I'm working for a charter middle school with a 1-to-1 MacBook initiative. We've got one lone Xserve supporting about 200 MacBook Airs for students, as well as 15 MacBook Pros and 4 iMacs for staff. It's my first experience being a server admin for an OS X Server -- my background is in Windows Server with mixed-OS clients. I have to say that I am not at all impressed.

Anyway, getting to the issue, the server randomly denies AFP connections going to its FQDN (xserve.arsnc.private). As a result, students get errors upon login when it tries to mount their network home / sync their mobile account, and encounter great difficulty accessing other sharepoints. Oddly enough, AFP connections *always* work when using the IP address (192.168.2.200).

Aside from that, Open Directory has been randomly removing users from their groups, randomly changing service access settings for users, and occasionally dropping user passwords. I've had to reboot the server on several occasions because it refuses any and all authentication requests -- meaning nobody can log in at all.

I've spoken to a few people about the AFP issue. Most point to DNS -- "you shouldn't use .private," "you probably have multiple A records," etc. Unfortunately, the Apple consultant that upgraded the server to 10.7 chose the .private domain, and there's no way I can reimage or reconfigure every single MacBook until next summer. I've wiped out all the DNS settings and started over from scratch. Running both dig and nslookup returns correct results.

There seems to be no rhyme or reason to which users have problems. In the logs, the two most common messages are "Misconfiguration in the hash 'Kerberos'," and "Client response doesn't match what we generated."

Can anyone point me toward a solution? I've spent days Googling the issues. As far as I've been able to tell, it's just a common issue in Lion Server and there is no resolution.