
Open directory setup problems

When we upgraded from 10.6 server to 10.9 with server 3.2.2, I couldn't enable Open directory, and there was a message saying the server was successfully configured as a directory server, but an error occurred. I assumed it was something from the old system it didn't like, so I did a clean install instead and all seemed to be well. However a few weeks later, for some reason Open Directory became irretrievably corrupted, so I did another clean system install, but this time I'm getting the same error when I try to set up Open Directory. I let Server set up the DNS, set it to allow the server to do lookups, and it appears to be ok from an nslookup. I've tried using the terminal commands to destroy the OD data but no joy. If I use the terminal command to set up OD, it says something about a record not being found for servername.private. Wondering if anyone can shed any light on this?

thanks

Posted on Feb 16, 2015 6:18 AM

Question marked as Best reply

Posted on Feb 16, 2015 6:15 PM

Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

1. The OD master must have a static IP address on the local network, not a dynamic address. It must not be connected to the same network with more than one interface; e.g., Ethernet and Wi-Fi.

2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

3. The primary DNS server used by the server must be itself, unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

4. Only if you're still running Mavericks server, follow these instructions to rebuild the Kerberos configuration on the server.

5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.

6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

7. Reboot the master and the clients.

8. Don't log in to the server with a network user's account.

9. Disable any internal firewalls in use, including third-party "security" software.

10. If you've created any replica servers, delete them.

11. If OD has only recently stopped working when it was working before, you may be able to restore it from the automatic backup in /var/db/backups, or from a Time Machine snapshot of that backup.

12. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.

If you get this far without solving the problem, then you'll need to examine the logs in the Open Directory section of the log list in the Server app, and also the system log on the clients.
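As an added example (not from the thread, and not Apple's own tooling), here is a small shell script that turns the hostname and DNS rules in steps 2 and 3 of the reply above into checks. The pure functions take the resolved values as arguments, so they can be exercised anywhere; `od_live_check` is an assumed wrapper that gathers those values on the master itself with `scutil`, `ipconfig` and `dig`, and the interface name `en0` is an assumption.

```sh
#!/bin/sh
# Added example: encodes the hostname/DNS rules from steps 2 and 3 of the
# reply above as checks. Each check prints "ok" or "fail: <reason>" and
# returns 0 or 1.

# Normalise a DNS name: lower-case, strip a trailing dot.
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Count the dot-separated labels in a name.
label_count() {
    norm_name "$1" | awk -F. '{print NF}'
}

# Step 2: at least a three-level name, and not in the .local TLD (Bonjour).
od_name_check() {
    name=$(norm_name "$1")
    case "$name" in
        "")            echo "fail: empty hostname"; return 1 ;;
        *.local)       echo "fail: $name is in the .local domain (reserved for Bonjour)"; return 1 ;;
        *[!a-z0-9.-]*) echo "fail: $name contains characters not valid in a hostname"; return 1 ;;
    esac
    if [ "$(label_count "$name")" -lt 3 ]; then
        echo "fail: $name has fewer than three labels (need e.g. server.yourdomain.com)"
        return 1
    fi
    echo ok
}

# Steps 2 and 3: the forward lookup of the hostname must give the master's
# static IP, and the reverse lookup of that IP must give the hostname back.
# Arguments: hostname, expected IP, A-record answer, PTR answer.
od_dns_consistent() {
    host=$(norm_name "$1"); ip=$2; fwd=$3; ptr=$(norm_name "$4")
    if [ "$fwd" != "$ip" ]; then
        echo "fail: $host resolves to '${fwd:-nothing}', expected $ip"; return 1
    fi
    if [ "$ptr" != "$host" ]; then
        echo "fail: reverse lookup of $ip gives '${ptr:-nothing}', expected $host"; return 1
    fi
    echo ok
}

# Step 3: the master's first resolver should be itself, or the internal DNS
# server if you run one. Arguments: master IP, first resolver IP, optional
# internal DNS IP.
od_resolver_check() {
    self=$1; resolver=$2; internal=${3:-$1}
    if [ "$resolver" = "$self" ] || [ "$resolver" = "$internal" ]; then
        echo ok
    else
        echo "fail: first resolver is $resolver, expected $self or $internal"; return 1
    fi
}

# Live wrapper for the OD master (macOS only). Reads the hostname with
# scutil, the address of the given interface (assumption: en0) with ipconfig,
# the forward/reverse records with dig, and the first resolver from scutil.
od_live_check() {
    host=$(scutil --get HostName)
    ip=$(ipconfig getifaddr "${1:-en0}")
    fwd=$(dig +short A "$host" | head -n 1)
    ptr=$(dig +short -x "$ip" | head -n 1)
    resolver=$(scutil --dns | awk '/nameserver\[0\]/ {print $3; exit}')
    echo "hostname: $host  ip: $ip  first resolver: $resolver"
    od_name_check "$host"
    od_dns_consistent "$host" "$ip" "$fwd" "$ptr"
    od_resolver_check "$ip" "$resolver"
}

# On the master: . ./od_check.sh && od_live_check en0
```

Source the file on the master and call `od_live_check` with the interface that carries the static address; every line should read `ok` before you go on to the later steps. OS X Server also ships `sudo changeip -checkhostname`, which performs a similar hostname and DNS consistency check. Note that a two-label name such as the `servername.private` mentioned in the question fails the three-level rule as written, while a three-label `.private` name passes both of these literal checks; whether OD then works is the question the follow-up below raises.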

5 replies

Feb 18, 2015 3:41 AM in response to Linc Davis

So in fact you should not be attempting to run OD with a .private host name? This is confusing because the host wizard says that you can use a .private host name if the only service that you want to be accessible from outside is VPN. But to run VPN you have to run OD. And the OD wizard has allowed me to create an OD directory on a .private host name without giving any errors.
