Many, if not most, OD problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
1. The OD master must have a static IP address on the local network, not a dynamic address.
2. The primary DNS server used by the master must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
3. Verify that the master's hostname matches its domain name by running the shell command
sudo changeip -checkhostname
The name must not be in the ".local" top-level domain, which is reserved for Bonjour.
4. Follow these instructions to rebuild the Kerberos configuration on the master.
5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.
6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
7. Reboot the master and the clients.
8. Don't log in to the server with a network user's account.
9. Export all OD users, delete them, turn off OD, turn it back on, and import. Ensure that the UIDs are in the 1001+ range.
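
The name, certificate and UID rules in steps 3, 5 and 9 can be checked mechanically. The script below is an added example, not part of the original post. Its function names are hypothetical, and its --live mode assumes the macOS tools scutil and dscl, with the master's directory node at /LDAPv3/127.0.0.1.

```shell
#!/bin/sh
# Added example: checks for steps 3, 5 and 9. Function names are hypothetical.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Step 3: the name must be fully qualified and must not end in ".local".
check_fqdn() {
    name=$(lower "${1%.}")            # drop a trailing root dot, fold case
    case "$name" in
        *.local) echo "FAIL: $name is in .local (reserved for Bonjour)"; return 1 ;;
        *.*)     echo "OK: $name"; return 0 ;;
        *)       echo "FAIL: $name is not fully qualified"; return 1 ;;
    esac
}

# Step 5: pull the CN out of a subject line as printed by
# `openssl x509 -noout -subject`; both "/CN=host" and "CN = host" layouts.
subject_cn() { printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'; }

# $1 = subject line, $2 = expected FQDN; succeeds only on a case-insensitive match.
check_cert_cn() {
    cn=$(lower "$(subject_cn "$1")")
    [ -n "$cn" ] && [ "$cn" = "$(lower "${2%.}")" ]
}

# Step 9: read "shortname uid" pairs on stdin and print every account
# whose UID is below 1001.
low_uids() { awk '$2 ~ /^[0-9]+$/ && $2 < 1001 { print $1 " " $2 }'; }

# On the OD master itself, run with --live (assumes macOS Server tools).
if [ "${1:-}" = "--live" ]; then
    check_fqdn "$(scutil --get HostName)"
    echo "Accounts with UID below 1001:"
    dscl /LDAPv3/127.0.0.1 -list /Users UniqueID | low_uids
fi
```

These checks complement, rather than replace, the changeip -checkhostname test in step 3, which compares the hostname against DNS.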