Malcolm McLeary

Q: What services can I run on an Open Directory Replica?

Hi Guys,

I've got a Mac mini running OS X 10.11 and Server App supporting a small office and I'd like to set up a 2nd machine and share the load ... split the services between the two machines.

The 2nd Mac mini is up and is running as an Open Directory Replica and Secondary DNS but I'd like to know if there are restrictions/limitations on which services will work on an ODR or if there are any tricks to getting them working.

On the ODR I have enabled the Mail service and it seems to be behaving with existing Network users.

I have enabled VPN but it only allows the local admin account to authenticate. If I choose All Users or selectively add Network Accounts I get authentication failures. Accessing the VPN on the ODM works fine. The VPN service itself is working on both boxes but it seems that only the ODM will authenticate Network users.

Cheers, Malcolm

Posted on Aug 26, 2016 7:30 PM


  • by Strontium90, Aug 27, 2016 3:37 AM in response to Malcolm McLeary
    Level 5 (4,067 points)
    Servers Enterprise

    Nice work on building a redundant infrastructure. As you discovered, services like OD and DNS are designed to integrate well across devices. File Service, network homes (if needed), and Time Machine are also good tools to split across the devices to help with load balancing.

    Regarding VPN, it is really the only service I can think of that needs a little adjustment.

    If you have multiple Open Directory servers and you want to allow a Replica Server to run VPN, you will discover that you will fail to connect with the following two error messages:

      DSAuth plugin: Could not retrieve key agent account information.

      DSAuth plugin: MPPE key required, but its retrieval failed.

    To resolve this issue follow these steps:

    1:  Connect to the Open Directory Master.
    2:  Launch Server.app on the Open Directory Master.
    3:  Select Users from the sidebar.
    4:  From the Server.app’s View menu, choose Show System Accounts...
    5:  In the list of users, find the VPN MPPE Key Access User and delete the account. Yes, delete it.
    6:  Connect to your Open Directory Replica.
    7:  Using the Terminal application, run the following command:

        sudo vpnaddkeyagentuser /LDAPv3/127.0.0.1

    8:  You will be asked to enter the Directory Admin’s user name (commonly diradmin) and his password.

        Enter admin name for node /LDAPv3/127.0.0.1:
        Password:

    9:  Stop and/or start the VPN service on the Open Directory Replica and try connecting again.

    Hope this helps

    Reid
    Apple Consultants Network
    Author - "El Capitan Server – Foundation Services"
    Author - "El Capitan Server – Control & Collaboration"
    Author - "El Capitan Server – Advanced Services"
    :: Exclusively available in Apple's iBooks Store

  • by Malcolm McLeary, Aug 27, 2016 5:42 PM in response to Strontium90
    Level 1 (69 points)
    Servers Enterprise

    Hi Reid,

    Unfortunately the situation is unchanged after doing as you have suggested.

    When I connect with my account I get the following ...

    Sun Aug 28 10:18:06 2016 : rcvd [CHAP Response id=0xe0 <7d4e6369718c0b5d75fbccfa420b36cc000000000000000005255a7bea37ca734a03190a61fc29 30684bf8e156b6647d00>, name = "malcolm"]
    Sun Aug 28 10:18:06 2016 : sent [CHAP Failure id=0xe0 ""]
    Sun Aug 28 10:18:06 2016 : CHAP peer authentication failed for malcolm
    Sun Aug 28 10:18:06 2016 : sent [LCP TermReq id=0x2 "Authentication failed"]
    Sun Aug 28 10:18:06 2016 : Connection terminated.
    Sun Aug 28 10:18:06 2016 : L2TP disconnecting...

    When I connect with the admin account I get ...

    Sun Aug 28 10:18:40 2016 : rcvd [CHAP Response id=0x24 <0dc65ac3bcb740c0aeba6f70e5a6fd880000000000000000dfca17d19b7b49ef923f98ccf4e0b1 9a7ad06735830f5bc700>, name = "admin"]
    Sun Aug 28 10:18:40 2016 : sent [CHAP Success id=0x24 "S=982DAB6B2476C4A71520E0A3266085AFC9DD30C3 M=Access granted"]
    Sun Aug 28 10:18:40 2016 : CHAP peer authentication succeeded for admin
    Sun Aug 28 10:18:40 2016 : DSAccessControl plugin: User 'admin' authorized for access

    Fortunately it still works for Network Accounts on the ODM.

    Cheers, Malcolm
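    The two log excerpts above, together with the DSAuth messages Reid quoted, are what an admin has to go on when VPN on a replica misbehaves. The script below is an added example, not something posted in this thread and not part of OS X Server: it reads pppd/vpnd log lines and reports per-user CHAP success/failure counts, and separately flags whether either DSAuth key-agent/MPPE message is present, since that pair (rather than a plain CHAP failure) is the signature of the missing VPN MPPE Key Access user that vpnaddkeyagentuser is meant to repair. The embedded log lines are constructed to match the format shown in the thread, and the log path named in the usage comment is an assumption to be checked against Server.app's Logs view.

```shell
#!/bin/sh
# Added example (not from the thread, not part of OS X Server): triage VPN
# authentication from pppd/vpnd log lines.

# Print "user successes failures" for every user that reached CHAP
# authentication, one per line, sorted by user. Reads log lines on stdin.
vpn_auth_summary() {
    awk '
        /CHAP peer authentication succeeded for / { ok[$NF]++;  seen[$NF] = 1 }
        /CHAP peer authentication failed for /    { bad[$NF]++; seen[$NF] = 1 }
        END { for (u in seen) printf "%s %d %d\n", u, ok[u] + 0, bad[u] + 0 }
    ' | sort
}

# Exit 0 if stdin contains either DSAuth message from Reid's post, which
# means this server cannot read the VPN MPPE Key Access user's key (the
# condition vpnaddkeyagentuser addresses); exit 1 otherwise.
vpn_keyagent_error() {
    grep -q -e 'DSAuth plugin: Could not retrieve key agent account information' \
            -e 'DSAuth plugin: MPPE key required, but its retrieval failed'
}

# Constructed sample in the format the thread shows; the CHAP Response
# payloads are elided because they carry nothing the triage needs.
sample_log() {
    cat <<'EOF'
Sun Aug 28 10:18:06 2016 : rcvd [CHAP Response id=0xe0 <...>, name = "malcolm"]
Sun Aug 28 10:18:06 2016 : sent [CHAP Failure id=0xe0 ""]
Sun Aug 28 10:18:06 2016 : CHAP peer authentication failed for malcolm
Sun Aug 28 10:18:06 2016 : sent [LCP TermReq id=0x2 "Authentication failed"]
Sun Aug 28 10:18:40 2016 : rcvd [CHAP Response id=0x24 <...>, name = "admin"]
Sun Aug 28 10:18:40 2016 : sent [CHAP Success id=0x24 "S=... M=Access granted"]
Sun Aug 28 10:18:40 2016 : CHAP peer authentication succeeded for admin
Sun Aug 28 10:18:40 2016 : DSAccessControl plugin: User 'admin' authorized for access
EOF
}

# Usage: sh vpn_triage.sh /var/log/ppp/vpnd.log
# (that path is an assumption; confirm it in Server.app's Logs view).
# With no argument the constructed sample is analysed instead.
if [ "$#" -gt 0 ]; then
    vpn_auth_summary < "$1"
    if vpn_keyagent_error < "$1"; then
        echo "DSAuth key-agent/MPPE error present: VPN MPPE Key Access user is missing or unreadable on this server"
    fi
else
    sample_log | vpn_auth_summary
fi
```

    On Malcolm's sample the summary shows admin succeeding and malcolm failing with no DSAuth line in sight, which is why the script treats the two checks separately: a CHAP failure without the key-agent messages points at the account or the authenticator the replica is using, not at the MPPE key.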

  • by John Lockwood, Sep 1, 2016 3:31 AM in response to Malcolm McLeary
    Level 6 (9,165 points)
    Servers Enterprise

    It is possible to run additional services on an OD Replica but in nearly all cases this has nothing really to do with being a replica server.

    One case that has not been mentioned yet is the fact that both the OD Master and the OD Replica will act as NTP time servers. They will also sync to each other and any OD client Mac can sync to them. This ensures all of them have their clocks in sync. In order for Kerberos to work the clocks must be in reasonably close synchronisation; if an individual machine has a clock that is significantly different, this is a common cause of Kerberos failing.

    Active Directory does something very similar but actually will change the AD client computer to use the AD server(s) as the NTP server automatically - something OD binding does not seem to do, although you can automate this yourself in your own scripts, e.g. a script to both bind to OD and set the NTP server setting on the client.

  • by Tearjerker, Sep 1, 2016 6:43 AM in response to Malcolm McLeary
    Level 1 (59 points)

    Hi!

    I have nearly the same setup:

    Box1:
    OD Master
    File Sharing
    Time Machine Server
    Profile Manager

    Box2:
    OD Replica
    Apple Remote Desktop - Task Server

    I have an important hint for you regarding Profile Manager:

    When you plan to update your OD Master Server (e.g. because of an OS X update or Server update), shut down the OD replica server first, before you shut down your OD master! Otherwise your Network users will be "moved" to the Replica OD and all your configurations in PM are lost (e.g. VPP settings) during the update process!

    1. Shut down OD Replica
    2. Shut down OD Master and the rest of the services
    3. Do your updates
    4. Start OD Master before starting OD Replica

    Cheers!