Mac OS X Server Advanced Server Administration Version 10.
Apple Inc. © 2009 Apple Inc. All rights reserved. Finder, QuickTime Broadcaster are trademarks of Apple Inc. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. This product includes BSD (4.
Contents

Preface: About This Guide
  What’s in This Guide
  Using Onscreen Help
  Document Road Map
  Viewing PDF Guides Onscreen
  Printing PDF Guides
  Getting Documentation Updates
  Getting Additional Information

Chapter 1: System Overview and Supported Standards
  System Requirements for Installing Mac OS X Server v10.6
  What’s New in Mac OS X Server v10.

Chapter 2: Planning Server Usage
  Understanding Backup Types
  Understanding Backup Scheduling
  Understanding Restores
  Other Backup Policy Considerations
  Command-Line Backup and Restoration Tools
  Understanding Time Machine as a Server Backup Tool

Chapter 3: Administration Tools
  Server Admin
  Opening and Authenticating in Server Admin
  Server Admin Interface
  Customizing the Server Admin Environment
  Server Assistant
  Se

Chapter 4: Enhancing Security
  Single Sign-On
  About Certificates, SSL, and Public Key Infrastructure
  Public and Private Keys
  Certificates
  About Certificate Authorities (CAs)
  About Identities
  About Self-Signed Certificates
  About Intermediate Trust
  Certificate Manager in Server Admin
  Readying Certificates
  Creating a Self-Signed Certificate
  Requesting a Certificate from a Certificate Authority
  Creating a Certificate Authority
  Using a CA to Creat

Chapter 5: Installation and Deployment
  About Starting Up for Installation
  Before Starting Up
  Starting Up from the Install DVD
  Starting Up from an Alternate Partition
  Remotely Accessing the Install DVD
  About Server Serial Numbers for Default Installation Passwords
  Identifying Remote Servers When Installing Mac OS X Server
  Starting Up from a NetBoot Environment
  Preparing Disks for Installing Mac OS X Server
  Choosing a File System
  Installing Server Software Interactively
  Installing L

Chapter 7: Ongoing System Management
  Computers You Can Use to Administer a Server
  Setting Up an Administrator Computer
  Using a Non-Mac OS X Computer for Administration
  Using the Administration Tools
  Working with Pre-v10.6 Computers from v10.

  Eliminating Single Points of Failure
  Using Xserve for High Availability
  Using Backup Power
  Setting Up Your Server for Automatic Restart
  Ensuring Proper Operational Conditions
  Providing Open Directory Replication
  Link Aggregation
  About the Link Aggregation Control Protocol (LACP)
  Link Aggregation Scenarios
  Setting Up Link Aggregation in Mac OS X Server
  Monitoring Link Aggregation Status
  Load Balancing
  Daemon Overview
  Viewing Running Daemons
  Using l

Chapter 9: Push Notification Server (page 188)
  About Push Notification Server (page 188)
  Starting and Stopping Push Notification (page 189)
  Changing a Service’s Push Notification Server (page 190)

Index (page 191)
Preface: About This Guide

This guide provides a starting point for administering Mac OS X Server v10.6 using its advanced administration tools. It contains information about planning, practices, tools, installation, deployment, and more, all using Server Admin. Advanced Server Administration is not the only guide you need when administering a server in advanced mode, but it gives you a basic overview of planning, installing, and maintaining Mac OS X Server using Server Admin.
Using Onscreen Help

You can get task instructions onscreen in Help Viewer while you’re managing Mac OS X Server v10.6. You can view help on a server or an administrator computer. (An administrator computer is a Mac OS X computer with Mac OS X Server v10.6 administration software installed on it.)

To get the most recent onscreen help for Mac OS X Server v10.6:
• Open Server Admin or Workgroup Manager and then:
  • Use the Help menu to search for a task you want to perform.
Document Road Map

Mac OS X v10.6 has a suite of guides that cover management of individual services. Each service may depend on other services for maximum utility. The road map below shows some related documentation that you may need to fully configure your desired service to your specifications. You can get these guides in PDF format from the Mac OS X Server documentation website: www.apple.
Viewing PDF Guides Onscreen

While reading the PDF version of a guide onscreen:
• Show bookmarks to see the guide’s outline, and click a bookmark to jump to the corresponding section.
• Search for a word or phrase to see a list of places where it appears in the document. Click a listed place to see the page where it occurs.
• Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.
Getting Documentation Updates

Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.
• To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click “Latest help topics” or “Staying current” in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server documentation website: www.
Chapter 1: System Overview and Supported Standards

Mac OS X Server gives you everything you need to provide standards-based workgroup and Internet services — delivering a world-class UNIX server solution that’s easy to deploy and easy to manage. This chapter contains information to make decisions about where and how you deploy Mac OS X Server.
What’s New in Mac OS X Server v10.6

Mac OS X Server v10.6 offers major enhancements in several key areas:
• Address Book Server: Mac OS X Server v10.6 introduces the first open standards-based Address Book Server. Based on the emerging CardDAV specification, which uses WebDAV to exchange vCards, it shares contacts across multiple computers.
• Remote Access: Mac OS X Server v10.
• OpenCL support: Mac OS X Server v10.6 supports OpenCL and makes it possible for developers to use the GPU for general computational tasks.

What’s New in Server Admin

Included with Mac OS X Server v10.6 is Server Admin, Apple’s powerful, flexible, full-featured server administration tool. Server Admin is reinforced with improvements in standards support and reliability.
The following table highlights the capabilities of each configuration tool.

Service | Set in initial server setup | Server Preferences | Server Admin
Address book | Optional | Yes | Yes
Backup your data (websites, databases, calendar files, etc.
Open Directory master (user accounts and other data) | Optional | Optional | Yes
Podcast Producer | No | No | Yes
Policies and managed preferences | No | Use Workgroup Manager | Use Workgroup Manager
Print | No | No | Yes
Push notification | Automatic | Automatic | Yes
QuickTime Streaming | No | No | Yes
RADIUS | No | No | Yes
Remote login (SSH) | Optional | Use System Preferences | Yes
Software update | No | No | Yes
Time Machine backup of client Macs | O
A standards-based directory services architecture offers centralized management of network resources using any LDAP server, even proprietary servers such as Microsoft Active Directory. The open source UNIX foundation makes it easy to port and deploy existing tools to Mac OS X Server.
• Web Technologies: Mac OS X Server is a complete AMP stack (a bundle of integrated Apache-MySQL-PHP/Perl/Python software). Mac OS X Server web technologies are based on the open source Apache web server, the most widely used HTTP server on the Internet. With performance optimized for Mac OS X Server, Apache provides fast, reliable web hosting and an extensible architecture for delivering dynamic content and sophisticated web services.
• XMPP: Extensible Messaging and Presence Protocol (XMPP) is an open XML-based messaging protocol used for messaging and presence information. XMPP serves as the basis for Mac OS X Server’s Push Notification service, as well as iChat Server, and all publish and subscribe functions for the server.

Mac OS X Server’s UNIX Heritage

Mac OS X Server has a UNIX foundation built around the Mach microkernel and the latest advances from the Berkeley Software Distribution (BSD) open source community.
Chapter 2: Planning Server Usage

Before installing and setting up Mac OS X Server, do a little planning and become familiar with your options.
During the planning stage, you’ll also decide which installation and server setup options best suit your needs. For example, Getting Started contains an example that illustrates server installation and initial setup in a small business scenario with the server using Server Preferences.

Determining Whether to Upgrade or Migrate

If you’re using a previous version of Mac OS X Server and you want to reuse data and settings, you can upgrade or migrate to v10.6. You can upgrade to Mac OS X Server v10.
If you’ve been planning to replace a Windows NT computer, consider using Mac OS X Server with its extensive built-in support for Windows clients. Make sure that administrators familiar with these other systems are part of the planning process.
• Home folders for network users can be consolidated onto one server or distributed among various servers. Although you can move home folders, you might need to change a large number of user and share point records, so devise a strategy that will persist for a reasonable amount of time. For information about home folders, see Mac OS X Server help or the Mac OS X Server Resources website at www.apple.com/server/macosx/resources/.
Defining a Migration Strategy

If you’re using Mac OS X Server v10.4–10.5 or a Windows-based server, examine the opportunities for moving data and settings to Mac OS X Server v10.6.

Upgrading and Migrating from an Earlier Version of Mac OS X Server

If you’re using computers with Mac OS X Server v10.4 or v10.5, consider upgrading or migrating them to Mac OS X Server v10.6. If you’re using Mac OS X Server v10.5 or v10.
The first aspect primarily involves directory services integration. Identify which Mac OS X Server computers will use existing directories (such as Active Directory, LDAPv3, and NIS directories) and existing authentication setups (such as Kerberos). For options and instructions, see the additional information at the Mac OS X Server Resources website at www.apple.com/server/macosx/resources/.
For example, if you use Mac OS X Server to provide DHCP, network time, or BootP services to other servers, you should set up the servers that provide these services and initiate the services before you set up servers that depend on those services. The amount of setup infrastructure you require depends on the complexity of your site and what you want to accomplish.
Making Sure Required Server Hardware Is Available

You might want to postpone setting up a server until all its hardware is in place. For example, you might not want to set up a server whose data you want to mirror until all disk drives you need for mirroring are available. You might also want to wait until a RAID subsystem is set up before setting up a home folder server or other server that will use it.
Understanding Backup and Restore Policies

There are many reasons to have a backup and restore policy. Your data is subject to failure because of failed components, natural or man-made disasters, or data corruption. Sometimes data loss is beyond your control to prevent, but with a backup and restore plan, you can restore your data. You need to customize backup and restore policies to take into account your situation: what data needs to be saved, how often, and how much time and effort restoring it takes.
Your organization must determine the following:
• What must be backed up?
• What should not be backed up (as per organization policy)?
• How granular are the restoration needs?
• How often is the data backed up?
• How accessible is the data: in other words, how much time will it take to restore it?
• What processes are in place to recover from a disaster during a backup or restore?
The answers to these questions are an integral part of your backup and restore policy.
Understanding Backup Scheduling

Backing up files requires time and resources.
Consider the following questions:
• How long will it take to restore data at each level of granularity? For example, how long will a deleted file or email take to restore? How long will a full hard disk image take to restore? How long would it take to return the whole network to its state three days ago?
• What process is most effective for each type of restore? For example, why would you roll back the entire server for a single lost file?
• How much administrator action is necessary for each type of r
• Capacity. If you back up only a small amount of data, low-capacity storage media can do the job. But if you need to back up large amounts of data, use high-capacity devices, such as a RAID.
• Speed. When your goal is to keep your server available most of the time, restoration speed becomes a big factor in deciding which type of media to choose. Tape backup systems can be very cost effective, but they are much slower than a RAID.
• Reliability.
For example, Time Machine doesn’t back up user and group directory records, email, DNS records, Address Book shared groups, iCal Server calendars, and so forth. It only saves the settings made in Server Preferences and Server Admin, and whether a service is on or off.
Chapter 3: Administration Tools

Manage Mac OS X Server using graphical applications or command-line tools. Mac OS X Server v10.6 administration applications must be run from either Mac OS X Server v10.6 or Mac OS X v10.6.

Server Admin

You use Server Admin to administer services on Mac OS X Server computers. Server Admin also lets you specify settings that support multiple services, such as creating and managing SSL certificates, managing file sharing, and specifying which users and groups can access services.
Server Admin Interface

The Server Admin interface is shown here, with each element explained in the following table. [Figure: Server Admin window with callouts A through O]

A Server List: Shows servers, groups, smart groups, and if desired, the administered services for each server. You select a group to view a status summary for all grouped computers. You select a computer for its overview and server settings. You select a server’s service to control and configure the service.
D Main Work Area: Shows status and configuration options. This looks different for each service and for each context button selected.
E Available servers: Lists the local-network scanner, which you can use to discover servers to add to your server list.
F All Servers: Shows all computers added to Server Admin, regardless of status.
G Server: Shows the hostname of the managed server. Select to show a hardware, operating system, active service, and system status summary.
Server Assistant

Server Assistant is used for:
• Remote server installations
• Initial setup of a local server
• Initial setup of remote servers
• Preparing data for automated setup
The Server Assistant initial page is shown here. Server Assistant is opened from the Server menu of Server Admin.
Server Preferences

Server Preferences is the simplified administration application you need for managing Mac OS X Server v10.6. You can use Server Preferences in addition to or instead of Server Admin and Workgroup Manager:
• Manage basic user and group settings.
Workgroup Manager Interface

The Workgroup Manager interface is shown here, with each element explained in the following table. [Figure: Workgroup Manager window with callouts A through J]

A Server Admin: Click to open the Server Admin application.
B Settings Buttons: Click Accounts to view or edit account settings, or click Preferences to view or edit preference settings.
C Tool Bar: Click the icons to accomplish the various commands. The toolbar is customizable.
D Directory path: Use to view the directory you are editing.
Customizing the Workgroup Manager Environment

There are several ways to tailor the Workgroup Manager environment:
• To open Workgroup Manager Preferences, choose Workgroup Manager > Preferences. You can configure options such as whether DNS names are resolved, whether the Inspector is enabled, whether you must enter a search query to list records, and the maximum number of displayed records.
• To customize the toolbar, choose View > Customize Toolbar.
To identify the Xserve computer to monitor, click Add Server, identify the server, and enter user name and password information for an administrator of the server. If adding the local server, use “127.0.0.1” for the IP address. If adding a remote server, enter the server’s LOM hostname or IP address. To specify how often you want to refresh data, use the “Update every” pop-up menu in the Info pane. To manage different lists of Xserve computers you want to monitor, choose File > Export or File > Import.
iCal Service Utility

iCal Service Utility gives users access to shared information about locations and resources. Users can use iCal Service Utility to set up information about shared resources and locations for use with iCal Service.

iCal Service Utility Interface

The iCal Service Utility interface is shown here, with each element explained in the following table. [Figure: iCal Service Utility window with callouts A through F]

A Search field: Use to search record types.
System Image Management

You can use the following Mac OS X Server applications to set up and manage NetBoot and NetInstall images:
• System Image Utility creates Mac OS X disk images. It’s installed with Mac OS X Server software in the /Applications/Server/ folder. The System Image Utility interface is shown below.
• Server Admin enables and configures NetBoot service and supporting services. It’s installed with Mac OS X Server software in the /Applications/Server/ folder.
Command-Line Tools

If you’re an administrator who prefers to work in a command-line environment, you can do so with Mac OS X Server. From the Terminal application in Mac OS X, you can use the built-in UNIX shells (sh, csh, tcsh, zsh, bash) to use tools for installing and setting up server software and for configuring and monitoring services. You can also submit commands from a non-Mac OS X computer.
Podcast Capture, Composer, and Producer

Podcast Capture takes audio and video from a local or remote camera, captures screen activity, or uploads QuickTime files into Podcast Producer for encoding and distribution. Podcast Composer creates the workflow instructions for Podcast Producer.

Xgrid Admin

You can use Xgrid Admin to monitor local or remote Xgrid controllers, grids, and jobs. You can add controllers and agents to monitor and specify agents that have not yet joined a grid.
Apple Remote Desktop

Apple Remote Desktop (ARD), which you can optionally purchase, is an easy-to-use network-computer management application. It simplifies the setup, monitoring, and maintenance of remote computers and lets you interact with users. The ARD interface is shown here. You can use ARD to:
• Control and observe computer screens.
• Configure computers and install software.
• Conduct one-to-one or one-to-many user interactions to provide help or tutoring.
Chapter 4: Enhancing Security

By vigilantly adhering to security policies and practices, you can minimize the threat to system integrity and data privacy. Mac OS X Server is built on a robust UNIX foundation that contains many security features in its core architecture. State-of-the-art, standards-based technologies protect your server, network, and data.
About Network Security

Network security is as important to data integrity as physical security. Although someone might immediately see the need to lock down an expensive server, he or she might not immediately see the need to restrict access to the data on that same server. The following sections provide considerations, techniques, and technologies to assist you in securing your network.
This allows an organization to provide services to the external network while protecting the internal network from being compromised by a host in the DMZ. If someone compromises a DMZ host, he or she cannot connect to the internal network. The DMZ is often used to connect servers that need to be accessible from the external network or Internet, such as mail, web, and DNS servers. Connections from the external network to the DMZ are often controlled using firewalls and address translation.
In theory, MAC filtering allows a network administrator to permit or deny network access to hosts and devices associated with the MAC address, although in practice there are methods to avoid this form of access control through address modification (spoofing) or the physical exchange of network cards between hosts.

Transport Encryption

Transferring data securely across a network involves encrypting the packet contents sent between computers.
Most transport encryption requires the participation of both parties in the transaction. Some services (such as SMTP mail service) can’t reliably use such techniques, so encrypting the file itself is the only method of reliably securing the file content. To learn more about file encryption, see “About File Encryption” on page 55.

About File Security

By default, files and folders are owned by the user who creates them.
• Secure VM: Secure VM encrypts system virtual memory (memory data temporarily written to the hard disk), not user files. It improves system security by keeping virtual memory files from being read and exploited.
• Disk Utility: Disk Utility can create disk images whose contents are encrypted and password protected. Disk images act like removable media such as external hard disks or USB memory sticks, but they exist only as files on the computer.
In Mac OS X Server, users trying to access services (like logging in to a directory-aware workstation, or trying to mount a remote volume) must authenticate by providing a login name and password before privileges for the users can be determined. You have several options for authenticating users:
• Open Directory authentication.
• Web Service (Apache via SPNEGO, the Simple and Protected GSS-API Negotiation Mechanism)
• Xgrid
• Storing passwords in user accounts. This approach might be useful when migrating user accounts from earlier server versions. However, this approach may not support clients that require network-secure authentication protocols, such as APOP.
• Non-Apple LDAPv3 authentication. This approach is available for environments that have LDAPv3 servers set up to authenticate users.
Kerberos also provides a single sign-on environment where users must authenticate only once a day, week, or other period of time, easing authentication loads for users. Mac OS X Server and Mac OS X versions 10.3 through 10.6 support Kerberos version 5.

About Certificates, SSL, and Public Key Infrastructure

Mac OS X Server supports services that use Secure Sockets Layer (SSL) to ensure encrypted data transfer.
Web, mail, and directory services use the public key with SSL to negotiate a shared key for the duration of the connection. For example, a mail server will send its public key to a connecting client and initiate negotiation for a secure connection. The connecting client uses the public key to encrypt a response to the negotiation. The mail server, because it has the private key, can decrypt the response.
About Identities Identities are a certificate and a private key, together. The certificate identifies the user, and the private key corresponds to the certificate. A single user can have several identities; for any given user each certificate could have a different name, email address, or issuer. These identities are used for different security contexts.
Several keychains can hold certificates:
• SystemRootCertificates: This keychain holds root certificates that ship with Mac OS X. The certificates already have trust given to them.
• System: This keychain holds certificates that the computer administrator can add. All users on a given client can read from this keychain. The trust settings of a certificate in this keychain can override those of a certificate in SystemRootCertificates.
The Server Admin interface is shown below, with Certificates selected. Certificate Manager provides integrated management of SSL certificates in Mac OS X Server for services that allow the use of SSL certificates. On installation, the server creates a self-signed certificate for immediate use from information you put in during server setup.
When certificates and keys are imported via Certificate Manager, they are put in the /etc/certificates/ directory. The directory contains four PEM formatted files for every identity:
• The certificate
• The public key
• The trust chain
• The concatenated version of the certificate plus the trust chain (for use with some services)
The certificate and trust chain are owned by the root user and the wheel group, with permissions set to 644.
Creating a Self-Signed Certificate

A self-signed certificate is generated at server setup. Although it is available for use, you may want to customize the information in the certificate by creating a new self-signed certificate. This is especially important if you plan on having a CA sign your certificate. When you create a self-signed certificate, Certificate Manager creates a private–public key pair in the System keychain with the key size specified (512 to 2048 bits).
4. Click the Action button below the certificates list and choose “Generate Certificate Signing Request (CSR).” Certificate Manager creates the signing request and shows the ASCII text version in the sheet.
5. Click Save to save the CSR to disk. Your CA will have instructions on how to transfer the CSR to the signer. Some CAs require you to use a web interface; others require sending the CSR in the body of a mail message. Follow the instructions given by the CA.
5. If you override the defaults, provide the following information in the next few screens:
  • A unique serial number for the root certificate
  • The number of days the CA functions before expiring
  • The type of user certificate this CA is signing
  • Whether to create a CA website for users to access for CA certificate distribution
6. Click Continue.
7. Provide the Certificate Assistant with the requested information and click Continue.
Using a CA to Create a Certificate for Someone Else

You can use your CA certificate to issue a certificate to someone else. By doing so you are stating you want to be a trusted party that can certify the identity of the certificate holder. Before you can create a certificate for someone, that person must generate a CSR. The user can use the Certificate Assistant to generate the CSR and mail the request to you. You then use the CSR’s text to make the certificate.
7. Click the Import button. If prompted, enter the private key passphrase.

Managing Certificates

After you create and sign a certificate, you won’t do much more with it. Since certificates cannot be edited, you can either delete, replace, or revoke certificates after they are created. You cannot change certificates after a CA signs them. If the information a certificate possesses (such as contact information) is no longer accurate, or if you believe the private key is compromised, delete the certificate.
For instructions on how to do this, see “Replacing an Existing Certificate” on page 71.

Distributing a CA Public Certificate to Clients

If you’re using self-signed certificates, a warning appears in most user applications saying that the CA is not recognized. Other software, such as the LDAP client, refuses to use SSL if the server’s CA is unknown. Mac OS X Server ships only with certificates from well-known commercial CAs.
5. Click Save.

Renewing an Expiring Certificate

Certificates have an expiration date and must be renewed periodically. Renewing a certificate is the same as replacing a certificate with a newly generated one with an updated expiration date.

To renew an expiring certificate:
1. Request a new certificate from the CA. If you are your own CA, create one using your own root certificate.
2. In Server Admin in the Server list, select the server that has the expiring certificate.
3. Click Certificates.
SSH and SSH Keys

SSH is a network protocol that establishes a secure channel between your computer and a remote computer. It uses public-key cryptography to authenticate the remote computer. It also encrypts traffic and protects the integrity of data exchanged between computers. SSH is frequently used to log in to a remote machine to execute commands, but you can also use it to create a secure data tunnel, forwarding through an arbitrary TCP port. You can also use SSH to transfer files using SFTP and SCP.
The -b flag sets the length of the keys to 1024 bits, -t selects the RSA algorithm, -f sets the file name as id_rsa, and -P followed by two single quote marks sets the private key passphrase to be null. The null private key passphrase allows for automated SSH connections. Keys are equivalent to passwords, so you should keep them private and protected.
4. Copy the public key into the authorized key file by entering the following command: cat id_rsa.
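Because the passphrase-less automation key above is only as safe as the file that holds it and the authorized_keys entry that accepts it, the following added example (not from the Apple guide) checks the private key file's mode and builds a restricted authorized_keys entry that pins the key to one forced command with forwarding and terminal allocation disabled. The key blob, host name and command are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the Apple guide: two checks for a passphrase-less
# automation key such as the one created with
#   ssh-keygen -b 1024 -t rsa -f id_rsa -P ''
# (1) the private key must be readable by its owner alone, and
# (2) the public key should be accepted on the remote host only for a single
#     forced command, with port/agent/X11 forwarding and PTY allocation denied.

# key_mode_ok FILE: return 0 if FILE exists with mode 0600 or 0400, else 1.
# Parses the first ten characters of "ls -ld", which read the same on macOS
# and Linux (a trailing "@" or "+" on macOS falls outside the cut).
key_mode_ok() {
  [ -f "$1" ] || return 1
  perm=$(ls -ld "$1" | cut -c1-10)
  case "$perm" in
    -rw-------|-r--------) return 0 ;;
    *) return 1 ;;
  esac
}

# restricted_key_line PUBKEY_LINE COMMAND: print an authorized_keys entry
# that lets the key run only COMMAND. PUBKEY_LINE is the content of
# id_rsa.pub ("ssh-rsa AAAA... comment"). Lines that are not two or three
# fields, unknown key types, and commands containing a double quote (which
# would break out of the command="..." option) are rejected with status 1.
restricted_key_line() {
  pub=$1
  cmd=$2
  case "$cmd" in *\"*) return 1 ;; esac
  set -- $pub
  [ "$#" -ge 2 ] && [ "$#" -le 3 ] || return 1
  case "$1" in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;
  esac
  printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$cmd" "$pub"
}

# Demonstration on a constructed public key line (the blob is not a real key).
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedSAMPLEkeyDATA0123== automation@server.example'
restricted_key_line "$SAMPLE_PUB" 'shutdown -r now'
key_mode_ok "$HOME/.ssh/id_rsa" || echo "warning: $HOME/.ssh/id_rsa is missing or not mode 0600" >&2
```

Append the printed line to ~/.ssh/authorized_keys on the remote server instead of the bare id_rsa.pub content; the remote sshd then refuses interactive shells and tunnels for that key even if the private key file leaks.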
    #!/usr/bin/perl -w
    # The start of the guide's script (where $server, $match and the SBUFF
    # handle are set up) is not on this page; the lines marked "assumed" are
    # placeholders that make the surviving fragment runnable.
    use strict;
    my $server = 'SERVER_HOSTNAME';   # assumed placeholder
    my $match  = 'PATTERN';           # assumed placeholder
    my $flag   = 0;
    open(SBUFF, '<', 'INPUT_FILE') or die "open: $!";   # assumed placeholder
    while (<SBUFF>) {
        # Count the matches of $match on this line; any hit sets the flag.
        my $count = @{[ $_ =~ /$match/g ]};
        if ($count > 0) { $flag = 1; }
    }
    close SBUFF;
    if ($flag == 1) {
        # The fragment left the ssh command as a bare string, which never runs it;
        # system() executes it (batch mode fails rather than prompting for a password).
        system("ssh $server -x -o batchmode=yes shutdown -r now");
    }

Administration Level Security

Mac OS X Server can use another level of access control for added security. Administrators can be assigned to services they can configure. These limitations are enacted on a server-by-server basis. This method can be used by an administrator with no restrictions to assign administrative duties to other admin group users.
You can determine which services other admin group users can modify. To do this, the administrator making the determination must have full, unmodified access. The process for setting administration level privileges is found in “Tiered Administration Permissions” on page 149.

Service Level Security

You use a Service Access Control List (SACL) to enforce who can use a service. It is not a means of authentication. It is a list of those who have access rights to use a service.
Security Best Practices

Server administrators must make sure that adequate security measures are implemented to protect a server from attacks. A compromised server risks the resources and data on the server and risks the resources and data on other connected systems. The compromised system can then be used as a base to launch attacks on other systems within or outside your network.
• Do not use administrator (UNIX “admin” group) accounts for daily use. Restrict the use of administration privileges by keeping the admin login and password separate from daily use.
• Back up critical data on the system regularly, with a copy stored at a secure off-site location. Backup media is of little use in recovery if it is destroyed with the computer during a fire. Test your backup and recovery contingency plans to ensure that recovery actually works.
Creating Complex Passwords

Use the following tips to create complex passwords:
• Use a mix of alphabetic (upper and lower case), numeric, and special characters (such as ! and @).
• Don’t use words or combinations of words found in a dictionary of any language.
• Don’t append a number to an alphabetic word (for example, “wacky2”) to fulfill the constraint of having a number.
• Don’t substitute “look alike” numbers or symbols for letters (for example, “GR33N” instead of “GREEN”).
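The four tips above can be enforced mechanically before a password is accepted. The following added example (not from the Apple guide) normalizes a candidate by lowercasing it, stripping an appended number and undoing look-alike substitutions, then rejects it if any dictionary word remains inside it; DICT is a constructed stand-in for a real word list such as /usr/share/dict/words.

```shell
#!/bin/sh
# Added example, not from the Apple guide: a checker for the four password
# tips above. DICT is a constructed stand-in for a real word list; on a
# server you would read /usr/share/dict/words (or an organization list) instead.
LC_ALL=C
export LC_ALL
DICT="green wacky apple server password secret"

# normalize WORD: lowercase it, drop any trailing run of non-letters such as
# an appended number (tip 3), and undo look-alike substitutions
# 0->o 1->l 3->e 4->a 5->s 7->t 8->b 9->g @->a $->s (tip 4), so that
# "GR33N" and "wacky2" both compare equal to their dictionary words.
normalize() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z]*$//' | tr '01345789@$' 'oleastbgas'
}

# check_password PASSWORD: return 0 if it passes all four tips, 1 otherwise.
check_password() {
  pw=$1
  # Tip 1: upper case, lower case, a digit and a special character must all appear.
  case "$pw" in *[A-Z]*) ;; *) return 1 ;; esac
  case "$pw" in *[a-z]*) ;; *) return 1 ;; esac
  case "$pw" in *[0-9]*) ;; *) return 1 ;; esac
  case "$pw" in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
  # Tips 2-4: after normalizing, no dictionary word may appear anywhere in the
  # password; a substring match also catches combinations of dictionary words.
  norm=$(normalize "$pw")
  for w in $DICT; do
    case "$norm" in *"$w"*) return 1 ;; esac
  done
  return 0
}

# Demonstration on constructed candidates: the first fails tip 1, the next
# two fail the dictionary rules after normalization, the last one passes.
for candidate in 'wacky2' 'Wacky2!' 'Gr33n!' 'Tq7#vmLp!'; do
  if check_password "$candidate"; then
    echo "accepted: $candidate"
  else
    echo "rejected: $candidate"
  fi
done
```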
Chapter 5: Installation and Deployment
Whether you install Mac OS X Server on a single server or a cluster of servers, there are tools and processes to help the installation and deployment succeed. Some computers come with Mac OS X Server software already installed. Other computers need the server software installed. For example, installing Mac OS X Server v10.6 on a computer with Mac OS X makes the computer a server with Mac OS X Server. Installing Mac OS X Server v10.6 on Mac OS X Server v10.2–v10.
Step 3: Set up the environment
If you are not in complete control of the network environment (DNS servers, DHCP server, firewall, and so forth), coordinate with your network administrator before installing. A functioning DNS system with full reverse lookups and a firewall that allows configuration constitute a minimum for the setup environment. If you plan on connecting the server to an existing directory system, you must also coordinate efforts with the directory administrator.
• “Installing Remotely with Server Assistant” on page 101
• “Installing Remotely with Screen Sharing and VNC” on page 102
• “Using the installer Command-Line Tool to Install Server Software” on page 104

Step 7: Set Up Services
Restart from the target disk to proceed to setup. For more information about server setup, see Chapter 6, “Initial Server Setup.”

System Requirements for Installing Mac OS X Server
The Mac desktop computer or server where you install Mac OS X Server v10.
Setting Up Network Services
Before you can install, you must set up the following for your network service:
• DNS: You must have a fully qualified domain name for each server’s IP address in the DNS system. The DNS zone must have the reverse-lookup record for the name and address pair. Not having a stable, functioning DNS system with reverse lookup leads to service failures and unexpected behaviors.
• Static IP Address: Make sure you have a static IP address already planned and assigned to the server.
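The reverse-lookup requirement can be checked before installation. The following shell script is an added example, not from this guide: it takes forward (A) and reverse (PTR) records in zone-file form, constructed here as sample data, and reports every name/address pair whose PTR record is missing or points at a different name. The example.com names and 192.0.2.x addresses are documentation placeholders.

```shell
# Constructed sample records in zone-file form (not from any real zone).
FORWARD_RECORDS='server1.example.com. IN A 192.0.2.10
server2.example.com. IN A 192.0.2.11
server3.example.com. IN A 192.0.2.12'

# server2 has no PTR at all; server3's PTR names a different host.
REVERSE_RECORDS='10.2.0.192.in-addr.arpa. IN PTR server1.example.com.
12.2.0.192.in-addr.arpa. IN PTR other.example.com.'

# 192.0.2.10 -> 10.2.0.192.in-addr.arpa.
reverse_name() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Prints one line per A record whose PTR is missing or points at a different name.
# Exit status 0 when every name/address pair is consistent, 1 otherwise.
check_reverse_lookups() {
  result=$( { printf '%s\n' "$REVERSE_RECORDS"; printf '%s\n' "$FORWARD_RECORDS"; } | awk '
    # PTR records are read first: owner name -> target host name
    $3 == "PTR" { ptr[$1] = $4; next }
    $3 == "A" {
      split($4, o, ".")
      owner = o[4] "." o[3] "." o[2] "." o[1] ".in-addr.arpa."
      if (!(owner in ptr))       print $1, $4, "missing PTR record"
      else if (ptr[owner] != $1) print $1, $4, "PTR points to " ptr[owner]
    }')
  printf '%s\n' "$result"
  [ -z "$result" ]
}
```

Against a live zone the same comparison is `host server1.example.com` followed by `host 192.0.2.10`; on Mac OS X Server v10.5 and later, `sudo changeip -checkhostname` performs the forward/reverse check for the server’s own primary name. Either way, do it before installing: a server whose name resolves but whose address does not resolve back is the case the bullet above warns about.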
Mac OS X Server Install Disc
The Install Disc has a Documentation folder with Getting Started, Installation & Setup Worksheet, and a Read Me file. It also contains an Other Installs folder, which has the following installer packages:
• ServerAdministrationSoftware.mpkg: Use this package to install the administration tools on a computer running Mac OS X v10.6 to make it an administrator computer.
• iPhoneConfigurationUtility.
When you install and set up Mac OS X Server on a computer that has a display and keyboard, it’s already an administrator computer. To make a computer with Mac OS X into an administrator computer, you must install additional software. Important: If you have administrative applications and tools from Mac OS X Server v10.4 or earlier, do not use them on a computer with Mac OS X v10.6 or Mac OS X Server v10.6. To install Mac OS X Server v10.
Starting Up from the Install DVD
This is the simplest method of starting the computer, if you have physical access to the server and it has a DVD drive.
[Illustration: Installer application or installer tool in Terminal application]
If the target server is an Xserve with a built-in DVD drive, start the server using the Install DVD by following the instructions in Xserve User’s Guide for starting from a system disc. If the target server has no built-in DVD drive, you can use an external FireWire DVD drive.
However, if you are reinstalling regularly, if you are creating an external FireWire drive-based installation to take to various computers, or if you need some other kind of mass distribution (such as clustered Xserves without DVD drives installed), this method can be very efficient. This method is suited to installing on computers that you do not have easy physical access to. With sufficient preparation, this method can be modified for easy mass deployment of licensed copies of Mac OS X Server.
4 Select File > New > Disk Image from .
5 Give the image a name; select Read-only, Read/Write, or Compressed as the image type; and then click Save.
6 After the image is complete, select the image from the list on the left.
7 In the menu, select Images > Scan Images for Restore.
8 Provide an administrator login and password as needed.
The installer disk image can now be restored to your extra partition.
Tip: You can use asr to restore a disk over a network, multicasting the blocks to client computers. Using the multicast server feature of asr, you could put a copy of the installer image on a partition of all computers that can receive the multicast packets. For example, restoring an image called Installer.dmg to the partition ExtraHD would be:
sudo asr restore -s Installer.
This is usually the first eight characters of the server’s built-in hardware serial number. For more information about this password, see “About Server Serial Numbers for Default Installation Passwords” on page 90.
To access the computer with VNC:
1 Start the target computer from the Install DVD for Mac OS X Server v10.6 or later. The procedure you use depends on the target server hardware. To learn more about startup disk options, see “About Starting Up for Installation” on page 84.
2 Identify the target server. If you don’t know the IP address and the remote server is on the local subnet, you can find servers using the command line. For more information about this process, see “Identifying Remote Servers When Installing Mac OS X Server” on page 90.
3 Use the Terminal to open a secure shell connection to the target server. The user name is root.
4 For the password, enter the default password for installation.
You can use the dns-sd tool to identify computers on the local subnet where you can install server software. Enter the following from a computer on the same local network as the server:
dns-sd -B _sa-rspndr._tcp.
This command returns the IP address and the Ethernet ID (in addition to other information) of servers on the local subnet that have started up from the installation disk. Similarly, servers awaiting setup use the service name “_svr-unconfig._tcp.
Step 1: Create a NetInstall image from the Install DVD
This step doesn’t need to be done on the target computer. It can be done on an administrator computer that has enough free space to image the entire Install DVD.
Step 2: Start up the computer from the NetBoot server
There are four ways of doing this, depending on your environment.
To create a NetInstall image from the Install DVD:
1 Launch System Image Utility from /Applications/Server/.
If you’re using an installation disc for Mac OS X Server v10.6, you can perform these tasks from another networked computer using VNC viewer software, such as Apple Remote Desktop, before beginning a clean installation.
WARNING: Before partitioning a disk, creating a RAID set, or erasing a disk or partition on a server, preserve user data you want to save by copying it to another disk or partition.
A case-sensitive volume is supported as a startup volume format. An HFSX file system for Mac OS X Server must be specifically selected when erasing a volume and preparing a disk before initial installation. If you are planning to use NFS, you should use case-sensitive HFSX. An HFSX volume can be case sensitive or case insensitive. Case sensitivity (or lack thereof) is global to the volume. The setting applies to all file and directory names on the volume.
Partitioning a Disk
You can use the Installer to open Disk Utility and then use Disk Utility to partition the installation target disk into desired volumes. You can erase the target volume using the Mac OS Extended format, Mac OS Extended (Journaled) format, Mac OS Extended (Case-Sensitive) format, or Mac OS Extended (Journaled, Case-Sensitive) format. You cannot partition the active startup disk or erase the active startup volume.
Additional information about diskutil and other uses can be found in Introduction to Command-Line Administration. For complete command syntax for diskutil, consult the tool’s man page. The specific command issued depends on your disk format needs and the hardware in use. Take care to use command-line arguments that apply to your specific needs.
You can combine RAID sets to combine their benefits. For example, you can create a RAID set that combines the fast disk access of a striped RAID set and the data protection of a mirrored RAID set. To do this, create two RAID sets of one type and then create a RAID set of another type, using the first two RAID sets as the disks. The RAID sets you combine must be created with Disk Utility or diskutil in Mac OS X v10.4 or later. You cannot mix the method of partitioning used on the disks in a RAID set.
5 Drag the disks to the window.
6 Follow the instructions in the window to set parameters.
7 Click Create.
You can find instructions for partitioning the hard disk into multiple volumes, creating a RAID set, and erasing the target disk or partition by viewing Disk Utility Help. To view Disk Utility Help, open Disk Utility on another Mac computer with Mac OS X v10.6 and choose Help > Disk Utility Help.
From the command line
You can use the diskutil command-line tool to create a RAID set.
Erasing a Disk or Partition
You have several options for erasing a disk, depending on your preferred tools and your computing environment:
• Erasing a disk using Disk Utility: You can use the Installer to open Disk Utility and then use it to erase the target volume or another volume. You can erase the target and all other volumes using the Mac OS Extended format or Mac OS Extended (Journaled) format.
Installing Locally from the Installation Disc
You can install Mac OS X Server directly onto a computer with a display, a keyboard, and a DVD drive attached, as shown in the following illustration:
[Illustration: Installer application or installer tool in Terminal application]
If you have an Install DVD, the optical drive must be able to read DVD discs. You can also install directly onto a computer that lacks a display, keyboard, and optical drive capable of reading your installation disc.
After installation is complete, the target server restarts and you can perform initial server setup. Chapter 6, “Initial Server Setup,” on page 108 describes how.
3 Select the target server from the list of servers waiting for installation. If neither the target server nor the list appears, make sure the target server is on the same local subnet as the administrator computer.
4 If the target computer is not on the same local subnet as the administrator computer, add the server manually.
a Choose Install Remote Server from the Server menu of Server Admin.
b Enter the IP address or DNS name of the target server.
For detailed instructions for connecting to a computer running from an Install DVD, see “Remotely Accessing the Install DVD” on page 88.
Important: If you perform an upgrade, make sure that saved setup data won’t be detected and used by the server. If saved setup data is used, the server settings are not compatible with the saved settings and can cause unintended consequences. For more information, see “How a Server Searches for Saved Setup Data Files” on page 118.
sudo shutdown -r now
# Method 2
sudo systemsetup -liststartupdisks
sudo systemsetup -setstartupdisk

Using the installer Command-Line Tool to Install Server Software
You use the installer tool to install server software on a local or remote computer from the command line. For information about installer, see the installer man page. These instructions assume you started up the computer using the Install DVD, installer partition, or NetInstall disk.
4 If you haven’t already done so, prepare the disks for installation. For more information about preparing the disks for installation, see “Preparing Disks for Installing Mac OS X Server” on page 92. If the target volume has the latest Mac OS X Server v10.5 or 10.4.11 installed, when you run installer it upgrades the server to v10.6 and preserves user files.
Installing Multiple Servers
Most Efficient Methods of Installation
The most efficient method of installation would be completely automated. Opening the Terminal application and using the installer tool to initiate each server software installation doesn’t accomplish this efficiently. However, scripting the command-line tool (using known values for server IP addresses, for example) to automate multiple simultaneous installations can be very efficient.
Upgrading a Computer from Mac OS X to Mac OS X Server
This is not supported in Mac OS X Server v10.6. Perform a clean installation instead.
How to Keep Current
After you’ve set up your server, you’ll want to update it when Apple releases server software updates. There are several ways to access update releases of Mac OS X Server:
• In Server Admin, select a server in the Servers list, then click the Server Updates button.
Chapter 6: Initial Server Setup
Basic characteristics of your Mac OS X Server are established during server setup. The server can operate in three different configurations: advanced, standard, and workgroup. After installing server software, the next task is to set up the server. There are several ways to set up a server:
• Set up servers interactively.
• Automate the setup by using setup data you’ve saved in a file or on a server available to the newly installed server.
If you’re setting up a server without a keyboard or display, you can enter the following in the Terminal application to shut down the server remotely:
sudo shutdown now

Connecting to the Network During Initial Server Setup
Before setting it up for the first time, try to place a server in its final network location (subnet). If you’re concerned about preventing unauthorized or premature access during setup, you can set up a firewall to protect the server while you’re finalizing its configuration.
• Default SSH and Apple Remote Desktop state is enabled.
• Network interfaces (ports) are configured. TCP/IP and Ethernet settings are defined for each port you want to activate.
• Network names are defined. The primary DNS name and computer name are defined by the administrator, and the local hostname is derived from the computer name. For more information about names of Mac OS X Server, see “Understanding Mac OS X Server Names.”
• Basic Directory information is set up.
• Import Users and Groups: This setting connects the server to an existing Open Directory or Active Directory system, importing the users and groups from an existing directory system. You can import Open Directory users or Active Directory users. You must provide a directory administrator name and password.
• Configure Manually: This setting is used to set up the server to obtain directory information from a shared directory domain that’s been set up on another server.
Even if you want to change the server’s directory setup, selecting “Configure Manually” is the safest option, especially if you’re considering changing a server’s shared directory configuration. Changing from hosting a directory to using another server’s shared directory or vice versa, or migrating a shared NetInfo domain to LDAP are examples of directory usage changes you should make after server setup to preserve access to directory information about your network.
To interactively connect to an additional directory server:
1 Open the Accounts pane of System Preferences on your server.
2 Click Login Options and then click Open Directory Utility.
3 Click the Add (+) button, and then choose the directory server from the pop-up menu or enter the directory server’s DNS name or IP address.
4 If the dialog expands to show Client Computer ID, User Name, and Password fields, enter the name and password of a user account on the directory server.
The following illustration shows target servers on the same subnet as the administrator computer in one scenario and target servers on a different subnet in the other scenario. Both setup scenarios can be used to set up servers on the same and different subnets.
[Illustration: Welcome panes for target servers on Subnet 1 and Subnet 2]
If a target server is on a different subnet, you must supply its IP address or DNS name. Servers on the same subnet are listed by Server Assistant, so you select servers from the list.
If the computer you want to configure doesn’t appear in the list, you can add it manually by clicking the Add button and supplying the requested information.
6 Remove computers from the configuration list that you don’t want to set up by selecting them and clicking the Remove button.
7 Authenticate to the target server. You need to authenticate for each listed server by selecting it, clicking Authenticate, and entering the server’s password.
The automatic approach is useful when you:
• Have more than a few servers to set up
• Want to prepare for setting up servers that aren’t yet available
• Want to save setup data for backup purposes
• Need to reinstall servers frequently
You can keep backup copies of setup data files on a network file server. Alternatively, you can store setup data files in a local partition that won’t be erased when you reinstall server software.
You can define generic setup data that can be used to set up any server. For example, you can define generic setup data for a server that’s on order, or to configure 50 Xserve computers you want to be identically configured. You can also save setup data that’s tailored for a server. Important: When you perform an upgrade, make sure that saved setup data won’t be detected and used by the server. If saved setup data is used, existing server settings are overwritten by the saved settings.
Using Encryption with Setup Data Files
Saved setup data can be encrypted for extra security. Before a server sets itself up using encrypted setup data, it must have access to the passphrase used when the data was encrypted. For interactive setup, the passphrase is entered using Server Assistant during setup. If you want to store the passphrase for non-interactive setup, the file containing the passphrase should be named the same as the saved setup data.
If setup data is encrypted, the server needs the correct passphrase before setting itself up. You can use Server Assistant to supply the passphrase interactively, or you can supply it in a file in the same folder as the corresponding auto setup profile, with the same name but a “.pass” extension.
Important: When you perform an upgrade, make sure that saved setup data won’t be detected and used by the server you’re upgrading.
To use setup data from a file remotely:
1 Create the folder for the setup file on the remote server.
a Connect to the remote server.
ssh root@
b Create the saved setup folder on the remote server.
mkdir /Auto\ Server\ Setup
2 Copy the saved setup file from the administrator computer to the remote target computer. The password is the same as for ssh connections during installation.
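The procedure above leaves a saved setup profile and, for encrypted data, a .pass file holding the passphrase in clear text in /Auto Server Setup. As an added example, not from the guide, this shell function audits such a folder: it assumes every profile is encrypted (so each <name>.plist should have a <name>.pass beside it) and that a .pass file should be readable by its owner only. The file names in the usage note are constructed.

```shell
# Audit an "Auto Server Setup" folder before relying on it for unattended setup.
# Assumption for this example: every <name>.plist there is encrypted setup data and
# therefore needs a <name>.pass beside it. A .pass file holds the passphrase in
# clear text, so it must not be readable by group or others.
# Prints one line per problem plus a count; exit status 0 only when the folder is clean.
audit_auto_setup() {
  dir="$1"
  problems=0
  for plist in "$dir"/*.plist; do
    [ -e "$plist" ] || continue                      # glob matched nothing
    if [ ! -f "${plist%.plist}.pass" ]; then
      echo "no passphrase file for ${plist##*/}"
      problems=$((problems + 1))
    fi
  done
  for pass in "$dir"/*.pass; do
    [ -e "$pass" ] || continue
    # permission bits in octal, e.g. 600 or 644: GNU stat first, then Mac OS X stat
    mode=$(stat -c '%a' "$pass" 2>/dev/null || stat -f '%Lp' "$pass")
    case "$mode" in
      ?00) ;;                                        # owner-only access: fine
      *)   echo "${pass##*/} is readable by group/others (mode $mode)"
           problems=$((problems + 1)) ;;
    esac
  done
  echo "$problems problem(s)"
  [ "$problems" -eq 0 ]
}
```

Copy the pair over the same SSH connection used in step 1, for example `scp generic.plist generic.pass root@<server>:"/Auto Server Setup/"`, then run `audit_auto_setup "/Auto Server Setup"` on the target before leaving it to set itself up. A missing .pass file simply makes setup stop and wait for the passphrase; a world-readable one exposes the passphrase to every local user until the folder is removed.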
Handling Setup Errors
When a server encounters a setup problem, Server Assistant shows a description of the setup error and gives some opportunity to either fix it or try again. If you are setting up the target server remotely, you are given the option to share its screen and interact via the Server Assistant.
Setting Up Services
After installation and initial startup, the first time you open Server Admin, you see any services that were configured during server setup listed underneath the server’s name in the server list. If no services were configured during server setup, Server Admin prompts you to select the services you want to configure on the server. You add services for administration and configure services using Server Admin, and add users and groups using Workgroup Manager.
Setting Up Open Directory
Unless your server must be integrated with another vendor’s directory system or the directory architecture of a server you’re upgrading needs changing immediately, you can begin using the directories you configured during server setup. The online help and Mac OS X Server Resources website at www.apple.
Chapter 7: Ongoing System Management
This chapter shows you how to complete ongoing management for your systems, including setting up administrator computers, designating administrators, and maintaining service uptime.
In the following illustration, the arrows originate from administrator computers and point to servers the administrator computers might be used to manage.
[Illustration: a Mac OS X administrator computer with arrows pointing to Mac OS X Servers]
When you’ve installed and set up a Mac OS X Server that has a display, keyboard, and optical drive, it’s already an administrator computer. To make a computer with Mac OS X into an administrator computer, you must install additional software. Mac OS X Server v10.
Using the Administration Tools
Information about administration tools can be found on the pages indicated in the following table.

Use this application or tool | To | See
Command-line tools | Administer a server using a UNIX command shell. | “Command-Line Tools” (page 48)
iCal Service Utility | Add locations and resources to your iCal server. | “iCal Service Utility” (page 46)
Installer | Install server software or upgrade it from v10.4 or 10.5. |
You can use Workgroup Manager on a v10.6 server to manage Mac OS X clients running the latest Mac OS X v10.5. However, after you edit a user record using Workgroup Manager on v10.6, you can only access it using Workgroup Manager on v10.6.

Ports Used for Administration
For Apple’s administration applications to function, the following ports must be enabled.
Server Admin Basics
You use Server Admin to administer services on Mac OS X Server computers. Server Admin also lets you specify settings that support multiple services, such as creating and managing SSL certificates and specifying which users and groups can access services.
Adding and Removing Servers in Server Admin
The servers you can administer using Server Admin appear in the Servers list on the left side of the application window.
If a server in the Servers list appears gray, double-click the server or click the Connect button in the toolbar to log in again. To enable auto-reconnect the next time you open Server Admin, select the “Remember this password in my keychain” option while you log in.
Grouping Servers Manually
Server Admin displays computers in groups in the Server List section of the application’s window. The default server list is called the All Servers list.
• IP address
• OS version
To create a server smart group:
1 Under the Server list at the bottom of the Server Admin window, click the Add (+) button.
2 Select Add Smart Group.
3 Name the smart group.
4 Define the criteria for which servers appear in the list, and click OK.
The group appears in the Server list.

Working with Settings for a Specific Server
To work with general server settings, select a server in the Servers list.
The following table contains a summary of what you find for each button:

Toolbar button | Shows
Overview | Information about the server’s hardware, software, services, and status.
Logs | The system log and security systems log.
Graphs | A pictorial history of server activity.
Sharing | Configuration options for defining file sharing folders, share points, and automounts.
Server Updates | Software updates available from Apple to update the server’s software.
Server-side file tracking for mobile home-sync is a feature of mobile home folders. For information about when to enable this feature, see the online help and Mac OS X Server Resources website at www.apple.com/server/macosx/resources/.
• Network pane: Click Network to view or change the server’s computer name or local hostname, or to see a list of network interfaces and addressing information for this server. The computer name is what a user sees when browsing the network (/Network).
The following sections give guidance regarding the types of changes that will be necessary for a name or IP address change.
Understanding Mac OS X Server Names
Three names are used by Mac OS X Server: computer name, local hostname, and DNS name. They are used by different parts of the system for different reasons, and are not linked. Changing the computer name and the local hostname is not the same thing as changing the DNS name.
Your network configuration might have other domains, computers, and record types that are impacted by a server’s IP address change (SRV records, for instance). These other records should be examined thoroughly after any change to a server’s IP address. If the server is a DNS server, use the tool changeip to change the NS, A, and PTR records. Changing a DNS server’s IP address directly impacts any client computer that uses the DNS server.
Changing the DNS name of the directory server requires that all bound machines be rebound to the new directory name and address. If you have set up a Kerberos environment, the Kerberos realm does not change when the hostname is changed.
Firewall
Changing the IP address of the Firewall can significantly alter the effectiveness of the service. In Mac OS X Server v10.6, IP firewall rules are stored and referenced as address groups.
VPN
VPN servers allocate IP address ranges to VPN clients and mediate DNS queries of VPN clients. Any of these can be affected by a change to the VPN server’s IP address or domain name. Additionally, the VPN server contains routing definitions based on IP addresses. A change to the IP address can make those routing addresses unreachable. Check all the VPN settings when changing the IP address of the VPN server.
MySQL
In general, MySQL is not affected by changing an IP address or DNS name. However, none of the data in the databases is altered when the DNS name or IP address is changed. You are responsible for replacing references to the DNS name and address (if used) in your databases. If you set a database root password, there might be entries in the database GRANT table (database=mysql, table=user) that refer to the previous server DNS name.
For the most part, changing the network address or DNS name of a file server has no internal effect on file services. The file service processes monitor network interfaces for changes and adapt as necessary without administrator intervention. No further configuration is required. A few places might need configuration settings changed:
• SMB: The computer name defaults to the unqualified primary DNS name.
IMAP and POP
Dovecot, the IMAP and POP service, loads the fully qualified domain name at startup and on configuration reload. After a change, Dovecot must be restarted (or, at a minimum, sent a SIGHUP). You must also restart if you manually edited the listen or ssl_listen parameters.
SMTP
Postfix, the SMTP service, is very sensitive to network address and identity changes. The information it stores about the DNS name, the IP address, and network interfaces is loaded only once, at service startup.
Address Book Service
Changing the IP address of an Address Book server does not affect new connections to the server; however, it can disconnect existing client connections. If you manually edited the BindHTTPPorts or BindSSLPorts options in the carddavd.plist file, edit them again and restart the service. Changing the DNS name of an Address Book server necessitates restarting the service. If you manually edited the ServerHostName setting in the carddavd.
Certificates for Collaboration Services
Address Book, iCal, and iChat servers that use SSL will need new certificates. You might need to regenerate or repurchase the certificates. Use Server Admin to import the new certificates, then configure each service’s new certificate.
Understanding IP Address or Network Identity Changes on Podcast Producer
Podcast Producer is a complex service. It uses a number of other services and computers to perform its work.
To change the IP address of the Podcast Producer computer:
1 Stop the Xgrid job queue when empty (or stop and empty it).
2 Reconfigure DNS, Open Directory, DHCP, and other infrastructure services. For example, in DNS, change the A record IP address of the Podcast Producer server.
3 Use changeip to change the IP address of the Podcast Producer server.
4 Restart (or renew the DHCP leases of) all Podcast Camera Agents.
• Software Update Service
• Xgrid
After the Software Update server’s DNS name or IP address changes, a number of changes must be made on the clients. The following guidelines for the server should also be followed.
Print
Print service needs no changes if the IP address changes. If the DNS name changes, the administrator must restart print service to re-register the service with Bonjour and publish the name change. If you made custom configurations of the cupsd.
Changing the IP Address of a Server
You can change the IP address of a server using the Network pane of System Preferences or the networksetup tool. Do not turn off the primary network interface and then turn it back on with a different address. Several services will not get the needed notification to update their configuration. Changing your IP address can have significant unintended consequences, depending on the services your server provides.
You can use the scutil command-line tool to set the computer name and local hostname. For more information, see the scutil man page. Do not use the changeip command-line tool to change computer names, even though the tool is still available.
To change the computer name and local hostname:
• Change the names in the Network pane of the Settings section for the server in Server Admin.
Adding and Removing Services in Server Admin
Server Admin only shows you the services you are administering, hiding all other service configuration panes until needed. Before you can administer a service, it must be enabled for the specific server; then that service appears under the server name in the main Server list.
To add or remove a service in Server Admin:
1 Select the server that will host the service.
2 Click the Settings button in the toolbar.
3 Click Services.
Controlling Access to Services
You can use Server Admin to configure which users and groups can use services hosted by a server. You set up access to services for users and groups using SACLs. You can set up the same access to all services, or you can select a service and customize its access settings. Access controls are simple. Choose between allowing all users and groups to use services or allowing selected users and groups to use services.
Using SSL for Remote Server Administration
You can control the level of security of communications between Server Admin and remote servers by choosing Server Admin > Preferences. By default, Server Admin treats communications with remote servers as encrypted using SSL. This uses a self-signed 128-bit certificate installed in /etc/servermgrd/ssl.crt when you install the server. Communications use HTTPS (port 311).
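Because the servermgrd certificate is self-signed, a Server Admin client has nothing but the certificate itself to verify, so a practical check is to pin its fingerprint. The following shell functions are an added example (not part of the guide or of Server Admin): they compute the SHA-1 fingerprint of the installed /etc/servermgrd/ssl.crt and of the certificate a remote server presents on port 311 and compare the two. Using openssl for this is an assumption; the guide does not describe the mechanism.

```shell
# SHA-1 fingerprint of a PEM certificate file, lowercased for comparison.
cert_fingerprint_file() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | tr 'A-Z' 'a-z'
}

# Fingerprint of the certificate a remote servermgrd presents on port 311 (the
# HTTPS port used by Server Admin). Needs network access to the server.
cert_fingerprint_remote() {
  host="$1"; port="${2:-311}"
  openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//' | tr 'A-Z' 'a-z'
}

# True only when both fingerprints are present and identical; an empty value
# (connection failed, no certificate returned) never matches.
fingerprints_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Compare the certificate file on the server (the path from the guide by default)
# with what a client actually sees when it connects.
verify_servermgrd_cert() {
  cert_file="${1:-/etc/servermgrd/ssl.crt}"
  server="$2"
  expected=$(cert_fingerprint_file "$cert_file")
  actual=$(cert_fingerprint_remote "$server")
  if fingerprints_match "$expected" "$actual"; then
    echo "servermgrd on $server presents the expected certificate ($expected)"
  else
    echo "MISMATCH for $server: expected $expected, got ${actual:-nothing}"
    return 1
  fi
}
```

Run `verify_servermgrd_cert /etc/servermgrd/ssl.crt server.example.com` on the server itself, or from an administrator computer holding a copy of the certificate obtained over an already-trusted channel (the server name is a placeholder). A mismatch means the client is not reaching the expected servermgrd, or the certificate was replaced, and is worth investigating before entering administrator credentials.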
The following is the File Sharing configuration pane in Server Admin.
Tiered Administration Permissions
In previous releases of Mac OS X Server, there were two classes of users: admin and everyone else. Admin users could make any change to the settings of any service or change any directory data, including passwords and password policies. In Mac OS X Server v10.6, you can now grant individuals and groups specific administrative permissions without adding them to the UNIX “admin” group.
Server Admin updates to reflect what operations are possible for a user’s permissions. For example, some services are hidden or the Settings pane is dimmed when you can only monitor that service. Because the feature is enforced on the server side, the permissions also impact the usage of serveradmin, dscl, dsimport, and pwpolicy command-line tools because these tools are limited to the permissions configured for the administrator in use.
The following topics describe general Workgroup Manager usage. Instructions for conducting specific administration tasks are available in Workgroup Manager help and the Mac OS X Server Resources website at www.apple.com/server/macosx/resources/.
Opening and Authenticating in Workgroup Manager
Workgroup Manager is installed in /Applications/Server/. You can open it in the Finder, the Dock, or by selecting View > Workgroup Manager in the menu bar of Server Admin.
The following is a sample user record configuration pane in Workgroup Manager: Initially, accounts listed are those stored in the last directory node of the server’s search path. When you use other Workgroup Manager windows, such as Preferences, click Accounts in the toolbar to return to the account window. To specify the directories that store accounts you want to work with, click the small globe icon. To work with different accounts in different Workgroup Manager windows, click New Window in the toolbar.
Defining Managed Preferences
To work with managed preferences for user accounts, group accounts, or computer lists, click the Preferences icon in the Workgroup Manager toolbar. The following is the User Preference Management Overview pane in Workgroup Manager:
Click Details to use the preference editor to work with preference manifests.
Working with Directory Data
To work with raw directory data, use Workgroup Manager’s Inspector. The following is the record Inspector pane in Workgroup Manager:
To display the inspector:
1 Choose Workgroup Manager > Preferences.
2 Enable “Show ‘All Records’ tab and inspector” and click OK.
3 Select the “All records” button (which looks like a bull’s-eye) to access the Inspector.
4 Use the pop-up menu above the Name list to select the records of interest.
Service Configuration Assistants
Server Admin has configuration assistants to guide you through setting up services that require more setup than a single configuration pane. The assistants present you with all configuration panes necessary to fully enable a service. Assistants are available for the following services:
• Server Assistant: This assistant helps you configure remote servers, install Mac OS X Server remotely, and make automatic server setup data files.
Address Book Service
File type             Location
Configuration files   /etc/cardavd/cardavd.plist
Data                  /Library/AddressBookServer/Documents/

iCal Service
File type             Location
Configuration files   /etc/caldavd/caldavd.plist
Data                  /Library/CalendarServer/Documents/

iChat Server
File type             Location
Configuration files   /etc/jabberd/*
Data                  mysqldump jabberd2 > jabberd2.backup.

Mail—Amavisd
File type                   Location
Configuration files         /etc/amavisd.conf
Data (default locations)    /var/amavis/

Mail—Clam AV
File type                   Location
Configuration files         /etc/clamav.conf
                            /etc/freshclam.conf
Data (default locations)    /var/clamav/
                            /var/virusmails/

Mail—Mailman
File type                   Location
Configuration files         /var/mailman/
Data (default locations)    /var/mailman/

Mail—SpamAssassin
File type                   Location
Configuration files         /etc/mail/spamassassin/local.

Notifications
File type             Location
Configuration files   /etc/emond.d/
                      /etc/emond.d/rules/
                      /Library/Keychains/System.keychain

OpenDirectory Service
The entire Open Directory configuration can be saved with the archive feature.
File type             Location
Configuration files   /etc/openldap/slapd.

Web Service
File type                   Location
Configuration files         /etc/apache2/* (for Apache 2.2)
                            /etc/httpd/* (for Apache 1.3)
                            /etc/webperfcache/*
                            /Library/Keychains/System.keychain
Data (default locations)    /Library/WebServer/Documents/
                            /Library/Logs/WebServer/*
                            /Library/Logs/Migration/webconfigmigrator.log (Apache config migration log)
The default location for web content is configurable and is most likely modified and extended to include multiple virtual host content and WebDAV directories.
Some single points of failure include:
• Computer system
• Hard disk
• Power supply
Although it is almost impossible to eliminate all single points of failure, you should minimize them as much as possible. For example, using a backup computer and a file storage pool for Mac OS X Server eliminates the computer as a single point of failure. Although master and backup computers can fail at once or one after the other, the possibility of such an event happening is negligible.
Using Backup Power
In the architecture of a server solution, power is a single point of failure. If power goes out, your servers go down without warning. To prevent a sudden disruption in services, consider adding a backup source of power. Depending on your application, you might choose to use a standby electrical generator or Uninterruptible Power Supply (UPS) devices to gain enough time to notify users of an impending shutdown of services.
The automatic restart options are:
• Restart automatically after a power failure. The power management unit automatically starts up the server after a power failure.
• Restart automatically if the computer freezes. The power management unit automatically starts up the server after the server stops responding, has a kernel panic, or freezes.
Link Aggregation
Although not common, the failure of a switch, cable, or network interface card can cause your server to become unavailable. To eliminate these single points of failure, you can use link aggregation or trunking. This technology, also known as IEEE 802.3ad, is built into Mac OS X and Mac OS X Server. Link aggregation allows you to aggregate or combine multiple physical links connecting your Mac to a link aggregation device (a switch or another Mac) into a single logical link.
About the Link Aggregation Control Protocol (LACP)
IEEE 802.3ad Link Aggregation defines a protocol called Link Aggregation Control Protocol (LACP) that is used by Mac OS X Server to aggregate (combine) multiple ports into a link aggregate (a virtual port) that can be used for TCP and UDP connections.
Computer to Switch
In the scenario shown in the following illustration, you connect your server to a switch configured for 802.3ad link aggregation.
[Illustration: server1.example.com, 4 x 1 Gbit/s, 10 Gbit/s, Clients]
The switch should have bandwidth for handling incoming traffic equal to or greater than that of the link aggregate (logical link) you define on your server.
For example, you can connect two links to the master switch and the remaining links to the backup switch. As long as the master switch is active, the backup switch remains inactive. If the master switch fails, the backup switch takes over transparently. Although this scenario adds redundancy that protects the server from becoming unavailable if the switch fails, it results in decreased bandwidth.
The interface name bond assigned by the system is different from the name you give to the link aggregate port configuration. The interface name is for use at the command line, but the port configuration name is for use in the Network pane of System Preferences.
Load Balancing
One factor that can cause services to become unavailable is server overload. A server has limited resources and can service a limited number of requests simultaneously. If the server gets overloaded, it slows down and can eventually crash. One way to overcome this problem is to distribute the load among a group of servers (a server farm) using a third-party load-balancing device.
Daemon Overview
By the time a user logs in to a Mac OS X system, a number of processes are running. Many of these processes are known as daemons. A daemon is a background process that provides a service to users. For example, the cupsd daemon coordinates printing requests, and the httpd daemon responds to requests for web pages.
Viewing Running Daemons
To see the daemons running on your system, use the Activity Monitor application (in /Applications/Utilities/).
The launchctl utility is the command-line tool used to control launchd.
Chapter 8: Monitoring Your System
Effective monitoring allows you to detect potential problems before they occur and gives you early warning when they do occur. Detecting potential problems allows you to take steps to resolve them before they affect the availability of your servers. In addition, getting an early warning when a problem occurs allows you to take corrective action quickly and minimize disruption to your services.
Several factors can be considered for a monitoring response:
• What are relevant response methods? In other words, how will the response take place?
• What is the time to response? What is an acceptable interval between failure and response?
• What are the scaling considerations? Can the response plan work with all expected (and even unexpected) frequencies of failure?
• Are there testing monitoring systems in place? How do you know the monitoring policy is catching the data you need, and how do you
A green status indicator shows the component is OK, a yellow status indicator notes a warning, and a red status indicator notes an error. Server Monitor works for Xserves only. For more information about Server Monitor, choose Server Monitor Help from Server Monitor’s Help menu.
Using RAID Admin for Server Monitoring
Like Server Monitor, you can configure RAID Admin to send a mail or a page when a component is in trouble.
df -Hl
Filesystem    Size  Used  Avail Capacity Mounted on
/dev/disk0s9   40G   38G   2.1G      95% /
In this example, the hard disk is almost full with only 2.1 GB left. This tells you that you should act immediately to free space on your hard disk before it fills up and causes problems for your users.
• du. This command tells you how much space is used by specific folders or files. For example, the following command tells you how much space is used by each user’s home folder:
sudo du -sh /Users/*
3.2M /Users/Shared
9.
If you detect an unusual number of requests coming from the same source, use Firewall service to block traffic from that source. For more information about tcpdump, see the corresponding man page. ÂÂ Consider using Ruby, Perl, shell scripts, or AppleScript to automate the monitoring process. For example, using tcpdump to monitor traffic can be time consuming, so automation is necessary.
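The df check above turned into the kind of automated threshold alert the previous paragraph recommends, as an added shell example that is not from the Apple guide; the df output it parses is constructed, and the full_volumes function name is my own.

```shell
#!/bin/sh
# Added example, not part of the Apple guide: report local volumes whose
# capacity is at or above a threshold, using the "df -Hl" layout shown above.
# The Capacity column is located by header name so the check still works on
# df builds that add inode columns.

# Constructed sample of "df -Hl" output so the check can run offline.
SAMPLE_DF='Filesystem    Size  Used  Avail Capacity Mounted on
/dev/disk0s9   40G   38G   2.1G      95% /
/dev/disk1s2  500G  120G   380G      24% /Volumes/Data
/dev/disk2s1  1.0T  920G    80G      92% /Volumes/Backups'

# full_volumes THRESHOLD [DF_OUTPUT]
# Prints "mountpoint capacity%" for each volume at or above THRESHOLD percent.
# With one argument it runs df -Hl on the local system instead of parsing
# the supplied text.
full_volumes() {
    threshold=$1
    if [ $# -ge 2 ]; then
        out=$2
    else
        out=$(df -Hl)
    fi
    printf '%s\n' "$out" | awk -v limit="$threshold" '
        NR == 1 {
            for (i = 1; i <= NF; i++) if ($i == "Capacity") cap = i
            next
        }
        cap && $cap ~ /%$/ {
            pct = $cap
            sub(/%$/, "", pct)
            if (pct + 0 >= limit + 0) print $NF, pct "%"
        }'
}

# Typical use from cron: mail the report to the administrator if non-empty.
# (Run against the constructed sample here so the script works offline.)
report=$(full_volumes 90 "$SAMPLE_DF")
if [ -n "$report" ]; then
    printf 'Volumes at or above 90%% capacity:\n%s\n' "$report"
fi
```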
The following shows a sample Overview pane for a single server. This overview shows basic hardware, operating system versions, active services, and graphs of CPU history, network throughput history, and disk space.
• Use the serveradmin XML web interface.
a Open Safari to the following URL: https://:311/servermgr_info.html
b Select getState from the pop-up menu.
c Click Send Command.
The web page returns an XML text version of the server overview.
When a server kernel panics, it abruptly halts all normal system operations. Usually, a kernel process named panic() outputs an error message to the console and stores debugging information in nonvolatile memory to be written to a crash log file when the computer restarts. Saving the memory contents of the core and associated debugging information is called a “core dump.
Setting Up a Core Dump Server
You can use any Mac OS X v10.5 or later computer that fits the following criteria as a core dump server. The core dump server must:
• Have a static IP address.
• Be IPv4 network-accessible to all clients using UDP port 1069. You cannot put the core dump server behind a firewall or NAT unless all clients using it are also behind it. You cannot use IPv6-only addresses for the server.
• Have enough disk storage space for multiple dumps. In general, core dumps are large.
Setting Up a Core Dump Client
A core dump client sends its kernel panic debug information to the core dump server address specified in its NVRAM settings. The information is transmitted at the time of the panic, so before restarting the computer, allow some time for the data to be sent to the server. The time necessary depends on the file size of the core dump and the speed of the network connection between the client and server. For clients using v10.5 or earlier, see developer.apple.
Configuring Common Core Dump Options
By default, core dumps happen using UDP port 1069 over the built-in Ethernet (en0) interface, and the resulting files are stored in /PanicDumps on the core dump server. However, you can configure the core dump to use:
• An alternate UDP port
• An alternate network interface
• An alternate file destination
• A specific network router
Changing any of these options requires that you restart the computers to reload the new settings.
SNMPv2 is the default access protocol and the default read-only community string is “public.”
Enabling SNMP reporting
SNMP access isn’t enabled by default on Mac OS X Server. To use SNMP tools to poll your Mac OS X Server for data, you must configure and then enable the service.
To enable SNMP
1 Open Server Admin.
2 Select a server, click the Settings button in the toolbar, and then click the General tab.
3 Select Network Management Server (SNMP).
4 Click Save.
To enable and configure SNMP:
• Use the /usr/bin/snmpconf command, which takes you through a basic text-based setup assistant for configuring the community name and saves the information in the configuration file. The snmp configuration file is located in /usr/share/snmp/snmpd.conf.
SNMP Configuration Example
Step 1: Customize data
1 To customize the data provided by snmpd, add an snmpd.
Step 3: Collect SNMP information from the host
• To get the SNMP-available information you added, execute this command from a host that has SNMP tools installed:
/usr/bin/snmpget -c public system.sysLocation.0
Replace with the name of the target host. You should see the location you provided. In this example, you would see:
SNMPv2_MIB::system.sysLocation.0 = STRING:"server_room"
The other options in the menu you were working in are:
/usr/bin/snmpget -c public system.
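Because the default read-only community string is “public”, a practitioner will want to audit snmpd.conf before exposing the agent. The following shell function does that, as an added example that is not part of the Apple guide; the sample configuration is constructed, and the rocommunity/rwcommunity directive syntax is net-snmp's (COMMUNITY followed by an optional SOURCE).

```shell
#!/bin/sh
# Added example, not part of the Apple guide: audit community strings in an
# snmpd.conf. Directive syntax is net-snmp's:
#   rocommunity COMMUNITY [SOURCE]   rwcommunity COMMUNITY [SOURCE]
# A community named "public" or "private" is the well-known default, and a
# community with no SOURCE answers polls from any address.

# Constructed sample configuration so the audit can run offline.
SAMPLE_CONF='# constructed snmpd.conf for the example
syslocation server_room
syscontact admin@example.com
rocommunity public
rwcommunity private 192.0.2.0/24
rocommunity ro-mgmt-only 192.0.2.10'

# audit_snmp_communities CONFIG_TEXT
# Prints one finding per weak community directive; returns 1 if any were
# found and 0 if the configuration is clean.
audit_snmp_communities() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "rocommunity" || $1 == "rwcommunity" {
            if ($2 == "public" || $2 == "private") {
                print "default community string: " $0
                bad++
            } else if (NF < 3) {
                print "community open to any source: " $0
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Audit the sample; to check the file named in the guide, use:
#   audit_snmp_communities "$(cat /usr/share/snmp/snmpd.conf)"
if audit_snmp_communities "$SAMPLE_CONF"; then
    echo "no weak SNMP community strings found"
else
    echo "weak SNMP community strings found; replace them with a unique" \
         "read-only community restricted to the management network"
fi
```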
There are two main notification daemons: syslogd and emond.
• syslogd: The syslogd daemon is a standard UNIX method of monitoring systems. It logs messages in accordance with the settings found in /etc/syslog.conf. You can examine the output files specified in that configuration by using a file printing or editing utility because they are plain text files. Administrators can edit these settings to fine-tune what is being monitored.
Logging
Mac OS X Server maintains standard UNIX log files and Apple-specific process logs. Logs for the OS can be found in:
• /var/log
• /Library/Logs
• ~/Library/Logs
Each process is responsible for its own logs, the log level, and verbosity. Each process or application can write its own log file or use a system standard log, like syslog. You can use the Console application (in /Applications/Utilities) to read these and other plain-text log files regardless of location.
Syslog Configuration File
The Syslog configuration file can be found at /etc/syslog.conf. Each line has the following format: . Replace with the process name writing to the log. The path is the standard POSIX path to the log file. You can use asterisks (*) as wildcards. For example, the setting for the kernel is:
kern.* /var/log/system.log
This shows that all kernel messages, at all levels, are to be written to the file /var/log/system.log.
To run slapd in debugging mode:
1 Stop and remove slapd from launchd’s watch list:
launchctl unload /System/Library/LaunchDaemons/org.openldap.plist
2 Restart slapd in debug mode:
sudo /usr/libexec/slapd -d 99
AFP Logging
The server side of Apple File Service Protocol (AFP) keeps track of access and errors, but it does not have much debugging information. However, you can add client-side logging to AFP clients to help monitor and troubleshoot AFP connections.
Chapter 9: Push Notification Server
Provide increased server responsiveness to clients and reduce server load with Push Notification Server. Mac OS X Server v10.6 uses an XMPP Pubsub architecture for the Push Notification Server. XMPP Pubsub is an open standard extension to XMPP (XEP-060) that allows servers and clients to communicate as needed, rather than clients continually asking the server for updates.
Starting and Stopping Push Notification
When you start push notification on a server, the service broadcasts its availability on the local network to other services that support it. This means that when a different server turns on a service that supports push notification, the push notification server address populates the settings of the pushing service. You must still enable Push Notification support for the pushing service before it works.
Changing a Service’s Push Notification Server
If push notification is configured on the server, it is listed in the location on the service’s settings pane. If another computer on the subnet is configured as a push notification server, it appears in the service’s setting pane. You can use these instructions to specify a different server. Each service that can use push notification must have push notification enabled, and can use a unique push notification server.