stephan (Germany)

Q: After Updating to Server 4.1 Open Directory and LDAP gone

Hello,

 

Two days ago I discovered that Open Directory was not working on our server (Mac mini 2012). I suspect it stopped working after updating to 10.10.3 and OS X Server 4.1. When I try to start Open Directory in the Server app, the Server app prompts: "Unable to load Replica List". When I try to recreate my Open Directory server I get: "OD Server already exists".

 

I get the following log entries:

 

LDAP Log

 

Apr 11 22:03:02 server.seju.eu slapd[925]: @(#) $OpenLDAP: slapd 2.4.28 (Feb 24 2015 21:45:59) $

  root@osx202.apple.com:/BinaryCache/OpenLDAP/OpenLDAP-499.32.4~1/Objects/servers/slapd

Apr 11 22:03:02 server.seju.eu slapd[925]: daemon: SLAP_SOCK_INIT: dtblsize=8192

Apr 11 22:03:02 server.seju.eu slapd[925]: TLS: OPENDIRECTORY_SSL_IDENTITY identity preference overrode configured olcTLSIdentity "APPLE:server.seju.eu"

Apr 11 22:03:02 server.seju.eu slapd[925]: slap_add_listener: opened additional listener 'ldaps:///'

Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): unable to allocate memory for mutex; resize mutex region

Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_open: database "dc=server,dc=seju,dc=eu" cannot be opened, err 12. Restore from backup!

Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): txn_checkpoint interface requires an environment configured for the transaction subsystem

Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_close: database "dc=server,dc=seju,dc=eu": txn_checkpoint failed: Invalid argument (22).

Apr 11 22:03:02 server.seju.eu slapd[925]: backend_startup_one (type=bdb, suffix="dc=server,dc=seju,dc=eu"): bi_db_open failed! (12)

Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_close: database "dc=server,dc=seju,dc=eu": alock_close failed

Apr 11 22:03:02 server.seju.eu slapd[925]: slapd stopped.

 

 

 

Open Directory Log

 

2015-04-11 21:57:10.624284 CEST - AID: 0x0000000000000000 - opendirectoryd (build 382.20.2) launched...

2015-04-11 21:57:10.752590 CEST - AID: 0x0000000000000000 - Logging level limit changed to 'error'

2015-04-11 21:57:10.916732 CEST - AID: 0x0000000000000000 - Initialize trigger support

2015-04-11 21:57:10.951833 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'

2015-04-11 21:57:10.958469 CEST - AID: 0x0000000000000000 - Module: SystemCache - failed to load persistent state - Input/output error

2015-04-11 21:57:10.962533 CEST - AID: 0x0000000000000000 - Registered node with name '/Active Directory' as hidden

2015-04-11 21:57:10.962833 CEST - AID: 0x0000000000000000 - Registered node with name '/Configure' as hidden

2015-04-11 21:57:10.963182 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'

2015-04-11 21:57:10.963194 CEST - AID: 0x0000000000000000 - Registered node with name '/Contacts'

2015-04-11 21:57:10.963438 CEST - AID: 0x0000000000000000 - Registered node with name '/LDAPv3' as hidden

2015-04-11 21:57:10.966901 CEST - AID: 0x0000000000000000 - Registered node with name '/Local' as hidden

2015-04-11 21:57:10.968600 CEST - AID: 0x0000000000000000 - Registered node with name '/NIS' as hidden

2015-04-11 21:57:11.031990 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'

2015-04-11 21:57:11.032007 CEST - AID: 0x0000000000000000 - Registered node with name '/Search'

2015-04-11 21:57:12.343838 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/LDAPv3/127.0.0.1' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/127.0.0.1.plist'

2015-04-11 21:57:12.343888 CEST - AID: 0x0000000000000000 - Registered subnode with name '/LDAPv3/127.0.0.1'

2015-04-11 21:57:13.549377 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'

2015-04-11 21:57:13.551131 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'

2015-04-11 21:57:13.554053 CEST - AID: 0x0000000000000000 - '/Search' has registered, loading additional services

2015-04-11 21:57:13.554064 CEST - AID: 0x0000000000000000 - Initialize augmentation support

2015-04-11 21:57:13.557920 CEST - AID: 0x0000000000000000 - Successfully registered for Kernel identity service requests

2015-04-11 21:57:13.557940 CEST - AID: 0x0000000000000000 - Adjusting kernel ID cache (100 -> 250) and membership cache (100 -> 500)

2015-04-11 21:57:13.575235 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'

2015-04-11 21:57:13.578418 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'

2015-04-11 21:57:13.583810 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleID.bundle'

2015-04-11 21:57:13.615788 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'

2015-04-11 21:57:13.619666 CEST - AID: 0x0000000000000000 - Registered subnode with name '/Local/Default'

2015-04-11 21:57:13.632498 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'

2015-04-11 21:57:13.845588 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientLDAP.bundle'

2015-04-11 21:57:13.849664 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientPWS.bundle'

Mac mini, OS X Yosemite (10.10.3), Server 4.1

Posted on Apr 11, 2015 1:45 PM

  • MrHoffman (Level 6, 15,627 points), Apr 11, 2015 4:20 PM, in response to stephan (Germany). Marked as the solved answer.

    Looks like there's a corruption, and that can mean restoring from backups.

     

    That written, it's possible there are some DNS issues here as your host has a public CNAME (alias) and what might be a dynamic DNS provider.  DNS configuration issues can cause LDAP to become confused.

  • stephan (Germany) (Level 1, 0 points), Apr 11, 2015 10:39 PM, in response to MrHoffman

    I always thought DNS would be OK, although my performance was so slow that I had to add too many settings. I also used a script running as a LaunchDaemon to dynamically update my public IP address. Maybe it did not launch after the update and we ended up here?

     

    But now things escalated! Yesterday, after writing this post, I tried to stop the OD instance by unloading the launchd configuration (I administer the server remotely):

     

    sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist

     

    The screen sharing connection was interrupted, and when I tried to restart the Mac mini with a screen attached it did not load past the half-way point of the loading bar on the Apple screen.

     

    Starting in single user mode gets me to the command line where I can:

    1) $ /sbin/fsck -fy

    I get: "The volume ... appears to be OK.

    The volume was modified."

    and:

    2) $ /sbin/mount -uw /

    after

    exit

    I get, somewhere:

    "Bootcachecontrol: Unable to open /var/db/Bootcache.playlist: no such file or directory

    pfctl: the use of -f option, could result in flushing of rules present in main ruleset added by the system at startup.

    See /etc/pf.config for further details.

     

    no ALTQ support in kernel

    ALTQ related functions disabled

    pf enabled

    net.inet.tcp.delayed_ack: 3 -> 2

    bash: /etc/rc.installer_cleanup: No such file or directory.

     

    I hope someone can help...

  • essandess (Level 1, 28 points), Apr 14, 2015 7:41 AM, in response to stephan (Germany). Marked Helpful.

    I had a similar problem. A couple days after upgrading, I encountered OD's "Unable to load replica" problem and had my server's certificate deleted from my system keychain!

     

    Server.app + OD + LDAP are all extremely fragile and I just don't trust them during transitions, so I always keep an independent bootable backup with Carbon Copy Cloner and this preflight script. I'll post my notes for recovering OD below, but in my case, nothing worked this time, and I couldn't start OD robustly across reboots. Fortunately for me, my 12 hour old bootable backup was working, so I just used CCC to copy my bootable backup back. Not sure what I would have done had that not worked short of rebuilding everything from scratch.


    Pre-steps:


    0. Bootable backups, Time Machine backups, and dirserv backups of everything.

    1. Disk Utility: Fix disk permissions, Fix disk

    2. PRAM reset, Command-Option-P-R at boot

    3. DiskWarrior to rebuild the disk directory


    Possible steps to fix OD:


    # Fix Open Directory "Unable to load replica"

    # Try this first:
    # https://support.apple.com/en-us/HT200018
    # Quit Server.app
    sudo mkdir /var/db/openldap/migration/
    sudo touch /var/db/openldap/migration/.rekerberize
    sudo killall PasswordService
    # Open Server.app

    # Try this second:
    # http://apple.stackexchange.com/questions/79141/how-to-fix-failing-open-directory-database-cn-authdata-cannot-be-opened-err
    sudo serveradmin stop dirserv
    sudo launchctl unload -w /System/Library/LaunchDaemons/org.openldap.slapd.plist
    sudo db_recover -h /var/db/openldap/authdata/
    sudo /usr/libexec/slapd -Tt
    sudo launchctl load -w /System/Library/LaunchDaemons/org.openldap.slapd.plist
    sudo serveradmin start dirserv

    # Try this third:
    # https://discussions.apple.com/thread/6018956
    sudo serveradmin stop dirserv
    sudo slapconfig -restoredb /private/var/backups/ServerBackup_OpenDirectoryMaster.sparseimage
    sudo serveradmin start dirserv

    # Try this fourth (assuming ccc_preflight od backup):
    # https://discussions.apple.com/thread/6018956
    sudo serveradmin stop dirserv
    sudo slapconfig -restoredb /private/var/backups/odbackup/od_2015-04-11.sparseimage
    sudo serveradmin start dirserv

    # Try this last:
    sudo rsync -va /your-backup-drive-possibly-TM/private/var/db/openldap/authdata/ /private/var/db/openldap/authdata/


    If your server cert gets deleted from the System keychain, you'll need to boot into the bootable backup and export the certificate+key that looks like hostname.domainname.tld, signed by IntermediateCA_HOSTNAME.DOMAINNAME.TLD_1, copy this to the server drive, import back into the System keychain. The cert should then appear within Server.app again. See here for how to do this if all you have is the System keychain file.


    If anyone has reliable advice how to fix a corrupt OD that would be a huge help.


  • P_Reventlow (Level 1, 0 points), Apr 13, 2015 7:38 AM, in response to essandess

    Essandess, the steps you listed were a great help for me - thanks!

    What worked for me was to restore /var/db/openldap/openldap-data/id2entry.bdb from Time Machine until I could run your second suggestion without any errors. After that OD finally started up and all network users were back. The last thing was to set the correct cert for OD.

  • essandess (Level 1, 28 points), Apr 14, 2015 7:41 AM, in response to P_Reventlow. Marked Helpful.

    Glad that worked -- I'd test it across reboots, which was an issue for me until I threw in the towel and reverted to a 12 hour old clone.

     

    I would have liked to just restore the files necessary to get Open Directory back, but I don't have a list of what these are.

     

    When I restored using Carbon Copy Cloner, I asked it to make a Safety Net, which shows all the stuff it replaced. In case it's useful to others (or myself) in the future, here are some likely candidate directories to attempt restoring from backup:

     

    /private/var/db/openldap

    /private/etc/openldap

    /private/etc/certificates

    /private/var/db/krb5kdc/kdc.conf

    /private/etc/krb5.keytab

    /private/var/db/krb5kdc

    /Library/Keychains/System.keychain

    /Library/Preferences/com.apple.openldap.plist

    /Library/Preferences/edu.mit.Kerberos.kadmind.launchd

    /Library/Preferences/OpenDirectory

     

    I don't know which specific restoration fixed my specific problem, but it had to do with the contents of one of these directories.


    The changes in /private/etc/openldap were ldap.conf, rootDSE.ldi, slapd.conf, slapd.d, slapd.d.backup, slapd_macosxserver.conf.

     

    The changes in /Library/Server/* were: Alerts, Calendar and Contacts, Configuration, Firewall, Logs, Mail, Messages, Network, PostgreSQL, ProfileManager,  SetupWeb, Wiki, but I don't believe the problem is in the /Library/Server directory.


    Another last resort option is to try a Safe reboot to wipe away all cache. Also, be sure to watch your System keychain if you run the command "slapconfig -restoredb" because I've seen this command delete the server certificate from the keychain at times, which will render LDAP authentication useless unless you have a backup of your certs.

     

    The real solution would be an LDAP implementation that isn't fragile to occasional/inevitable db corruption or upgrades. One shouldn't have to think about reverting an entire server or deleting a directory master just to fix the relatively frequent LDAP corruption problems.
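    The following is an added example, not code from essandess or from anyone else in this thread. It turns the "try this second" sequence above into a script in which each step is gated on the previous one (slapd is only loaded again if `slapd -Tt` passes after `db_recover`), takes a tar snapshot of the OD-related paths listed in the Safety Net post before anything is modified, adds a triage function over slapd log lines such as the ones in the original question, and finishes with the checks that tell you whether the directory actually came back (including whether the server certificate is still in the System keychain). The snapshot location, the DRY_RUN knob and the sample log variable are assumptions of this example, not something the posts describe; run it as root with DRY_RUN=0 to execute for real.

```bash
#!/bin/bash
# Added example, not code from the thread: essandess's "try this second"
# sequence with each step gated on the previous one, a triage step over the
# slapd log, and a pre-repair snapshot of the state paths listed in the later
# post. Run as root (sudo). DRY_RUN=1 (the default) only prints the privileged
# commands. Assumed, not from the posts: SNAPSHOT_DIR and the DRY_RUN knob.
set -u

DRY_RUN="${DRY_RUN:-1}"
SNAPSHOT_DIR="${SNAPSHOT_DIR:-/private/var/backups/od-manual}"

# Paths essandess's CCC Safety Net showed had been replaced by the restore.
OD_STATE_PATHS="/private/var/db/openldap
/private/etc/openldap
/private/etc/certificates
/private/var/db/krb5kdc
/private/etc/krb5.keytab
/Library/Keychains/System.keychain
/Library/Preferences/com.apple.openldap.plist
/Library/Preferences/edu.mit.Kerberos.kadmind.launchd
/Library/Preferences/OpenDirectory"

run() {  # print the command in dry-run mode, otherwise execute it
  if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# triage_slapd_log: read slapd log lines on stdin, print one verdict.
#   bdb-open-failed  BDB environment would not open (err 12, "Restore from
#                    backup!"): db_recover/restore path, stop restarting slapd
#   stopped          slapd stopped for some other reason: read the full log
#   no-fatal-error   nothing fatal in the excerpt
triage_slapd_log() {
  local log
  log="$(cat)"
  if printf '%s\n' "$log" | grep -Eq 'bdb_db_open: .* cannot be opened, err 12|bi_db_open failed! \(12\)'; then
    echo bdb-open-failed
  elif printf '%s\n' "$log" | grep -q 'slapd stopped\.'; then
    echo stopped
  else
    echo no-fatal-error
  fi
}

# snapshot_od_state: tar every OD-related path that exists before touching
# anything, so a db_recover or slapconfig -restoredb that makes things worse
# (essandess saw -restoredb delete the server cert) can itself be rolled back.
snapshot_od_state() {
  local stamp paths p
  stamp="$(date +%Y%m%d-%H%M%S)"
  paths=""
  while IFS= read -r p; do
    if [ -e "$p" ]; then paths="$paths $p"; fi
  done <<EOF
$OD_STATE_PATHS
EOF
  run mkdir -p "$SNAPSHOT_DIR"
  # $paths is split on purpose: one tar argument per path
  run tar -cpf "$SNAPSHOT_DIR/od-state-$stamp.tar" $paths
}

# recover_authdata: the posted sequence, but slapd is only loaded again if its
# configuration/database test (slapd -Tt) passes after db_recover.
recover_authdata() {
  run serveradmin stop dirserv || return 1
  run launchctl unload -w /System/Library/LaunchDaemons/org.openldap.slapd.plist || return 1
  run db_recover -h /private/var/db/openldap/authdata/ || return 1
  run /usr/libexec/slapd -Tt || { echo 'slapd -Tt failed: not restarting, restore from backup' >&2; return 1; }
  run launchctl load -w /System/Library/LaunchDaemons/org.openldap.slapd.plist || return 1
  run serveradmin start dirserv
}

# verify_od: what "working" looks like afterwards (repeat after a reboot):
# dirserv RUNNING, the local LDAP node answers, and the server certificate is
# still present in the System keychain.
verify_od() {
  local fqdn
  fqdn="$(hostname -f 2>/dev/null || hostname)"
  run serveradmin fullstatus dirserv
  run dscl /LDAPv3/127.0.0.1 -read /
  run security find-certificate -c "$fqdn" /Library/Keychains/System.keychain
}

# Constructed sample: the fatal lines from the LDAP log in the question.
SAMPLE_SLAPD_LOG='Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): unable to allocate memory for mutex; resize mutex region
Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_open: database "dc=server,dc=seju,dc=eu" cannot be opened, err 12. Restore from backup!
Apr 11 22:03:02 server.seju.eu slapd[925]: backend_startup_one (type=bdb, suffix="dc=server,dc=seju,dc=eu"): bi_db_open failed! (12)
Apr 11 22:03:02 server.seju.eu slapd[925]: slapd stopped.'

case "${1:-}" in
  triage)  triage_slapd_log ;;   # e.g. sudo ./od-recover.sh triage < /var/log/slapd.log
  recover) snapshot_od_state && recover_authdata && verify_od ;;
  sample)  printf '%s\n' "$SAMPLE_SLAPD_LOG" | triage_slapd_log ;;
esac
```

    The point of the gating is the one P_Reventlow's experience illustrates: keep restoring and re-running `db_recover` until `slapd -Tt` is clean, and only then let launchd load slapd again; blindly restarting against a BDB environment that reports err 12 just reproduces the "Unable to load Replica List" state.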

  • stephan (Germany) (Level 1, 0 points), Apr 14, 2015 7:35 AM, in response to essandess

    Thank you very much for your help. I will keep your suggestions as best practice for my next running server; they are very clear as well as precise indeed. Unfortunately at this point my situation has deteriorated so far that the machine is unable to boot. Somehow the BootCache.playlist disappeared. I don't know how. I was trying step #2 via a screen sharing session when everything went .....

     

    That means I will probably have to build everything from scratch. I wrote another question regarding the boot problem and in case no one has an idea how to solve this I will reinstall everything tomorrow.

     

    I think I kept a copy of all ssl certificates.

     

    From now on I will use Time Machine to back up the server and Carbon Copy Cloner as a backup of the backup.

     

    The funny part is that I did not do so much in command line since the 80s ...

     

    Again, thank you so much.

  • essandess (Level 1, 28 points), Apr 14, 2015 8:43 AM, in response to stephan (Germany)

    Not booting could be a disk problem. I've seen this even on new boxes with SSDs. I would try all the pre-steps above as a necessary precaution.

     

    Try Command-R boot to use the Recovery partition>Disk Utility to fix the disk and permissions.

     

    If that fails—or even if it works, use Disk Warrior, and use Disk Warrior anyway for regular directory rebuilds.

     

    I've learned through hard experience that DiskWarrior along with Carbon Copy Cloner are essential. It's no fun to contemplate how much you'd spend to get your data back, certainly a lot more than DW and CCC.

  • MrHoffman (Level 6, 15,627 points), Apr 15, 2015 6:08 PM, in response to stephan (Germany)

    Slow network performance is the hallmark of a DNS error.   That's the DNS connections timing out.

     

    Assuming that network address translation (NAT) is in use, what you're trying to do is possible, if you use a subdomain of the public-facing dynamic DNS provider, but I prefer to avoid that as that provider has the domain registered and not me — I much prefer to have and to use a domain that I have registered internally, and then use the dynamic provider for connections into the host when those are necessary. 

     

    FWIW, I have a detailed write-up on DNS configurations available.  There is an article or two on the issues with dynamic DNS linked there, as well.

     

    If DNS is hosed, much of the rest of the stack will be somewhere past flaky — server DNS is key to authentication and certificate-based network security, among other details.  Open Directory typically needs DNS, and certificate-based security.  Among other services.

  • stephan (Germany) (Level 1, 0 points), Apr 16, 2015 1:05 AM, in response to MrHoffman

    Since DNS and Certificates are the only topics I am not completely sure about I would like to ask your opinion about my network settings. I read your article, but would like to ask you nevertheless some clarifications.

     

    I have an office network. Router + server + several clients. DHCP is provided by the router. The Server has DHCP with fixed IP.

     

    1) My ISP only provides a dynamic IP. I use a DYN-DNS service to update my PUBLIC IP and a script on the server to provide the DYN-DNS service with it. This is working.

     

    2) The DYN-DNS service associates my public IP with a DYN-DNS HOSTNAME.

     

    3) I have a REGISTERED DOMAIN and configured a SUBDOMAIN, which I forwarded to the DYN-DNS HOSTNAME. I also created a CNAME record for my SUBDOMAIN to my DYN-DNS HOSTNAME. All the other hostname records for the domain are still managed by my service provider's name server.

     

    4) On the server I have running Server 4.1 and OS-X 10.10.3. I have DNS service turned on. HOSTNAME = SUBDOMAIN. In the DNS section of the Server APP I get:

     

         ACCESS

         Status: Set your network DNS settings to (PUBLIC IP)

     

         SETTINGS

         Forwarding Servers: I have the IP4 and IP6 of my router.

     

         Perform lookups: only for clients on local network.

     

         RECORDS

         PRIMARY ZONE

         SUBDOMAIN machine

         SUBDOMAIN nameserver

     

         REVERSE ZONE

         FIXED SERVER IP reverse mapping

         SUBDOMAIN nameserver

     

         In PREFERENCES on my SERVER I have entries for localhost (127.0.0.1) as well as the IP4 and IP6 of my router

        

    5) On the client I am currently writing from, I have the IP4 address of my server as DNS server. On other clients I might still have additional DNS servers beside my SERVER's IP.

     

    6) The router has my service provider's IP4 and IP6 DNS servers configured.

     

     

     

    My question is:

    a) Is this setting correct?

     

    b) Can I add in SERVER additional forwarding servers, beside the IP addresses of my ROUTER? Can I add the DNS server addresses of my provider, Google, etc. as additional DNS forwarding servers?

     

    c) Should I only have my SERVER IP as DNS entry in my clients or can I add additional DNS entries (ISP, Google, ...)?

     

     

     

    I am asking because, since I changed DNS settings, websites such as Wikipedia are extremely difficult to load. Usually they do not load at all, and I thought this might be caused by the DNS settings. What should I do? Do I have to restart Router, Server and all clients, or did I commit an error in the settings?

     

    Thank you very much in advance.

  • MrHoffman (Level 6, 15,627 points), Apr 16, 2015 9:28 AM, in response to stephan (Germany)

    TL;DR, assuming a NAT'd network... a) no.  b) use your DNS server only, and forwarding from your DNS server is an optimization, and do not reference off-LAN DNS servers except as forwarders and only from your DNS server and c) reference only your local DNS server(s)

     

    For internal DNS within a NAT'd network, I would not reference any domain associated with dynamic DNS provider.  Even for a home network.  I would not use any domain names related to the dynamic DNS provider anywhere on my internal network, outside of references to services such as mail that might be hosted at that provider.  Dynamic DNS is great for home users, but it does not work very well with servers, and I definitely would not try to use the dynamic DNS name or subdomains of that domain on my internal network.  Keep dynamic DNS separate from your operations and your configuration.


    FWIW, I've posted a very detailed description of how DNS works, and the various configurations and trade-offs available; that's the earlier link.


    Forwarding servers are a performance optimization — they're a way you can allow an upstream server to cache DNS translations for you (because the upstream server may have already translated the host for another user of that DNS server), but your own server will also be caching translations for you after the first translation.  Forwarding servers are useful when you might want to use Google DNS (8.8.8.8 and 8.8.4.4), which are rather likely to have cached the translations for you.  In terms of correct operations, forwarding servers are not relevant — they "just" avoid the overhead of the recursive DNS translations starting at the DNS root servers.


    Unless your gateway firewall box contains a DNS server, you're probably just adding a hop.  Some mid- and various upper-end gateway firewall boxes do contain a DNS server, but many mid and lower-end boxes do not.   If your gateway firewall does have a DNS server, you can potentially use that in place of the OS X DNS server, or can use it in parallel for reliability.   Most low-to-mid-range gateway firewall boxes contain what is known as a DNS forwarder.  Not a DNS server.  DNS forwarders pass the translation request along to the ISP DNS server.  DNS forwarders don't have local IP address translations, either.


    As discussed in the article and with the exception of any optional specifications of forwarding servers within the context of your DNS server, you do not want to reference any DNS servers off your local network from any of your clients — just your local DNS server.  No ISP DNS servers, no off-LAN DNS servers, nothing.  Just your local DNS servers.   This requires you to configure your DHCP server and any static-configured hosts to reference and to vend only your local DNS server(s) IP address(es).    When your DNS server refers to itself via its Network preferences setting, it should refer only to 127.0.0.1 — how IP refers to the local host — and to any other LAN-private DNS servers you may be running.  If you are using NAT, do not reference off-network DNS servers.  Off-network DNS servers do not have translations for your local addresses, and many devices will not re-try DNS translations — first server they get that says "nope", and the translation attempts then end.  Off-private-LAN translations also cannot provide private IP address translations.


    Again, please have a look at that linked article — that's been written in response to more than a few DNS configuration mistakes and confusions that have arisen over the years...
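    The following is an added example, not code from MrHoffman or from anyone else in this thread. It puts the rules in the reply above into checks you can run on the server: every resolver a client (or the server's own Network preferences) references must be on the LAN, the hostname must have the machine.domain.tld form and must not be the public subdomain that the dynamic DNS entry points at, and the forward A record and reverse PTR of the server's name must agree when asked of the local DNS server (the same thing `sudo changeip -checkhostname` tests on OS X Server). "On-LAN" is taken here to mean RFC 1918 or loopback, the DIG variable exists so the lookup command can be substituted, and the names in the usage line (server.example.lan, 192.168.1.10, subdomain.example.com) are made up for the example; none of that comes from the posts.

```bash
#!/bin/bash
# Added example, not code from the thread: checks that encode MrHoffman's
# rules. Clients and the server's own Network preferences reference only
# LAN DNS (127.0.0.1 plus LAN servers on the server itself); the server's
# hostname is machine.domain.tld, lowercase, and not the public name that
# points at the dynamic IP; forward and reverse lookups of that hostname agree
# when asked of the local DNS server (what `sudo changeip -checkhostname`
# tests on OS X Server). Assumed, not from the posts: RFC 1918 plus loopback
# as the definition of "on-LAN", and DIG so the lookup command can be swapped.
set -u
DIG="${DIG:-dig}"

is_lan_ipv4() {  # RFC 1918 ranges or loopback
  case "$1" in
    10.*|192.168.*|127.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# offlan_resolvers "ip ip ...": print every resolver that is not on the LAN.
# Any output means this host will hand some lookups to a server that has no
# answers for the private names, and many resolvers stop at the first "nope".
offlan_resolvers() {
  local ip
  for ip in $1; do
    is_lan_ipv4 "$ip" || echo "$ip"
  done
}

# current_resolvers: the resolver list this Mac is actually using (macOS).
current_resolvers() {
  scutil --dns | awk '/nameserver\[/ {print $3}' | sort -u | tr '\n' ' '
}

# check_hostname_form fqdn [public_name]: machine.domain.tld, lowercase, no
# spaces or odd characters, at least three labels, and not the bare domain or
# the public subdomain that the dynamic DNS entry points at.
check_hostname_form() {
  local fqdn="$1" public="${2:-}" labels
  if [ "$fqdn" != "$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')" ]; then echo "not-lowercase"; return 1; fi
  case "$fqdn" in
    *[!a-z0-9.-]*) echo "bad-characters"; return 1 ;;
  esac
  labels="$(printf '%s' "$fqdn" | awk -F. '{print NF}')"
  if [ "$labels" -lt 3 ]; then echo "too-few-labels"; return 1; fi
  if [ -n "$public" ] && [ "$fqdn" = "$public" ]; then echo "same-as-public-name"; return 1; fi
  echo ok
}

# check_forward_reverse fqdn lan_ip nameserver: the A record of fqdn must be
# the LAN address and the PTR of that address must be fqdn, both answered by
# the local DNS server. Kerberos, LDAP and TLS on the server depend on this.
check_forward_reverse() {
  local fqdn="$1" want="$2" ns="$3" fwd rev
  fwd="$($DIG +short "$fqdn" A "@$ns" | tail -n 1)"
  rev="$($DIG +short -x "$want" "@$ns" | tail -n 1)"
  rev="${rev%.}"                       # PTR answers carry a trailing dot
  if [ "$fwd" != "$want" ]; then echo "forward-mismatch:${fwd:-none}"; return 1; fi
  if [ "$rev" != "$fqdn" ]; then echo "reverse-mismatch:${rev:-none}"; return 1; fi
  echo ok
}

# Usage on the server itself (example names, not from the thread):
#   ./dnscheck.sh server.example.lan 192.168.1.10 subdomain.example.com
if [ $# -eq 3 ]; then
  bad="$(offlan_resolvers "$(current_resolvers)")"
  if [ -z "$bad" ]; then echo "resolvers: ok"; else echo "resolvers: off-LAN entries: $bad"; fi
  echo "hostname form: $(check_hostname_form "$1" "$3")"
  echo "forward/reverse via 127.0.0.1: $(check_forward_reverse "$1" "$2" 127.0.0.1)"
fi
```

    Run the same three checks on a client with its own resolver list and with the server's IP in place of 127.0.0.1 as the nameserver: a client that lists 8.8.8.8 or the ISP's servers beside the local one is exactly the configuration the reply above says to avoid, and a forward or reverse mismatch is what makes Kerberos and the certificate-based services "somewhere past flaky" even when DNS appears to work.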


     


  • stephan (Germany) (Level 1, 0 points), Apr 17, 2015 3:25 AM, in response to MrHoffman

    Enlightenment slowly arises ... when I configured everything, I was in fact completely in doubt about the hostname / domain configuration part ... similar to a bricoleur I started with learning by doing. Sorry, but I went through too many tutorials and had to solve too many different problems (dynamic IP from ISP > DYN DNS, domain nameserver entries at my domain hosting provider, OS X Server setup, SSL certification, ...); the questions I have are probably obvious to most.

     

    I am starting to understand things more comprehensively now, but think that I am not 100% familiar with some of the technical vocabulary you use, or at least some of it confuses me. For example the part with the "dynamic DNS provider". I thought I had not used anything of my dynamic DNS provider in my settings. I mean, in my situation I have a domain hosting provider (which I need in order to have my domain registered, redirected, name server for the domain, etc.) and a dynamic DNS provider (which I need to solve the inconvenience of the DYNAMIC IP I get from my ISP), but I did not use anything of the dynamic DNS provider in my local settings. I used a SUBDOMAIN I created at my domain hosting provider, but this is static and not dynamic; but I apparently got confused and screwed things up?

     

    A) This means my main mistake in configuring internet-access to my server is that I:

     

    - registered a DOMAIN.TLD, created a SUBDOMAIN.DOMAIN.TLD and redirected this subdomain (through a DynDns service) at my HOME PUBLIC IP and then used the same name (SUBDOMAIN.DOMAIN.TLD) as the HOSTNAME of my server configuration (instead of server.example.com). I thought since I wanted to access my server from the outside I had to point to this server from the outside, but obviously I am missing the basics of networking, dns, etc. and this whole configuration is completely insecure ... ?

     

    I did this because in a book about OS-X SERVER in the chapter about configuration of ACCESSING YOUR SERVER > INTERNET, it says to use my COMPUTER NAME in the field COMPUTER NAME and the registered DOMAIN NAME in the field HOSTNAME during the step CONNECTING TO YOUR SERVER. And also on other websites is written: "Internet host name: If you're entering a hostname in this field, it must be a fully qualified domain name that you have registered with a domain authority. For example, server.example.com, where "server" is the hostname and can be any name you wish to use; "example" is the domain name you registered; and "com" is the top-level domain that you registered. Once again, the hostname must be all lowercase letters and not contain any spaces."


    Following your documentation and rereading the last sentence from the quote I understand that I have to use COMPUTER_NAME.DOMAIN_NAME.TLD.

     

    It is supposed to be MACHINE.DOMAIN.TLD !!! (machine.domain.tld does not have to be registered externally, such as with my domain provider)

    DOMAIN.TLD or SUBDOMAIN.DOMAIN.TLD can be pointed to my PUBLIC ISP IP, through DYN DNS ... and MACHINE.DOMAIN.TLD will be happy to answer all enquiries to DOMAIN.TLD or SUBDOMAIN.DOMAIN.TLD?

     

    1A) I could solve this by directing my DOMAIN.TLD to my PUBLIC IP from the ISP and delist my SUBDOMAIN.DOMAIN.TLD at the domain hosting provider and keep my hostname or

    2A) change the hostname of my OS-X SERVER and keep the SUBDOMAIN.DOMAIN.TLD pointed to my PUBLIC IP, this way I can still host the website at my domain provider and keep the subdomain for server access.

     

    Is my interpretation correct?

     

    B) I now configured all devices in our office network (apart from the GATEWAY) to use our SERVER as DNS SERVER. My configuration is now: GATEWAY (Airport Extreme) with DSL modem attached - SWITCHES - SERVER - CLIENTS.

     

    B1) GATEWAY/INTERNET has DNS entries for DNS SERVERS of my ISP (both IPV4 + IPV6)

    B2) GATEWAY/INTERNET does not use dynamical global hostname (don't know what that is for)

    B3) GATEWAY/NETWORK serves DHCP with IP reservation for SERVER and some CLIENTS

    B4) GATEWAY/NETWORK here "NAT Port Mapping" is enabled

    B5) GATEWAY/NETWORK here "Enable default host at" is disabled (don't know what that is for)

     

    B6) SERVER provides DNS service and has IPV4 address and IPV6 address of GATEWAY configured as forwarding servers.

    B7) SERVER performs DNS lookups only on local network

    B8) SERVER has DNS entries in PREFERENCES/NETWORK for 127.0.0.1, IP4 GATEWAY, IP6 GATEWAY

     

    C) This means my SERVER provides DNS service for the local network and forwards enquiries it can not resolve (related to external public addresses) to my GATEWAY which serves them to the DNS SERVERS of my choice, such as of my ISP or google, etc.....? Is this correct now? I think AIRPORT EXTREME does not have a DNS server but is a DNS forwarder.

     

    D) In relation to the exclusive use of internal DNS SERVER entries on all devices you say: "This requires you to configure your DHCP server and any static-configured hosts to reference and to vend only your local DNS server(s) IP address(es)." In my case the GATEWAY/ROUTER (Airport Extreme) is my DHCP server (it also serves a WIFI network), and I think it has to have the external DNS SERVER entries and not my internal DNS SERVER. Or how would a client in my local network get off-LAN?

     

    D1) Or should I configure also my GATEWAY/ROUTER to use my local DNS SERVER, clear the IPV4 + IPV6 GATEWAY entries in the FORWARDING SERVERS SECTION on the SERVER/DNS SERVER and have the OFF-LAN external DNS server addresses instead.

     

    I hope you can solve my final doubts. I read your article several times. It is very well written, but I am not an English native speaker and there are too many different topics involved; different technical jargons add up and tend to complicate things sometimes. And finally ... network configuration has to be reliable and secure, so better to do it right!

     

    Thank you very much in advance!

  • MrHoffman (Level 6, 15,627 points), Apr 17, 2015 4:49 PM, in response to stephan (Germany)

    Please forget about your Dynamic DNS provider.  That's not your domain.   Yes, you do have permission of the registrant to use a subdomain, but the domain is not yours.  Get yourself a real and registered domain.   Saves hassles down the road.  Again, I would avoid using a subdomain of a domain offered via a dynamic DNS provider.  That doesn't end well, when you change dynamic DNS providers or hosting.


    Your public (dynamic) IP address is not referenced within your network, except at your gateway-firewall box.

     

    Your dynamic DNS name is not something that's at all used or referenced within your network perimeter.

     

    I'd delete the current internal configuration and would follow what I posted in that article.

     

    Using the same domain name inside your network perimeter and outside your network perimeter is possible, but I'd avoid it.    Use a different (registered) domain, or a subdomain of a (registered) domain.  Don't try to run with the same domain within your network, and configured in the public DNS servers from your domain registrar.

     

    The book you're reading — I would encourage following what I wrote, as I can help with that, and can clarify that — probably does not cover using a dynamic IP address nor a dynamic DNS provider.   Dynamic providers are far more common with client configurations.  Servers get static addresses, as otherwise some services will not work as expected, or won't work reliably — you'll be able to start them and they can look OK, but other hosts deliberately will not interoperate.

     

    I'm going to have to re-read that text you've posted and will try to post a more detailed answer in a few hours, as this message got posted prematurely; there's some "post it" sequence in this forum software, and I hit it.

  • by MrHoffman,

    MrHoffman, Apr 17, 2015 5:17 PM in response to stephan (Germany)
    Level 6 (15,627 points)
    Mac OS X

    Dynamic DNS provider: that's the service you are using to get a translation of some domain name to your dynamic IP address.  Dynamic DNS differs from static DNS, in that dynamic DNS gets updated automatically each time your dynamic IP address changes.

     

    Dynamic IP and dynamic DNS are not common with servers, and can preclude using some functions of the server such as mail.  Mail will work, mail will start, mail will appear to run, but other mail servers can and variously will detect your dynamic address, and can and variously will decide not to receive mail from your server, and some may decide not to send mail to your server.  You can configure a mailhop service, but that's beyond the scope of getting your internal DNS going.

     

    Internal DNS.  Inside your gateway firewall router box. Private DNS.  Probably hosted by your OS X Server box.

     

    External DNS.  Outside your gateway firewall router box.  Public DNS.  Hosted by various providers.

     

    1a: please follow the article I have linked.  Get your internal DNS configured and working.  Then look at getting the dynamic DNS provider configured.  Do not use the same domain name or the same subdomain name for internal DNS and for external DNS.    I'd avoid using any domain from the dynamic DNS provider — while you might have permission to use that domain, you are not the formal registrant, which means you are a tenant of the dynamic provider.  That's fine for your public DNS — do not assume that you will be hosting mail or web services or other such access on a dynamic IP address — but you do not want to use somebody else's registration for your internal network.  (Yes, it's possible to do that, but the configuration is more complex and — as you're discovering — more confusing.)

     

    2a: please follow the article I have linked.  Get your internal DNS configured and working.  Ignore anything with your dynamic provider for now.  That comes later.  As mentioned in 1a, keep clear of the dynamic provider's domain name.


    B1: When you're done getting it configured, you have your own DNS server now.   You'll be using that.


    B2: Okay.


    B3: your server should be at a static IP address on your internal network, and not a DHCP-vended dynamic address.  (Static IP?  Dynamic?)


    B3 (B4?): ignore port mapping for now.  That's for remote access and entry into your server and to offer the miscreants on the Internet a way to try to hack into your server.   When you get around to getting external access going, do not open up inbound DNS queries into your network, and do not open up any ports other than those that are strictly necessary.

     

    B5: the default host stuff is again for remote access, and should be ignored for now.

     

    B6: using your router as a forwarder adds overhead.  You're running a DNS server.  Have that reference the other DNS servers directly.

     

    B7: Correct.  Your gateway firewall router should vend the IP address of your DNS server.  It should not vend the address(es) of your ISP DNS server(s), nor the address of the gateway firewall router box as a DNS server.

     

    B8: No.  You are running your own DNS server.  Do not reference off-LAN DNS servers.  Do not reference your gateway firewall router box as your DNS server.  You are running a DNS server.  Only your DNS server can translate local addresses.  Attempting to reference off-network DNS servers will not work for any local DNS domain names — you're setting up your own domain name here, with your internal private IP address space — as the DNS servers off your network are from the public IP address space, and not the NAT'd (private) IP address space you are using.

     

    C: No.  see B8.  You are running your own DNS server.  Your own DNS server is the only DNS server you should reference here.

     

    D: No.  See C & B8.  See the rest.  You are running your own DNS server here.    Referencing other DNS servers is the path to problems and timeouts and confusion.

     

    D1: Yes.  You are running your own DNS server.  Only your local DNS server has local knowledge of the hosts on your network.  The two most common hosts on your network are your gateway firewall router box, and your server.  Other boxes with static IP addresses can include network printers, or other servers that you might add.

     

    Again, please re-read the article.  Set up your internal DNS first. 

     

    For your purposes here, your dynamic DNS and your dynamic IP is going to limit what sorts of services are accessible remotely. 

     

    So again — set up local DNS first, then get your public (external) DNS configured.

     

    With dynamic DNS, there's really not all that much configuration that's even available.  And again, you're not going to have a fully-capable server available, as ISPs tend to block some server-oriented traffic on dynamic IP accounts, and as some network services — mail services chief among these — really expect static IP.  Mail servers with dynamic IP addresses are detected by other mail servers, and are assumed to be spam engines; random infected client boxes.  There can also be other policy blocks here.  In short, do not expect much in the way of externally-accessible services.  Some will work.  Some will not.
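
As an added example (not part of the thread, and not MrHoffman's or Apple's code), the script below turns the checklist in the post above (B3, B7, B8, C, D, D1) into something you can run on the server: the pure functions check that every resolver a client uses is on the LAN and is not the gateway, and build the in-addr.arpa name the internal reverse zone needs; the `--live` mode then asks the running resolver and the internal DNS server whether forward and reverse lookups of the server agree, and finishes with OS X Server's own `changeip -checkhostname`. The host name, addresses and gateway are assumed placeholders; substitute your own zone.

```shell
#!/bin/sh
# Added example: sanity checks for the internal-DNS layout described in the post.
# The host name and addresses below are assumptions, not values from the thread.
SERVER_FQDN="server.example.net"   # assumed internal FQDN of the OS X Server box
SERVER_IP="192.168.1.10"           # assumed static address of that box (B3)
INTERNAL_DNS="192.168.1.10"        # assumed: the server hosts the zone itself (B1)
GATEWAY_IP="192.168.1.1"           # assumed gateway firewall router address

# True when an address lies in RFC 1918 private space (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Every resolver a client uses must be on the LAN (B8/C/D): off-LAN servers
# cannot answer for the private zone.  $1 is a whitespace-separated list.
resolvers_all_internal() {
  for ns in $1; do
    is_rfc1918 "$ns" || return 1
  done
  return 0
}

# The resolver list must be non-empty, must not name the gateway (B7/B8),
# and must contain only internal addresses.  $1 = resolver list, $2 = gateway.
resolvers_ok() {
  [ -n "$1" ] || return 1
  for ns in $1; do
    [ "$ns" != "$2" ] || return 1
  done
  resolvers_all_internal "$1"
}

# Name of the reverse (in-addr.arpa) record for an IPv4 address; the internal
# zone needs this so reverse lookups of the server resolve (D1).
reverse_name() {
  echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Live checks against the running resolver; only run when invoked with --live.
run_live_checks() {
  # Resolvers macOS is actually using; scutil prints lines like
  # "  nameserver[0] : 192.168.1.10", so the address is the third field.
  in_use=$(scutil --dns | awk '/nameserver\[[0-9]+\] :/ { print $3 }' | sort -u | tr '\n' ' ')
  if resolvers_ok "$in_use" "$GATEWAY_IP"; then
    echo "OK   resolvers in use are internal: $in_use"
  else
    echo "FAIL resolvers in use: '$in_use' (expected only $INTERNAL_DNS)"
  fi
  # Forward and reverse answers from the internal server must agree (D1).
  fwd=$(dig +short A "$SERVER_FQDN" @"$INTERNAL_DNS")
  rev=$(dig +short PTR "$(reverse_name "$SERVER_IP")" @"$INTERNAL_DNS")
  if [ "$fwd" = "$SERVER_IP" ]; then echo "OK   $SERVER_FQDN -> $fwd"; else echo "FAIL forward lookup gave '$fwd'"; fi
  if [ "$rev" = "$SERVER_FQDN." ]; then echo "OK   $SERVER_IP -> $rev"; else echo "FAIL reverse lookup gave '$rev'"; fi
  # OS X Server's own host-name/DNS consistency check; needs root.
  if command -v changeip >/dev/null 2>&1; then sudo changeip -checkhostname; fi
}

if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Run it as `sh dnscheck.sh --live` on the server after the internal zone is up; a FAIL on the resolver line usually means the gateway is still vending its own or the ISP's address via DHCP (B7), and a FAIL on the reverse lookup means the in-addr.arpa zone is missing the PTR record for the server.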

  • by stephan (Germany),

    stephan (Germany), Apr 19, 2015 12:21 PM in response to MrHoffman
    Level 1 (0 points)

    Dear MrHoffman, thank you very much for your effort!

     

    The network had been working before my last post, but I always got: "Set your network DNS settings to PUBLIC ISP IP to use this server", so apparently it was still not running well. After my last post I deleted the public DNS entries from my gateway, rebooted everything and got my server IP instead. After reading your post I decided to take your recommendation literally, deleted my DNS configuration and set up everything exactly following your article. Now everything appears to be running perfectly! Thank you very much for your feedback and especially your comprehensive website! In 10.10 some details are different ... unfortunately I did not take notes, otherwise I would have been happy to share them with you in order to help you update your article for 10.10.

     

    I now have my local DNS running, and set up a second server with a second DNS zone and OD replica.

     

    I learned a lot!

     

    The two biggest problems were to forget everything I thought I knew, coming from a DHCP + DNS forwarder setting, and to have the courage to delete Apple's auto-configuration settings. I usually don't trust things which supposedly configure themselves and prefer instead to learn and do it myself. So thank you for reminding me!

     

    Sorry for mentioning DynDNS. From my point of view it is not part of the equation and only complicated the discussion. (It is only active between our ISP and our domain hosting provider and stays there until we will get a static ISP IP). Obviously I did not use it at any stage in my configuration.

     

    We are not considering running mail or any major website from the server. We need a working internal network, with file sharing, backup, DNS, development server, rendering, HUGE data storage and sometimes remote access ... at least for now. Major websites and mail services run over our domain hosting provider. They have much more bandwidth.

     

    B3 ... our server always had a static IP, but we now switched to a DHCP network with DHCP IP registrations for all hosts and static IP or DHCP with manually configured IP configuration on the clients. (We keep the network DHCP for guests, mobile devices, ...).

     

    B4 ... Following your suggestion we did not open the ports for DNS on the GATEWAY.

     

    Although, with your help, everything is running fine now, I still would like to ask you some final questions:

     

    1) Coming from a DHCP + DNS forwarder setting, I learned a long time ago, at a very basic level, that you need to specify an external DNS server in your client/router/... in order to let every machine on your local network know where to ask for address translations. Now we have a local network with its domain and internal DNS server. But how is external DNS translation working? Is it also provided by our internal DNS server? How does it know the addresses of the DNS root servers, where to ask about external translations? I did not tell any machine in the network how to connect to them....

     

    2) I also have questions regarding domain/zone names; they are slightly off topic, but I am asking. In a normal setting you use DOMAIN.TLD as your domain and your hostname completes the address to HOSTNAME.DOMAIN.TLD, and your DNS zone is DOMAIN.TLD. If you used SUBDOMAIN.DOMAIN.TLD as your internal domain, your address would be HOSTNAME.SUBDOMAIN.DOMAIN.TLD. This sounds logical ... (unfortunately Apple's configuration assistant does not help very much; I think it configured my server with hostname SUBDOMAIN.DOMAIN.TLD, and the DNS zone was also SUBDOMAIN.DOMAIN.TLD). Now everything is simpler!

     

    2a) The search domain, which has to be configured all over our internal network, is going to be the name of our DNS zone: DOMAIN.TLD or SUBDOMAIN.DOMAIN.TLD and not WWW.DOMAIN.TLD or WWW.SUBDOMAIN.DOMAIN.TLD, since WWW would already be a host!?


    2b) I understand that if we want to get an SSL certificate, we have to get a certificate for the zone (DOMAIN.TLD) and not the "FQDN" of the server (SERVER.EXAMPLE.TLD), since we would want to certify that we own the domain and the host is included, but not only the host. Is this right?


    2c) In case you have a "Split-Horizon or Split-Brain" setting. Your SSL certificate on your server would certify on the internal network as well as on the external network (In case you share a website from your server on the external network) that you own the domain? Is that right? We will use this configuration. And only out of curiosity how is that working in case of your preferred DNS configuration with EXAMPLE.NET as internal domain and EXAMPLE.COM on the external network?


    Thank you very much and compliments again for your comprehensive website with all the informative articles about DNS related to Mac environments.
