Should I have external IP in the DNS page ?

Thanks for your reply.

So, basically, you are telling me that it's a good thing that I see my internal IP on the DNS page, and not the public one ?

In fact, I already use a subdomain for this mac server. I recorded an A entry in my dns provider linking this particular subdomain to my public IP. All the others subdomains and the domain itself are linked to another server with another public IP.

In server.app, I only have a primary zone (subdomain.domain.com), a record linking the host name (= subdomain.domain.com) to the internal static IP of the server, and a reverse one. Does it seem ok to you ? Or should I change the hostname to something like sth.subdomain.domain.com ?

Thanks for your reply, and sorry if I misunderstand a bit or if I don't use the rights words, english is not my mother tongue.

By "linking the host name to the internal server IP address", I was referring to a A record.

So, I'm getting a bit further in my understanding of the DNS setup.

I just have another question. I have a A record in my DNS provider like this : subdomain.domain.com IN A 82.229.XXX.XXX, which is my router IP address.

I wonder if it's possible to use this subdomain as the host name of my mac server, and also my internal name server ?

When I try this, with my hostname and primary zone being subdomain.domain.com (plus A record and PTR on private IP), the DNS setup seems to work correctly (cmd host with hostname and private IP, displayed public host name in server.app, dig, changeip etc), but I am not able to use remote services such as Contacts on a device not connected to the local network. It says that credentials are not valid when I try to log in on my iPhone for example (but they should be). And I can only use network file sharing with afp, smb won't work.

But, if I use a host name before the subdomain, such as server.subdomain.domain.com, with subdomain.domain.com as primary zone, then everything works, lan filesharing, VPN, Contacts, cal etc, except that there's no public host name in the internet reachability, only my router IP address.

So, what am I missing ? I am bit confused by the fact that, in the first case, everything seems to be ok but is clearly not, and in the second case, it doesn't seem to be perfectly set up, but things work...

Thanks John for your reply.

In both cases I described in my previous message, I do have the Open directory server setup on the same mac, i.e. on my internal DNS server.

For testing, I use a macbook air on lan, and a iPhone which connects remotely with 4G. The macbook air first DNS server is the server IP private address.

I put Google IP as forwarding server in server.app and the mac server looks to its own IP address to resolve DNS before.

And in both cases the Open Directory server name is the same as the host name...

The iPhone doesn't use Open directory except for the credentials when trying to connect to an OS X server account, right ?

I really can't understand what's wrong. With subdomain.domain.com being everything (my hostname, DNS server, Open Directory server, primary zone, and the DNS of my router), I can't connect locally with my macbook air with "Add an OS X server account" in system pref.

The macbook sees the network, I can get the SSL certificate, but when entering OD credentials, it tells me that they are invalid. With this messages in the password error log :

Oct 26 2015 15:04:57 539179us Requested SASL mechanism not loaded: SMB-NT

Oct 26 2015 15:08:40 449964us 'algorithm' must be 'md5' or 'md5-sess'

Ok.

So I successfully connected to the server locally with a local account and with a network account, both with AFP and SMB (I couldn't yesterday with SMB if I remember well).

The macbook air is not bound to the server. I tried a few days ago, but I could only get an anonymous binding, so I stop trying it.

It's a root self-signed certificate (word to word translation from french), not a trusted one.

I checked the certificates...

I have three certificates. The two first ones are automatically generated (IntermediateCA_subdomain.domain.com_1), one of them is a 'Code Signing Certificate'.

The third one is a root self-signed certificate (word to word translation from french), not a trusted one. I created it after having watched the Todd Olthoff videos... I dont know much about certificates 🙂

Anyway, it doesn't matter which one I use for adding an OS X account on client, locally or remotely. In any case, it tells me that credentials are not valid.

And now I notice that I can connect locally (with the MBA) and remotely (iPhone 4G) to CalDAV and CardDAV by adding account for each service with my OD credentials.

But it still doesn't work if I try to connect by adding an OS X server account to get both of them simultaneously...

I can bind anonymously to OD with my MBA. Green light.

And add later a network account, and then log in to my MBA with this network account.