
Destroying Open Directory Master

If I nuke my OD master, do I lose all my user accounts as well? None have been able to log in using OD on computers bound to the server, so I want to start over again, but hopefully without having to recreate each user. Thanks.

Mac mini, OS X Mountain Lion (10.8.5)

Posted on Oct 14, 2014 12:43 PM

3 replies

Oct 14, 2014 3:59 PM in response to JSP196

Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

1. The OD master must have a static IP address on the local network, not a dynamic address.

2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

3. The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

4. Follow these instructions to rebuild the Kerberos configuration on the master.

5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.

6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

7. Reboot the master and the clients.

8. Don't log in to the server with a network user's account.

9. Disable any internal firewalls in use, including third-party "security" software.

10. If you've created any replica servers, delete them.

11. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.
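Steps 1 through 3 above are the ones most often got wrong, and they can be checked mechanically before anything is destroyed. The script below is an added example, not part of this thread or of Apple's tooling: it is a pre-flight check meant to be run on the OD master itself. The parsing helpers take command output as plain strings so they can be exercised with constructed input; run_checks feeds them real output from scutil, host and networksetup, and the output formats it assumes for those tools ("has address", "domain name pointer", "nameserver[0] :", "Manual Configuration") are assumptions rather than anything stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for steps 1-3 of the
# checklist, run on the OD master. Helpers parse command output passed in as
# strings; run_checks wires them to scutil, host and networksetup (macOS tools,
# output formats assumed).

# Step 2: the name needs at least three labels (server.yourdomain.com) and
# must not sit under .local, which is reserved for Bonjour.
valid_od_hostname() {
    case "$1" in
        *.local)  return 1 ;;
        *.*.*)    return 0 ;;
        *)        return 1 ;;
    esac
}

# Address from a `host NAME` line such as
# "server.example.com has address 10.0.1.5"
parse_forward() {
    printf '%s\n' "$1" | awk '/has address/ { print $4; exit }'
}

# Name from a `host IP` line such as
# "5.1.0.10.in-addr.arpa domain name pointer server.example.com."
parse_reverse() {
    printf '%s\n' "$1" | awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5; exit }'
}

# Step 2: forward lookup of NAME must give IP and reverse lookup of IP must
# give NAME. FWD and REV are the raw outputs of `host NAME` and `host IP`.
forward_reverse_match() {
    name=$1; ip=$2; fwd=$3; rev=$4
    [ "$(parse_forward "$fwd")" = "$ip" ] && [ "$(parse_reverse "$rev")" = "$name" ]
}

# Step 3: first resolver from `scutil --dns` output, e.g.
# "  nameserver[0] : 127.0.0.1"
primary_dns() {
    printf '%s\n' "$1" | awk '/nameserver\[0\]/ { print $3; exit }'
}

# Step 1: `networksetup -getinfo SERVICE` begins with "Manual Configuration"
# for a static address and "DHCP Configuration" for a dynamic one (assumed).
is_static_config() {
    case "$1" in
        "Manual Configuration"*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# Run the real checks; SERVICE defaults to "Ethernet". Returns non-zero on
# any hard failure so it can gate a larger script.
run_checks() {
    service=${1:-Ethernet}
    status=0
    name=$(scutil --get HostName)
    if valid_od_hostname "$name"; then
        echo "ok   hostname $name is three-level and not under .local"
    else
        echo "FAIL hostname '$name' must look like server.yourdomain.com"; status=1
    fi
    fwd=$(host "$name")
    ip=$(parse_forward "$fwd")
    if [ -n "$ip" ] && forward_reverse_match "$name" "$ip" "$fwd" "$(host "$ip")"; then
        echo "ok   $name <-> $ip forward and reverse lookups agree"
    else
        echo "FAIL forward/reverse DNS for $name do not agree"; status=1
    fi
    if [ "$(primary_dns "$(scutil --dns)")" = "127.0.0.1" ]; then
        echo "ok   primary DNS server is 127.0.0.1"
    else
        echo "WARN primary DNS is not 127.0.0.1 (acceptable only with another internal DNS server)"
    fi
    if is_static_config "$(networksetup -getinfo "$service")"; then
        echo "ok   $service has a manual (static) address"
    else
        echo "FAIL $service is not manually configured"; status=1
    fi
    return $status
}

# Only run for real when the macOS tools are present.
if command -v scutil >/dev/null 2>&1 && command -v networksetup >/dev/null 2>&1; then
    run_checks "$@"
fi
```

Run it as `sh odcheck.sh "Ethernet"` (or whichever network service name the master uses). The primary-DNS check is reported as a warning rather than a failure because, as step 3 says, pointing at another internal DNS server is legitimate; the hostname and forward/reverse checks are hard failures because OD and Kerberos will not work without them.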

Oct 14, 2014 4:22 PM in response to Linc Davis

I went through line-by-line and checked everything...

1) Using scutil, the hostname is configured correctly, and according to the host command, the FQDN resolves to the IP address and vice versa.

2) Do I set the primary DNS server in the regular network control panel of the server, instead of in the Server app? I currently use my router to run DNS lookups for my network, instead of the server. This may be the problem.

So under DNS in the Server app, for "Forwarding Servers" is that where I would then put my router's IP address so that the server can resolve to outside addresses? And then in the next section, do I perform lookups for the server, some clients or all clients?

I also read something about checking all the Zone records, but they seem to be ok. There are two items under Primary Zone and both list the FQDN of my server, one as machine and one as nameserver. There are two items listed under Reverse Zone: my static IP address (as "reverse mapping") and the FQDN (as "nameserver").

Before I go further, I wanted to make sure that those settings were correct in case it's a simple fix someplace there. I did also set the DNS server on my personal computer to look at the server's IP for DNS, and though this did still resolve to the internet, it did not allow OD to work.

Thanks.

Oct 14, 2014 5:16 PM in response to JSP196

Do I set the primary DNS server in the regular network control panel of the server, instead of in the Server app?

Yes.

So under DNS in the Server App, for "Forwarding Servers" is that where I would then put my router's IP address so that the server can resolve to outside addresses?

Yes.

do I perform lookups for the server, some clients or all clients?

The server itself and clients on the local network.
