Xserve going nuts - think it's Open Directory?

Hey all,
As of today, out of the blue, one of my Xserves has been hanging like crazy. Web services have been 100% fine, although logging in (anything user related) hangs, and it comes and goes. When it's problematic, ssh times out, or takes up to 5 min to complete. Rebooting fixes it immediately, but it comes back eventually.
In the sys logs, I've been seeing a ton of securityserver errors.
When I run top, I'm seeing a lot of slapconfig, sso_util, and some random mnthome's pop up, all three of which I never see on any of my machines. When I do a search, Open Directory is showing up across the board, but we keep it on standalone and don't use it at all.
This is a 10.4.11 machine.
Any help greatly appreciated.
-Alex

I always just figured that the replica was a standby and would take over if for some reason the master went down.
I was just reading the OD documentation earlier this week pertaining to replication and what leapt out at me was that the purpose of the replicas is to distribute authentication requests to the replicas thus removing the load from the master for those requests. The master is there as the backup - not as the primary authentication server. Then if one looks at replicas being the source for other replicas downline, one can set up a rather redundant authentication load chain if one of the servers goes down.
So, yes, clients should point to the replica(s).
-Doug

Similar Messages

  • How to turn off Open Directory in OS X Server 10.8.2

    I am configuring a MacPro with ML Server 10.8.2 for internal-only use. I have DNS working on it (with the annoyance that it goes out of its way to break wildcard host names, and it doesn't know how to properly create the zone files to allow a secondary DNS server to do reverse-name-lookups properly). I have only 2 users (admin and Time Machine), Time Machine is working for client Macs using the Time Machine user account, and File Sharing is working (using either account), sharing a RAID of internal drives and a pair of USB-attached external drives.
    I briefly turned on Open Directory, just to see if I wanted or needed to go that route.  I entered an Open Directory admin (diradmin) with a password.  Looked around the options and decided I did NOT need to use Open Directory just to get the Time Machine stuff working, and I was right.
    However, now the Server App shows Open Directory is "On."  When I go to that tab, I get a message stating that there was an error reading the settings file for Open Directory services.  I click it "Off" but it refuses to turn off.  When I come back to the tab, I get a pop-up window with a message about an error reading the settings and the Off/On switch moves back to "On" and the green light never goes off next to Open Directory in the list of services.
    I've rebooted the machine and after the reboot, sometimes, it appears as if I can add/delete/modify Users and Groups.  Other times, after the reboot, the +/- buttons are greyed out and I cannot add/edit/modify Users and Groups.  I have not yet tried to add/delete/modify users yet because I'm leery of trusting the server with this error message.
    Can anyone help me to remove anything and everything related to Open Directory so that it is "off" as if I never ever turned it on?  Or any suggestions on how to fix this short of a reinstall?
    Can I download and install the Server app on a different machine and then just copy the Server app over to this machine? Will that zero out the Open Directory stuff that I'm trying to get rid of?
    Thanks in advance.

    I think I solved my problem by running the following command:
    sudo slapconfig -destroyldapserver diradmin
    diradmin is the name of the Open Directory admin account I created.
    The Open Directory Service now appears "off" and no longer has the green dot next to it in the list of services.
    Obviously, NOT a good solution to someone who was actively using Open Directory as this appears to have deleted all the data associated with Open Directory.
    Users and Groups now allow me to add/delete/modify.
    Sad to see an Apple product have such issues.

  • Move user files and preferences to new open directory log in

    I have a machine that I have been using for a few months. I log in to the machine as an admin user. We just put in a new Mac OS X server and are going to be using Open Directory and probably Mobility on the users.
    Is it possible to move or duplicate the current state (preferences, passwords, bookmarks, email, etc.) of my computer to a new Open Directory log in on the same computer? If I can, what is going to be the easiest way?
    Both the server and my machine are 10.5.6.

    If you're logged into the old drive, select Go from the Finder menu while holding the option key down. Select Library from the submenu. This is your Home Library.
    The Mail folder will contain all accounts, mailboxes, and account preferences.
    The Mail application preferences will be stored in the Preference folder.
    For "what files you need", that depends on what you're trying to accomplish. What are you trying to do?

  • My screen is completely white, i've tried holding lock and home buttons as seen on you tube something called 'white screen of death' its goes black (think it switches off) then back to the white screen need help fast please!

    My screen is completely white. I've tried holding the lock and home buttons as seen on YouTube, something called 'white screen of death'. It goes black (I think it switches off) then back to the white screen. Need help fast please!

    If you have not done a factory reset on the device, I recommend doing a complete factory reset.
    Factory Reset - Warning: this will reset the device back to original factory settings.
    This method will not erase any MDN/MIN information.
    Turn off the phone.
    Press Power + Volume Up/Down at the same time and hold until the display shows a triage Android screen.
    Display will show:
    Reboot system Now
    Apply sdcard:update.zip
    Wipe Data/Factory Reset
    Wipe Cache Partition
    Use the VOL Down key to scroll down to "Wipe Data/Factory Reset", press the home icon to select the option and wipe the device.
    Display shows "All user data will be wiped out", press VOLUME Up to continue or VOLUME Down to exit.
    Press Volume Up.
    Press Home to select "Reset System Now" - the device will reboot.
    If the problem persists I recommend having a store technician take a look at the device.
    Copy and paste the link below into your browser's address bar for the store locator.
    http://www.verizonwireless.com/b2c/storelocator/index.jsp

  • When I install adobe acrobat XI PRO, it converts everything on my computer to an adobe icon, and when I try to open it, it open adobe acrobat. For example, I can't open word, excel, internet explorer, or any other document or program because it thinks its

    When I install Adobe Acrobat XI Pro, it converts everything on my computer to an Adobe icon, and when I try to open it, it opens Adobe Acrobat. For example, I can't open Word, Excel, Internet Explorer, or any other document or program because it thinks it's Acrobat.

    Hi Kate,
    Please refer to this KB doc for the solution: Application, file icons change to Acrobat/Reader icon
    Let me know if the issue persists.
    Regards,
    Aadesh

  • "My Page" login problem, open directory issue I think

    I'm able to log into the My Page web portal for a local server account user, but not any of the users in the Open Directory (LDAP) node. Anyone know what might be causing that? Thanks in advance.

    Is there a specific group that gets access to the web portal tools (wiki, blog, etc) that the users in the network node need to be in?

  • DNS Server Having Intermittent Issues with Open Directory

    I work for a school and we're undertaking the large task of moving from Xserves running 10.6.8 to Mac Minis running 10.9. I have a lot of experience with OS X Server (I held ACSA up until they ditched it, and ACTC through the current OS) but I've hit a fairly large snag in configuring our DNS server. We currently run DNS via an AD server that is being retired at the end of the summer, so this is the first time our DNS will be Mac-based. That said, our network is ridiculously simple as we are a very small school. For the most part it's a flat network using the same IP range for our wired and wireless internal clients (we do have a vlan for guests but that's through Aerohive). I configured the DNS by hand, recreating the entries in our AD server (there were only about a dozen) and then adding in things that should have been there in the first place (e.g. printers and some other devices with static IPs that I'd like FQDNs for). Everything seemed to be working fine...until trying to log into Open Directory accounts.
    For some background, the DNS server running 10.9 was the first server we upgraded and it was a completely clean install. We run DHCP on another Mac Server currently running 10.6.8 and it does have the proper OD server listed. All DNS entries for the OD server match our current DNS server. The issue is that it's taking some users 5-6 tries to log in with their network accounts. The errors they receive range from the login window shaking to it stating the user cannot log in at this time. This seems to be worse on client machines running 10.9, but it's appearing on machines running 10.6.8-10.9.3.
    In my troubleshooting, I found that if I log in as a local user to one of those machines and do a dig for the OD server the results vary; this is where it gets weird. For example, if I dig ourodserver.ourdomain.org it will sometimes return host not found or it will sometimes resolve. If I ping the same thing it will sometimes work (even after stating it cannot resolve the host) and it will sometimes fail. If I then try a dig for the .local (e.g. ourodserver.local) it also yields the same varied results. However, on every machine that I've tested, if I then open a Finder window and navigate to the server via the "Shared" menu and connect, I have no trouble connecting and then magically my digs and pings in terminal work. If I revert DNS back to point to our old Windows server the issue goes away. I have meticulously combed through that server many many times now and am not seeing any missed entries. Any idea what could be causing this?

    You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
    The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

  • Active Directory & Open Directory integration

    Hello,
    Here is the scenario I would like to accomplish. Let me know if it's possible or not.
    Currently I have a cluster of domain controllers on a fairly large Active Directory domain. We have a lot of Mac clients that are running totally independent and want to get them on the domain.
    On the mac side, we want to run some mac services such as ichat server and get some of the other open directory features.
    So is it possible to do this:
    (Ad Domain) - one way replication -> (OD server) -> Mac Clients
    Basically I would like to have an Open Directory server for the Mac workstations. Is there any way to replicate all the users from the AD server? Then be able to specify the Mac related options such as iChat on the OD server? Maybe I am going at this the wrong way, let me know!
    Thanks
    Nick
    Xserve, Mac OS X (10.4.6)

    Hi dani190,
    Are you using the fully qualified domain name of the network server? I.e. if your server is bob and your domain is domain.company.com, then the FQDN would typically be bob.domain.company.com or bob.company.com.
    If the FQDNS works, then have you checked in the AD to make sure the path to the network home folder uses the FQDNS?
    For the contact search path, did you put the AD at the top the list? (in directory utility)
    Did you set the WINS work group on your client computer to your domain?
    I.e.: Apple Menu, System Preferences, Network, Active Network Port (ethernet and/or airport), Advanced Button, WINS Tab, set workgroup to the name of your domain, i.e. domain.company.com and/or company.com.

  • Open Directory or LDAP Problem with 10.5 Client and 10.4 Server

    Yesterday, the client-server setup we've been using successfully FOR YEARS decided not to work on a v10.5.8 MacBook Pro client. Did not do anything to the v10.5 client recently (other than to boot it up). Not sure if any software was updated on the server recently (where do I check for this?). Curiously, a v10.4.11 client running on a Mac Pro (tower) continues to work fine/as though nothing's changed. It appears as though the only difference is v10.4 client (working) vs. v10.5 client (not working).
    Here is what IS working:
    1) Network Home Directories on dedicated drive partition of Mac running OS X Server v10.4.11. AFP, DNS, and Open Directory are all up and running (normally, I think) as shown in Server Admin application.
    2) Mac Pro (tower) client running v10.4.11 binds to and authenticates at v10.4.11 server. Any valid user can access their home directory on the server seamlessly when logging in at this v10.4.11 client Mac.
    3) That same v10.4.11 client Mac also contains a LOCAL admin user with its home directory on the local hard drive. That LOCAL admin account is used to update software on a per machine basis (and preclude users from adding unauthorized software, needing to use a specific machine, etc.).
    Here is what IS NOT working:
    4) On a MacBook Pro client running v10.5.8, the LOCAL admin account loses access to the partition containing its local home directory. The drive partition literally disappears. The only "solution" I've been able to find (and it's not truly a solution) is to turn off the Open Directory/LDAP binding (using the Directory Utility application). With binding turned off, the LOCAL admin user has no problem accessing their home directory on the local hard drive partition. Turn binding on again (using Directory Utility application), and the LOCAL admin user can no longer see its local home directory.
    Again, binding is necessary to allow regular users to use the v10.5 MacBook Pro with Network Home Directories (as in items 1-3 above). Binding should be turned on for this reason. However, with binding on, the LOCAL admin user cannot manage the computer because the local partition containing the admin home directory disappears/is inaccessible. Turn binding off, and the partition containing the admin home directory reappears.
    Perhaps there's something in the server logs that will help. I don't really know how to read these, so if your help involves the logs, please refer to them explicitly (e.g., "in Server Admin, go to Open Directory->Logs->LDAP log" or similar).
    Any help greatly appreciated.

    Nope. Never used sso_util.
    I try to use Apple's GUI server management tools unless absolutely necessary/at the end of my rope (i.e., last step before re-install etc.). I figure there's just too many things going on under the hood: using the command line may fix one setting, but not re-configure the two or three others that Apple NEEDS in order to have the whole thing working in harmony. Unless you really know what's going on with all the configuration files, it's best to let the GUI manage the settings.
    In my particular circumstance, I've now got ALL Leopard clients, one Leopard v10.5 server, and one Tiger v10.4 server. Everything is working fine now, but it was not a simple matter getting the Tiger v10.4 server re-integrated into the otherwise ALL Leopard environment. OD/Kerberos is on the Leopard v10.5 server. Home directories are still on the Tiger v10.4 server.
    Two keys to getting THIS/MY set-up working:
    1) Tiger v10.4 server needs to have Open Directory set to "Connected to a Directory System" and has to be joined to the Kerberos realm that was set-up on the Leopard v10.5 server (use Server Admin to do all of this).
    2) Sharepoint on Tiger v10.4 server has to have SOME, but NOT ALL checkboxes for guest access enabled/checked. See:
    http://discussions.apple.com/message.jspa?messageID=10903468#10903468
    Number 2 immediately above is contrary to what Apple manual for User Management reads, but this is what worked for me/my set up, after pulling my hair out following the manual's instructions to the letter and not getting the thing to work!

  • Open Directory and AFP

    Hello, I have been having some problems setting up Tiger Server to have the clients' home directories hosted on the server. When the client tries to log in, it gives them an error saying they are unable to log on at this time because of AFP. If anyone could help or point me to a guide it would be appreciated.
    -Bobby

    Hi
    For 10.4 Server you should really post in the 10.4 OD Forum here:
    http://discussions.apple.com/forum.jspa?forumID=713
    However it does not really matter. You may find what follows useful:
    A Simplified Method for Deploying Open Directory Services
    A centralized authentication and authorization service providing automounting home folders for network users and control for service administrators using managed preferences. Ideal for Schools, Colleges, Libraries, Universities and in some cases, Private Companies
    These instructions are for the GUI only with no manual configuration and hardly any recourse for the command line. These instructions also assume that this will be the only server on the network.
    Substitute appropriately the examples given for your situation. The example used is for a pretend school called ‘High School’
    Assuming you have installed the Server Software and on restart the Server Setup Assistant has launched. We’ll use Administrator as the long name and admin as the short name with admin as the password for the default Server Administrator account (UID 501). We’ll assign a fixed IP address of 172.16.16.254, a subnet mask of 255.255.255.0 and the router/gateway IP address offering access to the internet as 172.16.16.1. Key in any ISP supplied DNS Server IP addresses in the DNS Servers field in the Network Preferences Control Panel. The server name will be server. You will see the server name in the Sharing Preferences Pane (server.local) as well as Server Admin > Computers & Services. The Server can be reached either using this name, its IP address, its loopback address and later on, after the DNS Service has been configured, its Fully Qualified Domain Name (FQDN). Don’t start any services apart from Remote Desktop, save the configuration as a text file and restart the Server. After the restart log in using the newly created System Administrator account details. Now would be a good time to test internet connectivity as well as running Software Update and installing all the updates relevant for the server.
    Start simple file services first: AFP and if necessary Windows. If there is more than one PC already on the network switch off Workgroup Master Browser and Domain Master Browser found in Server Admin > Windows > Advanced > Services. Create a test user in the local server directory (NetInfo) and test using a client computer to access the default share points: Users, Groups, Public. Don’t be tempted to delete these folders as the server will complain. If you don’t want to use these you can simply unshare the share points and create new ones. You could for example create share points on a connected XServe RAID and share these instead. Save any changes made.
    The instructions that follow are for simple DNS Settings which will do to successfully deploy an Open Directory Master
    Click on DNS Service Settings > Zones > click the + icon > General. The Server IP address will already be there, key in the Fully Qualified Domain Name (FQDN). This can either be a real world domain name or a pretend domain name. As long as it resembles fully qualified domain names it will do, avoid using .local.
    In this example we will use server.highschool.sch.org.
    Save the changes
    Now click Start Service. You will have to click Start Service twice as Server Admin does not start the service the first time as that is when the config files are written. These are kept in two locations: /etc/host.config and /var/named. The second time you click Start Service you will get the green light. Now set the Logging level to Debug and save the changes again. Launch System Preferences > Network > Configure > TCP/IP > key in the Server’s own IP address 172.16.16.254 in the DNS Servers field and remove any other IP address. Apply and save changes. Launch a web browser and see if you can get on the internet. Inspect the DNS logs in Server Admin and you will see entries starting with createfetch as well as received control command channel status: ready. By this time you should be on the internet using the server’s own IP address instead of ones supplied by your ISP or Router. Test and qualify the DNS Service by launching terminal and issuing the host command:
    host server.highschool.sch.org
    server.highschool.sch.org has address 172.16.16.254
    host 172.16.16.254
    254.16.16.172.in-addr.arpa domain name pointer host172-16-16-254.in-addr.server.highschool.sch.org
    This qualifies the forward and reverse pointers for the DNS Service
    Remember that a properly configured and qualified DNS service is crucial to the more advanced technologies available on OSX Server. Apple themselves recommend using DNS even if the Server is providing simple file services such as AFP
    If you want the Server to issue IP addresses then consider using the DHCP Service. If your router is already doing this then there is no need to bother just yet. Once you get comfortable and familiar with the Server you could look at this later on.
    Back to Server Admin
    Click on Open Directory > Settings > Select Standalone and now select Open Directory Master. As soon as you do this you will be prompted to create the Directory Administrator account, by default diradmin. You can’t use the standard administrator account. You dont have to use diradmin as the name you can use another name, but don’t be tempted to use admin. For this example we will leave it as it is as well as defining the password as diradmin. If DNS Services are correctly configured you will see the Kerberos Realm field already filled in for you and it will look like this: SERVER.HIGHSCHOOL.SCH.ORG. As you can see it will be the FQDN but in capitalized form. The search base will be automatically filled in also and it will look like this: dc=server,dc=highschool,dc=sch,dc=org.
    Save changes.
    Launch Directory Access /Applications/Utilities and click on LDAPv3, authenticate if required to do so. Inspect the configuration setting there and you should see the Server’s loopback address 127.0.0.1 has been entered as a New Configuration. This is normal and gets added upon promotion. Now launch Workgroup Manager and select the appropriate Directory Node LDAPv3/127.0.0.1. Authenticate using the newly created Directory Administrator account: diradmin. If everything has gone well you will see the Directory Administrator user (UID 1000) already there. Create a new user called Andrew Barton, short name: andybarton, UID 1025, password andyb, click Save. Select Sharing and make sure that the default Users folder is set to share, now click on Network Mount and click the lock, authenticate using the diradmin account and set the Users home folder to automount Home Directories. Click Save. Click Accounts, select Andy Barton, click Home, verify that the Home Folder path says afp://server.highschool.sch.org/Users, select this and click Create Home Now followed by Save. Navigate to the Finder, double click the Server hard drive, double click the Users folder and verify that the folder andybarton has been created. Double clicking on this folder will show the usual set of home folders with no entry signs on all of them apart from public and sites. Carry on populating the LDAP Directory Node with desired users. Once you have finished click on the Groups tab and create a group and call it Music Class, populate this group with desired users. We will look at Managed Preferences (MCX) for this group later on.
    In this example Music Class has 30 iMacs. Use the first iMac as a model for all the others. Create an administrator account on the first iMac with a strong password. Avoid using Administrator and admin as these could conflict with the Server admin account. Don’t use a User Account already created on the Server. I will use MC Administrator as the long name and mcadmin as the short name, switch off auto log-in. Install all relevant site license software on this mac. Set the iMac’s name in the Sharing Preferences Pane to iMac01, the .local part will be automatically filled in for you, save all changes. Run all software updates available for the mac, restart the mac. You can now use this mac as the ‘Golden Mac’ – a template for all the other iMacs. You can target disk mode this first mac to the second mac and after cloning change the name of the second mac to iMac02. Or you could image iMac01 to an external firewire drive, connect the drive to the server and use Apple Remote Desktop (ARD) to push out the image to all the other macs. You could also use System Image Utility, PackageMaker and NetInstall. As you can see there are numerous ways of doing this.
    Back to iMac01
    Log in using the mcadmin account, launch Directory Access (Applications/Utilities), click on the lock and authenticate, select LDAPv3, click Configure, deselect ‘Add DCHP-supplied LDAP servers to automatic search policies’, click New and key in either the IP address 172.16.16.254 or better still its FQDN. If you are going to use the Server’s FQDN then make sure the Server’s IP address is in the clients DNS Servers field. Server discovery should be fairly quick, you will see iMac01.local’s computer in the first field and you will be prompted for a network user name and password, don’t bother with this just click OK and then continue, you will then see the Server Configuration in the Services window, click OK. Click on Authentication and verify that Custom Path is displayed, you should see /LDAPv3/172.16.16.254 or the server FQDN as the second Directory Domain displayed (the first one will be the local NetInfo node and will be grayed out). Do the same for the Contacts tab, click OK and quit Directory Access, select log out from the Apple menu and you should now see a log in window displaying the local mcadmin account as well as ‘Other’. Click Other, key in andybarton as the name and andyb as the password, you should now be logged into the Home Folder for that user on the server. Launch TextEdit, type a few words and save the Untitled document to the Documents folder, now log out. Go to Workgroup Manager, select Sharing, select Users, select andybarton, select Documents and you should see the Untitled document grayed out.
    Managed Preferences or MCX
    Select the Music Class Group, click on Preferences > Finder > Views > Always > Default View and select the smallest setting for the dock size, click Done, go back to the client and log in again as andybarton and see if the dock size has changed. The order in which managed preferences take precedence are:
    User
    Computer
    Group
    If a setting is defined in Group and also defined differently in Users, the Users setting will take precedence. Managed Preferences can be cumulative also. What can be managed for Users and Groups are the same. Computer Lists are the same with the addition of Energy Saver. Play with these settings as seems appropriate to you. If you decide to manage clients using Computer Lists then create your own (by type and location), try not to use the default lists. The same advice applies to Network Views.
    As time goes by and you become more familiar and comfortable you can start integrating the Software Update Service, NetBoot/NetInstall, Mail Services, Print Services and any other Service that seems appropriate to you.
    Hope this helps, Tony
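    The DNS preconditions spelled out in the replies above (a three-label hostname, nothing in .local, a forward lookup that returns the server's address, and a reverse pointer for that address) and the Kerberos realm and LDAP search base that Tony's walkthrough says are derived from the FQDN can be checked mechanically before promoting a server to Open Directory master. The following is an added example, not code from the thread; the sample `host` output is constructed from the lines quoted in Tony's post, and the checker also flags a reverse record whose name differs from the forward name, which that sample exhibits.

```python
"""Sanity checks for the DNS facts an Open Directory master depends on.

Added example (not from the Apple discussion thread). It parses the output of
the `host` command as quoted in the thread and applies the naming rules the
replies describe. Network access is not needed: feed it captured output.
"""
import re

# `host NAME` forward answer, e.g. "server.highschool.sch.org has address 172.16.16.254"
HOST_A = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")
# `host IP` reverse answer, e.g. "254.16.16.172.in-addr.arpa domain name pointer NAME"
HOST_PTR = re.compile(r"^(\S+)\.in-addr\.arpa domain name pointer (\S+?)\.?$")


def validate_fqdn(fqdn):
    """Return a list of rule violations for a proposed server name.

    Rules taken from the thread: at least three labels (server.yourdomain.com)
    and never in the .local top-level domain, which Bonjour reserves.
    """
    labels = fqdn.strip(".").split(".")
    problems = []
    if len(labels) < 3:
        problems.append("hostname needs at least three labels, e.g. server.yourdomain.com")
    if labels[-1].lower() == "local":
        problems.append(".local is reserved for Bonjour and cannot be used")
    return problems


def kerberos_realm(fqdn):
    """The realm Server Admin pre-fills: the FQDN in upper case."""
    return fqdn.strip(".").upper()


def ldap_search_base(fqdn):
    """The search base Server Admin pre-fills: one dc= component per label."""
    return ",".join("dc=" + label for label in fqdn.strip(".").split("."))


def parse_host_output(text):
    """Split captured `host` output into {name: ip} and {ip: ptr_name} maps."""
    forward, reverse = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_A.match(line)
        if m:
            forward[m.group(1).rstrip(".")] = m.group(2)
            continue
        m = HOST_PTR.match(line)
        if m:
            # in-addr.arpa lists the octets in reverse order; restore them.
            ip = ".".join(reversed(m.group(1).split(".")))
            reverse[ip] = m.group(2).rstrip(".")
    return forward, reverse


def check_dns(fqdn, expected_ip, host_output):
    """Return all findings for the server name against captured host output.

    An empty list means the name is well formed, the forward lookup returns
    expected_ip, and the reverse lookup of expected_ip names the FQDN itself.
    """
    findings = validate_fqdn(fqdn)
    forward, reverse = parse_host_output(host_output)
    ip = forward.get(fqdn)
    if ip is None:
        findings.append("no forward (A) answer seen for %s" % fqdn)
    elif ip != expected_ip:
        findings.append("%s resolves to %s, expected %s" % (fqdn, ip, expected_ip))
    ptr = reverse.get(expected_ip)
    if ptr is None:
        findings.append("no reverse (PTR) answer seen for %s" % expected_ip)
    elif ptr != fqdn:
        findings.append("PTR for %s is %s, not %s" % (expected_ip, ptr, fqdn))
    return findings


# Constructed sample: the two host queries exactly as quoted in the walkthrough.
SAMPLE_HOST_OUTPUT = """\
server.highschool.sch.org has address 172.16.16.254
254.16.16.172.in-addr.arpa domain name pointer host172-16-16-254.in-addr.server.highschool.sch.org
"""

if __name__ == "__main__":
    name, addr = "server.highschool.sch.org", "172.16.16.254"
    print("realm:      ", kerberos_realm(name))
    print("search base:", ldap_search_base(name))
    for finding in check_dns(name, addr, SAMPLE_HOST_OUTPUT) or ["no findings"]:
        print("finding:    ", finding)
```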

  • Connect to Open Directory

    I have a 10.6 server, which I want to connect to a 10.4 Open Directory server located on another machine. I know it's not possible to make it a replica since the version differs, but I know it's possible to use the existing 10.4 master for authentication to a 10.6 server. I have another 10.6 server where it works, but I just can't see what is different between the two 10.6 servers. I've checked everything I can find in the Directory Utility, it's the same. How is this supposed to work? (LDAP is not my key subject, quite bad at that)

    If I recall, 10.4 to 10.5 server was a NASTY update. Apple completely changed the way that the directory works.
    I'm pretty sure there's no way for you to replicate from 10.4 to 10.6. 
    You'd need a computer that's sole purpose was to parse information from 10.4's directory to a database that your 10.6 directory would see as a master 10.6 directory. 
    I wouldn't bother.
    If you need to replicate, you're better off purchasing a new copy of 10.6 server and upgrading your 10.4.  The setup assistant will update the netinfo database from 10.4 for you.
    If you're just looking to back up, then you should perform a database archive and save it to a backup somewhere. 
    If you just like to have said that you've done it, then take a class on Open Directory, and read all about Netinfo.  See if you can't put together something amazing! 
    I know it sounds weird, but when we got open directory to work with active directory in Apple's golden triangle situation, it was one of those things where admins were going, "this can't possibly work."  In fact, I think it was done by a guy that was working for apple at the time but was doing it as a pet project.  He posted the tech info on a discussion board somewhere...  Apple got wind of it, and said, Hey!  That's our employee!  They took it and basically branded it Apple.  Now, it's recommended by apple if you have a win server on site running Active Directory.
    2 cents worth.  

  • 2 Open Directory masters: will I have Kerberos conflicts?

    In the following scenario, will I create a conflict/problem with Kerberos?
    A Faculty Server is faculty.mydomain.org and a separate Student Server is student.mydomain.org (yup, same domain). Both are Open Directory masters (10.4), both have kerberos running. Both are on the same network subnet 255.0.0.0. Both are running DNS.
    Why are they both open directory masters? Because they need not share directory information, and it seems more secure to keep them separate worlds.
    However, I'm reading the Open Directory Administration manual, and it states that if you setup an Open Directory master on a network that has an Active Directory domain, you'll then create a kerberos conflict. It doesn't address if you have 2 Open Directory masters on the same network - but the logic makes sense that you'd create the same conflict - is that true?
    Thank you!

    Jeff - thank you for your reply. I agree - I think I am going about this wrong. I'm stuck in a 6-yr old methodology - and it's time to move on. So, I now have a question about best practices. Would the following be my best scenario - or would you, or others, suggest an alternative setup?
    450 students with 60 desktop client computers employing network home directories, plus another 35 unbound student laptop and old desktop computers not using network or portable home directories. 50 staff members with laptops and desktops that will use a mix of portable home directories, and unbound clients.
    Now, onto a 3 server setup: 1 new Xserve providing Open Directory Kerberos authentication services to all students and staff. 1 new MacPro running Server 10.4 for faculty home directories and services, and another identical MacPro for student home directories and services. All servers using dual ethernet aggregated links to a 1000/100 network (servers will be 2 gigabit, wired clients will be a mix of 1000 or 100mbps, and 54mbps for wireless).
    All systems are on the same network in the same building.
    Should I go this route, or would an Open Directory replication server be the better way to go? Or, something else that I haven't thought of?
    Any constructive thoughts appreciated!
    Message was edited by: Nova

  • Open Directory Replica Over VPN

    Hey All,
    I've got two servers, one in the office running as our Open Directory Master and one that I've placed in a remote data centre as our new web/e-mail box that I'm hoping to make an OD Replica before I move these services out to it.
    After a lot of blood/sweat/tears/coffee I was able to get it connected back to the office over site-to-site VPN with our Linksys RV082 in the office and using raccoon on the remote Tiger Server with the help of s2svpnadmin.
    I've got DNS configured on both and can ping back and forth, resolve back and forth, the VPN tunnel is running quite beautifully as if they were right beside each other on the same switch.
    The remote is on the 192.168.4.x subnet and our internal is on the local 192.168.1.x subnet. Really works well.
    But...
    When I try to make the remote box a replica of our OD Master things seem to go well, but shortly after it's done the initial 'replication' the remote box reverts back into standalone mode and I can't login to it using any directory users. (The local OD Master stays humming along just fine)
    I've found this post that mentions a very similar situation:
    http://discussions.apple.com/thread.jspa?threadID=1173913&tstart=221
    Basically it appears that the Directory Service doesn't like to talk over Tiger Server's own VPN implementation.
    I tried replicating the issue on a remote client's Tiger xServe connecting to their SonicWall and I was able to replicate over to them just fine and it sticks, so it makes me think it's definitely something about the VPN service on Tiger Server.
    This remote box is in a data centre so I want to avoid having to buy and install a dedicated hardware device to solve this problem if I can (not even sure if they'd let me). It seems silly that they wouldn't have tested this configuration as I have to expect that it would be a common one.
    Any help or insight you could offer would be invaluable! Thanks!

    Hey Leif,
    The remote box has a public IP and then I've created an internal duplicate running at 192.168.4.1 with itself as the 'router/gateway'. This seems to work.
    I can ping 'to' the remote box from the office side over the VPN tunnel by pinging '192.168.4.1'.
    And from the remote box I can ping back to the office but only after I add a route:
    route add -net 192.168.1.0/24 192.168.4.1
    ...on the remote machine.
    After that I can get traffic back and forth. It seems to work perfectly.
    I can connect using just about any service I want over the VPN, ex. AFP and things work as if the box was in the office, it's nice.
    My OD Master on the local side is also my Primary DNS Server, the remote box doubles as a Secondary DNS Slave.
    I use views in my DNS to handle both private and public traffic (we're a small business so getting the most out of our gear is important), I can ask both boxes about themselves in both public and private views and they respond correctly.
    Box A: (In The Office)
    (Internal)
    boxa.domain.com has address 192.168.1.170
    170.1.168.192.in-addr.arpa domain name pointer boxa.domain.com.
    (External)
    boxa.domain.com has address 215.25.xx.xx
    xx.xx.25.215.in-addr.arpa domain name pointer boxa.domain.com.
    (Testing Localhost)
    localhost has address 127.0.0.1
    1.0.0.127.in-addr.arpa domain name pointer localhost.
    Box B: (In The Datacentre)
    (Internal)
    boxb.domain.com has address 192.168.4.1
    1.4.168.192.in-addr.arpa domain name pointer boxb.domain.com.
    (External)
    boxb.domain.com has address 216.46.xx.xx
    xx.xx.46.216.in-addr.arpa domain name pointer boxb.domain.com.
    (Testing Localhost)
    localhost has address 127.0.0.1
    1.0.0.127.in-addr.arpa domain name pointer localhost.
    I'm convinced it's something on the remote box as I can get the replication to work reliably when trying another box whose VPN is handled by a dedicated device. I've seen posts like this one:
    http://blog.aaronmarks.com/?p=31
    That seem to discuss similar issues.
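    The forward and reverse lookups pasted above are the kind of thing worth checking mechanically before attempting replication. This is an added example, not code from the original thread: it parses `host`-style output (the sample below is constructed, using the same private addresses as the post) and reports every A record whose PTR is missing or points back to a different name.

```python
import ipaddress
import re

# Constructed sample, modelled on the `host` output in the post above.
# boxc/boxd/boxe are made-up names added to exercise the failure cases.
SAMPLE_OUTPUT = """\
boxa.domain.com has address 192.168.1.170
170.1.168.192.in-addr.arpa domain name pointer boxa.domain.com.
boxb.domain.com has address 192.168.4.1
1.4.168.192.in-addr.arpa domain name pointer boxb.domain.com.
boxc.domain.com has address 192.168.4.2
2.4.168.192.in-addr.arpa domain name pointer boxd.domain.com.
boxe.domain.com has address 192.168.4.3
"""

A_RE = re.compile(r"^(\S+) has address (\d+\.\d+\.\d+\.\d+)$")
PTR_RE = re.compile(r"^(\S+)\.in-addr\.arpa domain name pointer (\S+)\.$")


def parse_host_output(text):
    """Return ({name: set(ips)}, {ip: name}) from `host`-style lines."""
    forward, reverse = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = A_RE.match(line)
        if m:
            name = m.group(1).rstrip(".").lower()
            forward.setdefault(name, set()).add(m.group(2))
            continue
        m = PTR_RE.match(line)
        if m:
            # in-addr.arpa labels are the IPv4 octets in reverse order
            ip = ".".join(reversed(m.group(1).split(".")))
            reverse[ip] = m.group(2).rstrip(".").lower()
    return forward, reverse


def check_consistency(text):
    """List every A record without a PTR, or whose PTR names a different host."""
    forward, reverse = parse_host_output(text)
    problems = []
    for name, ips in sorted(forward.items()):
        for ip in sorted(ips, key=ipaddress.ip_address):
            ptr = reverse.get(ip)
            if ptr is None:
                problems.append(f"{name} -> {ip}: no PTR record")
            elif ptr != name:
                problems.append(f"{name} -> {ip}: PTR points to {ptr}")
    return problems


if __name__ == "__main__":
    for problem in check_consistency(SAMPLE_OUTPUT):
        print(problem)
```

    Run it once per DNS view (internal and external) so that each view is checked against its own answers rather than mixed together.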

  • Open Directory Migration Question

    Setup:
    My company has two servers, both running 10.5.6. We are migrating from the server Fubar (xserve) as it has had a lot of problems and we want to do a fresh install on it (I was not the admin who initially set it up).
    In order to get a 'fresh' OD going, we are recreating all the accounts on the new server Edoras (powerpc mac pro), making sure to preserve UID of the users.
    Problem:
    User A cannot change his password on Edoras after Directory Utility has been changed to point at it. He can change his password locally, but it does not propagate to Edoras, nor does a password change on Edoras affect his local machine.
    The questions I haven't been able to get answers for are:
    * Should the OD search string be different on Fubar and Edoras? Currently our search string is 'dc=fubar,dc=domain,dc=com'.
    * Are there other attributes that have to be set up in OD besides UID? I noticed when using the Target tab in Workgroup Manager that there is a GeneratedUID attribute, does this need to match?
    Thanks for any information/help.

    I did something like this recently. Unfortunately I couldn't get an answer on the Internet and had to re-configure Directory Access on the client machines manually.
    I moved our system from a PowerMac G4 with several upgrades (eSATA card, eSATA Coolgear Enclosure, 7200.11 (yeah I know, bad drives to use) Seagate drives, 1.8 GHz PPC 7447 upgrade, 1.5GB of ram) to a new Mac Pro with a Highpoint RAID controller. The old G4 was very unreliable and couldn't hand
    I had to go to each machine with ARD, open Directory Access, delete the LDAP entry and re-enter it. This was really annoying and confusing for me as the old server and the new server had:
    The same version of OSX (ok, one was a PPC version and I special ordered the Intel version from Apple Tech Support), but they both were running 10.4.11 with the newest security patches.
    The same OD Search Strings
    The same IP Address for the Server
    The same DNS name for the server
    and the same user IDs and group settings
    and I still had to re-do Directory Access using the client machines. Before re-doing the Directory Access re-binding I would try to login. The "other" icon would appear on the login window, but when I would login with the correct username and password the login window would "shake its head" and wouldn't let me login.
    The biggest pain was that portable directories didn't sync correctly anymore, so I had to manually backup, then delete the account, then re-bind, then re-create and restore the portable directory on each laptop manually.
    Unfortunately I do not know the unix command to change directory binding to client computers using ARD. If such a command exists it would make things much easier for you. Does anyone know if a command exists?

  • DNS, Open Directory, and wow my head hurts

    OK, I’m slowly pulling my ear hairs out over this.  My comprehension of the DNS world is modest at best (I know enough to get into trouble). I did not set up most of this (not the DNS parts anyway), and I’m trying to unravel what exactly is going on.  Maybe it’s exactly as it should be; but it seems awfully convoluted to me, so if you’re bored and want to show off your expertise and ability to explain it to a kindergartener, please read on…
    Let’s say my Domain is mydomain.com. (You can probably figure out what it really is, but I’d rather not sprinkle a post with it.)
    Our firewall is a Sophos UT320. It obviously supports forwarding of DNS info from our ISP.  While its own documentation says it does not have a full-fledged DNS server, it does have something called “Static Entries” which seems to be a bare-bones DNS server of sorts. I can set any static domain name (myserver.mydomain.com for example), point it to a server on our LAN, and everyone internally can get to that server by using myserver.mydomain.com instead of 192.168.blah.blah.  It also supports reverse DNS, so if I issue a host 192.168.blah.blah command from my computer, I get “blah.blah.168.192.in-addr.arpa domain name pointer myserver.mydomain.com.” My guess is that it’s only serving up A records.  No one from outside our LAN can access these servers or records (unless they’re on a VPN of course).
    Now, in our lan, we have a bunch of Mac Servers.  Our Open Directory server has DNS service enabled on it, and the primary zone is set to od.mydomain.com.  It has some A records pointing to myserver.mydomain.com, myotherserver.mydomain.com, etc.
    Another server, located at myserver.mydomain.com, has a DNS service whose primary zone is mydomain.com (yes, it matches our external domain name). It contains A records for itself, the OD Server, and others.
    Reverse lookup works fine throughout the lan.
    All DNS Servers’ Forwarders are our router.
    I did a test where I turned off all these internal DNS servers (yes, there’s more) and pointed all the servers to the router. It seemed fine at first, I could issue HOST commands to and from every server to every other one and resolve both names and addresses.  The router seemed to be doing fine.
    After a day or so (I assume after the TTL elapsed), people started getting permissions errors on the servers, so I turned it all back on.
    This is with 10.6.8 Servers (one is running 10.9 but it doesn't seem to have DNS running).
    So here are my questions:
    Why would my OD Server’s DNS Service’s primary zone be “od.mydomain.com” and not just “mydomain.com”?
    Does it make sense (or even matter) to have these DNS entries ending in mydomain.com when that’s our website’s address? (We host our own site and email server, btw.)
    Why would OD not work after all these DNS Servers were turned off, when HOST command shows it can get to every other machine and they can get to it?  What else, besides the A record and reverse lookup, could be included in the full-blown DNS servers that wouldn’t be in the Sophos bare-bones one, but still allow reverse lookups to function?  What else does OD want from DNS??
    Wouldn’t it be better, even if this all was necessary, to set up a single internal DNS Server (ok, maybe plus a backup)?  Why would this service be running, with a variety of A records, on almost every server we have?
    Is there a site that can explain DNS, and actually define every acronym, abbreviation, etc it uses?  Every time I try to learn something I go down a wiki rabbit hole.
    Thanks!
    Jeff

    OK, the answer to this seemed to be to not rely on Sophos' "Static Entries" DNS functionality.  Even though it allows "HOST" commands to work for both reverse and forward lookups, OD and/or Kerberos needs more.  Once I made a zone on our OD Server that listed itself, our replica server, AND our email server (which uses Kerberos), and made what I think is now a proper secondary DNS server on our replica server, and pointed the OD server's DNS to itself, the replica to itself, and kept the email server using the Sophos for DNS, it worked.
