If a network user can't be created after you upgrade or migrate to OS X Server

After upgrading or migrating to OS X Server, a "password change denied" alert might appear and network users might not be able to log in.

Check DNS

Check for proper DNS name resolution on the Open Directory server before performing other steps. Improperly configured DNS settings can cause this issue. You need to know the IP address currently assigned to the server and the server's fully qualified domain name.

  1. Open Terminal and type hostname to verify the name of your server. 
  2. Open Server.app and select your server in the sidebar.
  3. Select the Overview tab. Your server's fully qualified domain name should be displayed in the Host Name field.

    If the fully qualified domain name in the Server window doesn't match the result of the hostname command, correct this before proceeding with the next steps in this article. If you are certain the fully qualified domain name assigned to your server's IP address is correct, use the change hostname assistant in Server to set the correct hostname for your server.

  4. Open System Preferences and click the Network icon.
  5. Select the network interface that has been configured for your server. Your server's IP address is listed here.
  6. Note the DNS Servers listed.

If you have configured the DNS server on your server and DNS records have been created for this server, your server should be listed as (not the server's IP address).

If another server on your network is hosting DNS records for your server, that server's IP address should be listed in the DNS Servers field.

If this information is not correct, click the “Advanced…” button and then the DNS tab. The correct DNS server address(es) can be set here.

Testing your DNS settings

You can use Terminal to test name-to-IP-address resolution. Open Terminal (/Applications/Utilities/Terminal.app) and use the following commands:

Use the "host" command to test name-to-IP-address resolution:

host <your server's fully qualified domain name>

The expected output is <your server's fully qualified domain name> has address <your ip address>

You can also use the "host" command to test IP-address-to-name resolution:

host <your ip address>

The expected output is <your ip address>.in-addr.arpa domain name pointer <your server's fully qualified domain name>

If the host commands above do not produce the expected output, you might need to correct your DNS settings or the server's Host Name (the fully qualified domain name). Do this before attempting to rekerberize your server.
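
The two host checks above, combined with the hostname comparison, can be run as one shell script. This is an added example, not part of the original article; the function names, the --live argument, and the example.com and 10.0.1.5 sample values are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: confirm forward and reverse DNS agree with the server's
# host name before rekerberizing. Parses the "host" output format shown above.

# Print the IPv4 addresses from "host <fqdn>" output ("<name> has address <ip>").
forward_addrs() {
    printf '%s\n' "$1" | awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Print the names from "host <ip>" output ("... domain name pointer <name>."),
# lower-cased and without the trailing root dot.
reverse_names() {
    printf '%s\n' "$1" | awk '$2 == "domain" && $3 == "name" && $4 == "pointer" {
        n = tolower($5); sub(/\.$/, "", n); print n }'
}

# check_dns <fqdn> <ip> <forward output> <reverse output>
# Returns 0 only if the name resolves to the IP and the IP points back to the name.
check_dns() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); fqdn=${fqdn%.}
    ip=$2
    status=0
    case "$fqdn" in
        *.*) ;;
        *) echo "FAIL: '$fqdn' is not fully qualified"; status=1 ;;
    esac
    if ! forward_addrs "$3" | grep -qxF "$ip"; then
        echo "FAIL: $fqdn does not resolve to $ip"; status=1
    fi
    if ! reverse_names "$4" | grep -qxF "$fqdn"; then
        echo "FAIL: $ip does not point back to $fqdn"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: forward and reverse DNS match for $fqdn"
    return "$status"
}

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    # Live use on the server: sh check_dns.sh --live <your ip address>
    name=$(hostname)
    check_dns "$name" "$2" "$(host "$name" 2>&1)" "$(host "$2" 2>&1)"
else
    # Constructed sample output (example.com and 10.0.1.5 are placeholders).
    check_dns server.example.com 10.0.1.5 \
        'server.example.com has address 10.0.1.5' \
        '5.1.0.10.in-addr.arpa domain name pointer server.example.com.'
fi
```

A FAIL line means the DNS settings or Host Name still need correcting before the rekerberize commands are run.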

Rekerberize your server

After you have confirmed or corrected your DNS information, close System Preferences and quit Server.app. Then, use the Terminal commands for the version of OS X you're using to rekerberize your server.

OS X Yosemite

For OS X Yosemite, use the following Terminal commands on the Open Directory server.

sudo mkdir /var/db/openldap/migration/ 
sudo touch /var/db/openldap/migration/.rekerberize 
sudo slapconfig -firstboot

Open Server.app and make sure your network users can log in.

OS X Mavericks

For OS X Mavericks, use the following Terminal commands on the Open Directory server.

sudo mkdir /var/db/openldap/migration/ 
sudo touch /var/db/openldap/migration/.rekerberize 
sudo killall PasswordService 

Open Server.app and make sure your network users can log in.