. This automatic failover behavior is a feature of Mac OS X and Mac OS X Server v10.4 and 10.5 or later."

    (Note this doesn't describe failing-up to the master, but failing over to a replica)


    "If an Open Directory master or its replicas become unavailable, client computers find an available replica and connect to it."


    To me, this implies you bind to either the Master or a Replica, but binding to the Master isn't 'improper'; it will still fail over to a replica.

  • dvassallo Level 1 (0 points)

    Sorry for the delay with the results of my testing. I bound my test clients to the master. Logged in with a network account with a home folder on a third server in the "member of a directory system" role that specifically hosts the users' home folders. Pulled the ethernet cable from the master. Connectivity was not disrupted. I logged the client out and tested reconnecting with the master offline. The client reconnected without a hiccup. There was absolutely zero performance impact - granted this is a non-production environment. Thank you all for your contributions to the conversation.

  • techgal Level 1 (5 points)

    Just to clarify.. it also works if one is bound to the replica?


  • dvassallo Level 1 (0 points)

    Hey @techgal, I do not remember if I tried this or not but I have a whole virtualized testing environment that I can set this up in and test it out. I'll post my findings. I suspect it will work.

  • techgal Level 1 (5 points)

    That would be great. Also, do you know much about replicating servers and configuring use by them in distributed environments? ie., file sharing, home directories?

    Thanks again.

  • dvassallo Level 1 (0 points)

    Yes, binding to the replica and pulling the plug causes it to fail up.


    As far as your other question, give me more details what are you looking to do? Feel free to email me direct at dvassallo@mac.com.

  • techgal Level 1 (5 points)

    I guess though that if the home directory was on the replica, as in a mobile account with syncing or a network account where login depends on successful communication with the replica, it would not work.

  • Relliott930 Level 1 (0 points)

    Hi all, I have just found this thread. I am having serious problems and am at the end of my tether! I cannot believe Apple can get away with releasing such poor, bug filled software and passing it off as a network operating system, but that is a rant for another day.


    My Issue is, I have two servers, both 10.7.5. One Master and one replica. I had multiple issues with getting the replication to work (_LDAP_REPLICATOR binding errors) but for some reason, after leaving it overnight, this has started working now.


    The failover to the replica is not working correctly. I have some 10.8.x clients, bound to the master. When the master goes down, these clients find the replica with no issues. If the master is down for an extended amount of time, however, these start failing logon too; there is no red dot, they just hang. I have a couple hundred 10.7.5 clients. These will NOT find the replica if the master goes down. DNS is working with no issues. I then tried binding a 10.7.5 client to the replica instead. I then killed the master's connection, and after a short delay this seemed to work! Great, I thought. I logged in and out a few times, everything was fine. Rebooted the Mac.... "network accounts are not available..". From this moment on, the client would no longer find the master. If I manually bind to the master, no problems. What is going on??


    Also, every bit of documentation I can find (what little there is) states that a replica is a read-only copy of the master. In the latest iteration, you are also supposed to be able to change limited things on the replica, such as passwords. Why is it then that I can modify passwords, modify MCX, create users etc. and these changes are immediately passed to the master? How can this be read only!!? It is definitely a replica, as viewed in Server Admin.


    Can anyone shed some light?