L2TP based VPN with OpenS/WAN server, OpenSSL machine certificates

I cannot seem to get OS X to accept the machine certificates for a VPN connection using Internet Connect.
I have generated OpenSSL X.509 certificates for the server and client side; the same process has generated certificates that work just dandy with Windows XP. The certificates have "subjectAltName=" key/value pairs assigned to the IP address of the VPN server.
Once generated I import the certificates into OS X (you have to run Keychain Access with "sudo" from the console to get this to work). The certificate authority seems to be OK, the CA has been added to the x509Roots, and when I examine the machine certificate for my OS X install using Keychain Access the certificate is marked valid.
I generated the hash link for the certificate:
ln -s /etc/racoon/certs/certname.pem /etc/racoon/certs/$(openssl x509 -noout -hash -in certname.pem).0
From the console I run:
openssl verify certname.pem
It fails unless I specify -CApath /etc/racoon/certs, then it passes.
When Internet Connect is set up to use the certificates I can see in the OpenS/WAN logs that the OS X box connects and negotiates IPsec to MAIN_3. At this point pluto logs the following:
ignoring informational payload, type INVALIDCERTAUTHORITY
This repeats for several retries before the OS X side gives up. No useful logging is generated on the OS X side for me to debug, and everything from the OpenS/WAN side seems to be kosher; it appears to be an oakley/racoon issue with validating the machine certificate provided by OpenS/WAN to the OS X side, with the OS X side unable to verify the certificate.
Has anyone solved this? Any ideas on how to improve the logging output from OS X so I can see what racoon/oakley is carping about in the certificate files it is using?

I'm having the same problem. I've got a machine cert on my Mac OS X 10.4.6 client that was issued by my Win2003 CA. When I try to connect, it just hangs and then dies. In the Security log on the 2003 L2TP server I even see a successful IKE negotiation (MS Event IDs 541 and 543 below).
EventID 541:
IKE security association established.
Mode:
Key Exchange Mode (Main Mode)
Peer Identity:
Certificate based Identity.
Peer Subject C=US, S=City, L=State, O=Company, OU=group, CN=machine.subdomain.company.com, E=[email protected]
Peer SHA Thumbprint peerthumbrint
Peer Issuing Certificate Authority O=company.com, CN=Certificate Authority
Root Certificate Authority O=company.com, CN=Certificate Authority
My Subject CN=server.subdomain.company.com
My SHA Thumbprint mythumbrint
Peer IP Address: x.x.x.x
Filter:
Source IP Address x.x.x.x
Source IP Address Mask 255.255.255.255
Destination IP Address x.x.x.x
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr x.x.x.x
IKE Peer Addr x.x.x.x
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
Parameters:
ESP Algorithm Triple DES CBC
HMAC Algorithm SHA
Lifetime (sec) 3600
MM delta time (sec) 1
EventID 543:
IKE security association ended.
Mode: Key Exchange (Main mode)
Filter:
Source IP Address X.X.X.X
Source IP Address Mask 255.255.255.255
Destination IP Address X.X.X.X
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr X.X.X.X
IKE Peer Addr X.X.X.X
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
At least give me some methods to debug with.
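An added example, not code from either post above: the shell script below rebuilds the certificate-side checks the first post describes with throwaway material, so the behaviour can be seen without an OpenS/WAN server or an OS X client. It creates a root CA, issues a gateway certificate whose subjectAltName carries the gateway's IP address, installs the CA under the <subject-hash>.0 name that -CApath lookups (openssl verify and racoon alike) use, and then runs openssl verify with and without -CApath, plus an identity check of the peer address against the SAN. The CA name, vpn.example.test, 203.0.113.10 and the $WORK directory are assumptions; $CERTDIR stands in for /etc/racoon/certs.

```shell
#!/bin/sh
# Added example, not code from the posts above. Throwaway CA + gateway
# certificate (IP in the SAN), racoon-style <subject-hash>.0 link, and
# openssl verify with and without -CApath. Assumed names: the CA subject,
# vpn.example.test, 203.0.113.10; $CERTDIR stands in for /etc/racoon/certs.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CERTDIR="$WORK/certs"
VPN_IP="${VPN_IP:-203.0.113.10}"

# One config, two extension profiles: ca_ext for the self-signed root,
# srv_ext for the gateway certificate (the IP goes into the SAN, not the CN).
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = IP:$VPN_IP
EOF
}

make_ca() {
    mkdir -p "$CERTDIR"
    write_config
    openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=Example VPN Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

make_server_cert() {
    openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=vpn.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions srv_ext \
        -out "$WORK/server.pem" 2>/dev/null
}

# -CApath lookups find a CA by the hash of its subject name, so the link
# is named after the CA (not the machine cert) via `openssl x509 -hash`.
install_hash_link() {
    cp "$WORK/ca.pem" "$CERTDIR/ca.pem"
    hash=$(openssl x509 -noout -hash -in "$CERTDIR/ca.pem")
    ln -sf "$CERTDIR/ca.pem" "$CERTDIR/$hash.0"
    echo "$hash"
}

# Default store knows nothing about our CA: the plain `openssl verify`
# failure from the post.
verify_default() {
    openssl verify "$WORK/server.pem" >/dev/null 2>&1 && echo OK || echo FAIL
}

verify_with_capath() {
    openssl verify -CApath "$CERTDIR" "$WORK/server.pem" >/dev/null 2>&1 \
        && echo OK || echo FAIL
}

# Identity check on top of the chain check. $1 is "ip" or "hostname", $2 the
# value the peer is expected to present; a good chain with the wrong
# address or name is still a failure.
verify_identity() {
    openssl verify -CApath "$CERTDIR" "-verify_$1" "$2" "$WORK/server.pem" \
        >/dev/null 2>&1 && echo OK || echo FAIL
}

san_of_server() {
    openssl x509 -noout -text -in "$WORK/server.pem" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

run_demo() {
    make_ca
    make_server_cert
    printf 'CA hash link:    %s.0\n' "$(install_hash_link)"
    printf 'server SAN:      %s\n' "$(san_of_server)"
    printf 'verify, default: %s\n' "$(verify_default)"
    printf 'verify, -CApath: %s\n' "$(verify_with_capath)"
    printf 'peer %s:   %s\n' "$VPN_IP" "$(verify_identity ip "$VPN_IP")"
    printf 'peer 192.0.2.1:  %s\n' "$(verify_identity ip 192.0.2.1)"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then run_demo; fi
```

Run it with RUN_DEMO=1 sh vpn-certs.sh (file name assumed). Two things worth noticing: the hashed link has to point at the CA certificate, because that is what the verifier must find when it walks the chain from the machine certificate upwards; and a chain that verifies still fails the identity check when the address the client dialled is not in the SAN, which is the same class of failure as the "name on the security certificate ... does not match" messages in the Outlook posts further down this page.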

Similar Messages

  • Intermittent proxy error "There is a problem with the proxy server's security certificate. Outlook is unable to connect to the proxy server "

    Hi all,
    From time to time (at least once a day), the following message pops up on the user's screen:
    "There is a problem with the proxy server's security certificate. Outlook is unable to connect to the proxy server . Error Code 80000000)."
    If we click "OK" it goes away and everything continues to work although sometimes Outlook disconnects. It is quite annoying...
    Any ideas?
    Thank you in advance

    Hi,
    For the security alert issue, I'd like to recommend you check the name in the alert window and confirm that the name is in your certificate.
    Additionally, to narrow down the cause, when the Outlook client cannot connect again, I recommend you first check the connectivity by using Test E-mail AutoConfiguration. For more information, you can refer to the following article:
    http://social.technet.microsoft.com/Forums/en-US/54bc6b17-9b60-46a4-9dad-584836d15a02/troubleshooting-and-introduction-for-exchange-20072010-autodiscover-details-about-test-email?forum=exchangesvrgeneral
    Thanks,
    Angela Shi
    TechNet Community Support

  • There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site "Mailserver"

    Good day Guys
    First of all I am not an Exchange expert, and I might be asking a very stupid question, but please bear with me. :)
    While I was on leave our mail server fell over and the company got a specialist to help out for the time being.
    We were/are on Microsoft Exchange 2007, which fell over, and the specialist was able to recover as much data as he could.
    They then installed Exchange 2013 and tried to migrate everything from 2007 to 2013 and not everything migrated over.
    But the problem is, Outlook Anywhere was enable on 2007 and worked a 100% (before the disaster)
    With Exchange 2013 I get the following error message when trying to connect With Outlook 2013, using an external connection:
    "There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site "Mailserver"
    Outlook is unable to connect to the Proxy server. (Error Code 0)"
    Has anyone had the Similar when migrating over from 2007 to 2013 or is this an Issue on IIS and nothing to do with Exchange migration?
    Your assistance will be greatly appreciated.

    Hi,
    Firstly, I would suggest we use Exchange 2013 FE as the Outlook Anywhere proxy server.
    For the certificate issue, it mostly occurs because the host name that Outlook is trying to access does not match the certificate SAN. Please check this point. If they do not match, you can change the host name by referring to the following article:
    https://support.microsoft.com/kb/940726/en-us?wa=wsignin1.0
    Thanks,
    Simon Wu
    TechNet Community Support

  • Problem with client auth from JSSE client with OpenSSL server

    I tried to connect a JSSE client to an OpenSSL server with clientAuth.
    This is what I did:
    Using the openssl req command I created an X509 certificate for the server and imported it into the Java keystore.
    The communication works fine without client authentication.
    To enable client auth I created a client private/public key pair using keytool, exported the public key to a file client.public, and used it in the OpenSSL server.
    This is how I invoke the client:
    java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.private -Djavax.net.ssl.keyStorePassword=password EchoClient
    After which i get following error in server
    SSL3 alert write:fatal:handshake failure
    SSL_accept:error in SSLv3 read client certificate B
    SSL_accept:error in SSLv3 read client certificate B
    ERROR
    17246:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:1666:
    shutting down SSL
    CONNECTION CLOSED
    The client debug says it is receiving a certificate request. What could be the problem? Can anybody help?

    I also have that problem. I was trying to configure SSL in Apache on a Windows XP machine, but this error occurs. Is there anyone who can help with it?

  • VPN with OS X Server 10.2.8

    Is it possible to create a VPN with OS X Server 10.2.8? I can't find anything about it in Mac Help or anywhere else.
    OS X Server G4   Mac OS X (10.2.x)  

    Issue resolved.

  • Help!  VPN with Leopard & Leopard server isn't working!

    Hello all,
    I have tried (and tried, and tried) to get VPN to work on Leopard Server v10.5.1 and I cannot get this to work no matter what I have tried. Here is my setup:
    Router:
    New Airport Extreme Base station running firmware v7.1.1. I have my server open to the world (for this test)
    Server:
    Mac Mini running v10.5.1 Server. Both VPN L2TP and PPTP are set up and configured. NAT is NOT turned on; the AEBS is doing DHCP for me (should the server be doing that?).
    When I try to connect via PPTP here is my log:
    2007-11-23 10:41:22 EST Incoming call... Address given to client = 192.168.4.121
    Fri Nov 23 10:41:22 2007 : Directory Services Authentication plugin initialized
    Fri Nov 23 10:41:22 2007 : Directory Services Authorization plugin initialized
    Fri Nov 23 10:41:22 2007 : PPTP incoming call in progress from '208.xxx.xxx.xxx'...
    Fri Nov 23 10:41:23 2007 : PPTP connection established.
    Fri Nov 23 10:41:23 2007 : using link 0
    Fri Nov 23 10:41:23 2007 : Using interface ppp0
    Fri Nov 23 10:41:23 2007 : Connect: ppp0 <--> socket[34:17]
    Fri Nov 23 10:41:23 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
    Fri Nov 23 10:41:26 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
    Fri Nov 23 10:41:29 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
    Fri Nov 23 10:41:32 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
    Fri Nov 23 10:41:35 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
    Fri Nov 23 10:41:38 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
    Fri Nov 23 10:41:41 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
    Fri Nov 23 10:41:44 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
    Fri Nov 23 10:41:47 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
    Fri Nov 23 10:41:50 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
    Fri Nov 23 10:41:53 2007 : LCP: timeout sending Config-Requests
    Fri Nov 23 10:41:53 2007 : Connection terminated.
    Fri Nov 23 10:41:53 2007 : PPTP disconnecting...
    Fri Nov 23 10:41:53 2007 : PPTP disconnected
    2007-11-23 10:41:53 EST --> Client with address = 192.168.4.121 has hungup
    I can see that my system is receiving the request for VPN, but my workstation isn't responding it seems. I have had this working under 10.4, but cannot get server 10.5 to work at all.
    Any ideas?

    Hi All,
    Exactly the same problem here, but with one VPN it works most of the time:
    Sun Nov 25 14:50:27 2007 : PPTP connecting to server '10.0.4.35
    10.0.4.35' (10.0.4.35)...
    Sun Nov 25 14:50:28 2007 : PPTP connection established.
    Sun Nov 25 14:50:28 2007 : using link 0
    Sun Nov 25 14:50:28 2007 : Using interface ppp0
    Sun Nov 25 14:50:28 2007 : Connect: ppp0 <--> socket[34:17]
    Sun Nov 25 14:50:28 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
    Sun Nov 25 14:50:31 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
    Sun Nov 25 14:50:34 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
    Sun Nov 25 14:50:37 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
    Sun Nov 25 14:50:40 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
    Sun Nov 25 14:50:43 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
    Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfReq id=0x1 <asyncmap 0xffffffff> <mru 1460> <magic 0xe14a182f> <quality lqr 00 00 17 70> <auth chap MS-v2>]
    Sun Nov 25 14:50:43 2007 : lcp_reqci: returning CONFREJ.
    Sun Nov 25 14:50:43 2007 : sent [LCP ConfRej id=0x1 <quality lqr 00 00 17 70>]
    Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
    Sun Nov 25 14:50:43 2007 : sent [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0x52583874>]
    Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
    Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
    Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
    Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
    Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
    Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfReq id=0x2 <asyncmap 0xffffffff> <mru 1460> <magic 0xe14a182f> <auth chap MS-v2>]
    Sun Nov 25 14:50:43 2007 : lcp_reqci: returning CONFACK.
    Sun Nov 25 14:50:43 2007 : sent [LCP ConfAck id=0x2 <asyncmap 0xffffffff> <mru 1460> <magic 0xe14a182f> <auth chap MS-v2>]
    Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0x52583874>]
    Sun Nov 25 14:50:43 2007 : sent [LCP EchoReq id=0x0 magic=0x52583874]
    Sun Nov 25 14:50:43 2007 : rcvd [LCP EchoReq id=0x0 magic=0xe14a182f 00 00 00 00 e1 4a 18 2f]
    Sun Nov 25 14:50:43 2007 : sent [LCP EchoRep id=0x0 magic=0x52583874 00 00 00 00 e1 4a 18 2f]
    Sun Nov 25 14:50:43 2007 : rcvd [CHAP Challenge id=0x1 <33373237373537323934343739393131>, name = ""]
    While with other VPN it does not work most of the time:
    Sun Nov 25 14:49:52 2007 : PPTP connecting to server '*******************' (*************)...
    Sun Nov 25 14:49:52 2007 : PPTP connection established.
    Sun Nov 25 14:49:52 2007 : using link 0
    Sun Nov 25 14:49:52 2007 : Using interface ppp0
    Sun Nov 25 14:49:52 2007 : Connect: ppp0 <--> socket[34:17]
    Sun Nov 25 14:49:53 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
    Sun Nov 25 14:49:56 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
    Sun Nov 25 14:49:59 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
    Sun Nov 25 14:50:02 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
    Sun Nov 25 14:50:05 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
    Sun Nov 25 14:50:08 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
    Sun Nov 25 14:50:11 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
    Sun Nov 25 14:50:14 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
    Sun Nov 25 14:50:17 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
    Sun Nov 25 14:50:20 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
    Sun Nov 25 14:50:23 2007 : LCP: timeout sending Config-Requests
    Sun Nov 25 14:50:23 2007 : Connection terminated.
    Sun Nov 25 14:50:23 2007 : PPTP disconnecting...
    Sun Nov 25 14:50:23 2007 : PPTP disconnected

  • Need help setting up VPN with OS X Server 2.2

    I just bought OS X Server in the hopes that it would be a simpler way to set up VPN for use with my iPhone.  I've tried a couple third party VPN configuration tools before with older versions of OSX but was never able to get it working.  Now I'm running 10.8.2 and Server 2.2.  I've made some progress, but I'm not quite there yet.
    Here's what I have set up in the VPN window:
    And the user I created:
    The User services show that VPN is selected:
    I let the Server app configure my Airport Extreme, and it looks like it set up the port mapping:
    Here are my iPhone settings
    -Server is set to my iMac's public IP address assigned by my ISP
    -Password is the password I gave the user account
    When I turn the VPN on in the iPhone I get:
    "Connecting..."
    "Starting..."
    "Authenticating..."
    then an error:
    "VPN Connection
    Authentification failed."
    What am I missing?
    Thanks,
    Sean

    Hi,
    1701 UDP L2TP (l2f) - Mac OS X Server VPN service
    1723 TCP PPTP (pptp) - Mac OS X Server VPN service
    Try L2TP

  • Setting up VPN with OS X Server/Netgear FVS318 and remote offices

    I am a newbie to VPN and am hoping someone can help get the config right. We have an Xserve (Server 10.4) and a range of G5's (OS 10.4) in 3 remote offices and want to setup a VPN between the remote offices back to the xServe. All 3 remote office are behind their own WGT624 router. Our setup looking like this:
    Remote Office G5 (OS 10.4)
    |
    |
    Netgear WGT624 (with dynamic IP address supplied by ISP)
    |
    |
    Cable Modem
    |
    |
    **INTERNET**
    |
    |
    Cable Modem
    |
    |
    Netgear FVS318 (v1) with static IP of 61.xxx.xxx.xxx
    |
    |
    xServe (OS X 10.4 Server)
    Can someone please walk me through the setup we need at head office and how we setup the branch office.
    Thanks

    Hi,
    1701 UDP L2TP (l2f) - Mac OS X Server VPN service
    1723 TCP PPTP (pptp) - Mac OS X Server VPN service
    Try L2TP

  • Trouble with opening/creating Server Model Diagrams

    I created server model diagrams by drag-and-dropping specific tables from the Server Model Navigator. Is it supposed to take a LONG time
    for this step (e.g., 3 whole minutes for one table) or should it be basically "immediate"? They eventually made it, but seemed unreasonably long!
    I saved the diagrams, quit, and come back to the repository, see the diagram names, click on a diagram, verify the elements inside, everything
    looks good -- until I try to open the diagram, it (Design Editor) locks up every time!!
    Does anybody know why I'm having either one of the above problems? Is there any setting I need to configure?
    (By the way, I'm using Designer 6i with an Oracle 8.1.7 database.)
    Thanks in advance.
    Brenda

    Could be your memory. Designer takes a lot to run, as you may know. Minimum should be 256 MB. Close all apps and try to open the diagram again. I have had lots of trouble with my Designer locking up!

  • Creating VPN with OS X Serve 10.4.4 from iMac Intel

    Hi all,
    Has anyone else had problems creating a VPN (PPTP) connection with a Mac OS X Server (10.4.4)?
    Every time I get the following error in my connection log (in Internet Connect):
    Received bad configure-nak/rej
    And after 1 minute the connection closes...
    Xander

    I have the same problem when connecting from home on my iMac Core Duo to a PPTP server running on Mac OS X Server 10.3.8 at my office. My iMac connects fine for at least 60 seconds but then within the next 5 seconds I get disconnected. The VPN server has been working fine for months and I can still connect with my iBook running 10.3.9 and my old Power Mac G4 running 10.3.9 worked fine too up until I replaced it with the iMac. All of these machines are using the built-in VPN client configured using Internet Connect.
    What types of VPN connections (PPTP, IPSec, etc.) and servers (OS X Server, Cisco, SonicWALL, etc.) are you all trying to connect to and what VPN client are you using?
    -- Dave

  • There is a problem with the proxy server's security certificate (internal Outlook 2013 users)

    I am receiving the above message for internal Outlook 2013 users when they open Outlook. Despite this message, Outlook is fully functional. External OA users do not see this message. We are using an SRV record for our autodiscover and pointing it to the
    name on the single cert we have. I've also already changed the outlookprovider record in Exchange. Any ideas?
    TIA!

    Hi Alceryes,
    According to the error message, Outlook is unable to connect to the proxy server (Error Code 10),
    it seems to be an issue on the certificate side.
    FLAG_CERT_CN_INVALID 0x00000010
    More details to see following KB:
    http://support.microsoft.com/kb/923575
    Would you like to tell me the reason that why you are using SRV record for Autodiscover?
    I found a FAQ on Autodiscover for your reference, hope it is helpful:
    https://social.technet.microsoft.com/Forums/office/en-US/54bc6b17-9b60-46a4-9dad-584836d15a02/troubleshooting-and-introduction-for-exchange-20072010-autodiscover-details-about-test-email?forum=exchangesvrgeneral
    Thanks
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Mavis Huang
    TechNet Community Support

  • Issues with VPN on 10.3 Server

    I have no problems using the VPN with 10.4 Server. I manage several of these, and the VPN works fine.
    However, with 10.3 Server it doesn't seem to work. I have two 10.3.9 servers at different offices, and with each I can connect to the VPN, I get an IP address, but I cannot access any resources through the VPN. Does anyone have any ideas about this?

    Thanks for your reply.
    I'm using PPTP. I've got it set up the same way as with 10.4 server.
    The servers are behind NAT routers, with TCP port 1723 forwarded to them.
    In each case the private IP subnet on the server is different from the one I'm connecting from.
    I'm connecting just fine to the VPN, but once I'm connected I can't connect to anything on the network.
    One thing I see in the system log when I try to make a connection is this: "Protocol-Reject for unsupported protocol."
    What do you think?

  • Unable to access gateway and DNS via VPN (L2TP) with Snow Leopard Server

    Summary:
    After rebooting my VPN server, I am able to establish a VPN (L2TP) connection from outside my private network. I am able to connect to (ping, SSH, …) the gateway only until the first client disconnects. After that I can perfectly access all the other computers of the private network, but I cannot access the private IP address of the gateway.
    Additionally, during my first VPN connection, my DNS server, which is on the same server, is not working properly over VPN. I can access it with the public IP address of my gateway. I can access it from inside my private network. A port scan shows that port 53 is open, but a dig returns a timeout.
    Configuration:
    Cluster of 19 Xserve3.1 - Snow Leopard Server 10.6.2
    Private network 192.168.1.0/255.255.255.0 -> domain name: cluster
    -> 1 controller, which act as a gateway for the cluster private network, with the following services activated:
    DHCP, DNS, firewall (allowing all incoming traffic for each groups for test purposes), NAT, VPN, OpenDirectory, web, software update, AFP, NFS and Xgrid controller.
    en0: fixed public IP address -> controller.example.com
    en1: 192.168.1.254 -> controller.cluster
    -> 18 agents with AFP and Xgrid agent activated:
    en1: 192.168.1.x -> nodex.cluster with x between 1 and 18
    VPN (L2TP) server distributes IP addresses between 192.168.1.201 and 192.168.1.210 (-> vpn1.cluster to vpn10.cluster). Client information contains the private network DNS server information (192.168.1.254, search domain: cluster).
    Detailed problem description:
    After rebooting the Xserve, my VPN server works fine except for the DNS. My client receives the correct information:
    Configure IPv4: Using PPP
    IPv4 address: 192.168.1.201
    Subnet Mask:
    Router: 192.168.1.254
    DNS: 192.168.1.254
    Search domain: cluster
    From my VPN client, I can ping all the Xserves of my cluster (192.168.1.1 to 18 and 192.168.1.254). If I have a look in Server Admin > Settings > Network, I have three interfaces listed: en0, en1 and ppp0 of family IPv4 with address 192.168.1.254 and DNS name controller.cluster.
    The DNS server returns timeouts when I try to do a dig from my VPN client even though I am able to access it directly from a computer inside or outside my private network.
    After I disconnect, I can see in Server Admin that the IP address of my ppp0 interface has switched to my public IP address.
    Then I can still establish a VPN (L2TP) connection, but the client receives the following information:
    Configure IPv4: Using PPP
    IPv4 address: 192.168.1.202
    Subnet Mask:
    Router: (Public IP address of my VPN server)
    DNS: 192.168.1.254
    Search domain: cluster
    From my VPN client, I can access all the other computers of my network (192.168.1.1 to 192.168.1.18) but when I ping my gateway (192.168.1.254), it times out.
    I have two "lazy" solutions to this problem: 1) configure the VPN and DNS servers on two different Xserves, 2) put the public IP address of my gateway as the DNS server address, but neither of these solutions is acceptable for me…
    Any help is welcome!!!

    I would suggest taking a look at:
    server admin:vpn:settings:client information:network route definitions.
    as I understand your setup it should be something like
    192.168.1.0 255.255.255.0 private.
    at least as a start. I just got done troubleshooting a similar issue but via two subnets:
    http://discussions.apple.com/thread.jspa?threadID=2292827&tstart=0

  • Need Help with VPN and 10.5 Server

    I am at my wits end trying to get my VPN set-up on my X-serve running 10.5 server. Here is what I have for a set-up.
    I have set-up my X-Serve as a Standard Server install.
    I have put "pinholes" in my router using the following port info:
    1701 UDP L2TP - Mac OS X Server VPN service
    1723 TCP PPTP - Mac OS X Server VPN service
    When I try to log in remotely, it says it is connecting and then comes back with "The Connection has failed. Please verify your settings and try again." I know my log-in and password are correct.
    Any help or direction at all would be VERY much appreciated. I am completely out of ideas after trying for a week. Thanks!

    hi,
    I've opened ports 47/all (called GRE), 50/all (called ESP), 1701/L2TP, 500/VPN and 4500/IKE-NAT when using L2TP for VPN. I'm not sure if 47 and 50 are related to VPN or iChat, but I guess it's VPN.
    The other ports you mentioned might be related to PPTP for VPN, which you actually don't need. Try restricting them to the ports I listed when using L2TP; try, and if it doesn't work, open 47 and 50. It is important that these two ports support both TCP and UDP because actually they are neither TCP nor UDP; they use something similar to ICMP (used for ping).
    br,
    günther

  • DNS Server Having Intermittent Issues with Open Directory

    I work for a school and we're undertaking the large task of moving from Xserves running 10.6.8 to Mac Minis running 10.9. I have a lot of experience with OS X Server (I held ACSA up until they ditched it, and ACTC through the current OS) but I've hit a fairly large snag in configuring our DNS server. We currently run DNS via an AD server that is being retired at the end of the summer, so this is the first time our DNS will be Mac-based. That said, our network is ridiculously simple as we are a very small school. For the most part it's a flat network using the same IP range for our wired and wireless internal clients (we do have a vlan for guests but that's through Aerohive). I configured the DNS by hand, recreating the entries in our AD server (there were only about a dozen) and then adding in things that should have been there in the first place (e.g. printers and some other devices with static IPs that I'd like FQDNs for). Everything seemed to be working fine...until trying to log into Open Directory accounts.
    For some background, the DNS server running 10.9 was the first server we upgraded and it was a completely clean install. We run DHCP on another Mac server currently running 10.6.8 and it does have the proper OD server listed. All DNS entries for the OD server match our current DNS server. The issue is that it's taking some users 5-6 tries to log in with their network accounts. The errors they receive range from the login window shaking to it stating the user cannot log in at this time. This seems to be worse on client machines running 10.9, but it's appearing on machines running 10.6.8-10.9.3.
    In my troubleshooting, I found that if I log in as a local user to one of those machines and do a dig for the OD server the results vary, this is where it gets weird. For example, if I dig ourodserver.ourdomain.org it will sometimes return host not found or it will sometimes resolve. If I ping the same thing it will sometimes work (even after stating it cannot resolve the host) and it will sometimes fail. If I then try a dig for the .local (e.g. ourodserver.local) it also yields the same varied results. However, on every machine that I've tested if I then open a Finder window and navigate to the server via the "Shared" menu and connect I have no trouble connecting and then magically my digs and pings in terminal work. If I revert DNS back to point to our old Windows server the issue goes away. I have meticulously combed through that server many many times now and am not seeing any missed entries. Any idea what could be causing this?

    You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
    The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
