viellencerts

Q: DNS Server Having Intermittent Issues with Open Directory

I work for a school and we're undertaking the large task of moving from Xserves running 10.6.8 to Mac Minis running 10.9. I have a lot of experience with OS X Server (I held ACSA up until they ditched it, and ACTC through the current OS) but I've hit a fairly large snag in configuring our DNS server. We currently run DNS via an AD server that is being retired at the end of the summer, so this is the first time our DNS will be Mac-based. That said, our network is ridiculously simple as we are a very small school. For the most part it's a flat network using the same IP range for our wired and wireless internal clients (we do have a vlan for guests but that's through Aerohive). I configured the DNS by hand, recreating the entries in our AD server (there were only about a dozen) and then adding in things that should have been there in the first place (e.g. printers and some other devices with static IPs that I'd like FQDNs for). Everything seemed to be working fine...until trying to log into Open Directory accounts.

 

For some background, the DNS server running 10.9 was the first server we upgraded and it was a completely clean install. We run DHCP on another Mac Server currently running 10.6.8 and it does have the proper OD server listed. All DNS entries for the OD server match our current DNS server. The issue is that it's taking some users 5-6 tries to log in with their network accounts. The errors they receive range from the login window shaking to it stating the user cannot log in at this time. This seems to be worse on client machines running 10.9, but it's appearing on machines running 10.6.8-10.9.3.

In my troubleshooting, I found that if I log in as a local user to one of those machines and do a dig for the OD server the results vary; this is where it gets weird. For example, if I dig ourodserver.ourdomain.org it will sometimes return host not found or it will sometimes resolve. If I ping the same thing it will sometimes work (even after stating it cannot resolve the host) and it will sometimes fail. If I then try a dig for the .local (e.g. ourodserver.local) it also yields the same varied results. However, on every machine that I've tested, if I then open a Finder window and navigate to the server via the "Shared" menu and connect, I have no trouble connecting and then magically my digs and pings in terminal work. If I revert DNS back to point to our old Windows server the issue goes away. I have meticulously combed through that server many, many times now and am not seeing any missed entries. Any idea what could be causing this?

Xserve, Mac OS X (10.6.8), Server

Posted on Jul 29, 2014 4:55 AM


  • by Linc Davis (Level 10, 207,995 points), Jul 29, 2014 8:47 AM in response to viellencerts

    You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

    The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

  • by viellencerts (Level 1, 8 points), Jul 29, 2014 8:59 AM in response to Linc Davis

    Thanks for that article! The host name is correct and there are forward and reverse DNS entries for the server on our DNS server. It does look like there's an issue though. When I run `host myhostname.domain.org` it resolves, but if I do `host myipaddress` I get one of the two following errors:

    If run on the server itself: `Host 44.254.168.192.in-addr.arpa not found: 2(SERVFAIL)`

    If run on the DNS server: `Host 44.254.168.192.in-addr.arpa. not found: 3(NXDOMAIN)`

    Since the entries on the DNS server appear to be correct I'm not sure what to change to fix this. Should I be editing the domain files in terminal instead of in Server.app?
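As an added illustration (not code from this thread, from Apple, or from Server.app), the following Python script models the two checks the exchange above turns on: Linc Davis's requirement that the server's forward and reverse records agree, and the `host ... not found` lines quoted in this reply. The zone contents and hostnames below are constructed (only the reverse name for 192.168.254.44 mirrors the one in the post), and the rcode meanings are the standard DNS ones: NXDOMAIN is an authoritative "no such name", while SERVFAIL means the resolver that was asked could not complete the query at all, which is why the same lookup can fail differently depending on which machine runs it.

```python
import ipaddress
import re

# Constructed sample zone data, modelled loosely on the small flat network
# described in the thread. Names and addresses are made up; only the PTR for
# 192.168.254.44 mirrors the reverse name quoted in the post.
FORWARD_ZONE = {
    "ourodserver.ourdomain.org.": "192.168.254.44",
    "dns.ourdomain.org.": "192.168.254.10",
    "printer1.ourdomain.org.": "192.168.254.60",   # A record with no PTR
}
REVERSE_ZONE = {
    "44.254.168.192.in-addr.arpa.": "ourodserver.ourdomain.org.",
    "10.254.168.192.in-addr.arpa.": "dns.ourdomain.org.",
    "61.254.168.192.in-addr.arpa.": "oldhost.ourdomain.org.",  # stale PTR, no A record
}

# Failure line printed by the `host` utility, e.g.
#   Host 44.254.168.192.in-addr.arpa not found: 2(SERVFAIL)
HOST_NOT_FOUND = re.compile(r"^Host (\S+) not found: (\d+)\((\w+)\)$")

# Standard DNS response codes as `host` prints them.
RCODE_MEANING = {
    "NXDOMAIN": "authoritative answer: the name does not exist",
    "SERVFAIL": "the resolver could not complete the query (zone or server problem)",
}


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa (or ip6.arpa) owner name a PTR lookup for ip uses."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def classify_host_error(line: str):
    """Parse one `host ... not found` line into name, rcode and meaning.

    Returns None for lines that are not a failure report (e.g. a normal answer).
    """
    m = HOST_NOT_FOUND.match(line.strip())
    if not m:
        return None
    name, rcode, status = m.groups()
    return {
        "name": name.rstrip(".") + ".",      # normalise to a fully-qualified name
        "rcode": int(rcode),
        "status": status,
        "meaning": RCODE_MEANING.get(status, "other failure"),
    }


def check_consistency(forward: dict, reverse: dict) -> list:
    """Report every A record without a matching PTR, every PTR that does not
    point back at the name holding the address, and every PTR whose target has
    no A record. An empty list means forward and reverse zones agree."""
    problems = []
    for name, ip in forward.items():
        ptr = reverse.get(reverse_name(ip))
        if ptr is None:
            problems.append(f"{name}: no PTR record for {ip}")
        elif ptr != name:
            problems.append(f"{name}: PTR for {ip} points to {ptr} instead")
    for rname, target in reverse.items():
        if target not in forward:
            problems.append(f"{rname}: PTR target {target} has no A record")
        elif reverse_name(forward[target]) != rname:
            problems.append(f"{rname}: {target} resolves to {forward[target]}, not this address")
    return problems


if __name__ == "__main__":
    for line in (
        "Host 44.254.168.192.in-addr.arpa not found: 2(SERVFAIL)",
        "Host 44.254.168.192.in-addr.arpa. not found: 3(NXDOMAIN)",
    ):
        print(classify_host_error(line))
    for problem in check_consistency(FORWARD_ZONE, REVERSE_ZONE):
        print("PROBLEM:", problem)
```

On a real server the two dictionaries would be filled from the zone files (or from `dig AXFR` against the authoritative server) rather than typed in; the consistency check is the same either way, and a non-empty result is the first thing to look at before touching the directory service.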

  • by viellencerts (Level 1, 8 points), Jul 29, 2014 9:03 AM in response to viellencerts

    I also wanted to clarify that I didn't end up really upgrading the OD server. We had issues with doing a standard migration from 10.6.8->10.9 so after much ado I started on a clean install and then did just a users + groups export/import from the old server. I do have a lingering issue with that server but was going to save that for another post unless they're related. Basically, 10.6->10.8 users can log in to network homes no problem, but 10.9 users are sometimes receiving the message that their home folder has been moved, or they can't log in at all (login window shakes). We are sharing the folders via SMB, shared via a RAID attached to the OD server and I've verified the paths are set correctly in WGM (plus we can log in as the same user in a different OS).

  • by Linc Davis (Level 10, 207,995 points), Jul 29, 2014 9:33 AM in response to viellencerts

    Obviously your setup isn't working, but there isn't enough information here to show why not. As you know, when you activate the DNS service, it automatically creates records for the server. If you've done something else, you're just going to have to go through it and figure out what you did wrong. I suggest you turn off OD and DNS, delete the DNS configuration, and start over.

  • by viellencerts (Level 1, 8 points), Jul 29, 2014 9:36 AM in response to Linc Davis

    OD is on a different server and works fine when we use our old Windows AD server for DNS (aside from the issue with Mavericks that I mentioned). For DNS, I did only use Server.app to create each entry so it created the reverse entries manually; that's why I'm unsure of the errors I received when doing the host lookup. I will keep digging. I've already completely flattened the DNS server and manually added the entries once, so I'm hesitant to do that a second time.

  • by viellencerts (Level 1, 8 points), Jul 29, 2014 10:06 AM in response to viellencerts

    I may have resolved the issue by just deleting the A + PTR record for that one server and re-adding them. I'm still not sure how the PTR record became corrupt though, since it was automatically created by the Server.app. I did also look at the reverse zone files manually and the entry was correct. Very odd, and I'm not convinced DNS is stable, but this is a start.

    I can now log in consistently on all machines running 10.6-10.9, but am continuing to have the issue that some accounts that log into 10.9 machines cannot find the home folder. Going to try a new thread for that since it does not appear to be DNS related. :/