diff --git a/src/directoryserver.js b/src/directoryserver.js
index d96f68873..de8e2fcd9 100644
--- a/src/directoryserver.js
+++ b/src/directoryserver.js
@@ -78,7 +78,12 @@ async function applyConfig(config) {
 const [error] = await safe(shell.promises.sudo('setLdapAllowlist', [ SET_LDAP_ALLOWLIST_CMD ], {}));
 if (error) throw new BoxError(BoxError.IPTABLES_ERROR, `Error setting ldap allowlist: ${error.message}`);
- if (config.enabled) await start(); else await stop();
+ if (!config.enabled) {
+ await stop();
+ return;
+ }
+
+ if (!gServer) await start();
 }
 async function setConfig(directoryServerConfig) {
@@ -320,7 +325,7 @@ async function userAuth(req, res, next) {
 }
 async function start() {
- if (gServer) return; // already running
+ assert(gServer === null, 'Already running');
 const logger = {
 trace: NOOP,
@@ -386,11 +391,13 @@ async function stop() {
 debug('stopping server');
- gServer.close();
+ await util.promisify(gServer.close.bind(gServer))();
 gServer = null;
 }
 async function checkCertificate() {
+ assert(gServer !== null, 'Directory server is not running');
+
 const certificate = await reverseProxy.getDirectoryServerCertificate();
 if (certificate.cert === gCertificate.cert) {
 debug('checkCertificate: certificate has not changed');
diff --git a/src/ldap.js b/src/ldap.js
index 0d6b2e87e..0893aecb4 100644
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -635,6 +635,8 @@ async function maybeRootDSE(req, res, next) {
 }
 async function start() {
+ assert(gServer === null, 'Already started');
+
 const logger = {
 trace: NOOP,
 debug: NOOP,
diff --git a/src/oidc.js b/src/oidc.js
index 5318ed33d..3f3136331 100644
--- a/src/oidc.js
+++ b/src/oidc.js
@@ -686,6 +686,8 @@ async function renderError(ctx, out, error) {
 }
 async function start() {
+ assert(gHttpServer === null, 'Already started');
+
 const app = express();
 gHttpServer = http.createServer(app);
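Review bot: The `if (!gServer) await start();` guard in applyConfig() of src/directoryserver.js is a check-then-act that spans awaits, while start() now asserts instead of returning when a server already exists. If two config updates can run concurrently (setConfig presumably backs the config route exercised in the test file), both may pass the check before gServer is assigned. Where that assignment happens is outside this hunk, but the second call would then either trip the assert or bind a second listener. Either serialize applyConfig() or state the assumption next to the guard, e.g. `// applyConfig must not run concurrently: start() asserts gServer === null`.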
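Review bot: Replacing the idempotent `if (gServer) return;` in start() of src/directoryserver.js with `assert(gServer === null, 'Already running')` changes the function's contract: a caller outside this diff that still invokes start() on a running server now gets an AssertionError instead of a no-op. The same holds for the asserts added to start() in src/ldap.js and src/oidc.js. It also holds for `assert(gServer !== null, 'Directory server is not running')` in checkCertificate(), which will throw whenever the directory server is disabled unless its caller checks first. None of those call sites are visible here, so they should be audited. A one-line comment above each assert, such as `// precondition: caller has checked server state (see applyConfig)`, would record the new contract. The body of start() continues outside the hunk.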
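Review bot: In stop() of src/directoryserver.js, `gServer = null;` now runs only after the promisified close() settles, so if close() reports an error or never completes, the handle stays set and a later applyConfig() with enabled=true will skip start(). If gServer.close follows Node's net.Server semantics (not confirmable from this hunk), its callback fires only once existing connections have ended. In that case already-connected LDAP clients keep being served and the disable request stays pending until they disconnect. Disabling the directory server is effectively an access-revocation step, so consider ending live connections explicitly or bounding the wait, and decide deliberately what gServer should hold when close() fails. The opening lines of stop() are outside the hunk.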
@@ -826,6 +828,5 @@ async function stop() {
 if (!gHttpServer) return;
 await util.promisify(gHttpServer.close.bind(gHttpServer))();
- gHttpServer = null;
 }
diff --git a/src/routes/test/directoryserver-test.js b/src/routes/test/directoryserver-test.js
index 5498691a5..fa32b59be 100644
--- a/src/routes/test/directoryserver-test.js
+++ b/src/routes/test/directoryserver-test.js
@@ -45,6 +45,7 @@ describe('Directory Server API', function () {
 it('cannot set directory_server config without secret', async function () {
 let tmp = JSON.parse(JSON.stringify(defaultConfig));
+ tmp.enabled = true;
 delete tmp.secret;
 const response = await superagent.post(`${serverUrl}/api/v1/directory_server/config`)
@@ -103,5 +104,18 @@ describe('Directory Server API', function () {
 expect(response.statusCode).to.equal(200);
 expect(response.body).to.eql({ enabled: true, secret: 'ldapsecret', allowlist: '1.2.3.4' });
 });
+
+ // keep this last. this ensures directory server is stopped and the tests can exit
+ it('can disable directory_server config', async function () {
+ let tmp = JSON.parse(JSON.stringify(defaultConfig));
+ tmp.enabled = false;
+ tmp.secret = 'ldapsecret';
+
+ const response = await superagent.post(`${serverUrl}/api/v1/directory_server/config`)
+ .query({ access_token: owner.token })
+ .send(tmp);
+
+ expect(response.statusCode).to.equal(200);
+ });
 });
 });
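Review bot: As rendered, the line removed from stop() in src/oidc.js reads `gHttpServer = null;`, although the `-` marker may instead belong to a blank line just before it; this page cannot distinguish the two. If the assignment itself was dropped, gHttpServer stays set after the awaited close(). The `assert(gHttpServer === null, 'Already started')` added to start() in this same commit would then fail on any stop-then-start sequence. It is worth confirming that stop() still ends with `gHttpServer = null;` after the close.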
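Review bot: The teardown in 'can disable directory_server config' only works while it remains the last `it` in the suite, so it is skipped when the run bails on an earlier failure or when a single test is selected, and the listener can then keep the process alive. Moving the disable request into an `after()` hook would make cleanup independent of test order. The test also asserts only `statusCode` 200; reading the config back and expecting `enabled` to be false would confirm that the server was actually switched off rather than just that the request was accepted.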