Apple Mac OS X Server (early) Advanced Administration User Manual V10.6 Admin

2009-08-27

User Manual: Apple Mac OS X Server (early) Mac OS X Server v10.6 - Advanced Server Administration

Page Count: 197

Mac OS X Server
Advanced Server Administration
Version 10.6 Snow Leopard
Apple Inc.
© 2009 Apple Inc. All rights reserved.
The owner or authorized user of a valid copy of
Mac OS X Server software may reproduce this
publication for the purpose of learning to use such
software. No part of this publication may be reproduced
or transmitted for commercial purposes, such as selling
copies of this publication or for providing paid-for
support services.
Every effort has been made to ensure that the
information in this manual is accurate. Apple is not
responsible for printing or clerical errors.
Apple
1 Infinite Loop
Cupertino, CA 95014-2084
www.apple.com
The Apple logo is a trademark of Apple Inc., registered
in the U.S. and other countries. Use of the “keyboard”
Apple logo (Option-Shift-K) for commercial purposes
without the prior written consent of Apple may
constitute trademark infringement and unfair
competition in violation of federal and state laws.
Apple, the Apple logo, AirPort, AirPort Express, AirPort
Extreme, Apple Remote Desktop, AppleScript, Bonjour,
the Bonjour logo, iCal, iPod, iPhone, Mac, Macintosh,
Mac OS, QuickTime, Safari, Snow Leopard, Tiger,
Time Capsule, Time Machine, Xcode, Xgrid, Xsan,
and Xserve are trademarks of Apple Inc., registered in
the U.S. and other countries.
Finder, QuickTime Broadcaster are trademarks of
Apple Inc.
This product includes BSD (4.4 Lite) developed by
the University of California, Berkeley, FreeBSD, Inc.,
The NetBSD Foundation, Inc., and their respective
contributors.
Intel, Intel Core, and Xeon are trademarks of Intel Corp.
in the U.S. and other countries.
OpenSSL is software developed by the OpenSSL
Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
UNIX® is a registered trademark of The Open Group.
X Window System is a trademark of the Massachusetts
Institute of Technology.
Other company and product names mentioned herein
are trademarks of their respective companies. Mention
of third-party products is for informational purposes
only and constitutes neither an endorsement nor a
recommendation. Apple assumes no responsibility with
regard to the performance or use of these products.
019-1410/2009-08-15
Contents
Preface: About This Guide
  What’s in This Guide
  Using Onscreen Help
  Document Road Map
  Viewing PDF Guides Onscreen
  Printing PDF Guides
  Getting Documentation Updates
  Getting Additional Information

Chapter 1: System Overview and Supported Standards
  System Requirements for Installing Mac OS X Server v10.6
  What’s New in Mac OS X Server v10.6
  What’s New in Server Admin
  Understanding Server Configuration Methods
  Supported Standards
  Mac OS X Server’s UNIX Heritage

Chapter 2: Planning Server Usage
  Determining Your Server Needs
  Determining Whether to Upgrade or Migrate
  Setting Up a Planning Team
  Identifying Servers to Set Up
  Determining Services to Host on Each Server
  Defining a Migration Strategy
  Upgrading and Migrating from an Earlier Version of Mac OS X Server
  Migrating from Windows
  Defining an Integration Strategy
  Defining Physical Infrastructure Requirements
  Defining Server Setup Infrastructure Requirements
  Making Sure Required Server Hardware Is Available
  Minimizing the Need to Relocate Servers After Setup
  Defining Backup and Restore Policies
  Understanding Backup and Restore Policies
  Understanding Backup Types
  Understanding Backup Scheduling
  Understanding Restores
  Other Backup Policy Considerations
  Command-Line Backup and Restoration Tools
  Understanding Time Machine as a Server Backup Tool

Chapter 3: Administration Tools
  Server Admin
  Opening and Authenticating in Server Admin
  Server Admin Interface
  Customizing the Server Admin Environment
  Server Assistant
  Server Preferences
  Workgroup Manager
  Workgroup Manager Interface
  Customizing the Workgroup Manager Environment
  Server Monitor
  iCal Service Utility
  iCal Service Utility Interface
  System Image Management
  Media Streaming Management
  Command-Line Tools
  Server Status Widget
  RAID Admin
  Podcast Capture, Composer, and Producer
  Xgrid Admin
  Apple Remote Desktop

Chapter 4: Enhancing Security
  About Physical Security
  About Network Security
  Firewalls and Packet Filters
  Network DMZ
  VLANs
  MAC Filtering
  Transport Encryption
  Payload Encryption
  About File Security
  File and Folder Permissions
  About File Encryption
  Secure Delete
  About Authentication and Authorization
  Single Sign-On
  About Certificates, SSL, and Public Key Infrastructure
  Public and Private Keys
  Certificates
  About Certificate Authorities (CAs)
  About Identities
  About Self-Signed Certificates
  About Intermediate Trust
  Certificate Manager in Server Admin
  Readying Certificates
  Creating a Self-Signed Certificate
  Requesting a Certificate from a Certificate Authority
  Creating a Certificate Authority
  Using a CA to Create a Certificate for Someone Else
  Importing a Certificate Identity
  Managing Certificates
  Editing a Certificate
  Distributing a CA Public Certificate to Clients
  Deleting a Certificate
  Renewing an Expiring Certificate
  Replacing an Existing Certificate
  Using Certificates
  SSH and SSH Keys
  Key-Based SSH Login
  Generating a Key Pair for SSH
  Administration Level Security
  Setting Administration Level Privileges
  Service Level Security
  Setting SACL Permissions
  Security Best Practices
  Password Guidelines
  Creating Complex Passwords

Chapter 5: Installation and Deployment
  Installation Overview
  System Requirements for Installing Mac OS X Server
  Hardware-Specific Instructions for Installing Mac OS X Server
  Gathering the Information You Need
  Setting Up Network Services
  Connecting to the Directory During Installation
  SSH During Installation
  About the Server Install Disc
  Preparing an Administrator Computer
  About Starting Up for Installation
  Before Starting Up
  Starting Up from the Install DVD
  Starting Up from an Alternate Partition
  Remotely Accessing the Install DVD
  About Server Serial Numbers for Default Installation Passwords
  Identifying Remote Servers When Installing Mac OS X Server
  Starting Up from a NetBoot Environment
  Preparing Disks for Installing Mac OS X Server
  Choosing a File System
  Installing Server Software Interactively
  Installing Locally from the Installation Disc
  Installing Remotely with Server Assistant
  Installing Remotely with Screen Sharing and VNC
  Changing a Remote Computer’s Startup Disk
  Using the installer Command-Line Tool to Install Server Software
  Installing Multiple Servers
  Upgrading a Computer from Mac OS X to Mac OS X Server
  How to Keep Current

Chapter 6: Initial Server Setup
  Information You Need
  Postponing Server Setup Following Installation
  Connecting to the Network During Initial Server Setup
  Configuring Servers with Multiple Ethernet Ports
  About Settings Established During Initial Server Setup
  Specifying Initial Open Directory Usage
  Not Changing Directory Usage When Upgrading
  Setting Up a Server as a Standalone Server
  Binding a Server to Multiple Directory Servers
  Setting up Servers Interactively
  Using Automatic Server Setup
  Creating and Saving Setup Data
  Using Encryption with Setup Data Files
  How a Server Searches for Saved Setup Data Files
  Setting Up Servers Automatically Using Data Saved in a File
  Setting a Mac OS X Server Serial Number from the Command Line
  Handling Setup Errors
  Setting Up Services
  Adding Services to the Server View
  Setting Up Open Directory
  Setting Up User Management
  Setting Up All Other Services

Chapter 7: Ongoing System Management
  Computers You Can Use to Administer a Server
  Setting Up an Administrator Computer
  Using a Non-Mac OS X Computer for Administration
  Using the Administration Tools
  Working with Pre-v10.6 Computers from v10.6 Servers
  Ports Used for Administration
  Ports Open By Default
  Server Admin Basics
  Adding and Removing Servers in Server Admin
  Grouping Servers Manually
  Grouping Servers Using Smart Groups
  Working with Settings for a Specific Server
  Understanding Changes to the Server IP Address or Network Identity
  Understanding Mac OS X Server Names
  Understanding IP Address or Network Identity Changes on Infrastructure Services
  Understanding IP Address or Network Identity Changes on Web and Wiki Services
  Understanding IP Address or Network Identity Changes on File Services
  Understanding IP Address or Network Identity Changes on Mail Services
  Understanding IP Address or Network Identity Changes on Collaboration Services
  Understanding IP Address or Network Identity Changes on Podcast Producer
  Understanding IP Address or Network Identity Changes on Other Services
  Changing the IP Address of a Server
  Changing the Server’s DNS Name After Setup
  Changing the Server’s Computer Name and the Local Hostname
  Administering Services
  Adding and Removing Services in Server Admin
  Importing and Exporting Service Settings
  Controlling Access to Services
  Using SSL for Remote Server Administration
  Managing Sharing
  Tiered Administration Permissions
  Defining Administrative Permissions
  Workgroup Manager Basics
  Opening and Authenticating in Workgroup Manager
  Administering Accounts
  Working with Users and Groups
  Defining Managed Preferences
  Working with Directory Data
  Customizing the Workgroup Manager Environment
  Service Configuration Assistants
  Critical Configuration and Data Files
  Improving Service Availability
  Eliminating Single Points of Failure
  Using Xserve for High Availability
  Using Backup Power
  Setting Up Your Server for Automatic Restart
  Ensuring Proper Operational Conditions
  Providing Open Directory Replication
  Link Aggregation
  About the Link Aggregation Control Protocol (LACP)
  Link Aggregation Scenarios
  Setting Up Link Aggregation in Mac OS X Server
  Monitoring Link Aggregation Status
  Load Balancing
  Daemon Overview
  Viewing Running Daemons
  Using launchd for Daemon Control

Chapter 8: Monitoring Your System
  Planning a Monitoring Policy
  Planning Monitoring Response
  Using with Server Status Widget
  Using Server Monitor
  Using RAID Admin for Server Monitoring
  Using Console for Server Monitoring
  Using Disk Monitoring Tools
  Using Network Monitoring Tools
  Using Server Status Notification in Server Admin
  Monitoring Server Status Overviews Using Server Admin
  Using Remote Kernel Core Dumps
  Setting Up a Core Dump Server
  Setting Up a Core Dump Client
  Configuring Common Core Dump Options
  About Simple Network Management Protocol (SNMP)
  Enabling SNMP reporting
  Configuring snmpd
  Additional Information about SNMP
  Tools to Use with SNMP
  About Notification and Event Monitoring Daemons
  Logging
  Syslog
  Directory Service Debug Logging
  Open Directory Logging
  AFP Logging
  Additional Monitoring Aids

Chapter 9: Push Notification Server
  About Push Notification Server
  Starting and Stopping Push Notification
  Changing a Service’s Push Notification Server

Index
Preface: About This Guide
This guide provides a starting point for administering
Mac OS X Server v10.6 using its advanced administration
tools. It contains information about planning, practices, tools,
installation, deployment, and more by using Server Admin.
Advanced Server Administration is not the only guide you need when administering
advanced mode server, but it gives you a basic overview of planning, installing,
and maintaining Mac OS X Server using Server Admin.
What’s in This Guide
This guide includes the following chapters:
• Chapter 1, “System Overview and Supported Standards,” provides an overview of
  Mac OS X Server systems and standards.
• Chapter 2, “Planning Server Usage,” gives you advice for planning Mac OS X Server
  deployment.
• Chapter 3, “Administration Tools,” is a reference guide for the tools used to
  administer servers.
• Chapter 4, “Enhancing Security,” is a brief guide to security policies and practices.
• Chapter 5, “Installation and Deployment,” is an installation guide for Mac OS X Server.
• Chapter 6, “Initial Server Setup,” provides a guide to setting up your server after
  installation.
• Chapter 7, “Ongoing System Management,” explains how to work with
  Mac OS X Server and services.
• Chapter 8, “Monitoring Your System,” shows you how to monitor and log into
  Mac OS X Server.
Note: Because Apple periodically releases new versions and updates to its software,
images shown in this book may be different from what you see on your screen.
Using Onscreen Help
You can get task instructions onscreen in Help Viewer while you’re managing
Mac OS X Server v10.6. You can view help on a server or an administrator computer.
(An administrator computer is a Mac OS X computer with Mac OS X Server v10.6
administration software installed on it.)
To get the most recent onscreen help for Mac OS X Server v10.6:
• Open Server Admin or Workgroup Manager and then:
  • Use the Help menu to search for a task you want to perform.
  • Choose Help > Server Admin Help or Help > Workgroup Manager Help to browse
    and search the help topics.
The onscreen help contains instructions taken from Advanced Server Administration
and other advanced administration guides described later.
To see the most recent server help topics:
• Make sure the server or administrator computer is connected to the Internet while
  you’re getting help.
Help Viewer automatically retrieves and caches the most recent server help topics
from the Internet. When not connected to the Internet, Help Viewer displays cached
help topics.
Document Road Map
Mac OS X v10.6 has a suite of guides which can cover management of individual
services. Each service may be dependent on other services for maximum utility.
The road map below shows some related documentation that you may need to fully
configure your desired service to your specifications. You can get these guides in
PDF format from the Mac OS X Server documentation website:
www.apple.com/server/resources/
• Introduction to Command-Line Administration: Explains how to use UNIX shell
  commands to configure and manage servers and services.
• Server Administration Guides: Each guide covers using Server Admin and
  command-line tools to configure advanced settings for a particular service.
• Advanced Server Administration: Describes using Server Admin to install, configure,
  and administer server software and services. Includes best practices and advice for
  system planning, security, backing up, and monitoring.
• Server Admin Help: Provides onscreen instructions and answers when you’re using
  Server Admin to manage servers. Also contains the latest documentation updates.
• Server Preferences Help: Provides onscreen instructions and answers when you’re
  using Server Preferences to manage servers.
• Getting Started: Covers basic installation, setup, and management using Server
  Preferences instead of Server Admin. Recommended for novice administrators.
• Information Technologies Dictionary: Provides onscreen definitions of server
  terminology.
Viewing PDF Guides Onscreen
While reading the PDF version of a guide onscreen:
• Show bookmarks to see the guide’s outline, and click a bookmark to jump to the
  corresponding section.
• Search for a word or phrase to see a list of places where it appears in the document.
  Click a listed place to see the page where it occurs.
• Click a cross-reference to jump to the referenced section. Click a web link to visit the
  website in your browser.
Printing PDF Guides
If you want to print a guide, you can take these steps to save paper and ink:
• Save ink or toner by not printing the cover page.
• Save color ink on a color printer by looking in the panes of the Print dialog for an
  option to print in grays or black and white.
• Reduce the bulk of the printed document and save paper by printing more than
  one page per sheet of paper. In the Print dialog, change Scale to 115% (155%
  for Getting Started). Then choose Layout from the untitled pop-up menu. If your
  printer supports two-sided (duplex) printing, select one of the Two-Sided options.
  Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose
  Single Hairline from the Border menu. (If you’re using Mac OS X v10.4 or earlier, the
  Scale setting is in the Page Setup dialog and the Layout settings are in the Print
  dialog.)
You may want to enlarge the printed pages even if you don’t print double sided,
because the PDF page size is smaller than standard printer paper. In the Print dialog
or Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has
CD-size pages).
Getting Documentation Updates
Periodically, Apple posts revised help pages and new editions of guides. Some revised
help pages update the latest editions of the guides.
• To view new onscreen help topics for a server application, make sure your server or
  administrator computer is connected to the Internet and click “Latest help topics” or
  “Staying current” in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server
  documentation website:
  www.apple.com/server/resources/
• An RSS feed listing the latest updates to Mac OS X Server documentation and
  onscreen help is available. To view the feed, use an RSS reader application, such as
  Safari or Mail:
  feed://helposx.apple.com/rss/snowleopard/serverdocupdates.xml
Getting Additional Information
For more information, consult these resources:
• Read Me documents—get important updates and special information. Look for them
  on the server discs.
• Mac OS X Server website (www.apple.com/server/macosx/)—enter the gateway to
  extensive product and technology information.
• Mac OS X Server Support website (www.apple.com/support/macosxserver/)—access
  hundreds of articles from Apple’s support organization.
• Apple Discussions website (discussions.apple.com/)—share questions, knowledge,
  and advice with other administrators.
• Apple Mailing Lists website (www.lists.apple.com/)—subscribe to mailing lists so you
  can communicate with other administrators using email.
• Apple Training and Certification website (www.apple.com/training/)—hone
  your server administration skills with instructor-led or self-paced training,
  and differentiate yourself with certification.
Chapter 1: System Overview and Supported Standards
Mac OS X Server gives you everything you need to provide
standards-based workgroup and Internet services —
delivering a world-class UNIX server solution that’s easy to
deploy and easy to manage.
This chapter contains information to make decisions about where and how you deploy
Mac OS X Server. It contains general information about configuration options, standard
protocols used, its UNIX roots, and network and firewall configurations necessary for
Mac OS X Server administration.
System Requirements for Installing Mac OS X Server v10.6
The Macintosh desktop computer or server onto which you install
Mac OS X Server v10.6 must have:
• An Intel processor
• At least 2 gigabytes (GB) of random access memory (RAM)
• At least 10 gigabytes (GB) of available disk space
• A new serial number for Mac OS X Server v10.6
  The serial number used with any previous version of Mac OS X Server will not allow
  registration for v10.6.
A built-in DVD drive is convenient but not required.
A display and keyboard are optional. You can install server software on a computer
that has no display and keyboard by using an administrator computer. For more
information, see “Setting Up an Administrator Computer” on page 124.
If you’re using an installation disc for Mac OS X Server v10.6, you can control
installation from another computer using VNC viewer software. Open-source VNC
viewer software is available. Apple Remote Desktop, described in “Apple Remote
Desktop” (page 50), includes VNC viewer capability.
What’s New in Mac OS X Server v10.6
Mac OS X Server v10.6 offers major enhancements in several key areas:
• Address Book Server
  Mac OS X Server v10.6 introduces the first open standards-based Address Book
  Server, based on the emerging CardDAV specification, which uses WebDAV to
  exchange vCards, sharing contacts across multiple computers.
• Remote Access
  Mac OS X Server v10.6 delivers push notifications to users outside your firewall, and
  a proxy service gives them secure remote access to email, address book contacts,
  calendars, and specified internal websites.
• Collaboration services improvements
  Mac OS X Server v10.6 augments collaboration features with wiki and blog
  templates optimized for viewing on iPhone; provides content searching across
  multiple wikis; and enables attachment viewing in Quick Look. It also introduces
  My Page, which gives users one convenient place to access web applications,
  receive notifications, and view activity streams across wikis.
• iCal Server 2
  Mac OS X Server v10.6 has a new iCal Server which includes shared calendars, push
  notifications, the ability to send email invitations to non-iCal Server users, and a
  browser-based application for using calendars with many supported browsers.
• Podcast Producer 2
  Mac OS X Server v10.6 has a new Podcast Producer which features an intuitive new
  workflow editor, support for dual-video source capture, and Podcast Library, which
  lets you host locally stored podcasts and make them available for subscription by
  category via Atom web feeds.
• Mail Server improvements
  Mac OS X Server v10.6 mail service increases its performance and scalability using
  a new engine designed to handle thousands of simultaneous connections. Mail
  services have been enhanced to include server-side email rules and vacation
  messages.
• Multicore optimizations
  Mac OS X Server v10.6 supports “Grand Central,” a new set of built-in technologies
  that makes all of Mac OS X Server multicore aware and optimizes it for allocating
  tasks across multiple cores and processors.
• 64-bit support
  Mac OS X Server v10.6 uses 64-bit kernel technology to support up to 16 TB of
  memory.
• OpenCL support
  Mac OS X Server v10.6 supports OpenCL and makes it possible for developers to use
  the GPU for general computational tasks.
What’s New in Server Admin
Included with Mac OS X Server v10.6 is Server Admin, Apple’s powerful, flexible,
full-featured server administration tool. Server Admin is reinforced with improvements
in standards support and reliability. Server Admin also delivers a number of
enhancements:
• Newly refined, streamlined, and integrated Server Assistant
• Smoother interaction with Server Preferences settings
• Improved user interface
Understanding Server Configuration Methods
You can configure and manage Mac OS X Server using two configuration
methods: Server Preferences, or the advanced configuration tool suite, which includes
Server Admin and its command-line utilities.
Servers administered using the advanced tool suite are the most flexible and require
the most skill to administer. Servers administered by Server Preferences have fewer
configuration options, but most configuration details are set by Server Preferences,
without additional skill or labor. You can customize your server for a variety of
purposes using either method.
Using Server Admin and the rest of the advanced configuration tool suite, the
experienced system administrator has complete control of each service’s configuration
to accommodate a wide variety of needs. After performing initial setup with Setup
Assistant, you use powerful administration applications such as Server Admin and
Workgroup Manager, or command-line tools, to configure advanced settings for
services the server must provide.
Using Server Preferences, you can get standard configurations of Mac OS X Server
features using automated setup and simplified administration. For more information
about using Server Preferences to administer your server, see Getting Started.
You can switch between Server Admin and Server Preferences. The setting changes
in one application are reflected in the other’s settings. However, some advanced or
custom configurations can’t be inspected or changed in Server Preferences, due to
Server Preferences’ simplified interface.
The following table highlights the capabilities of each configuration tool.
| Service | Set in initial server setup | Server Preferences | Server Admin |
|---|---|---|---|
| Address book | Optional | Yes | Yes |
| Backup your data (websites, databases, calendar files, etc.) | No | No, use command-line tools and third-party backup solutions | No, use command-line tools and third-party backup solutions |
| Computer account and computer group management | No | Use Workgroup Manager | Use Workgroup Manager |
| DHCP, DNS, NAT | Automatic | No | Yes |
| File sharing (AFP and SMB protocols) | Optional | Yes | Yes |
| File sharing (FTP and NFS protocols) | No | No | Yes |
| Firewall (application firewall) | Automatic | Use System Preferences | Use System Preferences |
| Firewall (IP firewall) | Automatic | Yes | Yes |
| Gateway (NAT, DNS, DHCP) | Optional | No | Yes |
| iCal (calendar sharing, event scheduling) | Optional | Yes | Yes |
| iChat (instant messaging) | Optional | Yes | Yes |
| Mail with spam and virus filtering | Optional | Yes | Yes |
| Mobile access | No | No | Yes |
| MySQL | No | No | Yes |
| NetBoot and NetInstall (system imaging) | No | No | Yes |
| Network time | Automatic | No | Yes |
| Network management (SNMP) | No | No | Yes |
| NFS | No | No | Yes |
| Open Directory master (user accounts and other data) | Optional | Optional | Yes |
| Podcast Producer | No | No | Yes |
| Policies and managed preferences | No | Use Workgroup Manager | Use Workgroup Manager |
| Print | No | No | Yes |
| Push notification | Automatic | Automatic | Yes |
| QuickTime Streaming | No | No | Yes |
| RADIUS | No | No | Yes |
| Remote login (SSH) | Optional | Use System Preferences | Yes |
| Software update | No | No | Yes |
| Time Machine backup of client Macs | Optional | Yes | Yes |
| Time Machine backup of server | No | Use System Preferences | Use System Preferences |
| User and Group creation | Optional | Yes | Yes |
| VPN (secure remote access) | No | Yes | Yes |
| Web (wikis, blogs, webmail) | Optional | Yes | Yes |
| Xgrid (computational clustering) | No | No | Yes, and also use Xgrid Admin |
| Xserve diagnostics | No | Use Server Monitor | Use Server Monitor |
Supported Standards
Mac OS X Server provides standards-based workgroup and Internet services. Instead of
developing proprietary server technologies, Apple has built on the best open source
projects: Samba 3, OpenLDAP, Kerberos, Dovecot, Apache, Jabber, SpamAssassin, and
more. Mac OS X Server integrates these robust technologies and enhances them with
a unified, consistent management interface.
Because it is built on open standards, Mac OS X Server is compatible with existing
network and computing infrastructures. It uses native protocols to deliver directory
services, file and printer sharing, and secure network access to Mac, Windows, and
Linux clients.
A standards-based directory services architecture offers centralized management of
network resources using any LDAP server–even proprietary servers such as Microsoft
Active Directory. The open source UNIX foundation makes it easy to port and deploy
existing tools to Mac OS X Server.
The following standards-based technologies power Mac OS X Server:
• Kerberos: Mac OS X Server integrates an authentication authority based on MIT’s
  Kerberos technology (RFC 1964) to provide users with single sign-on access to
  secure network resources.
  Using strong Kerberos authentication, single sign-on maximizes the security of
  network resources while providing users with easier access to a broad range of
  Kerberos-enabled network services.
  For services that have not yet been Kerberized, the integrated SASL service
  negotiates the strongest possible authentication protocol.
• OpenLDAP: Mac OS X Server includes a robust LDAP directory server and a secure
  Kerberos password server to provide directory and authentication services to Mac,
  Windows, and Linux clients.
  Apple has built the Open Directory server around OpenLDAP, the most widely
  deployed open source LDAP server, so it can deliver directory services for both
  Mac-only and mixed-platform environments.
  LDAP provides a common language for directory access, enabling administrators to
  consolidate information from different platforms and define one namespace for all
  network resources. This means there is a single directory for all Mac, Windows, and
  Linux systems on the network.
• RADIUS: Remote Authentication Dial-In User Service (RADIUS) is an authentication,
  authorization, and accounting protocol used by the 802.1x security standard for
  controlling network access by clients in mobile or fixed configurations. Mac OS X
  Server uses RADIUS to integrate with AirPort Base Stations serving as a central MAC
  address filter database. By configuring RADIUS and Open Directory, you can control
  who has access to your wireless network.
  Mac OS X Server uses the FreeRADIUS Server Project. FreeRADIUS supports
  the requirements of a RADIUS server, shipping with support for LDAP, MySQL,
  PostgreSQL, Oracle databases, EAP, EAP-MD5, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-PEAP,
  and Cisco LEAP subtypes. Mac OS X Server supports proxying, with failover and load
  balancing.
• Mail Service: Mac OS X Server uses robust technologies from the open source
  community to deliver comprehensive, easy-to-use mail server solutions. Full support
  for Internet mail protocols—Internet Message Access Protocol (IMAP), Post Office
  Protocol (POP), and Simple Mail Transfer Protocol (SMTP)—ensures compatibility
  with standards-based mail clients on Mac, Windows, and Linux systems.
• Web Technologies: Mac OS X Server is a complete AMP stack (a bundle of
  integrated Apache-MySQL-PHP/Perl/Python software). Mac OS X Server web
  technologies are based on the open source Apache web server, the most widely
  used HTTP server on the Internet.
  With performance optimized for Mac OS X Server, Apache provides fast, reliable
  web hosting and an extensible architecture for delivering dynamic content and
  sophisticated web services. Because web service in Mac OS X Server is based on
  Apache, you can add advanced features with plug-in modules.
  Mac OS X Server includes everything professional web masters need to deploy
  sophisticated web services: integrated tools for collaborative publishing, inline
  scripting, Apache modules, custom CGIs, and JavaServer Pages and Java Servlets.
  Database-driven sites can be linked to the included MySQL database. ODBC and
  JDBC connectivity to other database solutions is also supported.
  Web service also includes support for Web-based Distributed Authoring and
  Versioning, known as WebDAV.
• File Services: You can configure Mac OS X Server file services to allow clients to
  access shared files, applications, and other resources over a network. Mac OS X
  Server supports most major service protocols for maximum compatibility, including:
  • Apple Filing Protocol (AFP), to share resources with clients who use Macintosh
    computers.
  • Server Message Block (SMB), a protocol to share resources with clients who use
    Windows computers. This protocol is provided by the Samba open source project.
  • Network File System (NFS), to share files and folders with UNIX clients.
  • File Transfer Protocol (FTP), to share files with anyone using FTP client software.
ÂIPv6 (RFC 2460): IPv6 is the Internets next-generation protocol designed to replace
the current Internet Protocol, IPv4 (or IP).
IPv6 improves routing and network autoconguration. It increases the number
of network addresses to over 3 x1038, and eliminates the need for NAT-provided
addressing. IPv6 is expected to gradually replace IPv4 over a number of years, with
the two coexisting during the transition.
Mac OS X Server’s network services are fully IPv6 capable and ready to transition to
the next generation addressing as well as being fully able to operate with IPv4.
ÂSNMP: Simple Network Management Protocol (SNMP) is used to monitor network-
attached devices operational status. It is a set of IETF-designed standards for
network management, including an Application Layer protocol, a database schema,
and a set of data objects.
Mac OS X Server uses the open source net-snmp suite to provide SNMPv3
(RFCs 3411-3418) service.
• XMPP: Extensible Messaging and Presence Protocol (XMPP) is an open XML-based
messaging protocol used for messaging and presence information. XMPP serves as
the basis for Mac OS X Server’s Push Notification service, as well as iChat Server,
and all publish and subscribe functions for the server.
Mac OS X Server’s UNIX Heritage
Mac OS X Server has a UNIX foundation built around the Mach microkernel and the
latest advances from the Berkeley Software Distribution (BSD) open source community.
This foundation provides Mac OS X Server with a stable, high-performance, 64-bit
computing platform for deploying server-based applications and services.
Mac OS X Server is built on an open source operating system called Darwin, which is
part of the BSD family of UNIX-like systems. BSD is a family of UNIX variants descended
from Berkeley’s version of UNIX. Also, Mac OS X Server incorporates more than
100 open source projects in addition to proprietary enhancements and extended
functionality created by Apple.
The BSD portion of the Mac OS X kernel is derived primarily from FreeBSD, a version
of 4.4BSD that offers advanced networking, performance, security, and compatibility
features.
In general, BSD variants are derived (sometimes indirectly) from 4.4BSD-Lite Release 2
from the Computer Systems Research Group (CSRG) at the University of California at
Berkeley.
Although the BSD portion of Mac OS X is primarily derived from FreeBSD, some
changes have been made. To find out more about the low-level changes made,
see Apple’s Developer documentation for Darwin.
Chapter 2 Planning Server Usage
Before installing and setting up Mac OS X Server, do a little
planning and become familiar with your options.
The major goals of the planning phase are to make sure that:
• Server user and administrator needs are addressed by the servers you deploy
• Server and service prerequisites that affect installation and initial setup are
identified
Installation planning is especially important if you’re integrating Mac OS X Server into
an existing network, migrating from earlier versions of Mac OS X Server, or preparing
to set up multiple servers. But even single-server environments can benefit from a
brief assessment of the needs you want a server to address.
Use this chapter to stimulate your thinking. It doesn’t present a rigorous planning
guide, nor does it provide the details you need to determine whether to implement a
particular service and assess its resource requirements. Instead, view this chapter as an
opportunity to think about how to maximize the benefits of Mac OS X Server in your
environment.
Planning, like design, isn’t necessarily a linear process. The sections in this chapter don’t
require you to follow a mandatory sequence. Different sections in this chapter present
suggestions that could be implemented simultaneously or iteratively.
Determining Your Server Needs
During the planning stage, determine how you want to use Mac OS X Server and
identify whether there’s anything you need to accomplish before setting it up.
For example, you might want to convert an existing server to v10.6 and continue
hosting directory, file, and mail services for clients on your network.
Before you install server software, you might need to prepare data to migrate to your
new server, and perhaps consider whether it’s a good time to implement a different
directory services solution.
During the planning stage, you’ll also decide which installation and server setup
options best suit your needs. For example, Getting Started contains an example that
illustrates server installation and initial setup in a small business scenario with the
server in using Server Preferences.
Determining Whether to Upgrade or Migrate
If you’re using a previous version of Mac OS X Server and you want to reuse data and
settings, you can upgrade or migrate to v10.6.
You can upgrade to Mac OS X Server v10.6 if you’re using the latest update of
Mac OS X Server v10.5 Leopard or Mac OS X Server v10.4.11 on Mac OS X servers with
Intel processors.
Upgrading is simple because it preserves existing settings and data. You can perform
an upgrade using any of the installation methods described in this chapter or the
advanced methods described in this guide.
If you can’t perform an upgrade, for example when you need to reformat the startup
disk or replace your server hardware, you can migrate data and settings to a computer
that you’ve installed Mac OS X Server v10.6 on.
Migration is supported from the latest update of Mac OS X Server v10.5 Leopard
or Mac OS X Server v10.4.11 Tiger. For complete information about migrating data
and settings to a different Mac or Xserve, see the onscreen help or Mac OS X Server
Resources website at www.apple.com/server/macosx/resources/.
Setting Up a Planning Team
Involve individuals in the installation planning process who represent various points of
view, and who can help answer the following questions:
• What day-to-day user requirements must a server meet? What activities do server
users and workgroups depend on the server for?
If the server is used in a classroom, make sure the instructor who manages its
services and administers it daily provides input.
• What user management requirements must be met? Will user computers be diskless
and need to be started up using NetBoot? Will Macintosh client management and
network home folders be required?
Individuals with server administration experience should work with server users
who might not have a technical background, so they’ll understand how specific
services might benefit them.
• What existing non-Apple services, such as Active Directory, must the server integrate
with?
If you’ve been planning to replace a Windows NT computer, consider using
Mac OS X Server with its extensive built-in support for Windows clients. Make
sure that administrators familiar with these other systems are part of the planning
process.
• What are the characteristics of the network into which the server will be installed?
Do you need to upgrade power supplies, switches, or other network components?
Is it time to streamline the layout of facilities that house your servers?
An individual with systems and networking knowledge can help with these details
as well as completing the Installation & Setup Worksheet on the Mac OS X Server
Install Disc or Administration Tools CD.
Identifying Servers to Set Up
Conduct a server inventory:
• How many servers do you have?
• How are they used?
• How can you streamline the use of servers you want to keep?
• Do existing servers need to be retired? Which servers can Mac OS X Server replace?
• Which non-Apple servers will Mac OS X Server need to be integrated with? Why?
• Do you have Mac OS X Server computers that need to be upgraded to version 10.6?
• How many new Mac OS X Server computers will you need to set up?
Determining Services to Host on Each Server
Identify which services you want to host on each Mac OS X Server and non-Apple
server you decide to use.
Distributing services among servers requires an understanding of users and services.
Here are a few examples of how service options and hardware and software
requirements can influence what you put on servers:
• Directory services implementations can range from using directories and Kerberos
authentication hosted by non-Apple servers to setting up Open Directory directories
on servers distributed throughout the world.
Directory services require thoughtful analysis and planning.
The additional information at Mac OS X Server Resources website
at www.apple.com/server/macosx/resources/ can help you understand
the options and opportunities.
• Home folders for network users can be consolidated onto one server or distributed
among various servers. Although you can move home folders, you might need
to change a large number of user and share point records, so devise a strategy
that will persist for a reasonable amount of time. For information about home
folders, see Mac OS X Server help or Mac OS X Server Resources website at
www.apple.com/server/macosx/resources/.
• Some services offer ways to control the amount of disk space used by individual
users. For example, you can set up home folder and mail quotas for users. Consider
whether using quotas will offer a way to maximize the disk usage on a server
that stores home folders and mail databases. The additional information at
Mac OS X Server Resources website at www.apple.com/server/macosx/resources/
describes home folder and user mail quotas, and service-wide mail quotas.
• Disk space requirements are also affected by the type of files a server hosts.
Creative environments need high-capacity storage to accommodate large
media files, but elementary school classrooms have more modest file storage
needs. The additional information at Mac OS X Server Resources website at
www.apple.com/server/macosx/resources/ describes file sharing.
• If you’re setting up a streaming media server, allocate enough disk space to
accommodate a specific number of hours of streamed video or audio. For
hardware and software requirements and for a setup example, see additional
information in online help or at Mac OS X Server Resources website at
www.apple.com/server/macosx/resources/.
• The number of NetBoot client computers you can connect to a server depends on
the server’s Ethernet connections, the number of users, the amount of available
RAM and disk space, and other factors. DHCP service needs to be available to the
clients and can be provided by a different server than the NetBoot server. For
NetBoot capacity planning guidelines, see additional information at Mac OS X Server
Resources website at www.apple.com/server/macosx/resources/.
• Mac OS X Server offers extensive support for Windows users. You can consolidate
Windows user support on servers that provide PDC services, or you can distribute
services for Windows users among different servers.
• If you want to use software RAID to stripe or mirror disks, you’ll need two or more
drives (but not FireWire drives) on a server. For more information, see online Disk
Utility Help.
Before finalizing decisions about which servers will host specific services, familiarize
yourself with information in the administration guides for the services you want to
deploy.
Defining a Migration Strategy
If you’re using Mac OS X Server v10.4–10.5 or a Windows-based server, examine the
opportunities for moving data and settings to Mac OS X Server v10.6.
Upgrading and Migrating from an Earlier Version of Mac OS X Server
If you’re using computers with Mac OS X Server v10.4 or v10.5, consider upgrading or
migrating them to Mac OS X Server v10.6.
If you’re using Mac OS X Server v10.5 or v10.4 and you don’t need to move to
Intel-processor based hardware, you can perform an upgrade installation. Upgrading is
simple because it preserves your existing settings and data.
When you can’t use the upgrade approach, you can migrate data and settings.
You’ll need to migrate, not upgrade, when:
• A version 10.4 or 10.5 server’s hard disk needs reformatting or the server doesn’t
meet the minimum Mac OS X Server v10.6 system requirements. For more
information, see “System Requirements for Installing Mac OS X Server v10.6” on page 16.
• You want to move data and settings you’ve been using on a v10.4 or 10.5 server to
different server hardware.
Migration is supported from the latest versions of Mac OS X Server v10.5 and v10.4.
When you migrate, you install and set up Mac OS X Server v10.6, then restore files onto
it from the earlier server, and then make manual adjustments as required.
For complete information, read the additional information at Mac OS X Server
Resources website at www.apple.com/server/macosx/resources/.
Migrating from Windows
Mac OS X Server v10.6 can provide a variety of services to users of Microsoft Windows
computers. By providing these services, Mac OS X Server v10.6 can replace Windows
servers in small workgroups.
For information about migrating users, groups, files, and more from a
Windows-based server to Mac OS X Server, see the additional information at Mac OS X Server
Resources website at www.apple.com/server/macosx/resources/.
Defining an Integration Strategy
Integrating Mac OS X Server into a heterogeneous environment has two aspects:
• Configuring Mac OS X Server to take advantage of existing services
• Configuring non-Apple computers to use Mac OS X Server
The first aspect primarily involves directory services integration. Identify which
Mac OS X Server computers will use existing directories (such as Active Directory,
LDAPv3, and NIS directories) and existing authentication setups (such as Kerberos).
For options and instructions, see the additional information at Mac OS X Server
Resources website at www.apple.com/server/macosx/resources/. Integration can be
as easy as enabling a Directory Utility option, or it might involve adjusting existing
services and Mac OS X Server settings.
The second aspect is largely a matter of determining the support you want
Mac OS X Server to provide to non-Apple computer users. The additional information
at Mac OS X Server Resources website at www.apple.com/server/macosx/resources/
tells you what’s available.
Defining Physical Infrastructure Requirements
Determine whether you need to make site or network topology adjustments before
installing and setting up servers.
• Who will administer the server, and what kind of server access will administrators
need?
Classroom servers might need to be conveniently accessible for instructors, while
servers that host network-wide directory information should be secured with
restricted physical access in a district office building or centralized computer facility.
Because Mac OS X Server administration tools offer complete remote server
administration support, there are few times when an administrator should need
physical access to a server.
• Are there air conditioning or power requirements that must be met? For this kind of
information, see the documentation that comes with server hardware.
• Are you considering upgrading elements such as cables, switches, and power
supplies? Now may be a good time to do it.
• Have you configured your TCP/IP network and subnets to support the services and
servers you want to deploy?
• Are you considering moving your servers to different IP addresses or hostnames?
Now may be a good time to do it.
Defining Server Setup Infrastructure Requirements
The server setup infrastructure consists of the services and servers you set up in
advance because other services or servers depend on them.
For example, if you use Mac OS X Server to provide DHCP, network time, or BootP
services to other servers, you should set up the servers that provide these services and
initiate the services before you set up servers that depend on those services.
The amount of setup infrastructure you require depends on the complexity of your
site and what you want to accomplish. In general, DHCP, DNS, and directory services
are recommended or required for medium and large server networks:
• The most fundamental infrastructure layer comprises network services like DHCP
and DNS.
All services run better if DNS is on the network, and many services require DNS to
work properly. If you’re not hosting DNS, work with the administrator responsible
for the DNS server you’ll use when you set up your servers. DNS requirements for
services are published in the service-specific administration guides.
The DHCP setup reflects your physical network topology.
• Another crucial infrastructure component is directory services, required for sharing
data among services, servers, and user computers.
The most common shared data in a directory is for users and groups, but
configuration information such as mount records and other directory data is also
shared. A directory services infrastructure is necessary to host cross-platform
authentication and when you want services to share the same names and
passwords.
Here’s an example of the sequence in which you might set up a server infrastructure
that includes DNS, DHCP, and directory services. You can set up the services on the
same server or on different servers:
Setting up basic server infrastructure:
1. Set up the DNS server, populating the DNS with the host names of the desired servers
and services.
2. Set up DHCP, configuring it to specify the DNS server address so it can be served to
DHCP clients.
If desired, set up DHCP-managed static IP addresses for the servers.
3. Set up a directory server, including Windows PDC service if required, and populate the
directory with data, such as users, groups, and home folder data.
This process can involve importing users and groups, setting up share points, setting
up managed preferences, and so forth.
4. Configure DHCP to specify the address of the directory server so it can be served to
DHCP clients.
Your specific needs can affect this sequence. For example, to use VPN, NAT, or IP
Firewall services, include their setup with the DNS and DHCP setups.
Making Sure Required Server Hardware Is Available
You might want to postpone setting up a server until all its hardware is in place.
For example, you might not want to set up a server whose data you want to mirror
until all disk drives you need for mirroring are available. You might also want to wait
until a RAID subsystem is set up before setting up a home folder server or other server
that will use it.
Minimizing the Need to Relocate Servers After Setup
Before setting up a server, try to place it in its final network location (IP subnet).
If you’re concerned about preventing unauthorized or premature access during setup,
set up a firewall to protect the server while finalizing its configuration.
If you can’t avoid moving a server after initial setup, you must change settings that are
sensitive to network location before you can use the server. For example, the server’s IP
address and DNS name, stored in directories and configuration files on the server, must
be updated.
When you move a server, follow these guidelines:
• Minimize the time the server is in its temporary location so the amount of
information you need to change is limited.
• Postpone configuring services that depend on network settings until the server is in
its final location. Such services include Open Directory replication, Apache settings
(such as virtual domains), DHCP, and other network infrastructure settings that other
computers depend on.
• Wait to import final user accounts. Limit accounts to test accounts so you minimize
the user-specific network information (such as home folder location) that you must
change after the move.
• After you move the server, you can change its IP address in the Network pane of
System Preferences (or use the networksetup tool).
You probably will need to manually adjust service and system settings. For more
information on how to do this, see “Understanding Changes to the Server IP Address
or Network Identity” on page 132.
• Reconfigure the search policy of computers (such as user computers and DHCP
servers) that have been configured to use the server in its original location.
Defining Backup and Restore Policies
All storage systems can fail eventually. Either through equipment wear and tear,
accident, or disaster, your data and configuration settings are vulnerable to loss.
You should have a plan in place to prevent or minimize your data loss.
Understanding Backup and Restore Policies
There are many reasons to have a backup and restore policy. Your data is subject
to failure because of failed components, natural or manmade disasters, or data
corruption. Sometimes data loss is beyond your control to prevent, but with a backup
and restore plan, you can restore your data.
You need to customize backup and restore policies to take into account your situation,
what data needs to be saved, how often, and how much time and effort is used to
restore it. Your policy specifies the procedures and practices that fulfill your restoration
needs.
Backups are an investment of time, money, and administration effort, and they can
affect performance. However, there is a clear return on investment in the form of data
integrity. You can avoid substantial financial, legal, and organizational costs with a
well-planned, well-executed backup and restore policy.
There are essentially three kinds of restoration needs:
• Restoring a deleted or corrupt file
• Recovering from disk failure (or catastrophic file deletion)
• Archiving data for an organization need (financial, legal, or other need)
Each restoration need determines the type, frequency, and method you use to back up
your data.
You might want to keep daily backups of files. This allows for quick restoration of
overwritten or deleted files. In such a case you have file-level granularity every
day: any single file can be restored the following day.
There are other levels of granularity as well. For example, you might need to restore
a full day’s data. This is a daily snapshot-level granularity: you can restore your
organization’s data as it was on a given day.
These daily snapshots might not be practical to maintain every day, so you might
choose to keep a set of rolling snapshots that give you daily snapshot-level granularity
for only the preceding month.
Other levels of restoration you might want or need could be quarterly or semiannually.
You might also need archival storage, which is data stored only to be accessed in
uncommon circumstances. Archival storage can be permanent, meaning the data is
kept for the foreseeable future.
Your organization must determine the following:
• What must be backed up?
• What should not be backed up (as per organization policy)?
• How granular are the restoration needs?
• How often is the data backed up?
• How accessible is the data: in other words, how much time will it take to restore it?
• What processes are in place to recover from a disaster during a backup or restore?
The answers to these questions are an integral part of your backup and restore policy.
Understanding Backup Types
There are many types of backup files (explained below), and within each type are
many formats and methods. Each backup type serves a unique purpose and has its
own considerations.
• Full Images: Full images are byte-level copies of data. They capture the state of the
hard disk down to the most basic storage unit. These backups also keep copies of
the disk filesystem and the unused or erased portion of the disk in question. They
can be used for forensic study of the source disk medium. Such detail often makes
file restoration unwieldy. Full Image backups are often compressed and are only
decompressed to restore the entire file set.
• Full File-level Copies: Full file-level copies are backups that are kept as duplicates.
They do not capture the finest detail of unused portions of the source disk, but they
do provide a full record of the files as they existed at the time of backup. If a file
changes, the next full file-level backup copies the entire data set in addition to the
file that changed.
• Incremental Backups: Incremental backups start with file-level copies, but they
only copy files changed since the last backup. This saves storage space and captures
changes as they happen.
• Snapshots: Snapshots are copies of data as it was in the past. You can make
snapshots from collections of files, or more often from links to other files in a backup
file set. Snapshots are useful for making backups of volatile data (data that changes
quickly), like databases in use or mail servers sending and receiving mail.
These backup types are not mutually exclusive. They exemplify different approaches
to copying data for backup purposes. For example, Time Machine uses a full file-level
copy as a base backup; then it uses incremental backups to create snapshots of a
computer’s data on a given day.
Understanding Backup Scheduling
Backing up les requires time and resources. Before deciding on a backup plan,
consider the following questions:
• How much data will be backed up?
• How much time will the backup take?
• When does the backup need to happen?
• What else is the computer doing during that time?
• What sort of resource allocation will be necessary?
For example, how much network bandwidth is necessary to accommodate the load?
How much space on backup drives, or how many backup tapes are required? What
sort of drain on computing resources will occur during backup? What personnel are
necessary for the backup?
You will find that different kinds of backup require different answers to these
questions. For example, an incremental file copy might take less time and copy less
data than a full file copy (because only a fraction of any given data set will have
changed since the last backup).
Therefore an incremental backup might be scheduled during a normal use period
because the impact to users and systems may be very low. However, a full image
backup might have a very strong impact for users and systems, if done during the
normal use period.
Choosing a Backup Rotation Scheme
A backup rotation scheme determines the most efficient way to back up data over a
specific period of time. An example of a rotation scheme is the grandfather-father-son
rotation scheme. In this scheme, you perform incremental daily backups (son), and full
weekly (father) and monthly (grandfather) backups.
In the grandfather-father-son rotation scheme, the number of media sets you use for
backup determines how much backup history you have. For example, if you use eight
backup sets for daily backups, you have eight days of daily backup history because
you’ll recycle media sets every eight days.
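
The grandfather-father-son scheme above, worked through as an added shell example (not part of the Apple manual). The calendar policy (monthly full on the 1st, weekly full on Sunday, incremental on other days), the function names, and the sample dates are assumptions; the eight daily media sets follow the manual's own example.

```shell
#!/bin/sh
# Added example: grandfather-father-son (GFS) rotation planner.
# Assumed policy (the manual does not fix the days): monthly full on the 1st,
# weekly full on Sunday, incremental on every other day.

# days_from_civil YYYY-MM-DD -> whole days since 1970-01-01 (dates >= 1970).
days_from_civil() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                      # avoid octal parsing of 08 and 09
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# civil_from_days N -> YYYY-MM-DD (inverse of days_from_civil).
civil_from_days() {
    z=$(( $1 + 719468 )); era=$((z / 146097)); doe=$((z - era * 146097))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 )); d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$((mp + 3)); else m=$((mp - 9)); fi
    y=$(( yoe + era * 400 ))
    if [ "$m" -le 2 ]; then y=$((y + 1)); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# gfs_level DATE -> grandfather | father | son
gfs_level() {
    dom=${1##*-}; dom=${dom#0}
    dow=$(( ($(days_from_civil "$1") + 4) % 7 ))    # 0 = Sunday
    if [ "$dom" -eq 1 ]; then echo grandfather
    elif [ "$dow" -eq 0 ]; then echo father
    else echo son
    fi
}

# daily_set DATE NSETS -> 1-based media set for that day's incremental.
# A set is reused every NSETS days, so NSETS sets give NSETS days of history.
daily_set() {
    echo $(( $(days_from_civil "$1") % $2 + 1 ))
}

# gfs_plan START_DATE DAYS NSETS -> one schedule line per day.
gfs_plan() {
    start=$(days_from_civil "$1"); i=0
    while [ "$i" -lt "$2" ]; do
        day=$(civil_from_days $((start + i)))
        case $(gfs_level "$day") in
            son)         echo "$day son incremental set=$(daily_set "$day" "$3")" ;;
            father)      echo "$day father full weekly" ;;
            grandfather) echo "$day grandfather full monthly" ;;
        esac
        i=$((i + 1))
    done
}

# Constructed sample: one week starting 2009-08-27 with eight daily media sets.
gfs_plan 2009-08-27 7 8
```
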
Understanding Restores
No backup policy or solution is complete without having accompanying plans for data
restoration. Depending on what is being restored, you may have different practices
and procedures. For example, your organization may have specific tolerances for how
long critical systems can be out of use while the data is restored.
Consider the following questions:
• How long will it take to restore data at each level of granularity?
For example, how long will a deleted file or email take to restore? How long will a
full hard disk image take to restore? How long would it take to return the whole
network to its state three days ago?
• What process is most effective for each type of restore?
For example, why would you roll back the entire server for a single lost file?
• How much administrator action is necessary for each type of restore? How much
automation must be developed to best use administrators’ time?
• Under what circumstances are restores initiated? Who and what can start a restore
and for what reasons?
Restore practices and procedures must be tested regularly. A backup data set that
does not restore correctly cannot be considered a trustworthy backup. Backup
integrity is measured by restore fidelity.
Defining a Backup Verification Mechanism
You should have a strategy for regularly conducting test restorations. Some
third-party software providers support this functionality. However, if you’re using your own
backup solution, you should develop the necessary test procedures.
Other Backup Policy Considerations
Consider the following additional items for your backup policy:
• Should file compression be used? If so, what kind?
• Are there onsite and offsite backups and archives?
• Are there any special considerations for the type of data being stored? For example,
for Mac OS X files, can the backup utility preserve file metadata, resource forks, and
Access Control List (ACL) privileges?
• Is there sensitive data, such as passwords, social security numbers, phone numbers,
medical records, or other legally protected information, that requires special
treatment, and that must not be backed up without understanding where the data
will flow and be stored?
Choosing Backup Media Type
Several factors help you determine what type of media to choose:
• Cost. Use cost per GB to determine what media to choose. For example, if your
storage needs are limited, you can justify higher cost per GB, but if you need a large
amount of storage, cost becomes a big factor in your decision.
One of the most cost-effective storage solutions is a hard drive RAID. It provides you
with a low cost per GB, and it doesn’t require the special handling needed by other
cost-effective storage types, such as tape drives.
• Capacity. If you back up only a small amount of data, low-capacity storage media
can do the job. But if you need to back up large amounts of data, use high-capacity
devices, such as a RAID.
• Speed. When your goal is to keep your server available most of the time, restoration
speed becomes a big factor in deciding which type of media to choose. Tape
backup systems can be very cost effective, but they are much slower than a RAID.
• Reliability. Successful restoration is the goal of a good backup strategy. If you can’t
restore lost data, all the effort and cost you spent in backing up data is wasted and
the availability of your services is compromised.
Therefore, it’s important that you choose highly reliable media to prevent data loss.
For example, tapes are more reliable than hard disks because they don’t contain
moving parts.
• Archive life. You never know when you’ll need your backed up data. Therefore,
choose media that is designed to last for a long time. Dust, humidity, and other
factors can damage storage media and result in data loss.
Command-Line Backup and Restoration Tools
Mac OS X Server provides several command-line tools for data backup and restoration,
which include:
• rsync. Use to keep a backup copy of your data in sync with the original. The tool
rsync only copies the files that have changed. By default rsync does not preserve
extended attributes in files necessary for many Mac OS X Server services.
• ditto. Use to perform full backups.
• tar. Use to perform full backups.
• asr. Use to back up and restore a volume in block copy mode. If the tool is in file
copy mode, it does not preserve all necessary extended attributes in files.
For more information about these commands, see their respective man pages.
Note: You can use the launchctl command to automate data backup using these
commands. For more information about using launchctl and launchd, see their
respective man pages.
Understanding Time Machine as a Server Backup Tool
At its core, Time Machine is a file-level backup solution that runs at regular intervals
and archives file changes from the initial file set. Time Machine makes use of UNIX file
linking to efficiently store backup intervals as separate browsable file systems, but uses
no compression.
Time Machine is a limited tool for data backup and restoration of
Mac OS X Server v10.6. It can back up some server configuration settings and the
service state. Time Machine does not back up service data.
For example, Time Machine doesn’t back up user and group directory records, email,
DNS records, Address Book shared groups, iCal Server calendars, and so forth. It only
saves the settings made in Server Preferences and Server Admin, and whether a
service is on or off. The following service settings and statuses are preserved:
• Address Book Server
• DHCP
• DNS
• File Services (AFP, SMB, NFS, and FTP)
• Firewall
• iCal Server
• iChat Server
• Mail
• Mobile Access
• MySQL
• NAT
• Network Settings
• Podcast Producer
• Print
• Push Notification
• QTSS
• RADIUS
• Remote Access Settings
• Software Update
• VPN
• Web
• Wiki
• Xgrid
For more information about where the necessary data files are stored for backup via
other means, see “Critical Configuration and Data Files” on page 155.
Note: You can use the launchctl command to automate data backup using the
aforementioned commands. For more information about using launchctl and
launchd, see their respective man pages.
Chapter 3: Administration Tools
Manage Mac OS X Server using graphical applications or
command-line tools.
Mac OS X Server v10.6 administration applications must be run from either
Mac OS X Server v10.6 or Mac OS X v10.6.
Server Admin
You use Server Admin to administer services on Mac OS X Server computers. Server
Admin also lets you specify settings that support multiple services, such as creating
and managing SSL certificates, managing file sharing, and specifying which users and
groups can access services.
The version of Server Admin included with Mac OS X Server v10.6 can be used to
administer the latest version of Mac OS X Server v10.5. However, the current version of
Server Admin can’t be used to administer DNS service or manage certificates
in Mac OS X Server v10.5. Use the version of Server Admin that came with Mac OS X
Server v10.5 on a computer running Mac OS X Server v10.5 or Mac OS X v10.5.
Information about using Server Admin to manage services appears in the individual
administration guides and in onscreen information accessible by using the Help menu
in Server Admin.
Opening and Authenticating in Server Admin
Server Admin is installed in /Applications/Server/, from which you can open it in the
Finder. Or you can open Server Admin by clicking the Server Admin icon in the Dock
or clicking the Server Admin button on the Workgroup Manager toolbar.
To select a server to work with, enter its IP address or DNS name in the login dialog
box or click Available Servers to choose from a list of servers. Specify the user name
and password for a server administrator, then click Connect.
Server Admin Interface
The Server Admin interface is shown here, with each element explained in the
following table.
A  Server List: Shows servers, groups, smart groups, and if desired, the administered
   services for each server.
   You select a group to view a status summary for all grouped computers.
   You select a computer for its overview and server settings.
   You select a server’s service to control and configure the service.
B  Context Buttons: Shows available information and configuration panes.
C  Tool Bar: Shows available context buttons. If a button is grayed out or can’t be clicked,
   you do not have the administrative permissions to access it.
D  Main Work Area: Shows status and configuration options. This looks different for each
   service and for each context button selected.
E  Available servers: Lists the local-network scanner, which you can use to discover servers
   to add to your server list.
F  All Servers: Shows all computers added to Server Admin, regardless of status.
G  Server: Shows the hostname of the managed server. Select to show a hardware, operating
   system, active service, and system status summary.
H  Service: Shows an administered service for a server. Select to get service status, logs,
   and configuration options.
I  Group: Shows an administrator created group of servers. Select to view a status summary
   for all grouped computers.
   For more information, see “Grouping Servers Manually” on page 129.
J  Smart Group: Shows an automatic group, populated with servers that meet a
   predetermined criteria.
   For more information, see “Grouping Servers Using Smart Groups” on page 129.
K  Add button: Shows a pop-up menu of items to add to the Server list: servers, groups, and
   smart groups.
L  Action button: Shows a pop-up menu of actions possible for a selected service, or server,
   including disconnect server, share the server’s screen, and so forth.
M  Refresh button: Allows you to send a status request to all computers visible in the
   Server list.
N  Service Start/Stop button: When a service is selected, this button allows you to start or
   stop the service, as appropriate.
O  Action bar: Shows buttons and pop-up menus with commands to act on selected servers
   or services in the Server list. Click this to save or revert setting changes you’ve made.
   This contains the Add button, Action button, service start and stop buttons, and save and
   revert buttons.
Customizing the Server Admin Environment
To control the Server Admin environment, you have the following options.
• To control the list of services to administer, see “Adding and Removing Servers in
Server Admin” on page 128.
• To control the appearance of Server Admin lists, refresh rates, and other behaviors,
choose Server Admin > Preferences.
• To group and sort servers available for administration, make groups and smart
groups. See “Grouping Servers Manually” on page 129 and “Grouping Servers Using
Smart Groups” on page 129.
Server Assistant
Server Assistant is used for:
• Remote server installations
• Initial setup of a local server
• Initial setup of remote servers
• Preparing data for automated setup
The Server Assistant initial page is shown here.
Server Assistant is opened from the Server menu of Server Admin. The following menu
items open the assistant:
• Install Remote Server
• Set Up Remote Server
• Create Auto Server Setup Profile
For information about using Server Assistant, use its Help buttons, or see
Chapter 6, “Initial Server Setup.”
Server Preferences
Server Preferences is the simplified administration application you need for managing
Mac OS X Server v10.6. You can use Server Preferences in addition to or instead of
Server Admin and Workgroup Manager:
• Manage basic user and group settings.
• Configure essential service settings such as: file sharing service, Address Book
service, iCal calendar service, iChat instant messaging service, mail service, network
security, web services, VPN remote access service, and Time Machine backup for
users’ computers.
• Check the status of the server and services.
You can use Server Preferences on any server you want to manage, or you can use it
remotely from an administrator computer or another server.
For information about using Server Preferences, see Getting Started or Server
Preferences Help.
Workgroup Manager
Mac OS X Server includes Workgroup Manager, a user management tool you can use
to create and manage user, group, computer, and computer group accounts. You also
use it to access the Inspector, an advanced feature that lets you do raw editing of
Open Directory entries.
Workgroup Manager is installed in /Applications/Server/, from which you can open it in the
Finder. Or you can open Workgroup Manager by clicking View > Workgroup Manager
in the Server Admin menu bar.
Workgroup Manager works closely with a directory domain. Directory domains are
like databases, and are geared towards storing account information and handling
authentication.
Information about using Workgroup Manager appears in several documents at the
Mac OS X Server Resources website at www.apple.com/server/macosx/resources/.
After opening Workgroup Manager, you can open a Workgroup Manager window by
choosing Server > New Workgroup Manager Window.
Important: When connecting to a server or authenticating in Workgroup Manager,
make sure the capitalization of the name you enter matches the name of a server
administrator or domain administrator account.
Workgroup Manager Interface
The Workgroup Manager interface is shown here, with each element explained in the
following table.
A  Server Admin: Click to open the Server Admin application.
B  Settings Buttons: Click Accounts to view or edit account settings, or click Preferences
   to view or edit preference settings.
C  Tool Bar: Click the icons to accomplish the various commands. The toolbar is customizable.
D  Directory path: Use to view the directory you are editing. Click the globe icon to select
   a directory domain. Click the lock to authenticate.
E  Record Type tabs: Use to view records for users, groups, and computer groups. If the
   Inspector is enabled, this also contains the Inspector tab.
F  Text filters: Use to enter text to filter record names.
G  Record list display: Use to view names for a selected record type.
H  Selection bar: Use to view the number of records found and selected.
I  Main Work Area: Use to work with account, preference, and configuration options. This
   looks different for each user, group, or preference type.
J  Action zone: Use to save and revert changes, and to make and apply preset configurations
   to selected records.
Customizing the Workgroup Manager Environment
There are several ways to tailor the Workgroup Manager environment:
• To open Workgroup Manager Preferences, choose Workgroup Manager >
Preferences.
You can configure options such as if DNS names are resolved, if the Inspector is
enabled, if you need to enter a search query to list records, and what the maximum
number of displayed records is.
• To customize the toolbar, choose View > Customize Toolbar.
• To include predefined users and groups in the user and group lists, choose View >
Show System Users and Groups.
• To open Server Admin, click the Server Admin toolbar button.
Server Monitor
You use Server Monitor to monitor local or remote Xserve hardware and trigger
mail notications when circumstances warrant attention. Server Monitor provides
information about the installed operating system, drives, power supply, enclosure and
processor temperature, cooling blowers, security, and network.
The Server Monitor interface is shown below.
Server Monitor is installed in /Applications/Server/ when you install your server or set
up an administrator computer. To open Server Monitor, click the Server Monitor icon in
the Dock or double-click the Server Monitor icon in /Applications/Server/. From within
Server Admin, choose View > Server Monitor.
To identify the Xserve computer to monitor, click Add Server, identify the server, and
enter user name and password information for an administrator of the server. If adding
the local server, use ‘127.0.0.1’ for the IP address. If adding a remote server, enter the
server’s LOM hostname or IP address.
To specify how often you want to refresh data, use the “Update every” pop-up menu in
the Info pane.
To manage different lists of Xserve computers you want to monitor, choose File >
Export or File > Import. To consolidate lists into one, choose File > Merge.
The system identifier lights on the front and back of an Xserve computer light when
service is required. Use Server Monitor to understand why the lights are on. You can
also turn the lights on to identify a specific Xserve computer in a rack of servers by
selecting the server and clicking “System identifier light” in the Info pane.
To set up Server Monitor to notify you by mail when an Xserve computer’s status
changes, click Edit Notifications. For each server, you set up the conditions that
you want notification for. The mail message can come from Server Monitor or from
the server.
Server Monitor keeps logs of Server Monitor activity for each Xserve computer. To view
a log, click Show Log. The log shows, for example, Server Monitor attempts to contact
the server and whether a connection was successful. The log also shows server status
changes. (The logs don’t include system activity on the server.)
For additional information, see Server Monitor Help.
iCal Service Utility
iCal Service Utility gives users access to shared information about locations and
resources. Users can use iCal Service Utility to set up information about shared
resources and locations for use with iCal Service.
iCal Service Utility Interface
The iCal Service Utility interface is shown here, with each element explained in the
following table.
A  Search field: Use to search record types. Numbers appear at the left of the Record Type
   buttons to indicate the number of matching records.
B  Record Type buttons: Click to show the type of directory records desired.
C  Results list: Use to view the results of the record search.
D  Record view: Use to view the record selected in the Results list.
E  Add button: Use to add a location or resource record.
F  Save button: Click to save changes to the selected record.
For information about how to use iCal Service Utility, see the onscreen help for iCal
Service Utility.
System Image Management
You can use the following Mac OS X Server applications to set up and manage
NetBoot and NetInstall images:
• System Image Utility creates Mac OS X disk images. It’s installed with Mac OS X Server
software in the /Applications/Server/ folder.
The System Image Utility interface is shown below.
• Server Admin enables and configures NetBoot service and supporting services.
It’s installed with Mac OS X Server software in the /Applications/Server/ folder.
• PackageMaker creates package files that you use to add software to disk images.
Access PackageMaker from Xcode Tools. An installer for Xcode Tools is on the server
Install DVD in the Other Installs folder.
• Property List Editor edits property lists such as NBImageInfo.plist. Access Property List
Editor from Xcode Tools.
The online help and Mac OS X Server Resources website at
www.apple.com/server/macosx/resources/ provide instructions for using
all these applications.
Media Streaming Management
The online help and Mac OS X Server Resources website at
www.apple.com/server/macosx/resources/ provide instructions for administering
QuickTime Streaming Server (QTSS) using Server Admin and QuickTime Broadcaster.
Command-Line Tools
If you’re an administrator who prefers to work in a command-line environment,
you can do so with Mac OS X Server.
From the Terminal application in Mac OS X, you can use the built-in UNIX shells
(sh, csh, tsh, zsh, bash) to use tools for installing and setting up server software and
for configuring and monitoring services. You can also submit commands from a
non-Mac OS X computer.
Mac OS X Server has a command-line version of Server Admin called serveradmin that
you use to administer the services that Server Admin manages. It is run on the server
to be administered over a remote connection.
When managing remote servers, you conduct secure administration by working in a
Secure Shell (SSH) session.
Server Status Widget
The Server Status widget lets you monitor Mac OS X Server v10.6 activity from any
computer with Mac OS X v10.6 or Mac OS X Server v10.6. Server Status shows you
graphs of processor activity, network load, and disk usage.
For information about using the Server Status widget, see Getting Started or Server
Preferences Help.
RAID Admin
RAID Admin is a tool to administer and monitor Xserve RAID devices. You use RAID
Admin to set up Xserve RAID hardware, including:
• Creating, deleting, and expanding RAID arrays
• Monitoring the status of Xserve RAID systems
• Adjusting settings, including system name and password, network address for each
RAID controller, fibre channel communication speed, drive cache, and controller
cache
• Setting up email notification for system alerts
• Implementing advanced features, such as dividing arrays into slices and updating
the firmware of an Xserve RAID system.
Podcast Capture, Composer, and Producer
Podcast Capture takes audio and video from a local or remote camera, captures
screen activity, or uploads QuickTime files into Podcast Producer for encoding and
distribution. Podcast Composer creates the workflow instructions for Podcast Producer.
Xgrid Admin
You can use Xgrid Admin to monitor local or remote Xgrid controllers, grids, and jobs.
You can add controllers and agents to monitor and specify agents that have not yet
joined a grid. You also use Xgrid Admin to pause, stop, or restart jobs.
The Xgrid Admin interface is shown here.
Xgrid Admin is installed in /Applications/Server/ when you install your server or set up
an administrator computer. To open Xgrid Admin, double-click the Xgrid Admin icon in
/Applications/Server/.
For additional information, see Xgrid Admin help.
Apple Remote Desktop
Apple Remote Desktop (ARD), which you can optionally purchase, is an easy-to-use
network-computer management application. It simplifies the setup, monitoring, and
maintenance of remote computers and lets you interact with users.
The ARD interface is shown here.
You can use ARD to:
• Control and observe computer screens.
• Configure computers and install software.
• Conduct one-to-one or one-to-many user interactions to provide help or tutoring.
• Perform basic network troubleshooting.
• Generate reports that audit computer hardware characteristics and installed
software.
You can also use ARD to control installation on a computer that you start up from an
installation disc for Mac OS X Server v10.5 or later, because ARD includes VNC viewer
capability.
For more information about Apple Remote Desktop, see
www.apple.com/remotedesktop/.
Chapter 4: Enhancing Security
By vigilantly adhering to security policies and practices, you
can minimize the threat to system integrity and data privacy.
Mac OS X Server is built on a robust UNIX foundation that contains many security
features in its core architecture. State-of-the-art, standards-based technologies protect
your server, network, and data. These technologies include a built-in firewall with
stateful packet analysis, strong encryption and authentication services, data security
architectures, and support for access control lists (ACLs).
Use this chapter to stimulate your thinking. It doesn’t present a rigorous planning
outline, nor does it provide the details you need to determine whether to implement
a particular security policy and assess its resource requirements. Instead, view this
chapter as an opportunity to plan and institute the security policies necessary for your
environment.
About Physical Security
The physical security of a server is an often overlooked aspect of computer security.
Anyone with physical access to a computer (for example, to open the case, or plug in
a keyboard, and so forth) has almost full control over the computer and the data on it.
For example, someone with physical access to a computer can:
• Restart the computer from another external disc, bypassing any existing login
mechanism.
• Remove hard disks and use forensic data recovery techniques to retrieve data.
• Install hardware-based key-loggers on the local administration keyboard.
In your own organization and environment, you must decide which precautions are
necessary, effective, and cost-effective to protect the value of your data and network.
For example, in an organization where floor-to-ceiling barriers might be needed to
protect a server room, securing the air ducts leading to the room might also need
to be considered. Other organizations might only need a locked server rack or a
firmware password.
About Network Security
Network security is as important to data integrity as physical security. Although
someone might immediately see the need to lock down an expensive server, he or she
might not immediately see the need to restrict access to the data on that same server.
The following sections provide considerations, techniques, and technologies to assist
you in securing your network.
Firewalls and Packet Filters
Much like a physical firewall that acts as a physical barrier to provide heat and heat
damage protection in a building or for a vehicle, a network firewall acts as a barrier for
your network assets, preventing data tampering from external sources.
Mac OS X Server’s Firewall service is software that protects the network applications
running on your Mac OS X Server.
Turning on Firewall service is similar to erecting a wall to limit access. The service scans
incoming IP packets and rejects or accepts packets based on the rules you create.
You can restrict access to any IP service running on the server, and you can customize
rules for incoming clients or a range of client IP addresses. Services such as Web and
FTP services are identified on your server by a Transmission Control Protocol (TCP) or
User Datagram Protocol (UDP) port number.
When a computer tries to connect to a service, Firewall service scans the rule list for
a matching rule. When a packet matches a rule, the action specified in the rule (such
as allow or deny) is taken. Then, depending on the action, additional rules might be
applied.
If the server gets its Internet connection through an AirPort Extreme Base Station
(802.11n) or a Time Capsule, you can use it instead of the server’s firewall to protect
the network. You can automatically manage the base station or Time Capsule in the
Security pane of Server Preferences. AirPort automanagement isn’t available using
Server Admin.
You can also protect a small network with other kinds of Internet sharing routers,
but you must manage them manually. For more information, see Mac OS X Server
Getting Started.
Network DMZ
In computer network security, a demilitarized zone (DMZ) is a network area
(a subnetwork) that is between an organization’s internal network and an external
network like the Internet.
You can make connections from the internal and external network to the DMZ, and
you can make connections from the DMZ to the external network, but you cannot
make connections from the DMZ to the internal network.
This allows an organization to provide services to the external network while
protecting the internal network from being compromised by a host in the DMZ. If
someone compromises a DMZ host, he or she cannot connect to the internal network.
The DMZ is often used to connect servers that need to be accessible from the external
network or Internet, such as mail, web, and DNS servers.
Connections from the external network to the DMZ are often controlled using firewalls
and address translation.
You can create a DMZ by configuring your firewall. Each network is connected to a
different port on the firewall, called a three-legged firewall setup. This is simple to
implement but creates a single point of failure.
Another approach is to use two firewalls with the DMZ in the middle, connected to
both firewalls, and with one firewall connected to the internal network and the other
to the external network. This is called a screened-subnet firewall.
This setup provides protection in case a firewall misconfiguration would otherwise
allow access from the external network to the internal network.
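The rule scan and the DMZ connection directions described above, as an added example that is not from the Apple manual: a first-match rule evaluator plus an audit of the four DMZ directions, run against a correct table and against one with a misplaced exception. The rule format, zone subnets and addresses are constructed (this is not Firewall service syntax), and the first matching rule is assumed to be final.

```shell
#!/bin/sh
# Added example, not from the manual. The rule table format, zone names and
# subnets are constructed for illustration; this is not Firewall service syntax.

# One rule per line: ACTION SRC-ZONE DST-ZONE PORT ("any" is a wildcard).
GOOD_RULES='allow internal dmz any
allow external dmz 25
allow external dmz 80
allow dmz external any
deny dmz internal any
allow internal external any
deny any any any'

# Same table with one rule added at the top: a DNS exception that was meant
# for outbound lookups but also matches DMZ-to-internal traffic.
BAD_RULES="allow dmz any 53
$GOOD_RULES"

# zone_of ADDRESS: map an address to a zone (constructed subnets).
zone_of() {
    case "$1" in
        10.0.0.*)      echo internal ;;
        192.168.100.*) echo dmz ;;
        *)             echo external ;;
    esac
}

# decide RULES SRC_ADDR DST_ADDR PORT
# Scans the rule list top to bottom and prints the action of the first rule
# that matches. Assumption: the first match is final (no follow-up rules).
decide() {
    d_src=$(zone_of "$2")
    d_dst=$(zone_of "$3")
    while read -r d_action d_rsrc d_rdst d_rport; do
        [ -n "$d_action" ] || continue
        { [ "$d_rsrc" = any ] || [ "$d_rsrc" = "$d_src" ]; } || continue
        { [ "$d_rdst" = any ] || [ "$d_rdst" = "$d_dst" ]; } || continue
        { [ "$d_rport" = any ] || [ "$d_rport" = "$4" ]; } || continue
        echo "$d_action"
        return 0
    done <<EOF
$1
EOF
    echo deny    # nothing matched: default deny
}

# audit_dmz RULES
# Checks the DMZ directions from the text: internal->DMZ, external->DMZ and
# DMZ->external are allowed, DMZ->internal is not. Prints each violation and
# returns 1 if there is any, 0 otherwise.
audit_dmz() {
    a_fail=0
    while read -r a_want a_src a_dst a_port; do
        a_got=$(decide "$1" "$a_src" "$a_dst" "$a_port")
        if [ "$a_got" != "$a_want" ]; then
            echo "VIOLATION: $a_src -> $a_dst port $a_port is $a_got, expected $a_want"
            a_fail=1
        fi
    done <<EOF
allow 10.0.0.5 192.168.100.10 80
allow 203.0.113.7 192.168.100.10 80
allow 192.168.100.10 203.0.113.7 25
deny 192.168.100.10 10.0.0.5 53
deny 192.168.100.10 10.0.0.5 548
EOF
    return "$a_fail"
}

audit_dmz "$GOOD_RULES" && echo "GOOD_RULES: DMZ policy holds"
audit_dmz "$BAD_RULES"  || echo "BAD_RULES: DMZ policy broken"
```

Because the scan stops at the first match, the exception placed above the deny rule wins; the audit catches it only because it probes the port the exception opened.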
VLANs
Mac OS X Server provides 802.1q Virtual Local Area Network (VLAN) support on the
Ethernet ports and secondary PCI gigabit Ethernet cards available or included with
Xserves.
VLAN allows multiple computers on different physical LANs to communicate with
each other as if they were on the same LAN. Benefits include more efficient network
bandwidth utilization and greater security, because broadcast or multicast traffic is
only sent to computers on the common network segment. Xserve VLAN support
conforms to the IEEE 802.1q standard.
MAC Filtering
MAC ltering (or layer 2 address ltering) refers to a security access control where a
network interface’s MAC address, or Ethernet address (the 42-bit address assigned to
each network interface), is used to determine access to the network.
MAC addresses are unique to each card, so using MAC ltering on a network permits
and denies network access to specic devices, rather than to specic users or network
trac types. Individual users are not identied by a MAC address, only a device, so an
authorized person must have an allowed list of devices that he or she would use to
access the network.
In theory, MAC ltering allows a network administrator to permit or deny network
access to hosts and devices associated with the MAC address, although in practice
there are methods to avoid this form of access control through address modication
(spoong) or the physical exchange of network cards between hosts.
Transport Encryption
Transferring data securely across a network involves encrypting the packet contents
sent between computers. Mac OS X Server can provide Transport Layer Security (TLS)
and its predecessor, Secure Sockets Layer (SSL) as the cryptographic protocols that
provide secure communications on the Internet for such things as web browsing, mail,
and other data transfers.
These encryption protocols allow client and server applications to communicate in a
way that helps prevent eavesdropping, tampering, and message forgery.
TLS provides endpoint authentication and communications privacy over the Internet
using cryptography. These encrypted connections authenticate the server (so its
identity is ensured) but the client remains unauthenticated.
To have mutual authentication (where each side of the connection is assured of the
identity of the other), use a public key infrastructure (PKI) for the connecting clients.
Mac OS X Server makes use of OpenSSL and has integrated transport encryption into
the following tools and services:
• Server administration using Server Admin and Server Preferences
• User and group management using Workgroup Manager
• Address Book Server
• iCal Server
• iChat Server
• Mail Service
• Open Directory
• Podcast Producer
• RADIUS
• SSH
• VPN (L2TP)
• Web service
Payload Encryption
Rather than encrypting the transfer of a file across the network, you can encrypt the
contents of the file instead. Files with strong encryption might be captured in transit,
but would still be unreadable.
Most transport encryption requires the participation of both parties in the transaction.
Some services (such as SMTP mail service) can’t reliably use such techniques, so
encrypting the le itself is the only method of reliably securing the le content.
To learn more about le encryption, see About File Encryption” on page 55.
About File Security
By default, les and folders are owned by the user who creates them. After theyre
created, items keep their privileges (a combination of ownership and permissions)
even when moved, unless the privileges are explicitly changed by their owners or
an administrator. Therefore, les and folders you create are not accessible if they are
created in a folder that the users don’t have privileges for.
When setting up share points, make sure that items allow appropriate access privileges
for the users you want to share them with.
File and Folder Permissions
Mac OS X Server supports the following file and folder permissions:
• Standard Portable Operating System Interface (POSIX) permissions
• Access Control Lists (ACLs)
POSIX permissions let you control access to files and folders based on three categories
of users: Owner, Group, and Everyone Else.
Although these permissions control who can access a file or a folder, they lack the
flexibility and granularity that many organizations require to deal with elaborate user
environments.
ACL permissions provide an extended set of permissions for files or folders and allow
you to set multiple users and groups as owners. In addition, ACLs are compatible with
Windows Server 2003 and Windows XP, giving you added flexibility in a multiplatform
environment.
For more information about file permissions, see the online help and Mac OS X Server
Resources website at www.apple.com/server/macosx/resources/.
About File Encryption
Mac OS X has a number of technologies that can perform file encryption, including:
• FileVault: FileVault performs on-the-fly encryption on each user’s home folder.
This encrypts the entire directory in one virtual volume, which is mounted, and
the data is unencrypted as needed.
• Secure VM: Secure VM encrypts system virtual memory (memory data temporarily
written to the hard disk), not user files. It improves system security by keeping
virtual memory files from being read and exploited.
• Disk Utility: Disk Utility can create disk images whose contents are encrypted and
password protected. Disk images act like removable media such as external hard
disks or USB memory sticks, but they exist only as files on the computer. After you
create an encrypted disk image, double-click it to mount it. Files you drag onto the
mounted image are encrypted and stored on the disk image. You can send this disk
image to other Mac OS X users. With the unlocking password, they can retrieve the
files you locked in the disk image.
Secure Delete
When a le is put in the Trash and the Trash is emptied, or when a le is removed
using the rm UNIX tool, the les are not removed from disk. Instead, they are removed
from the list of les the operating system (OS) tracks and does not write over.
Any space on your hard disk that is free space (places the OS can put a le) most likely
contains previously deleted les. Such les can be retrieved using undelete utilities
and forensic analysis.
To truly remove the data from disk, you must use a more secure delete method.
Security experts advise writing over deleted les and free space multiple times with
random data.
Mac OS X Server provides the following tools to allow you to securely delete les:
Secure Empty Trash (a command in the Finder menu to use instead of “Empty Trash Â
Âsrm (a UNIX utility that securely deletes les, used in place of “rm”)
About Authentication and Authorization
Authentication is verifying a person’s identity, but authorization is verifying that
an authenticated person is allowed to perform a certain action. Authentication is
necessary for authorization.
In a computing context, when you provide a login name and password, you are
authenticated to the computer because it assumes only one person (you) knows the
login name and the password. After you are authenticated, the operating system
checks lists of people who are permitted to access certain files, and if you are
authorized to access them, you are permitted to.
Because authorization can’t occur without authentication, authorization is sometimes
used to mean the combination of authentication and authorization.
In Mac OS X Server, users trying to access services (like logging in to a directory-aware
workstation, or trying to mount a remote volume) must authenticate by providing a
login name and password before privileges for the users can be determined.
You have several options for authenticating users:
• Open Directory authentication. Based on the standard Simple Authentication
and Security Layer (SASL) protocol, Open Directory authentication supports many
authentication methods, including CRAM-MD5, APOP, WebDAV, SHA-1, LAN Manager,
NTLMv2, and Kerberos.
Open Directory authentication lets you set up password policies for individual users
or for all users whose records are stored in a directory, with exceptions if required.
Open Directory authentication also lets you specify password policies for individual
directory replicas.
For example, you can specify a minimum password length or require a user to
change the password the next time he or she logs in. You can also disable login for
inactive accounts or after a specified number of failed login attempts.
• Kerberos v5 authentication. Using Kerberos authentication allows integration
into existing Kerberos environments. The Key Distribution Center (KDC) on
Mac OS X Server offers full support for password policies you set up on the server.
Using Kerberos also provides a feature known as single sign-on, described in the next
section.
The following services on Mac OS X Server support Kerberos authentication:
  • Address Book Server
  • Apple Filing Protocol (AFP)
  • File Transfer Protocol (FTP)
  • iCal Server
  • iChat Server
  • Login window
  • Mail Services
  • Network Filing Protocol (NFS)
  • Open Directory (LDAPv3)
  • Printing (IPP)
  • Screen saver
  • Secure Shell (SSH)
  • Server Message Block file service (SMB)
  • Virtual Private Network (VPN)
  • Virtual Network Computing (VNC, known as Screen Sharing in Mac OS X Server)
  • Web Service (Apache via the SPNEGO Simple and Protected GSS-API Negotiation
    Mechanism protocol)
  • Xgrid
• Storing passwords in user accounts. This approach might be useful when migrating
user accounts from earlier server versions. However, this approach may not support
clients that require network-secure authentication protocols, such as APOP.
• Non-Apple LDAPv3 authentication. This approach is available for environments
that have LDAPv3 servers set up to authenticate users.
• RADIUS (an authentication protocol for controlling network access by clients
in mobile or fixed configurations). For more information about RADIUS in
Mac OS X Server, see the online help and Mac OS X Server Resources website at
www.apple.com/server/macosx/resources/.
Single Sign-On
Mac OS X Server uses Kerberos for single sign-on authentication, which relieves users
from entering a user name and password separately for every service. With single sign-
on, a user always enters a user name and password in the login window. Thereafter,
the user does not need to enter a name and password for Apple file service, mail
service, or other services that use Kerberos authentication.
To use single sign-on, users and services must be Kerberized—configured for Kerberos
authentication—and must use the same Kerberos Key Distribution Center (KDC) server.
User accounts that reside in an LDAP directory of Mac OS X Server and have a
password type of Open Directory use the server’s built-in KDC. These user accounts are
configured for Kerberos and single sign-on.
This server’s Kerberized services also use the server’s built-in KDC and are configured
for single sign-on. This Mac OS X Server KDC can also authenticate users for services
provided by other servers. Having additional servers with Mac OS X Server use the
Mac OS X Server KDC requires minimal configuration.
Kerberos was developed at MIT to provide secure authentication and communication
over open networks like the Internet. Kerberos provides proof of identity for two
parties. It enables you to prove who you are to network services you want to use.
It also proves to your applications that network services are genuine, not spoofed.
Like other authentication systems, Kerberos does not provide authorization. Each
network service determines for itself what it will allow you to do based on your proven
identity.
Kerberos allows a client and a server to unambiguously identify each other much
more securely than the typical challenge-response password authentication methods
traditionally deployed.
Kerberos also provides a single sign-on environment where users must authenticate
only once a day, week, or other period of time, easing authentication loads for users.
Mac OS X Server and Mac OS X versions 10.3 through 10.6 support Kerberos version 5.
About Certicates, SSL, and Public Key Infrastructure
Mac OS X Server supports services that use Secure Sockets Layer (SSL) to ensure
encrypted data transfer. It uses a Public Key Infrastructure (PKI) system to generate and
maintain certicates for use with SSL-enabled services.
PKI systems allow the two parties in a data transaction to be authenticated to each
other and to use encryption keys and other information in identity certicates to
encrypt and decrypt messages traveling between them.
PKI enables multiple communicating parties to establish condentiality, message
integrity, and message source authentication without exchanging secret information
in advance.
SSL technology relies on a PKI system for secure data transmission and user
authentication. It creates an initial secure communication channel to negotiate a
faster, secret key transmission. Mac OS X Server uses SSL to provide encrypted data
transmission for mail, web, and directory services.
The following sections contain more background information about key aspects of PKI.
Public and Private Keys
Within a PKI, two digital keys are created: the public key and the private key.
The private key isn’t distributed to anyone and is often encrypted by a passphrase.
The public key is distributed to other communicating parties.
Basic key capabilities can be summed up as follows:
Key type    Capabilities
Public      • Can encrypt messages that can only be decrypted by the holder of the
              corresponding Private key.
            • Can verify the signature on a message to ensure that it is coming from a
              Private key.
Private     • Can digitally sign a message or certificate, claiming authenticity.
            • Can decrypt messages that were encrypted with the Public key.
            • Can encrypt messages that can only be decrypted by the private key.
Web, mail, and directory services use the public key with SSL to negotiate a shared key
for the duration of the connection.
For example, a mail server will send its public key to a connecting client and initiate
negotiation for a secure connection. The connecting client uses the public key to
encrypt a response to the negotiation. The mail server, because it has the private key,
can decrypt the response. The negotiation continues until the mail server and the
client have a shared secret to encrypt traffic between computers.
Certicates
A certicate is an electronic document that contains a public key with identication
information (name, organzation, email address, and so on). In a public key
environment, a certicate is digitally signed by a Certicate Authority, or its own
private key (the latter being a self-signed certicate).
A public key certicate is a le in a specied format (Mac OS X Server uses the x.509
format) that contains:
The public key half of a public-private key pair Â
The key users identity information, such as a person’s name and contact information Â
A validity period (how long the certicate can be trusted to be accurate) Â
The URL of someone with the power to revoke the certicate (its Ârevocation center)
The digital signature of a CA, or the key user Â
About Certicate Authorities (CAs)
A CA is an entity that signs and issues digital identity certicates claiming that a party
is correctly identied. In this sense, a CA is a trusted third party used by other parties
when performing transactions.
In x.509 systems such as Mac OS X, CAs are hierarchical, with CAs being certied by
higher CAs, until you reach a root authority. A root authority is a CA thats trusted by
the parties, so it doesn’t need to be authenticated by another CA. The hierarchy of
certicates is top-down, with the root authoritys certicate at the top.
A CA can be a company that signs and issues a public key certicate. The certicate
attests that the public key belongs to the owner recorded in the certicate.
In a sense, a CA is a digital notary public. You request a certicate by providing the CA
with your identity information, contact information, and the public key. The CA then
veries your information so users can trust certicates issued for you by the CA.
About Identities
Identities are a certificate and a private key, together. The certificate identifies the
user, and the private key corresponds to the certificate. A single user can have several
identities; for any given user each certificate could have a different name, email
address, or issuer.
These identities are used for different security contexts. For example, one could be
used to sign others’ certificates, and one could be used to identify the user by email,
and these do not need to be the same identity.
In the context of the Mac OS X Server Certificate Manager, identities include a signed
certificate and both keys of a PKI key pair. The identities are used by the system
keychain and are available for use by various services that support SSL.
About Self-Signed Certificates
Self-signed certificates are digitally signed by the private key corresponding to
the public key included in the certificate. This is done in place of a CA signing the
certificate. By self-signing a certificate, you’re attesting that you are who you say you
are. No trusted third party is involved.
About Intermediate Trust
If you are your own CA, and your certificates are not trusted by the default shipping
root certificates in Mac OS X, your clients can still be configured to trust your
certificates through an intermediate trust.
Trust is the ability of a client to believe the identity of a server when it connects.
A trusted server is a known server that the client can transact with securely, without
interference from outside and unknown parties.
Mac OS X clients follow x.509 trust validation when accepting certificates, meaning
they follow the chain of certificate signers back until they find a trusted root certificate.
Mac OS X lets you specify a trusted anchor (in other words, a certificate that is not a
root CA certificate, but that you trust). A client can trust a certificate closer in the chain
of trust, or even just the submitted certificate itself. Trusting a certificate that isn’t a
shipping root anchor is intermediate trust.
To accomplish this, trust needs to be bestowed on certificates instead of to keychains
(as was done previously). In v10.4, trust was given to certificates in the keychain
called “X509Anchors.” The X509Anchors keychain was deprecated starting with
Mac OS X v10.5.
Several keychains can hold certificates:
• SystemRootCertificates: This keychain holds root certificates that ship with
  Mac OS X. The certificates already have trust given to them.
• System: This keychain holds certificates that the computer administrator can add. All
  users on a given client can read from this keychain. The trust settings of a certificate
  in this keychain can override those of a certificate in SystemRootCertificates.
• Any other keychain: This holds certificates for a given user and is only accessible to
  that user. The trust settings of a certificate in this keychain can override those of a
  certificate in SystemRootCertificates or System.
Trusted certificates can be in any of these locations, but to trust a certificate,
trust settings must be given explicitly to a certificate.
To configure clients to trust a certificate:
1 Copy the self-signed CA certificate (the file named ca.crt) onto each client computer.
This is preferably distributed using nonrewritable media, such as a CD-R. Using
nonrewritable media prevents the certificate from being corrupted.
2 Open the Keychain Access tool by double-clicking the ca.crt icon where the certificate
was copied onto the client computer.
3 Drag the certificate to the System keychain using Keychain Access.
Authenticate as an administrator, if requested.
4 Double-click the certificate to get the certificate details.
5 In the details window, click the Trust disclosure triangle.
6 From the pop-up menu next to “When using this certificate,” select “Always Trust.”
You have now added trust to this certificate, regardless of who it is signed by.
From the command line
After copying the certificate to the target client computer, perform the following,
replacing <certificate> with the file path to the certificate:
sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain <certificate>
You can use the security tool to save and restore trust settings as well. For more
information on using the security command-line tool, see the security man page.
Certicate Manager in Server Admin
Mac OS X Server’s Certicate Manager is integrated into Server Admin to help you
create, use, and maintain identities for SSL-enabled services.
The Server Admin interface is shown below, with Certificates selected.
Certificate Manager provides integrated management of SSL certificates in
Mac OS X Server for services that allow the use of SSL certificates. On installation,
the server creates a self-signed certificate for immediate use from information you
put in during server setup.
Certificate Manager uses Mac OS X’s Certificate Assistant to create self-signed
certificates and certificate-signing requests (CSRs) to obtain certificates signed by a
CA. The certificates, self-signed or signed by a CA, are then accessible by services that
support SSL.
Certificate Manager in Server Admin doesn’t allow you to sign and issue certificates
as a CA, nor does it allow you to sign and issue certificates as a root authority. If you
need these functions, you can use Certificate Assistant in Keychain Access (located in
/Applications/Utilities/). It provides these capabilities and others for working with x.509
certificates.
Identities that were created and stored in OpenSSL files can also be imported into
Certificate Manager. They are accessible to services that support SSL. Self-signed and
CA-issued certificates you created in CA Assistant can be used in Certificate Manager
by importing the certificate.
Certificate Manager displays the following for each certificate:
• The domain name the certificate was issued for
• The expiration date of the certificate
• When selected, the detailed contents of the certificate
When certificates and keys are imported via Certificate Manager, they are put in the
/etc/certificates/ directory. The directory contains four PEM formatted files for every
identity:
• The certificate
• The public key
• The trust chain
• The concatenated version of the certificate plus the trust chain (for use with some
  services)
The certificate and trust chain are owned by the root user and the wheel group, with
permissions set to 644. The public key and concatenation file are owned by the root
user and the certusers group, with permissions set to 640.
Each file has the following naming convention:
<common name>.<SHA1 hash of the certificate>.<cert | chain | concat | key>.pem
For example, the certificate for a web server at example.com might look like this:
www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem
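The naming convention and permissions described above can be checked mechanically. The following shell script is an added example, not Apple's code: it flags file names that do not follow the convention, key or concat files that other users can access, files writable by group or others, and identities missing one of the four files. Ownership (root, wheel, certusers) is not checked; the function names and the sample store are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory laid out like Certificate Manager's PEM store.
# Findings are printed one per line; exit status 0 means nothing was found.

# True when file $1 has at least one of the octal permission bits that follow.
has_any_bit() {
    hb_file=$1; shift
    for hb_bit in "$@"; do
        if [ -n "$(find "./$hb_file" -prune -perm "-$hb_bit")" ]; then
            return 0
        fi
    done
    return 1
}

audit_cert_dir() (
    cd "$1" || exit 2
    findings=0
    report() { printf '%s\n' "$1"; findings=$((findings + 1)); }
    name_re='^(.+\.[0-9A-Fa-f]{40})\.(cert|chain|concat|key)\.pem$'

    for f in *.pem; do
        [ -e "$f" ] || continue
        if ! printf '%s\n' "$f" | grep -Eq "$name_re"; then
            report "BAD-NAME $f"
            continue
        fi
        kind=${f%.pem}
        kind=${kind##*.}
        case $kind in
            key|concat)
                # Documented as 640: no access at all for "other".
                if has_any_bit "$f" 004 002 001; then report "EXPOSED $f"; fi ;;
        esac
        # No file in the store is documented as group- or world-writable.
        if has_any_bit "$f" 020 002; then report "WRITABLE $f"; fi
    done

    # Each identity (<common name>.<hash>) should have all four files.
    ids=$(ls | sed -nE "s/$name_re/\1/p" | sort -u)
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        for kind in cert chain concat key; do
            [ -e "$id.$kind.pem" ] || report "MISSING $id.$kind.pem"
        done
    done <<EOF
$ids
EOF
    [ "$findings" -eq 0 ]
)

# Constructed sample store (empty files, not real certificates): one complete
# identity using the file name from the manual, one incomplete identity with a
# world-readable key, and one file that ignores the naming convention.
make_sample_store() {
    store=$(mktemp -d) || return 1
    good=www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3
    bad=mail.example.com.0123456789ABCDEF0123456789ABCDEF01234567
    for kind in cert chain concat key; do : > "$store/$good.$kind.pem"; done
    chmod 644 "$store/$good.cert.pem" "$store/$good.chain.pem"
    chmod 640 "$store/$good.concat.pem" "$store/$good.key.pem"
    : > "$store/$bad.cert.pem"; : > "$store/$bad.key.pem"; : > "$store/server.pem"
    chmod 644 "$store/$bad.cert.pem" "$store/$bad.key.pem" "$store/server.pem"
    printf '%s\n' "$store"
}

# Demo run on the constructed store; on a server, point audit_cert_dir at
# /etc/certificates/ instead.
sample=$(make_sample_store)
audit_cert_dir "$sample" || true
rm -rf "$sample"
```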
Readying Certicates
Before you can use SSL in Mac OS X Servers services, you must create or import
certicates. You can create self-signed certicates, create certicates and then generate
a Certicate Signing Request (CSR) to send to a CA, or import certicates previously
created with OpenSSL.
If you have previously generated certicates for SSL, you can import them for use by
Mac OS X Server services. The OpenSSL keys and certicates must be in PEM format.
Select a CA to sign your certicate request. If you don’t have a CA to sign your request,
consider becoming your own CA and then import your CA certicates into the root
trust database of your managed machines.
When you set up Mac OS X Server, the Server Assistant creates a self-signed certicate
based on information you provided when its rst installed. It can be used for any
service that supports SSL. When your clients choose to trust the certicate, SSL
connections can be used without user interaction from that point on.
This initial self-signed certicate is used by Server Admin and Server Preferences to
encrypt administrative functions.
Creating a Self-Signed Certificate
A self-signed certificate is generated at server setup. Although it is available for use,
you may want to customize the information in the certificate, so you would create a
new self-signed certificate. This is especially important if you plan on having a CA sign
your certificate.
When you create a self-signed certificate, Certificate Manager creates a private–public
key pair in the System keychain with the key size specified (512 - 2048 bits). It then
creates the corresponding self-signed certificate.
If you’re using a self-signed certificate, consider using an intermediate trust for it and
import the certificate into the System keychain on all client computers (if you have
control of the computers). For more information about using intermediate trust,
see “About Intermediate Trust” on page 61.
To create a self-signed certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Click the Add (+) button and choose Create a Certificate Identity.
Certificate Assistant launches, populated with information needed to generate the
certificate.
4 If you override the defaults, choose “Let me override defaults” and follow the onscreen
instructions.
5 When finished, click Continue.
6 Confirm the certificate creation by clicking Continue.
The Certificate Assistant generates a key pair and certificate. Certificate Manager
encrypts the files with a random passphrase, puts the passphrase in the System
keychain, and puts the resulting PEM files in /etc/certificates/.
Requesting a Certicate from a Certicate Authority
Certicate Manager helps you create a CSR to send to your designated CA.
You need a certicate for the CA to sign. You can use the one that was generated at
server setup, but more likely you will want to generate one that has all the details
the CA requires before signing. If you need to generate a certicate before getting it
signed, see Creating a Self-Signed Certicate on page 65.
To request a signed certicate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certicates.
3 Select the certicate you want signed.
4 Click the Action button below the certicates list and choose “Generate Certicate
Signing Request (CSR).”
Certicate manager creates the signing request and shows the ASCII text version in
the sheet.
5 Click Save to save the CSR to the disk.
Your CA will have instructions on how to transfer the CSR to the signer. Some CAs
require you to use a web interface; others require sending the CSR in the body of a
mail message. Follow the instructions given by the CA.
The CA will return a newly signed certicate, which replaces the one you generated.
For instructions on what to do now with your newly signed certicate, see Replacing
an Existing Certicate on page 71.
Creating a Certicate Authority
To sign another users certicate, you must create a CA. Sometimes a CA certicate
is referred to as a root or anchor certicate. By signing a certicate with the root
certicate, you become the trusted third party in that certicate’s transactions,
vouching for the identity of the certicate holder.
If you are a large organization, you might decide to issue or sign certicates for people
in your organization to use the security benets of certicates. However, external
organizations might not trust or recognize your signing authority.
To create a CA:
1 Start Keychain Access.
Keychain Access is found in the /Applications/Utilities/ directory.
2 In the Keychain Access menu, select Certicate Assistant > Create a Certicate
Authority.
The Certicate Assistant starts. It will guide you through the process of making the CA.
3 Choose to create a Self Signed Root CA.
4 Provide the Certicate Assistant with the requested information and click Continue.
You need the following information to create a CA:
An email address Â
The name of the issuing authority (you or your organization) Â
You also decide if you want to override the defaults and whether to make this CA the
organizations default CA. If you do not have a default CA for the organization, allow
the Certicate Assistant to make this CA the default.
In most circumstances, do not override the defaults. If you do not override the defaults,
skip to step 16.
5 If you override the defaults, provide the following information in the next few screens:
• A unique serial number for the root certificate
• The number of days the CA functions before expiring
• The type of user certificate this CA is signing
• Whether to create a CA website for users to access for CA certificate distribution
6 Click Continue.
7 Provide the Certificate Assistant with the requested information and click Continue.
You need the following information to create a CA:
• An email address of the responsible party for certificates
• The name of the issuing authority (you or your organization)
• The organization name
• The organization unit name
• The location of the issuing authority
8 Select a key size and an encryption algorithm for the CA certificate and then click
Continue.
A larger key size is more computationally intensive to use, but much more secure. The
algorithm you choose depends more on your organizational needs than a technical
consideration.
DSA and RSA are strong encryption algorithms. DSA is a United States Federal
Government standard for digital signatures.
9 Select a key size and an encryption algorithm for the certificates to be signed,
and then click Continue.
10 Select the Key Usage Extensions you need for the CA certificate and then click
Continue.
At a minimum, you must select Signature and Certificate Signing.
11 Select the Key Usage Extensions you need for the certificates to be signed and then
click Continue.
Default key use selections are based on the type of key selected earlier in the Assistant.
12 Specify other extensions to add to the CA certificate and click Continue.
13 Select the keychain “System” to store the CA certificate.
14 Choose to trust certificates on this computer signed by the created CA.
15 Click Continue and authenticate as an administrator to create the certificate and
key pair.
16 Read and follow the instructions on the last page of the Certificate Assistant.
You can now issue certificates to trusted parties.
Using a CA to Create a Certificate for Someone Else
You can use your CA certificate to issue a certificate to someone else. By doing so you
are stating you want to be a trusted party that can certify the identity of the certificate
holder.
Before you can create a certificate for someone, that person must generate a CSR. The
user can use the Certificate Assistant to generate the CSR and mail the request to you.
You then use the CSR’s text to make the certificate.
To create a certificate for someone else:
1 Start Keychain Access.
Keychain Access is found in the /Applications/Utilities/ directory.
2 In the Keychain Access menu, select Certificate Assistant > Create a Certificate for
Someone Else as a Certificate Signing Authority.
The Certificate Assistant starts, and guides you through the process of making the
certificate.
3 Drag the CSR and drop it on the target area.
4 Choose the CA that is the issuer and sign the request.
You can choose to override the request defaults.
5 Click Continue.
If you override the request defaults, provide the Certificate Assistant with the
requested information and click Continue.
The Certificate is now signed. The default mail application launches with the signed
certificate as an attachment.
Importing a Certificate Identity
You can import a previously generated OpenSSL certificate and private key into
Certificate Manager. The items are listed as available in the list of identities and are
available to SSL-enabled services.
The OpenSSL keys and certificates must be in PEM format.
To import an existing OpenSSL style certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Click the Add (+) button and choose Import a Certificate Identity.
4 Drag the PEM file containing the private key to the sheet.
5 Drag the PEM file containing the public certificate to the sheet.
6 If needed, drag associated nonidentity certificates to the sheet as well.
7 Click the Import button.
If prompted, enter the private key passphrase.
Managing Certicates
After you create and sign a certicate, you won’t do much more with it. Since
certicates cannot be edited, you can either delete, replace, or revoke certicates after
they are created. You cannot change certicates after a CA signs them.
If the information a certicate possesses (such as contact information) is no longer
accurate, or if you believe the private key is compromised, delete the certicate.
If you have previously generated certicates for SSL, you can import them for use by
services. The OpenSSL keys and certicates must be in PEM format.
If you chose custom locations for your SSL certicates with Leopard Server, you must
import them into Certicate Manager if you want them to be available for services.
Custom lesystem locations for certicates cannot be managed for services using
Server Admin for Mac OS X Server v10.6. To use custom le locations, you must edit the
conguration les directly.
When certicates and keys are imported via Certicate Manager, they are put in the
/etc/certicates/ directory. The directory contains four PEM formatted les for every
identity:
The certicate Â
The public key Â
The trust chain Â
The concatenated version of the certicate plus the trust chain (for use with some Â
services)
Each le has the following naming convention:
<common name>.<SHA1 hash of the certicate>.<cert | chain | concat | key>.pem
For example, the certicate for a web server at example.com might look like this:
www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem
After they are imported, Certicate Manager encrypts the les with a random
passphrase. It puts the passphrase in the System keychain, and puts the resulting PEM
les in /etc/certicates/.
Editing a Certicate
After you add a certicate signature, you can’t edit the certicate. You must replace it
with one generated from the same private key.
For instructions on how to do this, see Replacing an Existing Certicate on page 71.
Distributing a CA Public Certicate to Clients
If you’re using self-signed certicates, a warning appears in most user applications
saying that the CA is not recognized. Other software, such as the LDAP client, refuses
to use SSL if the servers CA is unknown.
Mac OS X Server ships only with certicates from well-known commercial CAs. To
prevent this warning, your CA certicate must be distributed to every client computer
that connects to the secure server.
To distribute your certicate to your clients:
1 Copy the self-signed CA certicate (the le named ca.crt) onto each client computer.
This is preferably distributed using nonrewritable media, such as a CD-R. Using
nonrewritable media prevents the certicate from being corrupted.
2 Open the Keychain Access tool by double-clicking the ca.crt icon where the certicate
was copied onto the client computer.
3 Drag the certicate to the System keychain using Keychain Access.
Authenticate as an administrator, if requested.
4 Double-click the certicate to get the certicate details.
5 In the details window, click the Trust disclosure triangle.
6 From the pop-up menu next to When using this certicate,” select Always Trust.”
You have now added trust to this certicate, regardless of who it is signed by.
From the command line
After copying the certicate to the target client computer, perform the following
where <certicate> is the le path to the certicate:
sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.
keychain <certificate>
You can use the security tool to save and restore trust settings as well. For more
information on using the security tool, see the security man page.
Deleting a Certicate
When a certicate has expired or been compromised, you must delete it.
To delete a certicate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certicates.
3 Select the Certicate Identity to delete.
4 Click the Remove (-) button and select Delete.
5 Click Save.
Renewing an Expiring Certificate
Certificates have an expiration date and must be renewed periodically. Renewing a
certificate is the same as replacing a certificate with a newly generated one with an
updated expiration date.
To renew an expiring certificate:
1 Request a new certificate from the CA.
If you are your own CA, create one using your own root certificate.
2 In Server Admin in the Server list, select the server that has the expiring certificate.
3 Click Certificates.
4 Select the Certificate Identity to renew.
5 Click the Action button and select “Replace Certificate with Signed or Renewed
Certificate.”
6 Drag the renewed certificate to the sheet.
7 Click Replace Certificate.
Replacing an Existing Certificate
If you change the DNS name of the server or any virtual hosts on the server, you must
replace an existing certificate with an updated one.
To replace an expiring certificate:
1 Request a certificate from the CA.
If you are your own CA, create one using your own root certificate.
2 In Server Admin in the Server list, select the server that has the expiring certificate.
3 Click Certificates.
4 Select the Certificate Identity to replace.
5 Click the Action button and select “Replace Certificate with Signed or Renewed
Certificate.”
6 Drag the replacement certificate to the sheet.
7 Click Replace Certificate.
Using Certificates
In Server Admin, services like Web, Mail, VPN, and so on display a pop-up list of
certificates that the administrator can choose from. The services vary in appearance
and therefore the pop-up list location varies. Consult the administration guide for the
service you’re trying to use with a certificate.
SSH and SSH Keys
SSH is a network protocol that establishes a secure channel between your computer
and a remote computer. It uses public-key cryptography to authenticate the remote
computer. It also provides traffic encryption and data integrity exchanged between
computers.
SSH is frequently used to log in to a remote machine to execute commands, but you
can also use it to create a secure data tunnel, forwarding through an arbitrary TCP port.
You can also use SSH to transfer files using SFTP and SCP. By default, an SSH server uses
the standard TCP port 22.
Mac OS X Server uses OpenSSH as the basis for its SSH tools. Notably, portable home
directory synchronization is provided via SSH.
Key-Based SSH Login
Key-based authentication is helpful for such tasks as automating file transfers and
backups and for creating failover scripts because it allows computers to communicate
without a user needing to enter a password.
Important: Key-based authentication has risks. If the private key you generate
becomes compromised, unauthorized users can access your computers. You must
determine whether the advantages of key-based authentication are worth the risks.
Generating a Key Pair for SSH
The following outlines the process of setting up key-based SSH login on Mac OS X
and Mac OS X Server. To set up key-based SSH, you must generate the keys the two
computers will use to establish and validate the identity of each other.
This doesn’t authorize all users of the computer to have SSH access. Keys must be
generated for each user account.
To do this, run the following commands in Terminal:
1 Verify that an .ssh folder exists in your home folder by entering the command:
ls -ld ~/.ssh
If .ssh is listed in the output, move to step 2. If .ssh is not listed in the output,
run mkdir ~/.ssh and continue to step 2.
2 Change directories in the shell to the hidden .ssh directory by entering the following
command:
cd ~/.ssh
3 Generate the public and private keys by entering the following command:
ssh-keygen -b 1024 -t rsa -f id_rsa -P ''
The -b ag sets the length of the keys to 1,024-bits, -t indicates to use the RSA hashing
algorithm, -f sets the le name as id_rsa, and -P followed by two single-quote marks
sets the private key password to be null. The null private key password allows for
automated SSH connections.
Keys are equivilant to passwords so you should keep them private and protected.
4 Copy the public key into the authorized key file by entering the following command:
cat id_rsa.pub >> authorized_keys2
5 Change the permissions of the private key by entering the following command:
chmod go-rwx ~/.ssh/id_rsa
Set the permissions on the private key so the file can only be changed by the owner.
6 Copy the public key and the authorized key lists to the specified user’s home folder on
the remote computer by entering the following command:
scp authorized_keys2 username@remotemachine:~/.ssh/
To establish two-way communication between servers, repeat this process on the
second computer.
The process must be repeated for each user that needs to open key-based SSH
sessions. The root user is not excluded from this requirement. The home folder for the
root user on Mac OS X Server is located at /var/root/.
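The following Python audit is an added example, not part of the Apple manual: it inspects a user’s .ssh folder for the exposures the procedure above can leave behind (a private key with no passphrase, key files accessible to group or other, and short RSA keys in the authorized key file). The function names, the 2,048-bit threshold, and the sample files it builds are assumptions made for the example; the sample key material is constructed and not usable.

```python
import base64
import os
import stat
import struct
import tempfile

MIN_RSA_BITS = 2048  # assumed policy threshold, not a value from the manual
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _field(blob, offset):
    """Read one length-prefixed field (uint32 length, then bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def rsa_bits(line):
    """Modulus size in bits of an ssh-rsa authorized_keys line, else None."""
    parts = line.split()
    try:
        blob = base64.b64decode(parts[parts.index("ssh-rsa") + 1])
        key_type, off = _field(blob, 0)
        _exponent, off = _field(blob, off)
        modulus, _ = _field(blob, off)
    except (IndexError, ValueError, struct.error):
        return None
    return int.from_bytes(modulus, "big").bit_length() if key_type == b"ssh-rsa" else None

def has_passphrase(text):
    """True or False for private key text; None if text is not a private key."""
    lines = text.splitlines()
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in lines:
        body = "".join(l for l in lines if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body)
            cipher, _ = _field(blob, len(OPENSSH_MAGIC))
        except (ValueError, struct.error):
            return None
        return cipher != b"none" if blob.startswith(OPENSSH_MAGIC) else None
    if any(l.startswith("-----BEGIN") and l.endswith("PRIVATE KEY-----") for l in lines):
        # Legacy PEM: "Proc-Type: 4,ENCRYPTED"; PKCS#8: "BEGIN ENCRYPTED PRIVATE KEY".
        return any("ENCRYPTED" in l for l in lines[:2])
    return None

def audit_ssh_dir(ssh_dir):
    """Return {file name: [findings]} for key material in ssh_dir."""
    report = {}
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
        findings = []
        if name.startswith("authorized_keys"):
            for lineno, line in enumerate(text.splitlines(), 1):
                bits = rsa_bits(line)
                if bits is not None and bits < MIN_RSA_BITS:
                    findings.append("line %d: %d-bit RSA key" % (lineno, bits))
        elif has_passphrase(text) is not None:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("private key accessible to group/other (mode %04o)" % mode)
            if not has_passphrase(text):
                findings.append("private key has no passphrase")
        if findings:
            report[name] = findings
    return report

def constructed_rsa_line(bits):
    """authorized_keys line around a made-up modulus (sample data, not a usable key)."""
    def pack(data):
        return struct.pack(">I", len(data)) + data
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # mpint leading 0x00
    blob = pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed@example\n"

def build_demo_dir():
    """Temporary .ssh-like folder with constructed files that mirror steps 3 to 5."""
    demo = tempfile.mkdtemp()
    pem = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
    samples = {"id_rsa": pem, "id_rsa.pub": constructed_rsa_line(1024),
               "authorized_keys2": constructed_rsa_line(1024)}
    for name, text in samples.items():
        path = os.path.join(demo, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o644)
    return demo

if __name__ == "__main__":
    print(audit_ssh_dir(build_demo_dir()))
```

To audit a real account, call audit_ssh_dir with the path to that user’s .ssh folder; an empty result means none of the three conditions was found.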
Key-Based SSH with Scripting Sample
A cluster of servers is an ideal environment for using key-based SSH.
The following Perl script is a trivial scripting example that should not be implemented,
but it demonstrates connecting over an SSH tunnel to all servers defined in the
variable serverList, running softwareupdate, installing available updates, and restarting
the computer if necessary.
The script assumes that key-based SSH was set up for the root user on all servers to be
updated.
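#!/usr/bin/perl
use strict;
use warnings;
# Single-quoted strings do not interpolate, so "@" needs no escape here.
my @serverList = ('root@exampleserver1.example.com',
                  'root@exampleserver2.example.com');
foreach my $server (@serverList) {
    # Set when softwareupdate reports that this server needs a restart.
    my $flag = 0;
    # List-form open runs ssh directly, without passing through a local shell.
    my $sbuff;
    unless (open($sbuff, '-|', 'ssh', '-x', '-o', 'batchmode=yes', $server,
                 'softwareupdate -i -a')) {
        warn "Could not run ssh for $server: $!\n";
        next;
    }
    while (my $line = <$sbuff>) {
        chomp($line);
        # Check for restart text in the output line.
        $flag = 1 if $line =~ /Please restart immediately/;
    }
    close($sbuff);
    if ($flag == 1) {
        # Run the restart command; the original string was never executed.
        system('ssh', '-x', '-o', 'batchmode=yes', $server, 'shutdown -r now');
    }
}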
Administration Level Security
Mac OS X Server can use another level of access control for added security.
Administrators can be assigned to services they can configure. These limitations are
enacted on a server-by-server basis. This method can be used by an administrator with
no restrictions to assign administrative duties to other admin group users.
This results in a tiered administration model, where some administrators have more
privileges than others for assigned services. This results in a method of access control
for individual server features and services.
For example, Alice (the lead administrator) has control over all services on a given
server and can limit the ability of other admin group users (like Bob and Cathy) to
change settings on the server. She can assign DNS and Firewall service administration
to Bob, while leaving Mail service administration to Cathy.
In this scenario, Cathy can’t change the firewall or any service other than mail. Likewise,
Bob can’t change any services outside of his assigned services.
Tiered administration controls are effective in Server Admin and the serveradmin
command-line tool. They are not effective against modifying UNIX configuration files
throughout the system. Protect UNIX configuration files with POSIX-type permissions
or ACLs.
Setting Administration Level Privileges
Mac OS X Server can use another level of access control for added security.
Administrators can be limited to specific services they can configure. These limitations
are enacted on a server-by-server basis. This method can be used by an administrator
with no restrictions to assign administrative duties to other admin group users.
This results in a tiered administration model, where some administrators have more
privileges than others for their assigned services. This results in a kind of access control
for individual server features and services.
You can determine which services other admin group users can modify. To do this,
the administrator making the determination must have full, unmodified access.
The process for setting administration level privileges is found in “Tiered
Administration Permissions” on page 149.
Service Level Security
You use a Service Access Control List (SACL) to enforce who can use a service. It is not
a means of authentication. It is a list of those who have access rights to use a service.
SACLs allow you to add a layer of access control on top of standard and ACL
permissions.
Only users and groups in an SACL can access its corresponding service. For example,
to prevent users from accessing AFP share points on a server, including home folders,
remove the users from the AFP services SACL.
Server Admin in Mac OS X Server allows you to configure SACLs. Open Directory
authenticates user accounts and SACLs authorize use of services. If Open Directory
authenticates you, the SACL for login window determines whether you can log in,
the SACL for AFP service determines whether you can connect for Apple file service,
and so on.
Setting SACL Permissions
SACLs allow you to specify which users and groups have access to Mac OS X Server
services, including AFP, FTP, and Windows file services.
To set SACL permissions for a service:
1 Open Server Admin.
2 Select the server from the Servers list.
3 Click Settings.
4 Click Access.
5 To restrict access to all services, select “For all services.” To set access permissions per
service, deselect this option.
6 If you deselected “For all services,” select a service from the Service list.
7 To provide unrestricted access to services, click “Allow all users and groups.”
If you want to restrict access to certain users and groups:
• Select “Allow only users and groups below.”
• Click the Add (+) button to open the Users & Groups window.
• Drag users and groups from the Users & Groups window to the list.
8 Click Save.
Security Best Practices
Server administrators must make sure that adequate security measures are
implemented to protect a server from attacks. A compromised server risks the
resources and data on the server and risks the resources and data on other connected
systems. The compromised system can then be used as a base to launch attacks on
other systems within or outside your network.
Securing servers requires an assessment of the cost of implementing security with
the likelihood of a successful attack and the impact of that attack. It is not possible
to eliminate all security risks but it is possible to minimize risks to efficiently deal
with them.
Best practices for server system administration include the following:
• Update your systems with critical security patches and updates.
• Check for updates regularly.
• Install antivirus tools, use them regularly, and update virus definition files and
  software regularly.
  Although viruses are less prevalent on the Mac platform than on Windows, viruses
  still pose a risk.
• Restrict physical access to the server.
  Because local access generally allows an intruder to bypass most system security,
  secure the server room, server racks, and network junctures. Use security locks.
  Locking your systems is a prudent thing to do.
• Make sure there is adequate protection against physical damage to servers and
  ensure that the climate control functions in the server room.
• Take additional precautions to secure servers.
  For example, enable firmware passwords, encrypt passwords where possible,
  and secure backup media.
• Secure logical access to the server.
  For example, remove or disable unnecessary accounts. Accounts for outside parties
  should be disabled when not in use.
• Configure SACLs as needed.
  Use SACLs to specify who can access services.
• Configure ACLs as needed.
  Use ACLs to control who can access share points and their contents.
• Protect any account with root or system administrator privileges by following
  recommended password practices using strong passwords.
  For more information about passwords, see “Password Guidelines” on page 77.
• Do not use administrator (UNIX “admin” group) accounts for daily use.
  Restrict the use of administration privileges by keeping the admin login and
  password separate from daily use.
• Back up critical data on the system regularly, with a copy stored at a secure off-site
  location.
  Backup media is of little use in recovery if it is destroyed with the computer during
  a fire. Test your backup and recovery contingency plans to ensure that recovery
  actually works.
• Review system audit logs regularly and investigate unusual traffic.
• Disable services that are not required on your system.
  A vulnerability that occurs in any service on your system can compromise the entire
  system. In some cases, the default configuration (out of the box) of a system leads to
  exploitable vulnerabilities in services that were enabled implicitly.
  Turning on a service opens up a port that users can access your system from.
  Although enabling Firewall service helps avoid unauthorized access, an inactive
  service port remains a vulnerability that an attacker might exploit.
• Enable Firewall service on servers, especially at the network frontier and DMZ.
  Your server’s firewall is the first line of defense against unauthorized access. For
  more information, see the onscreen help or Mac OS X Server Resources website at
  www.apple.com/server/macosx/resources/. Consider also a third-party hardware
  firewall as an additional line of defense if your server is highly prone to attack.
• If needed, install a local firewall on critical or sensitive servers.
  Implementing a local firewall protects the system from an attack that might
  originate within the organization’s network or from the Internet.
• For additional protection, implement a local Virtual Private Network (VPN) that
  provides a secure encrypted tunnel for communication between a client computer
  and your server application. Some network devices provide a combination of
  functions: firewall, intrusion detection, and VPN.
• Administer servers remotely.
  Manage your servers remotely using applications like Server Admin, Server Monitor,
  RAID Admin, and Apple Remote Desktop. Minimizing physical access to the systems
  reduces the possibility of mischief.
Password Guidelines
Many applications and services require that you create passwords to authenticate.
Mac OS X includes applications that help create complex passwords (using Password
Assistant), and securely store your passwords (using Keychain Access).
Creating Complex Passwords
Use the following tips to create complex passwords:
• Use a mix of alphabetic (upper and lower case), numeric, and special characters
  (such as ! and @).
• Don’t use words or combinations of words found in a dictionary of any language.
• Don’t append a number to an alphabetic word (for example, “wacky2”) to fulfill the
  constraint of having a number.
• Don’t substitute “look alike” numbers or symbols for letters (for example, “GR33N”
  instead of “GREEN”).
• Don’t use proper names.
• Don’t use dates.
• Create a password of at least 12 characters. Longer passwords are generally more
  secure than shorter passwords.
• Use passwords that can’t be guessed even by someone who knows you and your
  interests well.
• Create as random a password as possible.
You can use Password Assistant (located in /System/Library/CoreServices) to verify the
complexity of your password.
5 Installation and Deployment
Whether you install Mac OS X Server on a single server or a
cluster of servers, there are tools and processes to help the
installation and deployment succeed.
Some computers come with Mac OS X Server software already installed.
Other computers need the server software installed. For example, installing
Mac OS X Server v10.6 on a computer with Mac OS X makes the computer a server
with Mac OS X Server.
Installing Mac OS X Server v10.6 on Mac OS X Server v10.2–v10.5 upgrades the server
software to v10.6.
This chapter includes instructions for a fresh installation of Mac OS X Server v10.6
using a variety of methods.
Installation Overview
You’ve already planned and decided how many and what kind of servers you are
going to install.
Step 1: Confirm you meet the requirements
Make sure your target server meets the minimum system requirements. For more
information see:
• “System Requirements for Installing Mac OS X Server” on page 81
• “Hardware-Specific Instructions for Installing Mac OS X Server” on page 81
Step 2: Gather your information
Gather all the information you need before you begin. This helps to make sure the
installation goes smoothly, and helps you make planning decisions.
For planning your installation, see:
• Chapter 2, “Planning Server Usage,” on page 24
Step 3: Set up the environment
If you are not in complete control of the network environment (DNS servers, DHCP
server, rewall, and so forth) coordinate with your network administrator before
installing. A functioning DNS system with full reverse lookups and a rewall to allow
conguration constitute a minimum for the setup environment.
If you plan on connecting the server to an existing directory system, you must also
coordinate eorts with the directory administrator. See the following:
ÂSetting Up Network Services” on page 82
ÂConnecting to the Directory During Installation” on page 82
ÂSSH During Installation on page 82
ÂPreparing an Administrator Computer” on page 83
If you are administering the server from another computer, you must create an
administration computer.
Step 4: Start up the computer from an installation disk
You can’t install onto the disk the computer is started from, but you can upgrade. For
clean installations and upgrades, you must start up the server from an installation disk,
not from the target disk. See the following:
• “About Starting Up for Installation” on page 84
• “Remotely Accessing the Install DVD” on page 88
• “Starting Up from the Install DVD” on page 85
• “Starting Up from an Alternate Partition” on page 85
• “Starting Up from a NetBoot Environment” on page 91
Step 5: Prepare the target disk
If you are doing a clean installation, you must prepare the target disk by making sure it
has the right format and partition scheme. See the following:
• “Preparing Disks for Installing Mac OS X Server” on page 92
• “Choosing a File System” on page 93
• “About Hard Disk Partitioning” on page 94
• “About Creating a RAID Set” on page 96
• “Erasing a Disk or Partition” on page 99
Step 6: Start the installer
The installer application takes software from the startup disk and server software
packages and installs them on the target disk. See the following:
• “Identifying Remote Servers When Installing Mac OS X Server” on page 90
• “Installing Server Software Interactively” on page 99
• “Installing Locally from the Installation Disc” on page 100
• “Installing Remotely with Server Assistant” on page 101
• “Installing Remotely with Screen Sharing and VNC” on page 102
• “Using the installer Command-Line Tool to Install Server Software” on page 104
Step 7: Set Up Services
Restart from the target disk to proceed to setup. For more information about server
setup, see Chapter 6, “Initial Server Setup.”
System Requirements for Installing Mac OS X Server
The Mac desktop computer or server where you install Mac OS X Server v10.6 must
have the following:
• An Intel processor
• At least 2 gigabytes (GB) of random access memory (RAM)
• At least 10 gigabytes (GB) of available disk space
• A new serial number for Mac OS X Server 10.6
  The serial number used with any previous version of Mac OS X Server will not allow
  registration in v10.6.
A built-in DVD drive is convenient but not required.
A display and keyboard are optional. You can install server software on a computer
that has no display and keyboard by using an administrator computer. For more
information, see “Setting Up an Administrator Computer” on page 124.
If you’re using an installation disc for Mac OS X Server v10.6, you can control
installation from another computer using VNC viewer software. Open-source VNC
viewer software is available. Apple Remote Desktop, described in “Apple Remote
Desktop” (page 50), includes VNC viewer capability.
Hardware-Specic Instructions for Installing Mac OS X Server
When you install server software on Xserve systems, the procedure you use when
starting the computer for installation is specic to the kind of Xserve hardware you
have. You may need to refer to the documents that came with your Xserve, where
these procedures are documented.
Gathering the Information You Need
Use the Installation & Setup Worksheet to record information for each server you want
to install. The information below provides supplemental explanations for items on the
worksheet.
Setting Up Network Services
Before you can install, you must set up the following for your network service:
• DNS: You must have a fully qualified domain name for each server’s IP address in the
  DNS system. The DNS zone must have the reverse-lookup record for the name and
  address pair. Not having a stable, functioning DNS system with reverse lookup leads
  to service failures and unexpected behaviors.
• Static IP Address: Make sure you have a static IP address already planned and
  assigned to the server.
• DHCP: Do not assign dynamic IP addresses to servers. If your server gets its IP
  address through DHCP, set up a static mapping in the DHCP server, so your server
  gets (via its Ethernet address) the same IP address every time.
• Firewall or routing: In addition to any firewall running on your server, the subnet
  router might have specific network traffic restrictions in place. Make sure the server’s
  IP address is available for the traffic it will handle and the services you will run.
Connecting to the Directory During Installation
To use a server as an Open Directory master, make sure it has an active Ethernet
connection to a secure network before installation and initial setup. If the server
doesn’t have an active directory connection during setup, you can create an Open
Directory master later using Server Admin or Server Preferences.
To use a server bound to another directory server (Open Directory, Active Directory,
or other OpenLDAP), make sure you have the DNS name and IP address of the master
directory server before installation.
SSH During Installation
When you start up a computer from a server installation disc, SSH starts so that remote
installations can be performed.
Important: Before you install or reinstall Mac OS X Server, make sure the network
is secure because SSH gives others access to the computer over the network. For
example, design the network topology so you can make the server computer’s subnet
accessible only to trusted users.
About the Server Install Disc
You can install server software using the Mac OS X Server Install Disc. This installation
disc contains everything to install Mac OS X Server.
Mac OS X Server Install Disc
The Install Disc has a Documentation folder with Getting Started, Installation & Setup
Worksheet, and a Read Me file. It also contains an Other Installs folder, which has the
following installer packages:
• ServerAdministrationSoftware.mpkg
  Use this package to install the administration tools on a computer running
  Mac OS X v10.6 to make it an administrator computer.
• iPhoneConfigurationUtility.pkg
  Use this package to install software that makes and distributes iPhone configuration
  files.
• X11User.pkg
  Use this package to install software to allow the server to function as an X
  Windowing System display server.
• Xcode.mpkg
  Use this package to install the free development tools for Mac OS X. This includes
  system administration utilities like PackageMaker and Property List Editor.
Administration Tools CD
In addition to the installation disc, Mac OS X Server includes the Administration
Tools CD. You use this disc to set up an administrator computer. This disc has a
Documentation folder with Getting Started, Installation & Setup Worksheet, and an
acknowledgments page. It also contains:
• ServerAdministrationSoftware.mpkg
  Use this package to install the administration tools on a computer running
  Mac OS X Snow Leopard to make it an administrator computer.
• iPhoneConfigurationUtility.pkg
  Use this package to install software that makes and distributes iPhone configuration
  files.
• Two developer tools: PackageMaker and Property List Editor
Preparing an Administrator Computer
You can use an administrator computer to install, set up, and administer
Mac OS X Server on another computer. An administrator computer is a computer with
Mac OS X Server v10.6 or Mac OS X v10.6 that you use to manage remote servers.
You cannot run the server administration tools from a Leopard or Leopard Server
computer.
When you install and set up Mac OS X Server on a computer that has a display and
keyboard, it’s already an administrator computer. To make a computer with Mac OS X
into an administrator computer, you must install additional software.
Important: If you have administrative applications and tools from Mac OS X Server
v10.4 or earlier, do not use them on a computer with Mac OS X v10.6 or
Mac OS X Server v10.6.
To install Mac OS X Server v10.6 administration tools:
1 Make sure the Mac OS X computer has Mac OS X Server v10.6 installed.
2 Insert the Administration Tools CD.
3 Open the Installers folder.
4 Open ServerAdministrationSoftware.mpkg to start the Installer, and then follow the
onscreen instructions.
About Starting Up for Installation
The computer can’t install to its own startup volume, so you must start up in some
other way, such as:
• DVDs
• Alternate volumes (second partitions on the hard disk, or external FireWire disks)
• NetBoot
The computer must install from the same disk or image that started up the computer.
Mounting another share point with an installer won’t work. The installer uses some of
the files currently active in the booted system partition for the new installation.
Before Starting Up
If you’re performing a clean installation rather than upgrading an existing server, back
up any user data that’s on the disk or partition where you’ll install the server software.
If you’re upgrading an existing server, make sure that saved setup data won’t be
detected and used to set up the server. Server Assistant looks for saved setup data on
all mounted disks and in all directories the server is congured to access. The saved
setup data will overwrite the server’s existing settings.
For more information about automatic server setup, see “Using Automatic Server
Setup” on page 115.
Starting Up from the Install DVD
This is the simplest method of starting the computer, if you have physical access to the
server and it has a DVD drive.
[Figure labels: Installer application or installer tool in Terminal application]
If the target server is an Xserve with a built-in DVD drive, start the server using the
Install DVD by following the instructions in Xserve User’s Guide for starting from a
system disc.
If the target server has no built-in DVD drive, you can use an external FireWire DVD
drive. You can also install server software on an Xserve system that lacks a DVD drive
by moving its drive module to another Xserve system that has a DVD drive.
To start up the computer with the installation disc:
1 Turn on the computer and insert the Mac OS X Server Install Disc into the DVD drive.
If you’re using a built-in DVD drive, you can restart the computer directly to the DVD
by holding down the C key. You can release the C key when you see the Apple logo.
Alternatively, you can restart the computer by holding down the Option key, selecting
the icon representing the installation disc, and then clicking the right arrow. You must
use this method if you are starting up from an external DVD drive.
If you’re installing on an Xserve, the procedure for starting up from a DVD may be
dierent.
For more information, see Xserve Users Guide or the Quick Start guide that came with
your Xserve.
2 Open the Install Mac OS X Server application and click the Restart button.
The application is in the Mac OS X Server Install Disc window.
3 If you see an Install button instead of a Restart button in the lower-right corner of the
application window, click Install and proceed through the Installer panes by following
the onscreen instructions.
Starting Up from an Alternate Partition
For a single server installation, preparing to start up from an alternate partition can be
more time-consuming than using the Install DVD. The time required to image, scan,
and restore the image to a startup partition might exceed the time taken to install
once from the DVD.
However, if you are reinstalling regularly, or if you are creating an external FireWire
drive-based installation to take to various computers, or if you need some other kind
of mass distribution (such as clustered Xserves without DVD drives installed), this method
can be very efficient.
This method is suited to installing on computers that you do not have easy physical
access to. With sufficient preparation, this method can be modified for easy mass
deployment of licensed copies of Mac OS X Server.
To use this method, you must have an existing installation of some kind on the
computer. It is intended for environments where a level of existing infrastructure of
Mac OS X Server is present, and might be unsuitable for a first server installation.
To start from an alternate partition, there are four basic steps.
Step 1: Prepare the disks and partitions on the target computer.
Before you proceed, you must have at least two partitions on the target computer.
The rst is the initial and nal startup partition; the second is the temporary installer
partition. You can use a single disk with multiple partitions or you can use multiple
disks. You use Disk Utility to prepare the disks.
For more information about preparing and partitioning a hard disk, see the Disk Utility
help.
Step 2: Create a restorable image of the Install DVD.
This step doesn’t need to be done on the target computer. It can be done on an
administrator computer, but there must be enough free space to image the entire
Install DVD. See “To create an image of the Install DVD” on page 86.
Step 3: Restore the image to the alternate partition.
You can restore the disk image to a partition within the computer or to an external
hard disk. When complete, the restored partition functions like the Install DVD. Make
sure the alternate partition is at least the size of the disk image. See “To restore the
image to a free volume” on page 87.
Step 4: Select the alternate partition as the startup disk.
After the partition is restored, it’s a startup and installer disk for your server. Now
start up the computer from that partition. After the computer is running, it is a
Mac OS X Server installer, exactly as if you had started the computer from the DVD.
To create an image of the Install DVD
1 Insert the Install DVD.
2 Launch Disk Utility.
3 Select the rst session icon under the optical drive icon.
This is in the list of devices on the left side of the window.
4 Select File > New > Disk Image from <device>.
5 Give the image a name; select Read-only, Read/Write, or Compressed as the image
type; and then click Save.
6 After the image is complete, select the image from the list on the left.
7 In the menu, select Images > Scan Images for Restore.
8 Provide an administrator login and password as needed.
The installer disk image can now be restored to your extra partition.
From the command line
If you prefer to use the command line, you can use hdiutil to create the disk image,
and asr to scan the image for restore. All commands must be done with superuser or
root privileges.
For example, the rst command creates the disk image Installer.dmg from the device
at disk1s1. The second command scans the image Installer.dmg and readies it for
restore.
hdiutil create -srcdevice disk1s1 Installer.dmg
asr imagescan --source Installer.dmg
To restore the image to a free volume
1 Start up the target computer.
2 Make sure the image does not reside on the partition that is to be erased.
3 Launch Disk Utility.
4 In the list of devices on the left side of the window, select the installer DVD image.
5 Click the Restore tab.
6 Drag the installer image from the left side of the window to the Source field.
7 Drag the alternate partition from the list of devices on the left side of the window to
the Destination field.
8 Select Erase Destination.
9 Click Restore.
From the command line
To use the command line, use the asr tool to restore the image to the partition.
Restoring the disk image to the partition will erase all existing data on the partition.
The basic syntax is:
sudo asr restore -s <compressedimage> -t <targetvol> --erase
The asr tool can also fetch the target image from an HTTP server using http or https
URLs as its source, so the image doesn’t need to reside on the target computer. For
more information about asr and its capabilities, see the asr man page.
Tip: You can use asr to restore a disk over a network, multicasting the blocks to client
computers. Using the multicast server feature of asr, you could put a copy of the
installer image on a partition of all computers that can receive the multicast packets.
For example, restoring an image called Installer.dmg to the partition ExtraHD would
be:
sudo asr restore -s Installer.dmg -t ExtraHD --erase
Remotely Accessing the Install DVD
When used as the startup disc, the Install DVD provides some services for remote
access. After you start up from the DVD, access through Server Assistant, SSH, and VNC is
available.
Server Assistant allows you to view and configure the server installation with the same
user interface you would see if you were installing locally. Server Assistant runs on
Mac OS X v10.6 and Mac OS X Server v10.6.
VNC enables you to use a VNC viewer (like Screen Sharing or Apple Remote Desktop)
to view the user interface as if you were using the remote computer’s keyboard,
mouse, and monitor. All the things you could do at the computer using the keyboard
and mouse are available remotely, as well as locally. This excludes hardware restarts
(using the power button to shut down and restart the computer), other hardware
manipulation, or holding down keys during startup. VNC viewers are available for all
popular computing platforms.
SSH enables you to have command-line access to the computer with administrator
privileges.
To access the computer with Server Assistant:
1 Start the target computer from the Install DVD for Mac OS X Server v10.6 or later.
The procedure you use depends on the target server hardware.
To learn more about startup disk options, see “About Starting Up for Installation” on
page 84.
2 On an administrator computer, open Server Admin.
3 In the Server menu, select “Install Remote Server.”
The Server Assistant launches.
4 Enter the IP address or DNS name of the target server.
If you do not know the IP address or DNS name of the target server, you must identify
it first. For more information about this process, see “Identifying Remote Servers When
Installing Mac OS X Server” on page 90.
5 For the password, enter the default password for installation.
This is usually the first eight characters of the server’s built-in hardware serial number.
For more information about this password, see “About Server Serial Numbers for
Default Installation Passwords” on page 90.
To access the computer with VNC:
1 Start the target computer from the Install DVD for Mac OS X Server v10.6 or later.
The procedure you use depends on the target server hardware.
To learn more about startup disk options, see “About Starting Up for Installation” on
page 84.
2 Use your VNC viewer software to open a connection to the target server.
If you do not know the IP address or DNS name of the target server, you must identify
it first. For more information about this process, see “Identifying Remote Servers When
Installing Mac OS X Server” on page 90.
3 For the password, enter the default password for installation.
This is usually the first eight characters of the server’s built-in hardware serial number.
For more information about this password, see “About Server Serial Numbers for
Default Installation Passwords” on page 90.
If you’re using Apple Remote Desktop as a VNC viewer, enter the password but don’t
specify a user name.
To access the computer using Screen Sharing:
1 Locate and select the server in the Shared section of a Finder window sidebar.
If the remote server isn’t listed in the Shared section of a Finder window
sidebar, you can connect by choosing Go > Connect to Server and then entering
vnc://serveraddress, where serveraddress is the DNS name or IP address of the server
whose screen you want to share.
2 Select the remote server and click Share Screen in the Finder window.
3 For the password, enter the default password for installation.
This is usually the rst eight characters of the servers built-in hardware serial number.
For more information about this password, see About Server Serial Numbers for
Default Installation Passwords on page 90.
Don’t specify a user name.
To access the computer with SSH:
1 Start the target computer from the Install DVD for Mac OS X Server v10.6 or later.
The procedure you use depends on the target server hardware.
To learn more about startup disk options, see “About Starting Up for Installation” on
page 84.
2 Identify the target server.
If you don’t know the IP address and the remote server is on the local subnet, you
can find servers using the command line. For more information about this process,
see “Identifying Remote Servers When Installing Mac OS X Server” on page 90.
3 Use the Terminal to open a secure shell connection to the target server.
The user name is root.
4 For the password, enter the default password for installation.
This is usually the first eight characters of the server’s built-in hardware serial number.
For more information about this password, see “About Server Serial Numbers for
Default Installation Passwords” on page 90.
About Server Serial Numbers for Default Installation Passwords
Server serial numbers are used for more than inventory tracking. The server’s built-in
hardware serial number is used as the default password for remote installation.
The password is case-sensitive.
To nd a server’s serial number, look for a label on the server. If you’re installing on
an older computer that has no built-in hardware serial number, use 12345678 for the
password.
If you replace a main logic board on an Intel Xserve, the built-in hardware password is
“System S (no quotes).
Identifying Remote Servers When Installing Mac OS X Server
When using Server Assistant, you must be able to recognize the target server in a list
of servers on your local subnet or you must enter the IP address of the server (in IPv4
format: 000.000.000.000) if it resides on a different subnet. Information provided for
servers in the list includes IP address, DNS name, and Media Access Control (MAC)
address (also called hardware or Ethernet address).
If you use VNC viewer software to remotely control installation of
Mac OS X Server v10.6 or later, it might let you select the target server from a
list of available VNC servers. If not, you must enter the IP address of the server
(in IPv4 format: 000.000.000.000).
The target server’s IP address is assigned by a DHCP server on the network. If no DHCP
server exists, the target server uses a 169.xxx.xxx.xxx address unique among servers on
the local subnet. Later, when you set up the server, you can change the IP address.
If you don’t know the IP address and the remote server is on the local subnet, you
can find servers that are awaiting installation by finding the Bonjour service name
“_sa-rspndr._tcp.”
You can use the dns-sd tool to identify computers on the local subnet where you can
install server software. Enter the following from a computer on the same local network
as the server:
dns-sd -B _sa-rspndr._tcp.
This command returns the IP address and the EthernetID (in addition to other
information) of servers on the local subnet that have started up from the installation
disk.
Similarly, servers awaiting setup use the service name “_svr-unconfig._tcp.” and can be
found by entering:
dns-sd -B _svr-unconfig._tcp.
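The browse commands above run until interrupted and print one line per service event. As an added example (not part of the Apple manual), the following shell function reduces saved dns-sd -B output to the servers still waiting for installation or setup. The sample output, its host names, and the function names are constructed, and the column layout is assumed to match the dns-sd browse format.

```shell
#!/bin/sh
# Added example, not from the Apple manual. Reduces saved `dns-sd -B` output
# to the servers that are still advertised as waiting for installation or setup.

# Constructed sample: two browse sessions saved to one stream.
# Host names and timestamps are invented for illustration.
sample_browse() {
cat <<'EOF'
Browsing for _sa-rspndr._tcp.
DATE: ---Thu 27 Aug 2009---
10:15:01.100  ...STARTING...
Timestamp     A/R    Flags  if Domain               Service Type         Instance Name
10:15:01.201  Add        3   4 local.               _sa-rspndr._tcp.     xserve-rack1
10:15:01.202  Add        2   4 local.               _sa-rspndr._tcp.     Mac mini lab 2
10:15:40.010  Rmv        0   4 local.               _sa-rspndr._tcp.     xserve-rack1
Browsing for _svr-unconfig._tcp.
DATE: ---Thu 27 Aug 2009---
10:16:02.000  ...STARTING...
Timestamp     A/R    Flags  if Domain               Service Type         Instance Name
10:16:02.300  Add        2   4 local.               _svr-unconfig._tcp.  xserve-rack1
EOF
}

# pending_servers: read browse output on stdin and print "state<TAB>instance"
# for every instance whose most recent event is Add (still advertised).
pending_servers() {
  awk '
    $2 == "Add" || $2 == "Rmv" {
      type = $6
      if (type == "_sa-rspndr._tcp.") state = "awaiting-install"
      else if (type == "_svr-unconfig._tcp.") state = "awaiting-setup"
      else next

      # The instance name is everything after the sixth column and may
      # contain spaces, so strip six fields instead of reading $7.
      name = $0
      for (i = 1; i <= 6; i++) sub(/^[ \t]*[^ \t]+/, "", name)
      sub(/^[ \t]+/, "", name)
      sub(/[ \t\r]+$/, "", name)

      key = state "\t" name
      if ($2 == "Add") {
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        live[key] = 1
      } else {
        live[key] = 0          # Rmv: the server left this state
      }
    }
    END {
      for (i = 1; i <= n; i++) if (live[order[i]]) print order[i]
    }
  '
}

# Stand-alone run on the constructed sample.
sample_browse | pending_servers
```

On a real network, save the output of each browse command to a file and pipe the files through pending_servers.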
Starting Up from a NetBoot Environment
If you have an existing NetBoot infrastructure, this is the easiest way to perform mass
installation and deployment. You can use this method for clusters that have no optical
drive or existing system software.
[Figure labels: Target servers, NetBoot target servers, Mac OS X Server, Initiate server installation, Administrator computer, Destination]
This method can also be used in environments where large numbers of servers must
be installed in an efficient manner.
This section won’t tell you how to create the necessary NetBoot infrastructure. If you
want to set up NetBoot and NetInstall options for your network, servers, and client
computers, see the manuals at www.apple.com/server/resources/.
This section has instructions to create a NetInstall image from the Mac OS X Server
Install Disk and start a server from it. There is no need to make preparations to the
hard disk.
Step 1: Create a NetInstall image from the Install DVD
This step doesn’t need to be done on the target computer. It can be done on an
administrator computer that has enough free space to image the entire Install DVD.
Step 2: Start up the computer from the NetBoot server
There are four ways of doing this, depending on your environment.
To create a NetInstall image from the Install DVD:
1 Launch System Image Utility from /Applications/Server/.
2 Select the Install DVD on the left, and choose NetInstall image on the right.
3 Click Continue.
4 Enter a name for the image and a description.
This information is seen by clients selecting it as a startup disk.
5 Click Create and then choose a save location for the disk image.
Upon completion, you can use this image with an existing NetBoot server to start up a
server for installation.
For more information about NetInstall images and System Image Utility, including
customization options, see the documentation at www.apple.com/server/resources/.
To start up the computer from the NetBoot server:
• In the target computer GUI, select the NetInstall disk from the Startup Disk pane of
System Preferences.
• Restart the computer, holding down the “n” key.
The first NetBoot server to respond to the computer will start up the computer with its
default image.
• Restart the computer, holding down the Option key.
The computer will show you the available startup disks, locally on the computer and
remotely from NetBoot and NetInstall servers. Select a disk and continue the startup.
• Use the command line locally or remotely to specify the NetBoot server that the
computer will start up from:
sudo bless --netboot --server bsdp://<netboot server host name, server.example.com>
Preparing Disks for Installing Mac OS X Server
Before performing a clean installation of Mac OS X Server, you can partition the server
computer’s hard disk into multiple volumes, create a RAID set, or erase the target disk
or partition.
If you’re using an installation disc for Mac OS X Server v10.6, you can perform these
tasks from another networked computer using VNC viewer software, such as Apple
Remote Desktop, before beginning a clean installation.
WARNING: Before partitioning a disk, creating a RAID set, or erasing a disk or
partition on a server, preserve user data you want to save by copying it to another
disk or partition.
Choosing a File System
A le system is a method for storing and organizing computer les and the data they
contain on a storage device such as a hard disk. Mac OS X Server supports several
types of le systems. Each le system has its own strengths. You must decide which
system ts your organization’s needs.
For more information, see developer.apple.com/technotes/tn/tn1150.html.
The following systems are available for use:
Mac OS Extended (Journaled) aka HFS+J Â
Mac OS Extended (Journaled, Case-Sensitive) aka HFSX Â
About Mac OS Extended (Journaled) aka HFS+J
An HFS+J volume is the default file system for Mac OS X Server.
An HFS+J volume has an optional journal to speed recovery when mounting a volume
that was not unmounted safely (for example, as the result of a power outage or
crash). The journal makes it easy to restore the volume structures to a consistent state,
without scanning all structures.
The journal is used only for volume structures and metadata. It does not protect the
contents of a fork. In other words, this journal protects the integrity of the underlying
disk structures, but not data that is corrupted due to a write failure or catastrophic
power loss.
More information about HFS+J can be found in Apple’s Developer Documentation at:
developer.apple.com/documentation/MacOSX/Conceptual/BPFileSystem/Articles/Comparisons.html
About Mac OS Extended (Journaled, Case-Sensitive) aka HFSX
HFSX is an extension to HFS Plus and allows volumes to have case-sensitive file and
directory names. Case-sensitive names means that you can have two objects whose
names differ only by the case of the letters in the same directory at the same time.
For example, you could have Bob, BOB, and bob in the same directory as uniquely
named files.
A case-sensitive volume is supported as a start volume format. An HFSX file system for
Mac OS X Server must be specifically selected when erasing a volume and preparing a
disk before initial installation.
If you are planning to use NFS, you should use case-sensitive HFSX.
An HFSX volume can be case sensitive or case insensitive. Case sensitivity (or lack
thereof) is global to the volume. The setting applies to all file and directory names on
the volume. To determine whether an HFSX volume is case-sensitive, use Disk Utility to
examine the format of the disk.
Note: Do not assume that an HFSX volume is case sensitive. Always use Disk Utility to
determine case sensitivity or case insensitivity. Additionally, don’t assume your third-
party software solutions work correctly with case sensitivity.
Important: Case-sensitive names do not ignore Unicode ignorable characters. This
means that a single directory can have several names that are considered equivalent
using Unicode comparison rules, but they are considered distinct on a case-sensitive
HFSX volume.
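An added example, not part of the Apple manual: before copying data from a case-sensitive HFSX volume to a case-insensitive one, this shell function reports path names that differ only by letter case and would therefore collide. The function names and sample paths are constructed; folding is ASCII-only through awk tolower, so it does not model Unicode case folding or Unicode ignorable characters.

```shell
#!/bin/sh
# Added example, not from the Apple manual. Finds path names on a
# case-sensitive volume that would collide on a case-insensitive one.

# Constructed sample: relative paths as a recursive listing would print them.
sample_paths() {
cat <<'EOF'
Sites/Bob
Sites/BOB
Sites/bob
Sites/bob/index.html
Shared/Readme.txt
shared/notes.txt
Shared/readme.txt
EOF
}

# case_collisions: read one path per line on stdin. For every path, walk its
# components from the top; at the first component whose spelling differs from
# an earlier path with the same case-folded prefix, print
# "first spelling<TAB>conflicting spelling" once and stop descending, so
# children of a colliding directory are not reported again.
case_collisions() {
  awk '
    {
      n = split($0, part, "/")
      prefix = ""
      for (i = 1; i <= n; i++) {
        prefix = (i == 1) ? part[i] : (prefix "/" part[i])
        k = tolower(prefix)                 # ASCII case folding only
        if (!(k in first)) { first[k] = prefix; continue }
        if (first[k] != prefix) {
          pair = first[k] "\t" prefix
          if (!(pair in reported)) { reported[pair] = 1; print pair }
          break
        }
      }
    }
  '
}

# Stand-alone run on the constructed sample.
sample_paths | case_collisions
```

To check a real volume, feed the function a recursive listing of relative paths taken from the volume root.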
About Hard Disk Partitioning
The minimum recommended size for an installation partition is 10 GB. A much larger
volume is recommended for a configuration that keeps shared folders and group
websites on the startup volume together with the server software.
Partitioning the hard disk creates a volume for server system software and additional
volumes for data and other software. Partitioning erases previous contents of the disk.
Erasing a disk is another way of saying that you have given a disk a single volume
partition and erased that volume.
Consider dedicating a hard disk or a volume of a partitioned hard disk to server
software. Put additional software, share points, websites, and so forth on other disks or
volumes. With this approach, you can upgrade or reinstall the server software without
aecting your other software or user data. If you must store additional software or data
on the system volume, consider mirroring it to another drive.
Tip: Having an extra, empty partition or two on the target installation disk can give
you additional exibility in installation and deployment. For example, additional space
can give you a place to temporarily mirror your current installation before performing
an in-place update, or it can give you a fast installer disk.
94 Chapter 5 Installation and Deployment
Chapter 5 Installation and Deployment 95
Partitioning a Disk
You can use the Installer to open Disk Utility and then use Disk Utility to partition the
installation target disk into desired volumes. You can erase the target volume using
the Mac OS Extended format, Mac OS Extended (Journaled) format, Mac OS Extended
(Case-Sensitive) format, and Mac OS Extended (Journaled, Case-Sensitive)
format. You cannot partition the active startup disk or erase the active startup volume.
You can select an existing partition and choose resize, Add (+), or Delete (–). However,
you can’t delete or resize the startup partition. You also can’t select the startup volume
and then choose an entirely new partition scheme from the pop-up menu.
To partition a disk using Disk Utility:
1 Launch Disk Utility.
If you are in the Installer, Disk Utility is available from the Utilities menu.
Otherwise, launch the application from /Applications/Utilities/Disk Utility.
2 Select the disk to be partitioned.
Selecting a volume on the disk allows you to erase the volume but does not create a
different partition scheme.
3 Click Partition.
4 Choose your partition scheme and follow the instructions in the window to set all
necessary parameters.
5 Click Apply.
You can find instructions for partitioning the hard disk into multiple volumes, creating
a RAID set, and erasing the target disk or partition by viewing Disk Utility Help. To view
Disk Utility Help, open Disk Utility on another Mac computer with Mac OS X v10.6 and
choose Help > Disk Utility Help.
From the command line
You can use the diskutil command-line tool to partition and erase a hard disk.
Normally, you would use a remote shell (SSH) to log in to the newly started computer
to use this method. The tool to partition disks is diskutil.
Just like using Disk Utility, you can erase the target volume using the Mac OS Extended
format, Mac OS Extended (Journaled) format, Mac OS Extended (Case-Sensitive)
format, and Mac OS Extended (Journaled, Case-Sensitive) format.
You cannot delete or resize the active startup disk or erase the active startup volume.
All potentially destructive diskutil operations must be performed with superuser or
root privileges.
Additional information about diskutil and other uses can be found in Introduction to
Command-Line Administration. For complete command syntax for diskutil, consult
the tool’s man page.
The specic command issued depends on your disk format needs and the hardware in
use. Take care to use command-line arguments that apply to your specic needs.
The following command is a sample, which partitions a computer’s only 120 GB hard
disk into two equal 60 GB journaled HFS+ volumes (“BootDisk” and “DataStore”), which
can start up an Intel-based Mac computer.
The basic syntax is:
diskutil partitionDisk device numberOfPartitions GPTFormat <part1Format
part1Name part1Size> <part2Format part2Name part2Size>
So the command is:
diskutil partitionDisk disk0 2 GPTFormat JournaledHFS+ BootDisk 50%
JournaledHFS+ DataStore 50%
About Creating a RAID Set
If you’re installing Mac OS X Server on a computer with multiple internal hard disks,
you can create a RAID set to optimize storage capacity, improve performance, and
increase reliability in case of a disk failure.
For example, a mirrored RAID set increases reliability by writing your data to two or
more disks at once. If one disk fails, your server uses another disk in the RAID set.
You can use Disk Utility to set up a RAID set. There are two types of RAID sets and one
additional disk option available in Disk Utility:
• A striped RAID set (RAID 0) splits files across the disks in the set. A striped RAID
set improves the performance of your software because it can read and write on
all disks in the set at the same time. You might use a striped RAID set if you are
working with large files, such as digital video.
• A mirrored RAID set (RAID 1) duplicates files across the disks in the set. Because
this scheme maintains copies of the files, it provides a continuous backup of them.
In addition, it can help keep data available if a disk in the set fails. Mirroring is
recommended if shared files or applications must be accessed frequently.
You can set up RAID mirroring after installing Mac OS X Server if you install on a disk
that isn’t partitioned. To prevent data loss, set up RAID mirroring as soon as possible.
• A concatenated disk set lets you use several disks as a single volume. This is not a
true RAID set and offers no redundancy or performance increase.
You can combine RAID sets to combine their benefits. For example, you can create
a RAID set that combines the fast disk access of a striped RAID set and the data
protection of a mirrored RAID set. To do this, create two RAID sets of one type and
then create a RAID set of another type, using the first two RAID sets as the disks.
The RAID sets you combine must be created with Disk Utility or diskutil in Mac OS X
v10.4 or later.
You cannot mix the method of partitioning used on the disks in a RAID set. (The PPC
platform is APMFormat and the Intel platform is GPTFormat.)
Mac Pro desktop computers and Intel-based Xserves can start from a software RAID
volume. Some Intel-based Macs do not support starting up from software RAID
volumes. If you start Intel-based Macs from a software RAID volume, the computer
might start up with a flashing question mark.
The following computers do not support starting up from software RAID volumes:
• iMac (Early 2006)
• Mac mini (Early 2006)
If you need more sophisticated RAID support, consider a hardware RAID.
Creating a RAID Set Using Disk Utility
You can use the Installer to open Disk Utility and then use Disk Utility to create the
RAID set from available disks. Creating a RAID set erases the contents of the disks
involved, so it isn’t necessary to erase the disks before creating the RAID set.
RAID set volumes can be Mac OS Extended format, Mac OS Extended (Journaled)
format, Mac OS Extended (Case-Sensitive) format, Mac OS Extended (Journaled,
Case-Sensitive) format, and MS-DOS FAT format. For more information about volume
formats, see “Preparing Disks for Installing Mac OS X Server” on page 92.
You cannot create a RAID set from the startup disk.
To create a RAID set using Disk Utility:
1 Launch Disk Utility.
If you are in the Installer, Disk Utility is available from the Utilities menu; otherwise,
launch the application from /Applications/Utilities/Disk Utility.
2 Select the disk to be part of the RAID set.
You can’t select your startup disk.
When creating RAID sets or adding disks, specify the disk instead of a partition.
3 Click RAID.
4 Choose your RAID set type.
5 Drag the disks to the window.
6 Follow the instructions in the window to set parameters.
7 Click Create.
You can nd instructions for partitioning the hard disk into multiple volumes, creating
a RAID set, and erasing the target disk or partition by viewing Disk Utility Help. To view
Disk Utility Help, open Disk Utility on another Mac computer with Mac OS X v10.6 and
choose Help > Disk Utility Help.
From the command line
You can use the diskutil command-line tool to create a RAID set. Normally, you would
use a remote shell (SSH) to log in to the newly started computer to use this method.
You can use diskutil to create a RAID volume that is Mac OS Extended format,
Mac OS Extended (Journaled) format, Mac OS Extended (Case-Sensitive) format,
Mac OS Extended (Journaled, Case-Sensitive) format, or MS-DOS FAT format. However,
keep in mind the following:
• You cannot create a RAID from the startup disk.
• When creating RAID sets or adding disks, specify the entire disk instead of a
partition on that disk.
• All potentially destructive diskutil operations must be done with superuser or root
privileges.
For complete command syntax for diskutil, consult the tool’s man page.
Use command-line arguments that apply to your specific needs. The following
command is a sample, which creates a single mirrored RAID set (RAID 1) from the first
two disks installed in the computer (disk0 and disk1), with the resulting RAID volume
called MirrorData.
The basic syntax is:
diskutil createRAID mirror setName format device device ...
So the command is:
diskutil createRAID mirror MirrorData JournaledHFS+ disk0 disk1
Erasing a Disk or Partition
You have several options for erasing a disk, depending on your preferred tools and
your computing environment:
• Erasing a disk using Disk Utility: You can use the Installer to open Disk Utility and
then use it to erase the target volume or another volume. You can erase the target
and all other volumes using the Mac OS Extended format or Mac OS Extended
(Journaled) format. You can erase other volumes using those formats, as well as
Mac OS Extended (Case-Sensitive) format, or Mac OS Extended (Journaled,
Case-Sensitive) format.
You can find instructions for partitioning the hard disk into multiple volumes,
creating a RAID set, and erasing the target disk or partition by viewing Disk Utility
Help. To view Disk Utility Help, open Disk Utility on another Mac computer with
Mac OS X v10.6 and choose Help > Disk Utility Help.
• Erasing a disk using the command line: You can use the command line to
erase disks using the tool diskutil. Erasing a disk using diskutil deletes all volume
partitions. The command to erase a complete disk is:
diskutil eraseDisk format name [OS9Drivers | APMFormat | MBRFormat | GPTFormat] device
For example:
diskutil eraseDisk JournaledHFS+ MacProHD GPTFormat disk0
There is also an option to securely delete data by overwriting the disk with random
data multiple times. For more details, see diskutil’s man page.
To erase a single volume on a disk, a slightly different command is used:
diskutil eraseVolume format name device
For example:
diskutil eraseVolume JournaledHFS+ UntitledPartition /Volumes/OriginalPartition
For complete command syntax for diskutil, consult the tool’s man page.
Installing Server Software Interactively
You can use the installation disc to install server software interactively on a local server,
on a remote server, or on a computer with Mac OS X installed.
Installing Locally from the Installation Disc
You can install Mac OS X Server directly onto a computer with a display, a keyboard,
and a DVD drive attached, as shown in the following illustration:
[Figure labels: Installer application or installer tool in Terminal application]
If you have an Install DVD, the optical drive must be able to read DVD discs.
You can also install directly onto a computer that lacks a display, keyboard, and
optical drive capable of reading your installation disc. In this case, you start the target
computer in target disk mode and connect it to an Intel-based administrator computer
using a FireWire cable.
You use the administrator computer to install the server software on the target
computer’s disk or partition, which appears as a disk icon on the administrator
computer.
To install server software locally:
1 Start up the target computer using the Install DVD, installer partition, or NetInstall disk.
For startup options, see “About Starting Up for Installation” on page 84.
2 When the Installer opens, if you want to perform a clean installation, use the Utilities
menu to open Disk Utility to prepare the target disk or partition before proceeding.
If you have not prepared your disk for installation, do so now with Disk Utility. For
more instructions on preparing your disk for installation, see “Preparing Disks for
Installing Mac OS X Server” on page 92.
3 Proceed through the Installer panes by following the onscreen instructions.
4 When the Install Mac OS X Server pane appears, select a target disk or volume
(partition) and make sure it’s in the expected state.
If you want to customize what software is included in the installation, click Options in
the Select a Destination pane.
5 Proceed through the Installer panes by following the onscreen instructions.
If you’re using an administrator computer to install onto a server in target disk mode
and connected using a FireWire cable, complete the following:
a Quit Server Assistant when it starts on the administrator computer.
b Shut down the administrator computer and the server.
c Start up the administrator computer and the server normally (not in target disk
mode).
After installation is complete, the target server restarts and you can perform initial
server setup. Chapter 6, “Initial Server Setup,” on page 108 describes how.
Installing Remotely with Server Assistant
To install Mac OS X Server on a remote server from the server Install DVD, installation
partition, or NetInstall disk, you need an administrator computer from which to use
Server Assistant to manage the installation:
[Figure labels: Administrator computer, Subnet 1, Subnet 2, Welcome, >installer]
After the computer starts up from the Install Disk, you can control and manage the
server from an administration computer.
Important: If you have administrative applications and tools from Mac OS X Server
v10.5 or earlier, do not use them with Mac OS X Server v10.6.
To use the Installer user interface, use VNC to view and interact with the remote
installer. For more information, see “Installing Remotely with Screen Sharing and
VNC” on page 102.
You don’t need to be an administrator on the local computer to use Server Assistant.
To install on a remote server by using Server Assistant:
1 Start up the target computer using the Install DVD, installer partition, or NetInstall disk.
If you need more information on your startup options, see “About Starting Up for
Installation” on page 84.
2 After the target computer starts, launch Server Admin in the /Applications/Server/
folder on the administrator computer.
3 Select the target server from the list of servers waiting for installation.
If neither the target server nor the list appear, make sure the target server is on the
same local subnet as the administrator computer.
4 If the target computer is not on the same local subnet as the administrator computer,
add the server manually.
a Choose Install Remote Server from the Server menu of Server Admin.
b Enter the IP address or DNS name of the target server.
If you do not know the IP address or DNS name of the target server, you must
identify it first. For more information about this process, see “Identifying Remote
Servers When Installing Mac OS X Server” on page 90.
5 For the password, enter the default password for installation.
This is usually the first eight characters of the server’s built-in hardware serial number.
For more information about this password, see “About Server Serial Numbers for
Default Installation Passwords” on page 90.
6 Proceed by following the onscreen instructions.
7 When the Volumes pane appears, select a target disk or volume (partition), make sure
it’s in the expected state and click Continue.
8 Proceed by following the onscreen instructions.
While installation proceeds, you can open another Server Assistant window to install
server software on other computers. Choose Server > Install Remote Server to do so.
After installation is complete, the target server restarts and you can perform initial
server setup. Chapter 6, “Initial Server Setup,” describes how.
Installing Remotely with Screen Sharing and VNC
If you’re using an installation disc for Mac OS X Server v10.6 or later, you can control
installation from another computer using a VNC viewer, like Mac OS X’s built-in Screen
Sharing, open source VNC viewer software, or Apple Remote Desktop. This allows
you to remotely control preparation of the target disk or partition before beginning
installation.
You can partition the hard disk into multiple volumes, create a RAID set, or erase the
target disk or partition.
The process for remotely installing with VNC is the same as installing locally at the
keyboard and monitor, except that you must first connect to the VNC server on the
target computer with a VNC client, like Apple Remote Desktop.
For detailed instructions for connecting to a computer running from an Install DVD,
see “Remotely Accessing the Install DVD” on page 88.
Important: If you perform an upgrade, make sure that saved setup data won’t be
detected and used by the server. If saved setup data is used, the server settings are
not compatible with the saved settings and can cause unintended consequences. For
more information, see “How a Server Searches for Saved Setup Data Files” on page 118.
To install on a remote server by using Screen Sharing and VNC:
1 After the target computer has started from the server Install DVD, installation partition,
or NetInstall disk, access the server using Screen Sharing or VNC client software on the
administrator computer.
2 After the connection begins, proceed as though you were using a keyboard and
mouse at the server.
3 Choose the language you want the server to use and click Continue.
4 When the Installer opens, if you want to perform a clean installation, use the Utilities
menu to open Disk Utility to prepare the target disk or partition before proceeding.
If you have not prepared your disk for installation, do so now with Disk Utility. For
more instructions on preparing your disk for installation, see “Preparing Disks for
Installing Mac OS X Server” on page 92.
5 Proceed through the Installer panes by following the onscreen instructions.
6 When the Install Mac OS X Server pane appears, select a target disk or volume
(partition) and make sure it’s in the expected state.
To customize what software is included in the installation, click Options in the Select a
Destination pane.
7 Proceed through the Installer panes by following the onscreen instructions.
After installation is complete, the target server restarts and you can perform initial
server setup. Chapter 6, “Initial Server Setup,” on page 108 describes how.
Changing a Remote Computer’s Startup Disk
Sometimes you may need to explicitly set a remote computer’s startup disk. You can
do this via the command line using the bless command.
The tool Apple Remote Desktop can change a computer’s startup disk. Apple Remote
Desktop is not included with Mac OS X Server, and is available separately for purchase.
To change a remote computer’s startup disk:
# Method 1
sudo bless --folder "/Volumes/<disk>/System/Library/CoreServices" --setBoot
sudo shutdown -r now
# Method 2
sudo systemsetup -liststartupdisks
sudo systemsetup -setstartupdisk <path to disk root>
Using the installer Command-Line Tool to Install Server Software
You use the installer tool to install server software on a local or remote computer
from the command line. For information about installer, see the installer man
page.
These instructions assume you started up the computer using the Install DVD, installer
partition, or NetInstall disk. If not, see “About Starting Up for Installation” on page 84.
To use installer to install server software:
1 Start a command-line session with the target server by choosing from the following:
• Installing a local server: When the Installer opens, choose Utilities > Open Terminal
to open the Terminal application. Use su root.
• Installing a remote server: Follow the instructions on “Remotely Accessing the
Install DVD” on page 88 for SSH connections. Use ssh root@<ip address>.
If you don’t know the IP address or DNS name of the server, see “Identifying Remote
Servers When Installing Mac OS X Server” on page 90.
2 For the password, enter the default password for installation.
This is usually the first eight characters of the server’s built-in hardware serial number.
For more information about this password, see “About Server Serial Numbers for
Default Installation Passwords” on page 90.
3 Identify the target server volume where you want to install the server software.
To list the volumes available for server software installation from the installation disc,
type:
/usr/sbin/installer -volinfo -pkg /System/Installation/Packages/OSInstall.mpkg
You can also identify a NetInstall image you’ve created and mounted:
/usr/sbin/installer -volinfo -pkg /Volumes/<name_of_install_image>/System/Installation/Packages/OSInstall.mpkg
The list displayed reflects your particular environment, but here’s an example showing
three available volumes:
/Volumes/Mount 01
/Volumes/Mount1
/Volumes/Mount02
104 Chapter 5 Installation and Deployment
4 If you haven’t already done so, prepare the disks for installation.
For more information about preparing the disks for installation, see “Preparing Disks for
Installing Mac OS X Server” on page 92.
If the target volume has the latest Mac OS X Server v10.5 or 10.4.11 installed, when you
run installer it upgrades the server to v10.6 and preserves user files.
If you’re not upgrading but performing a clean installation, back up the user and
settings files you want to preserve, then use diskutil to erase the volume and format
it to enable journaling:
/usr/sbin/diskutil eraseVolume HFS+ "Mount 01" "/Volumes/Mount 01"
/usr/sbin/diskutil enableJournal "/Volumes/Mount 01"
You can also use diskutil to partition the volume and to set up mirroring. For more
information about the command, see the diskutil man page.
Important: Don’t store data on the hard disk or hard disk partition where the
operating system is installed. With this approach, you won’t risk losing data if you need
to reinstall or upgrade system software. If you must store additional software or data
on the system partition, consider mirroring the drive.
5 Install the operating system on the target volume.
For example, to use Mount 01 in the example in step 4 to install from a server
installation disc, enter:
/usr/sbin/installer -verboseR -lang en -pkg /System/Installation/Packages/OSInstall.mpkg -target "/Volumes/Mount 01"
If you’re using a NetInstall image, identify its package in the command as step 3 shows.
When you enter the -lang parameter, use one of the following values: en (for English),
de (for German), fr (for French), or ja (for Japanese).
During installation, progress information appears. While installation proceeds, you can
open another Terminal window to install server software on another computer.
6 When installation from the disc is complete, restart the server by entering:
/sbin/reboot
or
/sbin/shutdown -r now
Server Assistant opens on the target computer when installation is complete. You can
now set up the server. For more information, see Chapter 6, “Initial Server Setup.”
Installing Multiple Servers
Most Efficient Methods of Installation
The most efficient method of installation would be completely automated. Opening
the Terminal application and using the installer tool to initiate each server software
installation doesn’t accomplish this efficiently.
However, scripting the command-line tool (using known values for server IP addresses,
for example) to automate multiple simultaneous installations can be very efficient.
To completely automate server installation, you must script the installer tool and
have a high measure of control over the network infrastructure.
For example, to have known IP addresses and the appropriate hardware serial
numbers included in your script, you cannot rely on the randomly assigned IP
addresses. You can use DHCP assigned static addresses to remove that uncertainty and
ease your scripting considerations.
Additionally, you can create a NetInstall server on the target servers’ local network
that can install an operating system. If you combine this with saved auto setup files,
you can easily automate installation of multiple computers without much human
interaction.
The methods, scripting languages, and possibilities are too many to list in this guide.
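One way to script the installer tool for several servers with known addresses, as an added example that is not part of the Apple manual. The inventory format (address|target volume|language) and the function names are assumptions; the installer path, options and language values are those shown in step 5 above. It prints each ssh invocation for review rather than running it, and quotes the target volume so a name containing a space, such as "Mount 01", reaches the remote shell as one argument.

```shell
#!/bin/sh
# Added example (not Apple's code). Inventory format and function names are
# hypothetical; installer options and language codes are from the manual.
PKG=/System/Installation/Packages/OSInstall.mpkg

# Wrap a string in single quotes so a shell reads it back as one word.
quote_sh() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Accept only dotted-quad addresses, so an inventory value can never be
# read by ssh as an option or as anything other than a host.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# $1 = target volume path, $2 = language (en, de, fr or ja).
build_install_cmd() {
  case "$2" in en|de|fr|ja) ;; *) return 1 ;; esac
  case "$1" in /Volumes/?*) ;; *) return 1 ;; esac
  printf '/usr/sbin/installer -verboseR -lang %s -pkg %s -target %s' \
    "$2" "$PKG" "$(quote_sh "$1")"
}

# Read "address|volume|language" lines on stdin and print one ssh command
# per valid line. Returns non-zero if any line was rejected.
plan_installs() {
  bad=0
  while IFS='|' read -r ip vol lang; do
    case "$ip" in ''|'#'*) continue ;; esac
    if valid_ipv4 "$ip" && cmd=$(build_install_cmd "$vol" "$lang"); then
      printf 'ssh root@%s %s\n' "$ip" "$(quote_sh "$cmd")"
    else
      printf 'skipped invalid entry: %s\n' "$ip|$vol|$lang" >&2
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Constructed inventory (documentation addresses, volume names from step 3).
plan_installs <<'EOF'
# address|target volume|language
192.0.2.11|/Volumes/Mount 01|en
192.0.2.12|/Volumes/Mount02|de
EOF
```

Each printed command still prompts for that server's installation password when it is run.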
More Interactive Methods of Installation
When running Server Assistant from an administration computer to install on multiple
machines, you still have to open a connection to each server one at a time.
You can use VNC viewer software or the installer tool to initiate multiple server
software installations.
After using a VNC viewer to control installation of Mac OS X Server v10.6 on one
remote computer, you can use the VNC viewer to open a connection to another
remote computer and control installation on it. Because this involves interacting with
each server individually, it is a less efficient method of installing on multiple servers.
Upgrading a Computer from Mac OS X to Mac OS X Server
This is not supported in Mac OS X Server v10.6. Perform a clean installation instead.
How to Keep Current
After you’ve set up your server, you’ll want to update it when Apple releases server
software updates.
There are several ways to access update releases of Mac OS X Server:
• In Server Admin, select a server in the Servers list, then click the Server Updates
button.
Note: The Server Updates button refers only to updates for the server’s operating
system software from Apple. Third-party software is not updated when used.
Additionally, it does not control software updates hosted in the Software Update
service.
• Use the Software Update pane of System Preferences, if you are logged in locally to
the server.
• Use the softwareupdate command-line tool.
• Download a disk image of the software update from:
www.apple.com/support/downloads
Chapter 6: Initial Server Setup
Basic characteristics of your Mac OS X Server are established
during server setup. The server can operate in three different
configurations: advanced, standard, and workgroup.
After installing server software, the next task is to set up the server. There are several
ways to set up a server:
• Set up servers interactively.
• Automate the setup by using setup data you’ve saved in a file or on a server
available to the newly installed server.
Information You Need
To understand and record information for each server you want to set up, see the
Installation & Setup Worksheet on the Install DVD or the Administration Tools CD.
The following chapter provides supplemental explanations for some items on the
worksheet.
When you upgrade from the latest Mac OS X Server v10.5 or v10.4.11, Server Assistant
displays existing server settings, but you can change them. Use the Installation & Setup
Worksheet to record settings you want the v10.6 server to use.
Postponing Server Setup Following Installation
Server Assistant opens on a server that hasn’t been set up and waits for you to begin
the setup process. To set up the server later, you can postpone the setup process by
using the server’s keyboard, mouse, and display.
To postpone setting up Mac OS X Server:
• In Server Assistant, press Command-Q on the server’s keyboard and then click
Shut Down.
When you restart the server, Server Assistant opens again.
If you’re setting up a server without a keyboard or display, you can enter the following
in the Terminal application to shut down the server remotely:
sudo shutdown now
Connecting to the Network During Initial Server Setup
Before setting it up for the first time, try to place a server in its final network location
(subnet). If you’re concerned about preventing unauthorized or premature access
during setup, you can set up a firewall to protect the server while you’re finalizing its
configuration.
If you can’t avoid moving a server after initial setup, you must change settings that are
sensitive to network location before it can be used. For example, the server’s IP address
and DNS name, stored in directories and configuration files on the server, must be
updated. For more information, see “Changing the Server’s DNS Name After Setup” on
page 144.
Configuring Servers with Multiple Ethernet Ports
Your server has a built-in Ethernet port and might have additional Ethernet ports built
in or added on.
When you’re using Server Assistant to interactively set up servers, all of a server’s
available Ethernet ports are listed and you select them to activate and configure. When
you work in Server Assistant’s offline mode, you click an Add button to create a list of
ports to configure.
If you enable more than one port, you specify the order for the ports to be used by the
server when routing traffic to the network. Although the server receives network traffic
on any active port, network traffic initiated by the server is routed through the first
active port.
For a description of port configuration attributes, see the Installation & Setup Worksheet
from the Install DVD or the Administration Tools CD.
About Settings Established During Initial Server Setup
During server setup, the following basic server settings are established:
• The language to use for server administration and the computer keyboard layout is
defined.
• The server software serial number is set.
• A time zone is specified, and network time service is set up.
• A server administrator user is defined and the administrator’s home folder is created.
• Default SSH and Apple Remote Desktop state is enabled.
• Network interfaces (ports) are configured.
TCP/IP and Ethernet settings are defined for each port you want to activate.
• Network names are defined.
The primary DNS name and computer name are defined by the administrator, and the
local hostname is derived from the computer name.
For more information about names of Mac OS X Server, see “Understanding
Mac OS X Server Names.”
• Basic Directory information is set up. (Optional)
The server is set up as an Open Directory Master, or it is set to obtain directory
information from another directory service, or the directory setup can be deferred
until first login.
For more information, see “Specifying Initial Open Directory Usage.”
• Some services are chosen and configured.
For a list of which services are enabled at startup, see “Understanding Server
Configuration Methods.”
If you’re upgrading, the current settings are maintained through the setup
process. Other settings, such as share points you’ve defined and services you’ve
configured, are also preserved. For a complete description of what’s upgraded
and actions, see the online help and Mac OS X Server Resources website at
www.apple.com/server/macosx/resources/.
You can perform initial server setup only once without reinstalling a server. To change
settings established during setup, you use Server Admin, Workgroup Manager, or
Directory Utility (in /System/Library/CoreServices/) to manage directory settings.
Specifying Initial Open Directory Usage
During setup of Mac OS X Server v10.6, you specify how the server stores and accesses
user accounts and other directory information. You choose whether the server
connects to a directory system or works as a standalone server.
If you’re setting up multiple servers and one or more will host a shared directory,
set up those servers before setting up servers that will use those shared directories.
When you set up a server initially, you specify its directory services configuration.
Choices are:
• Create Users and Groups
This setting makes the server an Open Directory Master or uses the server’s local
users and groups for authentication.
• Import Users and Groups
This setting connects the server to an existing Open Directory or Active Directory
system, importing the users and groups from an existing directory system.
You can import Open Directory users or Active Directory users. You must provide a
directory administrator name and password.
• Configure Manually
This setting is used to set up the server to obtain directory information from a shared
directory domain that’s been set up on another server. You can connect to Open
Directory servers or Active Directory servers.
You can also defer directory configuration during setup by declining to specify a
connection in the assistant.
After setup, use Server Admin or the Login Options section of Accounts preferences
of System Preferences to refine the server’s directory configuration, if necessary. You
can create or change a connection to a directory system by using Login Options. You
can use Accounts preferences to set up connections to multiple directory servers,
including Open Directory and Active Directory. You can make the server an Open
Directory master or replica by using Server Admin to change the server’s Open
Directory service settings.
From Accounts preferences, you can open Directory Utility if you need to set up
connections to other kinds of directory servers or specify the search policy. Directory
Utility lets you set up connections to other non-Apple directory systems and specify a
search policy (the order in which the server should search through the domains).
For information about changing directory services, see the online help and
Mac OS X Server Resources website at www.apple.com/server/macosx/resources/.
Note: If you connect Mac OS X Server v10.6 to a directory domain of Mac OS X Server
v10.2 or earlier, users defined in the older directory domain cannot be authenticated
with the MS-CHAPv2 method. This method may be required to securely
authenticate users for the VPN service of Mac OS X Server v10.6. Open Directory in
Mac OS X Server v10.6 supports MS-CHAPv2 authentication, but Password Server in
Mac OS X Server v10.2 doesn’t support MS-CHAPv2.
Not Changing Directory Usage When Upgrading
When you are setting up a server that you’re upgrading to v10.6 from the latest v10.5
or 10.4.11 and you want the server to use the same directory setup it’s been using,
choose “Configure Manually” (but decline to provide directory service settings) in
Server Assistant.
Even if you want to change the server’s directory setup, selecting “Configure Manually”
is the safest option, especially if you’re considering changing a server’s shared
directory configuration.
Changing from hosting a directory to using another server’s shared directory or
vice versa, or migrating a shared NetInfo domain to LDAP are examples of directory
usage changes you should make after server setup to preserve access to directory
information about your network.
For information about directory usage options available to you and how to use
Directory Utility (in /System/Library/CoreServices/) and Server Admin to make
directory changes, see the online help and Mac OS X Server Resources website at
www.apple.com/server/macosx/resources/.
Setting Up a Server as a Standalone Server
A standalone server stores and accesses account information in its local directory
domain. The standalone server uses its local users and groups to authenticate clients
for its file, mail, and other services. Other servers and client computers can’t access the
standalone server’s local directory domain or authenticate their own users with it.
Users and groups are managed in the Accounts pane of System Preferences.
When a user attempts to log in to the server or use a service that requires
authentication, the server authenticates the user by consulting the local database.
If the user has an account on the system and supplies the relevant password,
authentication succeeds.
To get this configuration, you choose “Create Users and Groups” from the assistant,
but decline to create an Open Directory Master.
Binding a Server to Multiple Directory Servers
Automatic server setup allows you to bind to multiple servers. You need to save setup
data, then you have to modify the plist file by hand. In the saved setup data, you will
find the “directoryServers” key in the plist file, and it’s an array. You add items (or in
this case directory servers) to the array. The server binds to all of the servers listed in
the array.
For more information on making saved server setup data, see “Using Automatic Server
Setup” on page 115 and “Creating and Saving Setup Data” on page 116.
You can also bind to multiple directories interactively after initial server setup by using
the Login Options section of Accounts Preferences.
For instructions, see p. 72 of Getting Started; repeat steps 3 and 4 to connect to
additional directory servers. To set up advanced directory server connections,
you would click Open Directory Utility in step 2.
To interactively connect to an additional directory server:
1 Open the Accounts pane of System Preferences on your server.
2 Click Login Options and then click Open Directory Utility.
3 Click the Add (+) button, and then choose the directory server from the pop-up menu
or enter the directory server’s DNS name or IP address.
4 If the dialog expands to show Client Computer ID, User Name, and Password fields,
enter the name and password of a user account on the directory server.
For an Open Directory server, you can enter the name and password of a standard
user account; you don’t need to use a directory administrator account. If the dialog
says you can leave the name and password fields blank, you can connect without
authentication, although this is less secure.
For an Active Directory server, you can enter the name and password of an Active
Directory administrator account or a standard user account that has the Add
workstations to domain privilege.
Setting up Servers Interactively
The simplest way to set up a few servers is to use Server Admin’s guided interview
process after establishing a connection with each server in turn. If you have only a
few servers to set up, the interactive approach is useful. You can use the interactive
approach to set up a local server, a remote server, or several remote servers.
Server Assistant will display the Network pane separately for each server you’re setting
up remotely, even if you’re setting up a list of servers. You then enter all network
settings manually, if necessary. You provide server setup data interactively, then initiate
setup immediately.
Set up DNS and DHCP (if used for static IP address allocation) for your servers before
setup. While not strictly mandatory, doing so will simplify the setup and post-setup
processes. For example, if the server’s DNS name is already associated to an IP address
(with reverse lookup), and the IP address will be allocated to the server’s MAC address
by a DHCP server on the network, you will already have needed information for setup
without doing the additional manual configuration work during and after setup.
The following illustration shows target servers on the same subnet as the
administrator computer in one scenario and target servers on a different subnet in the
other scenario. Both setup scenarios can be used to set up servers on the same and
different subnets.
[Illustration labels: Subnet 1, Subnet 2, Welcome]
If a target server is on a different subnet, you must supply its IP address or DNS name.
Servers on the same subnet are listed by Server Assistant, so you select servers from
the list.
After server software is installed on a server, you can use the interactive approach
to set it up remotely from an administrator computer that can connect to the target
server.
To set up servers interactively:
1 Make sure the DHCP or DNS servers you specify for the server you’re setting up to use
are running.
2 Make sure the target servers have been newly installed and are waiting for setup.
3 Fill out the Installation & Setup Worksheet from the Install DVD or Administration
Tools CD.
After installation, Server Assistant opens.
4 If you are installing on a remote server, open Server Admin, select “Ready for Setup” in
the list on the left, and then select the servers you want to set up.
After you click Set Up, Server Assistant opens and lists all the servers you selected in
Server Admin.
If instead you choose Server > Set Up Remote Server, Server Assistant doesn’t list any
servers in the Server pane, and you have to add them one by one by clicking Add.
5 Select the target servers from the configuration list.
If the computer you want to configure doesn’t appear in the list, you can add it