Mac OS X Server: Problems creating Replicas in 10.4.2

Under certain circumstances, a replica that you're trying to create may turn back to Stand Alone, or you see errors in the /Library/Logs/slapconfig.log on the replica, such as:

Authentication failed error is -14098

or

GetReplicaSetup = -14103

This can happen after you change a server's role from replica to Stand Alone and then back to replica. To change the replicas back to Stand Alone and clean up the databases, follow the steps below. All commands run from the Terminal must be run as root.

  1. Make sure the Kerberos server is running on the master. Check the General tab in Server Admin, Open Directory. If it's not, you will need to fix this first.
  2. Change the role of the replica back to Stand Alone.
  3. For the old replica, check Workgroup Manager and make sure there are no Local users with Open Directory password types (the admin may have been set to use such a password). If you find any with Open Directory passwords, change them to use Shadow passwords.
  4. Make sure you have a directory admin that does not have the same short name or user ID (UID) as the local admin. This normally only happens if the server has been upgraded. If you don't, create a new admin in the LDAP domain to use as the directory admin when creating replicas.
  5. Run the following commands as root on the replica, ignoring the message, "No such process - nothing found to load," after entering the NeST command:
    NeST -stoppasswordserver
    mv /var/db/authserver /var/db/authserver.old
    mv /var/db/krb5kdc /var/db/krb5kdc.old
    mv /etc/krb5.keytab /etc/krb5.keytab.old
    mv /Library/Preferences/edu.mit.Kerberos /Library/Preferences/edu.mit.Kerberos.old
    
  6. On the master, open Preferences in Workgroup Manager.
  7. Select "Show all records Tab and Inspector."
  8. Click the Accounts icon, then the target tab.
  9. From the pop-up menu, choose Config.
  10. Remove any passwordserver_XXXXX records (where "XXXXX" is any number), but keep the copy that's named "passwordserver" (without a number appended).
  11. In the passwordserver record, remove any references to the replica in the PasswordServerList. To do this:
    1. Select PasswordServerList.
    2. Click Edit.
    3. Remove the text (see below for the text example).
    4. Click OK.
    5. Save.
  12. Go to Config / ldapreplicas, then to LDAPReadReplicas.
  13. If you see more than one replica, open each to see if it lists its IP address. If it does, select it and press Delete on your keyboard. Do not click the Delete icon, as this will delete the "ldapreplica" record. Click Save.
  14. On the master, back up your /var/db/authserver/authserverreplicas file:
    cp /var/db/authserver/authserverreplicas /var/db/authserver/authserverreplicas.backup
    
  15. Stop the PasswordService:
    NeST -stoppasswordserver
    
  16. Remove the replica (or replicas) from the /var/db/authserver/authserverreplicas file. In the following example text, the replica entries (shown in red in the original article: the "<key>Replicas</key>" line and the "<array>" ... "</array>" blocks that follow it, down to but not including "<key>Status</key>") can be safely removed. Note that you delete the first red line, <key>Replicas</key>, only if you are going to delete all replicas from the list. If you leave any replica in the list, you must also leave this line. In most cases, you will only delete one of the replicas, so you would leave the line. However, in the example below, the line would be deleted because both replicas are being removed:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    	<key>ID</key>
    	<string>BF0AB54BD2C8D84CE5BC4DFC4D726762</string>
    	<key>Parent</key>
    	<dict>
    		<key>DNS</key>
    		<string>ehsodm.eastonsd.org</string>
    		<key>IDRangeBegin</key>
    		<string>0x000000000000000000000000000010ea</string>
    		<key>IDRangeEnd</key>
    		<string>0x000000000000000000000000000012de</string>
    		<key>IP</key>
    		<string>10.90.10.20</string>
    		<key>LastSyncDate</key>
    		<date>2005-08-22T04:00:57Z</date>
    		<key>ReplicaPolicy</key>
    		<string>SyncAnytime</string>
    	</dict>
    	<key>Replicas</key>
    	<array>
    		<dict>
    			<key>IDRangeBegin</key>
    			<string>0x000000000000000000000000000012f2</string>
    			<key>IDRangeEnd</key>
    			<string>0x000000000000000000000000000014e6</string>
    			<key>IP</key>
    			<string>10.90.10.21</string>
    			<key>LastSyncDate</key>
    			<date>2005-08-22T04:00:57Z</date>
    			<key>LastSyncFailedAttempt</key>
    			<date>2005-06-14T01:41:17Z</date>
    			<key>ReplicaName</key>
    			<string>Replica1</string>
    		</dict>
    	</array>
    	<array>
    		<dict>
    			<key>IDRangeBegin</key>
    			<string>0x000000000000000000000000000014e8</string>
    			<key>IDRangeEnd</key>
    			<string>0x000000000000000000000000000016d6</string>
    			<key>IP</key>
    			<string>10.90.10.24</string>
    			<key>LastSyncDate</key>
    			<date>2005-08-22T04:00:57Z</date>
    			<key>LastSyncFailedAttempt</key>
    			<date>2005-06-14T01:41:17Z</date>
    			<key>ReplicaName</key>
    			<string>Replica2</string>
    		</dict>
    	</array>
    	<key>Status</key>
    	<string>AllowReplication</string>
    </dict>
    </plist>
    
  17. On the master, restart the PasswordService:
    NeST -startpasswordserver
  18. Make sure that the /var/db/authserver/authserverreplicas file is correct and not empty:
    more /var/db/authserver/authserverreplicas
    If there is an issue, use the /var/db/authserver/authserverreplicas.backup file and repeat steps 16 to 18. Recheck.
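Steps 16 to 18 edit the authserverreplicas property list by hand and then eyeball the result. The following Python script is an added example, not part of the original article or of Apple's tools; it does the same edit with the standard plistlib module and applies the checks step 18 asks for (file not empty, parses, still describes the master). The embedded plist is a constructed sample modelled on the one above, with placeholder IDs and hostnames; the function names and the list of checks are this example's own choices.

```python
import plistlib
from typing import Iterable, List

# Constructed sample in the shape of /var/db/authserver/authserverreplicas.
# IDs, hostnames and addresses are placeholders, not taken from a real server.
SAMPLE_AUTHSERVERREPLICAS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>ID</key>
	<string>0000EXAMPLEID0000</string>
	<key>Parent</key>
	<dict>
		<key>DNS</key>
		<string>odmaster.example.com</string>
		<key>IP</key>
		<string>10.90.10.20</string>
		<key>ReplicaPolicy</key>
		<string>SyncAnytime</string>
	</dict>
	<key>Replicas</key>
	<array>
		<dict>
			<key>IP</key>
			<string>10.90.10.21</string>
			<key>ReplicaName</key>
			<string>Replica1</string>
		</dict>
		<dict>
			<key>IP</key>
			<string>10.90.10.24</string>
			<key>ReplicaName</key>
			<string>Replica2</string>
		</dict>
	</array>
	<key>Status</key>
	<string>AllowReplication</string>
</dict>
</plist>
"""


def replica_ips(plist_bytes: bytes) -> List[str]:
    """List the IP of every replica currently recorded in the file."""
    doc = plistlib.loads(plist_bytes)
    return [r.get("IP") for r in doc.get("Replicas", [])]


def remove_replicas(plist_bytes: bytes, ips: Iterable[str]) -> bytes:
    """Return a copy of the plist with the replicas whose IP is in `ips` removed.

    Mirrors the rule in step 16: the Replicas key is dropped only when no
    replica remains; otherwise it stays with the surviving entries.
    """
    doc = plistlib.loads(plist_bytes)
    drop = set(ips)
    remaining = [r for r in doc.get("Replicas", []) if r.get("IP") not in drop]
    if remaining:
        doc["Replicas"] = remaining
    else:
        doc.pop("Replicas", None)
    return plistlib.dumps(doc)


def check_authserverreplicas(plist_bytes: bytes) -> List[str]:
    """Step 18 checks: return a list of problems, empty when the file looks sane."""
    if not plist_bytes.strip():
        return ["file is empty"]
    try:
        doc = plistlib.loads(plist_bytes)
    except Exception as exc:  # InvalidFileException or an XML parse error
        return [f"file does not parse as a plist: {exc}"]
    problems = []
    for key in ("ID", "Parent", "Status"):
        if key not in doc:
            problems.append(f"missing top-level key {key}")
    if "Parent" in doc and not doc["Parent"].get("IP"):
        problems.append("Parent record has no IP")
    if "Replicas" in doc and not doc["Replicas"]:
        problems.append("Replicas key present but the array is empty")
    return problems


if __name__ == "__main__":
    # Typical use on the master: read the backup made in step 14, drop one replica,
    # verify, then write the result back to /var/db/authserver/authserverreplicas.
    edited = remove_replicas(SAMPLE_AUTHSERVERREPLICAS, ["10.90.10.21"])
    print("remaining replicas:", replica_ips(edited))
    print("problems:", check_authserverreplicas(edited) or "none")
```

Run it with the PasswordService stopped (step 15), write the output to the real file only after check_authserverreplicas returns no problems, and keep the .backup copy from step 14 untouched so step 18 has something to fall back to.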
Published Date: Oct 7, 2016