Please advise: Mac server & OS X Server for Open Directory?

I have plans to create an Open Directory server. Please advise what kind of computer I can use for Mac OS X Server, and which Mac OS X Server version number to use?

Technically, any Mac model capable of running Mavericks (10.9.x) can be used as a Mac OS X Server system running Open Directory. That's the least of your problems, but there's not enough data in your post to tell if that's enough.
There's a world of difference between running a home server with half a dozen accounts and a 10,000 user enterprise with network accounts, network home directories, etc., etc.
You may or may not need to consider availability (e.g. run multiple Open Directory servers to manage load/failure, etc.) - a small home network might not care, an enterprise would.

Similar Messages

  • Authentication Delays / Slow Authentication for Open Directory Users

    I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
    The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
    * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
    * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
    * On a remote computer, sharing the screen using an Open Directory user takes several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
    * Connecting with AFP takes several seconds when using an Open Directory login
    * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
    * Connecting with SSH does NOT exhibit the behavior
    In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
    The history of the problem:
    Used Tiger Server for over a year = no problems
    Clean install of Leopard Server 10.5.0 back in October = no problems
    Update to Leopard Server 10.5.1 = no problems
    Then, all of a sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
    So in desperation I backed up and did a clean install today. Here's the process I used:
    0. Erase the disk
    1. Install Leopard Server 10.5.0 from the install DVD
    2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
    3. Reboot
    4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
    5. Reboot
    6. Configure DNS (see below for detailed configuration)
    7. Reboot
    8. Change role to Open Directory Master
    9. Reboot
    ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
    I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
    == Basic Configuration ==
    OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
    Services Enabled:
    DNS
    Open Directory
    (All other services are not yet enabled)
    == DNS Setup ==
    Primary Zone: mydomain.private.
    Allows zone transfer: no
    Nameservers: ns.mydomain.private.
    myserver (Machine) 10.0.22.201
    ns (Alias) myserver.mydomain.private.
    Reverse Zone: 22.0.10.in-addr.arpa.
    10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
    Accept recursive queries from the following networks:
    localnets
    Forwarder IP Addresses:
    208.67.222.222
    208.67.220.220
    == Open Directory Setup ==
    Role: Open Directory Master
    LDAP Search Base: dc=myserver,dc=mydomain,dc=private
    Kerberos Realm: myserver.mydomain.private
    == Network Configuration ==
    Configure: Manually
    IP Address: 10.0.22.201
    Subnet Mask: 255.255.255.0
    Router: 10.0.22.1
    DNS Server: 127.0.0.1
    Search Domains: mydomain.private
    == Other Stuff ==
    Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
    I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
    I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
    Hopefully one of the gurus out there will be able to help me out.
    Thanks,
    jeff

    I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principals in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
    == kdc.log ==
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    == slapd.log ==
    Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
    Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
    == sudo klist -k ==
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
    3 cifs/[email protected]
    3 cifs/[email protected]
    3 cifs/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 xmpp/[email protected]
    3 xmpp/[email protected]
    3 xmpp/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 nfs/[email protected]
    3 nfs/[email protected]
    3 nfs/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]
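
The slapd message in the post above ("No principal in keytab matches desired name") comes down to comparing the service principals the KDC issued tickets for against the rows of `klist -k`. The following is an added example, not part of the original post: the host `od1.example.test`, the realms and both sample texts are constructed for illustration and are not the poster's values.

```python
import re

# krb5kdc logs one line per ticket it issues; the service principal follows " for ".
TGS_ISSUE = re.compile(r"TGS_REQ .*ISSUE: .*\}, (?P<client>\S+) for (?P<service>\S+)\s*$")
# `klist -k` rows are "<KVNO> <principal>"; the header and ruler lines do not match.
KEYTAB_ROW = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s*$")


def split_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm); missing parts are ''."""
    name, _, realm = principal.rpartition("@")
    if not name:                      # no '@' present
        name, realm = realm, ""
    service, _, host = name.partition("/")
    return service, host, realm


def requested_services(kdc_log):
    """Service principals the KDC issued service tickets for, in first-seen order."""
    seen = []
    for line in kdc_log.splitlines():
        m = TGS_ISSUE.search(line)
        if m and m.group("service") not in seen:
            seen.append(m.group("service"))
    return seen


def keytab_principals(klist_output):
    """Distinct principals from `klist -k` output (it prints one row per key)."""
    found = []
    for line in klist_output.splitlines():
        m = KEYTAB_ROW.match(line)
        if m and m.group("principal") not in found:
            found.append(m.group("principal"))
    return found


def unmatched_services(kdc_log, klist_output):
    """Map each ticketed service lacking an exact keytab row to its near misses.

    A near miss is a keytab principal with the same service name but a
    different host or realm, which is how a hostname/realm mismatch shows up.
    The comparison is exact and case-sensitive.
    """
    keytab = keytab_principals(klist_output)
    report = {}
    for service in requested_services(kdc_log):
        if service in keytab:
            continue
        svc = split_principal(service)[0]
        report[service] = [p for p in keytab if split_principal(p)[0] == svc]
    return report


# Constructed sample input (not taken from the post).
SAMPLE_KDC_LOG = """\
Dec 30 18:21:48 od1.example.test krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.5: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, diradmin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Dec 30 18:21:52 od1.example.test krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.5: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, diradmin@EXAMPLE.TEST for ldap/od1.example.test@EXAMPLE.TEST
Dec 30 18:21:53 od1.example.test krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.5: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, diradmin@EXAMPLE.TEST for afpserver/od1.example.test@EXAMPLE.TEST
"""

SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------
   3 ldap/od1.local@OD1.LOCAL
   3 ldap/od1.local@OD1.LOCAL
   3 afpserver/od1.example.test@EXAMPLE.TEST
"""

if __name__ == "__main__":
    for service, near in unmatched_services(SAMPLE_KDC_LOG, SAMPLE_KLIST).items():
        print(f"no keytab entry for {service}; same service under: {near}")
```
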

  • File Server Role: Slow access for "opened files" and slow Explorer browsing

    Since we migrated our fileserver from Windows Server 2008 R2 to Windows Server 2012 we are facing two major problems:
    1. Opening files which are already opened by other users takes about 1 minute before the file actually opens. This is not only for Office files such as Excel and Word, but also for other (not Office) files. Again, this problem only arises when the file(s) is/are already opened by another user. There seems to be a sort of "Lock" check time which is about 45 to 60 seconds.
    2. The other problem is browsing via Explorer through the network drive (all clients are Windows 7 clients). Half of the time there is some kind of "hiccup" with displaying the results of the folder. I cannot figure out a pattern, but if there is no "hiccup" then browsing is very fast (also in the busiest times of the working day)... If there is a "hiccup" the result can take about 50 seconds to display the content of a folder.
    I suspect the SMB implementation / settings of Windows Server 2012 which are causing the problems...
    Things I tried:
    1. Changed the Oplocks wait time to 10 seconds (which is the minimum). The result is that opening files does indeed go somewhat faster (still taking about 45 seconds).
    2. Disabled SMB2: the result is that browsing is fast... Opening files does go faster. BUT: we are then facing other problems like some files are not able to open... This setting was, after getting a lot of complaints from the users, changed back to enabled SMB2.
    3. Within the NIC card properties I disabled "QoS packet Scheduler", "Link-Layer Topology Discovery Mapper I/O Driver", "Link-Layer Topology Discovery Responder" and IPv6 (as we only use IPv4).
    All of the above did not give promising results.
    The server is a dedicated (virtual machine on vSphere 5.1) fileserver.
    Please advise, since this is not workable, and we have postponed the migration of the fileserver for our other location.

    Hi Dave,
    I suggest you disable all third party applications like Anti-Virus application to test if it could reduce the waiting time when accessing a file.
    Here are some related threads below that could be useful to you:
    DFS Slowness when Opening Microsoft Documents and Excel Spreadsheets
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/61ec9a99-0027-44cb-815c-0da9276c1c96/dfs-slowness-when-opening-microsoft-documents-and-excel-spreadsheets?forum=winservergen
    Opening files over network takes long time
    http://social.technet.microsoft.com/Forums/windows/en-US/c8ddb65f-8a17-4cee-afd4-dfc09e99d562/opening-files-over-network-takes-long-time?forum=w7itpronetworking
    opening folder or file takes over a minute on Windows 2008R2 File server
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/b9aa98c4-3ef7-4e6d-810d-6099e72b33f6/opening-folder-or-file-takes-over-a-minute-on-windows-2008r2-file-server?forum=winserverfiles
    Best Regards,
    Amy Wang

  • DNS Server Having Intermittent Issues with Open Directory

    I work for a school and we're undertaking the large task of moving from Xserves running 10.6.8 to Mac Minis running 10.9. I have a lot of experience with OS X Server (I held ACSA up until they ditched it, and ACTC through the current OS) but I've hit a fairly large snag in configuring our DNS server. We currently run DNS via an AD server that is being retired at the end of the summer, so this is the first time our DNS will be Mac-based. That said, our network is ridiculously simple as we are a very small school. For the most part it's a flat network using the same IP range for our wired and wireless internal clients (we do have a vlan for guests but that's through Aerohive). I configured the DNS by hand, recreating the entries in our AD server (there were only about a dozen) and then adding in things that should have been there in the first place (e.g. printers and some other devices with static IPs that I'd like FQDNs for). Everything seemed to be working fine...until trying to log into Open Directory accounts.
    For some background, the DNS server running 10.9 was the first server we upgraded and it was a completely clean install. We run DHCP on another Mac Server currently running 10.6.8 and it does have the proper OD server listed. All DNS entries for the OD server match our current DNS server. The issue is that it's taking some users 5-6 tries to log in with their network accounts. The errors they receive range from the login window shaking to it stating the user cannot log in at this time. This seems to be worse on client machines running 10.9, but it's appearing on machines running 10.6.8-10.9.3.
    In my troubleshooting, I found that if I log in as a local user to one of those machines and do a dig for the OD server the results vary, this is where it gets weird. For example, if I dig ourodserver.ourdomain.org it will sometimes return host not found or it will sometimes resolve. If I ping the same thing it will sometimes work (even after stating it cannot resolve the host) and it will sometimes fail. If I then try a dig for the .local (e.g. ourodserver.local) it also yields the same varied results. However, on every machine that I've tested if I then open a Finder window and navigate to the server via the "Shared" menu and connect I have no trouble connecting and then magically my digs and pings in terminal work. If I revert DNS back to point to our old Windows server the issue goes away. I have meticulously combed through that server many many times now and am not seeing any missed entries. Any idea what could be causing this?

    You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
    The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
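
The requirements in the reply above (a name of at least three levels, outside `.local`, with matching forward and reverse records) and the come-and-go lookups described in the question can be checked together. This is an added example, not part of the original thread: the function names and the `attempts` parameter are illustrative, and the sample records are constructed from the `myserver.mydomain.private` / `10.0.22.201` zone quoted earlier on this page.

```python
import socket


def system_forward(name):
    """Forward lookup through the system resolver; returns IPv4 address strings."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def system_reverse(ip):
    """Reverse (PTR) lookup through the system resolver; returns host names."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


def check_server_name(fqdn, forward=system_forward, reverse=system_reverse, attempts=3):
    """Return a list of problems with a directory server's name and DNS records.

    `forward` and `reverse` are injectable so the check can run against
    recorded data instead of the live resolver.
    """
    name = fqdn.rstrip(".").lower()
    labels = name.split(".")
    problems = []
    if len(labels) < 3:
        problems.append("name has fewer than three levels")
    if labels[-1] == "local":
        problems.append(".local is reserved for Bonjour")

    # Repeat the forward lookup: an answer that comes and goes is itself a finding.
    answers = [tuple(sorted(forward(name))) for _ in range(attempts)]
    if len(set(answers)) > 1:
        problems.append("forward lookup gave different answers across attempts")
    addresses = sorted({ip for answer in answers for ip in answer})
    if not addresses:
        problems.append("no forward (A) record")

    # Every address the name resolves to must map back to the same name.
    for ip in addresses:
        ptrs = [p.rstrip(".").lower() for p in reverse(ip)]
        if not ptrs:
            problems.append(f"no reverse (PTR) record for {ip}")
        elif name not in ptrs:
            problems.append(f"reverse record for {ip} names {ptrs[0]}, not {name}")
    return problems


# Constructed sample records standing in for a resolver.
SAMPLE_A = {"myserver.mydomain.private": ["10.0.22.201"]}
SAMPLE_PTR = {"10.0.22.201": ["myserver.mydomain.private."]}


def sample_forward(name):
    return SAMPLE_A.get(name, [])


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])


if __name__ == "__main__":
    for host in ("myserver.mydomain.private", "myserver.local"):
        found = check_server_name(host, sample_forward, sample_reverse)
        print(host, "->", found or "ok")
```

Calling `check_server_name("server.yourdomain.com")` with no resolver arguments runs the same checks against the machine's configured DNS.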

  • Help with mail users and setup 10.6 mail server bound to 10.8 Open Directory

    We have a 10.7 Open Directory server which was upgraded from 10.6.  We have had some Open Directory issues since the upgrade.  I am manually creating a 10.8 server as a replacement for the 10.7 server.  All settings for services are running as expected and we are ready to turn over to the new server except for a problem with the ability to receive email.
    Setup in both the original and the replacement has the OD server with DNS running with a correct MX record pointing to our 10.6 mail server.
    In the replacement OD server the mail users were created as network users, with no userhome, with access to the mail service, and email addresses given. 
    The mail server was unbound from the original OD server, bound to the replacement OD server without SSL exactly as with the original, and restarted.
    Initially the mail service said that mail clients had the wrong name or password.  Opened WGM 10.6 on the MAIL server and checked the OD records.  They showed the mail users not having the checkbox saying they were set up to receive mail selected.  Selected the checkbox to receive mail.
    Now the mail client seems to connect to the server correctly but does not show the emails in the system for the users.  It is as though there is no email and the account is brand new.
    Unbind the mail server from the replacement OD server, rebind it to the original OD server, and restart.
    Mail clients connect and receive the mail in the accounts as expected.
    Any ideas?
    Thanks

    I figured out what the mail server is doing.  It has created new email stores for each of the new users.  If we bind to the original OD it uses the original set of email stores.  If we bind to the replacement OD it uses the new set of email stores.
    I have tried to make sure that the userIDs match in each OD but that did not help.
    The server is working for each OD.  Does anyone know if I can tell the 10.6 mail server to use the old emails in the mailstore for the new user in the new OD?
    If nothing else I can solve the problem by archiving the emails and copying them into the new user when running the new OD.

  • Mac OS 9 using 10.4 Open Directory

    Hey guys, I am trying to get some of my older Mac OS 9 computers to see the Open Directory server. I am using the NetBoot image that Apple gives out for the OS 9 NetBoot (it's the Apple one).
    Any help on this? Just need to get this NetBoot image to see the server, for the Open Directory.

    The migration guide for moving into Server 10.4 says that you can only support OS 9 clients if you migrate from 10.3. [I think this is because the tools you need for central Server administration (Macintosh Manager) are not included by default in 10.4.]
    OS 9 computers owe their allegiance to the Server through the use of the OS 9 Multiple Users Control Panel, with the additional setting of "User accounts on the Server" rather than the default "User accounts on this Mac".
    Does any of this sound familiar?

  • Configuring DNS for Open Directory

    I'm reading Mac OS X Server Essentials, A Guide to Using and Supporting Mac OS X Server 10.4 and in the Open Directory section it says "Make sure your server is resolving DNS correctly. If not, you may need to stop and start DNS."
    I don't have DNS set up on our Xserve so I started reading the section about DNS.
    We don't serve any web or mail services from this Xserve and I don't want to screw up the Custom DNS service provided by our web host/nic provider. If I enter my domain in the DNS admin area will that affect anything outside our LAN?

    It says: "Make sure it is resolving DNS correctly. ...". It ain't saying: "DNS has to be running on the OD server itself. ...".
    So if your network provider does handle DNS for you, that's perfectly fine. Just check that they have forward and reverse records in place.
    -Ralph

  • Please advise me which exam to choose for OCA

    Which of the below exams shall I choose for certification which is important and good for my career.
    1Z0-001
    Introduction to Oracle: SQL® and PL/SQL™
    or
    1Z0-007
    Introduction to Oracle9i SQL®
    or
    1Z0-047
    Oracle Database SQL Expert
    or
    1Z0-051
    Oracle Database 11g: SQL Fundamentals
    Thanks in Advance

    user10946311 wrote:
    Which of the below exams shall I choose for certification which is important and good for my career.
    Improving SQL skills will often be a good thing for a large range of people.
    Check out [www.oracle.com/education/certification] and particularly 'View all certification' to help you choose.
    Also drill down from that link for exam topics, training and authorized practice exams.
    A better way of choosing the question is: what set of skills do I think I can and would like to master,
    Where do I think these skills will help me in a career,
    What training will I need to master those skills,
    And what certification will show that I have mastered them.
    If you already have a little experience, I suggest 1z0-047 for Oracle Database: SQL Certified Expert* perhaps ought to be the exam of choice, as this ought to be useful for the widest range of jobs. However I might actually suggest going for 1z0-051 first as a possibly easier target stepping stone. Incidentally I have not taken 1z0-047 myself.
    1Z0-001
    Introduction to Oracle: SQL® and PL/SQL™
    This exam is about to be retired and is therefore probably a bad choice.
    1Z0-047
    Oracle Database SQL Expert
    Cannot be taken online, perhaps a good thing. May lead to an OCE certification. May be harder to study for and marginally more expensive.
    1Z0-007
    Introduction to Oracle9i SQL®
    1Z0-051
    Oracle Database 11g: SQL Fundamentals 1
    Both can be taken online and are adequate components of a number of certifications. 11g is obviously more up to date. Both, I believe, are not subject to a 14 day retake if you fail.
    The Osborne/Oracle Press ISBN-13: 978-0071597869: OCA Oracle Database 11g SQL Fundamentals I Exam Guide: Exam 1Z0-051 (Osborne Oracle Press Series) does a good job of covering 1z0-051 if you're starting with some experience of SQL, but I suggest you should supplement that with quality (e.g. Oracle) training if necessary.
    Also
    Check out the following sticky posts about the forum blog and FAQ:
    Oracle Certification Blog: http://forums.oracle.com/forums/ann.jspa?annID=801
    Answers to Frequently Asked Questions on this Forum: http://forums.oracle.com/forums/ann.jspa?annID=794
    Please also be aware you may be offered braindumps and unauthorized learning material .... please study the links above to see why you should avoid them.
    Good Luck - bigdelboy
    NB: check out also Additional 10g OCA Exam - Which One
    Edited by: bigdelboy on 29-Mar-2009 16:08

  • Server 4: open directory entry for server reports wrong IP address

    I'm running Server 4 on a Mac Mini (late 2012) running OS X 10.10.
    The server is configured as a stand-alone machine providing services to users connecting over its fixed IP public address.  The server uses Open Directory to keep record of authorised users of the services provided (mail, calendar, wiki, contacts, some file sharing), and the machine is configured as an OD master.
    I've noticed that the entry relating to the server on the Server 4 panel for Open Directory (the only entry showing by the way) lists three IP addresses below the name of the machine.  My concern is that these IP addresses are not related to the IP address being used by the machine, and there does not appear to be any simple way to change them.  The IPs reported are 10.37.129.2, 10.0.1.2, 10.211.55.2.  The server's fixed IP is in the range 45.146.x.x and the local network running below our router that the server connects to has IPs in the range 192.168.1.x.  So it is not clear where these IPs might be coming from.
    What do these numbers relate to?  If they are important, should they point to the IP address occupied by the server?  If so, how do I make this change in settings?
    Thanks a lot in advance for any help that you can provide.

    <bump>

  • Client Macs lose connection to server after Sleep

    Ok, so my previous issues with disk I/O errors with Contacts/Mail etc. appear to be resolved after I re-installed ML Server and ML clients on all my Macs -- not entirely sure why, but now I have a new problem where client Macs lose connection to the server after sleep.
    So my current setup is as follows:
    Server Mac
    Mac Mini Server running ML 10.8.2 Server
    Client Macs
    2 x MBAs with 10.8.2 (Core2Duo & iCore5)
    1 x Mac Mini running 10.8.2 (Core2Duo, 4GB 2.4 GHz etc)
    Issue:
    If I leave the client Mini logged in say, as me and either the Mini goes to sleep (or if I put it to sleep) and then I wake the Mini up, I appear to lose connection to the server - so whilst I am still logged in as me, I've lost my connection to my home directory e.g. Doc/Music/Pics (I can see instantly my desktop picture defaults to ML galaxy picture, as opposed to something I've chosen) folders are no longer present. So obviously as mailbox, iPhoto & iTunes libraries are missing, Mail, iPhoto & iTunes fail to operate and my only course of action is to log out and log back in and everything is fine.
    I get the same issue - although not as frequent - on MBAs when you close it and results in having to log out and in again to resolve the issue. I also saw the same problem when it was running Lion as well.
    A couple of things to note:
      - Server Mini is never asleep and is running 24x7 (as it's a media streamer as well)
      - It's only occurred when in deep sleep - so if I wake the Mac up after a few seconds of sleep, it's just fine but if say I leave it overnight and wake it in the morning, it's no longer connected.
    Any pointers will be welcome and given that it appears to have occurred on a client Mac with Lion as well, it would imply it's an issue with the server rather than the individual client Macs. Also note, I don't recall the problem when running Lion Server.
    Thanks
    Rob

    Have you tried looking at the server logs, particularly the 'System' & 'Open Directory' log sets?
    Anything seen in there?
    Also logs on the client machines using the Console app. It's a bit tedious going through logs but they can be very illuminating.

  • Changing the Name of an Open Directory Server while preserving users, etc.

    Hi Everyone,
    Not an emergency - but I have been wrestling with this dilemma for almost a year now.
    The good news is nothing has to be done right away. But I will ultimately need a solution.
    We have inherited a server system at a traditional elementary school from a previous IT person who was immature to say the least.
    When he set up the server system, he named the Open Directory server something that, while innocuous, is inappropriate for a school setting.  I am sure he thought it was clever and cheeky at the time. But a few years later it is simply unprofessional. And we are being expected to ultimately be able to change it to something like "XXXdirectory.domainname.edu". The more it hangs around - the longer it looks like we did this and it makes us look unprofessional.
    So here is my dilemma. 
    This is an OD Master with iCal and network homes attached to it. It also runs DNS.
    I would like to set up a new server and name it "xxxdirectory.schooldomainname.edu"
    Setting up the new server is easy and getting all the client machines to bind to it - no problem.
    The problem is how to migrate all the users to the new server.  It seems a restore won't work because if the new server is named differently, the restore will fail. I also can't do a server migration because the stupid name migrates to the new server.
    My old server is 10.5.8 Server.  The new one is 10.7.1 Server . But could be 10.6.8 Server if need be. 
    The main problem is how do I get all the accounts onto a new server with a new OD master name?
    I don't mind command line stuff. So throw whatever you got at me.
    Thanks in advance for your help everyone.  Don't worry - I won't be a pain in the butt or argue.  I just need some good solid guidance, even if it is a "Not possible" answer - at least I have something to tell the administration when they want to know why we can't change the OD Master name from mcnugget.schoolname.edu.
    Please let me know if you need more details.  I am happy to provide.
    Thanks again.
    Tony

    If you don't mind resetting everybody's password then you can export the users and groups and wipe the server for a clean install, or turn it into a standalone server then back into OD master, then import the users and groups.

  • How to turn off Open Directory in OS X Server 10.8.2

    I am configuring a MacPro with ML Server 10.8.2 for internal-only use.  I have DNS working on it (with the annoyance that it goes out of its way to break wildcard host names, and it doesn't know how to properly create the zone files to allow a secondary DNS server to do reverse-name-lookups properly).  I have only 2 users (admin and Time Machine), Time Machine is working for client Macs using the Time Machine user account, and File Sharing is working (using either account), sharing a RAID of internal drives and a pair of USB-attached external drives.
    I briefly turned on Open Directory, just to see if I wanted or needed to go that route.  I entered an Open Directory admin (diradmin) with a password.  Looked around the options and decided I did NOT need to use Open Directory just to get the Time Machine stuff working, and I was right.
    However, now the Server App shows Open Directory is "On."  When I go to that tab, I get a message stating that there was an error reading the settings file for Open Directory services.  I click it "Off" but it refuses to turn off.  When I come back to the tab, I get a pop-up window with a message about an error reading the settings and the Off/On switch moves back to "On" and the green light never goes off next to Open Directory in the list of services.
    I've rebooted the machine and after the reboot, sometimes, it appears as if I can add/delete/modify Users and Groups.  Other times, after the reboot, the +/- buttons are greyed out and I cannot add/edit/modify Users and Groups.  I have not yet tried to add/delete/modify users yet because I'm leery of trusting the server with this error message.
    Can anyone help me to remove anything and everything related to Open Directory so that it is "off" as if I never ever turned it on?  Or any suggestions on how to fix this short of a reinstall?
    Can I download and install the Server app on a different machine and then just copy the Server app over to this machine?  Will that zero out the Open Directory stuff that I'm trying to get rid of?
    Thanks in advance.

    I think I solved my problem by running the following command:
    sudo slapconfig -destroyldapserver diradmin
    diradmin is the name of the Open Directory admin account I created.
    The Open Directory Service now appears "off" and no longer has the green dot next to it in the list of services.
    Obviously, NOT a good solution to someone who was actively using Open Directory as this appears to have deleted all the data associated with Open Directory.
    Users and Groups now allow me to add/delete/modify.
    Sad to see an Apple product have such issues.
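
    Since the command above deletes the Open Directory data, one way to guard it is to archive the directory first and refuse to continue if no archive was written. This is an added example, not part of the original post; the function names, the SLAPCONFIG override and the DESTROY confirmation word are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: archive Open Directory before the destructive step. Run as root on the server.
# SLAPCONFIG can be overridden (an assumption of this example) to rehearse the logic elsewhere.
SLAPCONFIG="${SLAPCONFIG:-slapconfig}"

# od_backup ARCHIVE_PATH: run "slapconfig -backupdb" and confirm an archive exists.
od_backup() {
    archive="$1"
    if [ -z "$archive" ]; then
        echo "usage: od_backup <archive path>" >&2
        return 2
    fi
    if ! "$SLAPCONFIG" -backupdb "$archive"; then
        echo "backup failed; nothing was destroyed" >&2
        return 1
    fi
    # Assumption: the tool may append an extension to the archive name,
    # so accept any non-empty file whose name starts with the given path.
    for f in "$archive"*; do
        if [ -s "$f" ]; then
            return 0
        fi
    done
    echo "no archive found at $archive" >&2
    return 1
}

# od_destroy_guarded ADMIN ARCHIVE_PATH DESTROY: back up, then destroy the LDAP server.
od_destroy_guarded() {
    admin="$1"; archive="$2"; confirm="$3"
    if [ "$confirm" != "DESTROY" ]; then
        echo "refusing: pass DESTROY as the third argument" >&2
        return 3
    fi
    od_backup "$archive" || return 1
    "$SLAPCONFIG" -destroyldapserver "$admin"
}
# Example (constructed path): od_destroy_guarded diradmin /var/backups/od-archive DESTROY
```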

  • 10.6 Client and 10.7 Server Open Directory

    I've got a Mac Mini running Lion Server. It's configured as an Open Directory Server.
    And I've got some 10.6 Clients running on the same local network.
    All Clients have the Mini Server as DNS Server.
    And now I want to use NetworkAccounts from the 10.7 Server on the 10.6 Clients.
    I've connected the 10.6 Clients to the Server (without SSL) and all Clients say "Network Accounts available".
    But if I try to log in on the Client it just shakes the login window. I've tried it on all my Clients with different Accounts but nothing worked.
    It just won't work! But why? Can you please help me?
    What am I doing wrong? Or is the combination of 10.6 Clients and 10.7 Server not supported by OpenDirectory on 10.7 Server?
    Thank you !

    Check your authentication against the server from one of the clients using the following command:
    dscl /LDAPv3/<server name or IP> authonly <shortname of an account that cannot login>
    The server name should be the same name or IP you used when binding your 10.6 client to a 10.7 server.
    If you get the response "Failed to authenticate user <shortname> (tDirStatus: -14103)" you are having the same issue I was having. I found an answer to this, but you are not going to like it.
    Apparently Workgroup Manager and Server.app deal with accounts differently. If you are using Workgroup Manager to import a long list of accounts, don't. Server.app needs to write an additional setting that is not part of Workgroup Manager or in Passenger; it doesn't work correctly with accounts that have home folders that are not local. Here are the steps I used to resolve the issue:
    Export all your accounts and groups
    Using Server Admin, demote your OD to a standalone directory
    Once the demotion is complete, use Server.app to promote your server to an OD Master
    Update: I've not found it to make a difference if you use server.app or Server Admin to configure your Open Directory Master.
    Once the server is again an Open Directory Master, import the users that you exported using Server.app instead of Workgroup Manager.
    If you are importing groups, set the Home Directory by editing the account in Server.app before importing groups to avoid overwriting your group settings. Thankfully, you can select multiple accounts at a time.
    Import your groups using Server.app
    Verify group membership and test the logins
    If you test the login using the dscl command from above, you should get no error after entering the password, but as long as you have a bound client, you should be able to login at this point.
    Hope this reaches you in time to help.

  • Can connect with Server Admin and Server Prefs, not Screen Sharing or ARD

    Just set up 10.5 server on my G5, and trying to connect from 10.5 on my iMac. I have tried both with the server System Preferences set to allow Screen Sharing via VNC, and with Remote Management enabled for ARD. In both cases, I get authentication errors when trying to connect from home. I have tried with both the full username, and with the short name of the only account on the server. My assumption is that, since this is the administrator account, I don't need to setup explicit privs for it on the server.
    I can authenticate without any trouble with both Server Admin and Server Preferences.
    The Firewall is not enabled on either machine, although I am behind a NAT router at home -- is it necessary to open any special ports to enable screen sharing? Is it possible that having these ports closed would produce an authentication error?
    Thanks for any help.

    Hi
    I'm going to assume you configured your Server in Standard Configuration and not Workgroup or Advanced?
    When using Standard in setting up the server, DNS is automatically configured for you, as well as the Server taking an Open Directory Master Role. The admin account created at the beginning is for administering the Open Directory. Unknown to you and not documented at all - as far as I can see - is the 'Local Administrator' (localadmin) account.
    You only become aware of this account if for some reason you have a problem with the Server which involves demoting to Standalone (ie not an Open Directory Master) once this happens you find you can't log on to the Server anymore or communicate with any of the Server applications because it won't accept any username or password other than root and localadmin for the name and the password defined for the original admin account you created right at the beginning.
    Sometimes it does not even take demotion to find yourself locked out of the Server. Some have experienced this problem when running the Security Update or when some other problem has occurred.
    Part of the process of creating an Open Directory Master involves the creation of a 'special' directory administrator account. This account is used for administering the LDAP node. If demotion takes place this account gets blown away along with all users and group accounts that exist in the LDAP node, in fact everything to do with Open Directory is destroyed apart from Users' home folders.
    Why demote if this happens? Sometimes the LDAP database gets damaged/corrupted beyond a point where normal troubleshooting methods fail. This can happen for a whole variety of reasons but more often than not is due to a poorly configured DNS Service. You basically only have two options once you reach that stage. A server reinstall involving a format and rebuild or a demotion to Standalone. Which option would you choose? Prior to demotion you can (if you have the chance) export users and groups or even archive the LDAP database itself for restoration later on. This is a useful option as everything to do with the LDAP Server is retained - passwords, users, groups etc. The other method of saving users etc does not retain passwords.
    As time goes on and you become more familiar with your server you will find more and more of this information out for yourself. Hopefully the simple advice I've given helps you understand Open Directory a little better.
    Hope this helps, Tony

  • Open Directory: After enabling of SSL encryption the Open Directory server is not reachable anymore! What's wrong?

    After enabling SSL encryption on LDAP I can't connect to the LDAP anymore. I think the Lion Server now supports SSL encryption for Open Directory.

    .....
