Mac OS X Server
Advanced Server Administration
Version 10.6 Snow Leopard
Installing Locally from the Installation Disc
You can install Mac OS X Server directly onto a computer with a display, a keyboard, and a DVD drive atta
Chapter 5 Installation and Deployment
After installation is complete, the target server restarts and you can perform initial server setup. Ch
3 Select the target server from the list of servers waiting for installation.
If neither the target server nor the list appear, make sure the target
For detailed instructions for connecting to a computer running from an Install DVD, see “Remotely Acces
sudo shutdown -r now
# Method 2
sudo systemsetup -liststartupdisks
sudo systemsetup -setstartupdisk <path to disk root>
Using the installer Command-
4 If you haven’t already done so, prepare the disks for installation.
For more information about prepa
Installing Multiple Servers
Most Efficient Methods of Installation
The most efficient method of installation would be completely automated. Opening the Term
Upgrading a Computer from Mac OS X to Mac OS X Server
This is not supported in Mac OS X Server v10.6. Pe
Basic characteristics of your Mac OS X Server are established during server setup. The server can operate in three different configurations: advanc
Chapter 6 Initial Server Setup
If you’re setting up a server without a keyboard or display, you can enter the following in the Terminal appli
This guide provides a starting point for administering Mac OS X Server v10.6 using its advanced administration tools. It contains information ab
• Default SSH and Apple Remote Desktop state is enabled.
• Network interfaces (ports) are configured.
• TCP/IP and Ethernet settings are defined for each po
• Import Users and Groups
This setting connects the server to an existing Open Directory or Active Directory s
Even if you want to change the server’s directory setup, selecting “Configure Manually” is the safest option, especially if you’re considering changing
To interactively connect to an additional directory server:
1 Open the Accounts pane of System Preferences o
The following illustration shows target servers on the same subnet as the administrator computer in one scenario and target servers on a different subn
If the computer you want to configure doesn’t appear in the list, you can add it manually by clicking the Add
The automatic approach is useful when you:
• Have more than a few servers to set up
• Want to prepare for setting up servers that aren’t yet available
• Wa
You can define generic setup data that can be used to set up any server. For example, you can define generic se
Using Encryption with Setup Data Files
Saved setup data can be encrypted for extra security. Before a server sets itself up using encrypted setup data,
If setup data is encrypted, the server needs the correct passphrase before setting itself up. You can use Ser
Preface About This Guide
Using Onscreen Help
You can get task instructions onscreen in Help Viewer while you’re managing Mac OS X Server v10
To use setup data from a file remotely:
1 Create the folder for the setup file on the remote server.
a Connect to the remote server.
ssh root@<serve
Handling Setup Errors
When a server encounters a setup problem, Server Assistant shows a description of the set
Setting Up Services
After installation and initial startup, the first time you open Server Admin, you see any services that were configured during server
Setting Up Open Directory
Unless your server must be integrated with another vendor’s directory system or the
This chapter shows you how to complete ongoing management for your systems, including setting up administrator computers, designating administra
Chapter 7 Ongoing System Management
In the following illustration, the arrows originate from administrator computers and point to servers th
Using the Administration Tools
Information about administration tools can be found on the pages indicated in the following table.
Use this application o
You can use Workgroup Manager on a v10.6 server to manage Mac OS X clients running the latest Mac OS X v
Server Admin Basics
You use Server Admin to administer services on Mac OS X Server computers. Server Admin also lets you specify settings that support
If a server in the Servers list appears gray, double-click the server or click the Connect button in the
Document Road Map
Mac OS X v10.6 has a suite of guides which can cover management of individual services. Each service
• IP address
• OS version
To create a server smart group:
1 Under the Server list at the bottom of the Server Admin window, click the Add (+) button.
2
The following table contains a summary of what you find for each button:
Toolbar button | Shows
Overview | Info
Server-side file tracking for mobile home-sync is a feature of mobile home folders. For information about when to enable this feature, see the online h
The following sections give guidance regarding the types of changes that will be necessary for a name or IP ad
Your network configuration might have other domains, computers, and record types that are impacted by a server’s IP address change (SRV records, for in
Changing the DNS name of the directory server requires that all bound machines be rebound to the new dir
VPN
VPN servers allocate IP address ranges to VPN clients and mediate DNS queries of VPN clients. Any of these can be affected by a change to the VPN se
MySQL
In general, MySQL is not affected by changing an IP address or DNS name. However, none of the data in
For the most part, changing the network address or DNS name of a file server has no internal effect on file services. The file service processes monitor n
IMAP and POP
Dovecot, the IMAP and POP service, loads the fully-qualified domain name at startup and config
Viewing PDF Guides Onscreen
While reading the PDF version of a guide onscreen:
Show bookmarks to see the guide’s outl
Address Book Service
Changing the IP address of an Address Book server does not affect new connections to the server; however, it can disconnect existin
Certificates for Collaboration Services
AddressBook, iCal, and iChat servers that use SSL will need new cer
To change the IP address of the Podcast Producer computer:
1 Stop the Xgrid job queue when empty (or stop and empty it).
2 Reconfigure DNS, Open Dire
• Software Update Service
• Xgrid
After Software Update changes the DNS name or IP address, a number of cha
Changing the IP Address of a Server
You can change the IP address of a server using the Network pane of System Preferences or the networksetup tool.
Do
You can use the scutil command-line tool to set the local hostname and local hostname. For more informati
Adding and Removing Services in Server Admin
Server Admin can only show you the services you are administering, hiding all other service configuration p
Controlling Access to Services
You can use Server Admin to configure which users and groups can use service
Using SSL for Remote Server Administration
You can control the level of security of communications between Server Admin and remote servers by choosing
The following is the File Sharing configuration pane in Server Admin.
Tiered Administration Permissions
In p
Getting Documentation Updates
Periodically, Apple posts revised help pages and new editions of guides. Some revised he
Server Admin updates to reflect what operations are possible for a user’s permissions. For example, some services are hidden or the Settings pane is di
The following topics describe general Workgroup Manager usage. Instructions for conducting specific admini
The following is a sample user record configuration pane in Workgroup Manager:
Initially, accounts listed are those stored in the last directory node o
Defining Managed Preferences
To work with managed preferences for user accounts, group accounts, or compute
Working with Directory Data
To work with raw directory data, use Workgroup Manager’s Inspector.
The following is the record Inspector pane in Workgroup
Service Configuration Assistants
Server Admin has configuration assistants to guide you through setting up s
Address Book Service
File type | Location
Configuration files | /etc/cardavd/cardavd.plist
Data | /Library/AddressBookServer/Documents/
iCal Service
File type | Loca
Mail—Amavisd
File type | Location
Configuration files | /etc/amavisd.conf
Data: (default locations) | /var/amavis/M
Notifications
File type | Location
Configuration files | /etc/emond.d/
/etc/emond.d/rules/
/Library/Keychains/System.keychain
OpenDirectory Service
The entire Open
Web Service
File type | Location
Configuration files | /etc/apache2/* (for Apache 2.2)
/etc/httpd/* (for Apache 1.
Mac OS X Server gives you everything you need to provide standards-based workgroup and Internet services — delivering a world-class UNIX server so
Some single points of failure include:
• Computer system
• Hard disk
• Power supply
Although it is almost impossible to eliminate all single points of fai
Using Backup Power
In the architecture of a server solution, power is a single point of failure. If power
The automatic restart options are:
• Restart automatically after a power failure. The power management unit automatically starts up the server after a
Link Aggregation
Although not common, the failure of a switch, cable, or network interface card can cause
About the Link Aggregation Control Protocol (LACP)
IEEE 802.3ad Link Aggregation defines a protocol called Link Aggregation Control Protocol (LACP) that
Computer to Switch
In this scenario shown in the following illustration, you connect your server to a swit
For example, you can connect two links to the master switch and the remaining links to the backup switch. As long as the master switch is active, the
The interface name bond<num> assigned by the system is different from the name you give to the link
Load Balancing
One factor that can cause services to become unavailable is server overload. A server has limited resources and can service a limited nu
Daemon Overview
By the time a user logs in to a Mac OS X system, a number of processes are running. Many o
Chapter 1 System Overview and Supported Standards
What’s New in Mac OS X Server v10.6
Mac OS X Server v10.6 offers major enhancements in several
The launchctl utility is the command-line tool used to control launchd. It can:
• Load and unload daemons
• Start and stop launchd controlled jobs
• Get sy
Effective monitoring allows you to detect potential problems before they occur and gives you early warning when they occur. Detecting potential p
Several factors can be considered for a monitoring response:
• What are relevant response methods? In other words, how will the response take place?
• Wha
Chapter 8 Monitoring Your System
A green status indicator shows the component is OK, a yellow status indicator notes a warning, and a red sta
df -Hl
Filesystem Size Used Avail Capacity Mounted on
/dev/disk0s9 40G 38G 2.1G 95% /
In this example, the hard disk is almost full with only 2.1 GB left
If you detect an unusual number of requests coming from the same source, use Firewall service to block traffic
The following shows a sample Overview pane for a single server.
This overview shows basic hardware, operating system versions, active services, and gr
When a server kernel panics it abruptly halts all normal system operations. Usually, a kernel process named
Setting Up a Core Dump Server
You can use any Mac OS X v10.5 or later computer to be a core dump server that fits the following criteria. The core dump
Setting Up a Core Dump Client
A core dump client sends its kernel panic debug information to the core dump se
• OpenCL support
Mac OS X Server v10.6 supports OpenCL and makes it possible for developers to use the GPU for general computational tasks.
What’s New i
Configuring Common Core Dump Options
By default, core dumps happen using UDP port 1069 over the built-in Ethernet (en0) interface, and the resulting file
SNMPv2 is the default access protocol and the default read-only community string is “public.”
Enabling SNMP r
To enable and configure SNMP:
Use the /usr/bin/snmpconf command, which takes you through a basic text-based setup assistant for configuring the communi
Step 3: Collect SNMP information from the host
To get the SNMP-available information you added, execute this
There are two main notification daemons: syslogd and emond.
• syslogd: The syslogd daemon is a standard UNIX method of monitoring systems. It logs mes
Logging
Mac OS X Server maintains standard UNIX log files and Apple-specific process logs. Logs for the OS can
Syslog Configuration File
The Syslog configuration file can be found at /etc/syslog.conf. Each line has the following format:
<facility>.<loglevel
To run slapd in debugging mode:
1 Stop and remove slapd from launchd’s watch list:
launchctl unload /System/
Provide increased server responsiveness to clients and reduce server load with Push Notification Server.
Mac OS X Server v10.6 uses an XMPP Pubsub
Chapter 9 Push Notification Server
Starting and Stopping Push Notification
When you start push notification on a server, the service broadcasts i
The following table highlights the capabilities of each configuration tool.
Service | Set in ini
Changing a Service’s Push Notification Server
If push notification is configured on the server, it is listed in the location on the service’s settings pan
Apple Inc.
© 2009 Apple Inc. All rights reserved.
The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publicat
Service | Set in initial server setup | Server Preferences | Server Admin
Open Directory master (user accounts and other data) | Optional | Optional | Yes
Podcast P
A standards-based directory services architecture offers centralized management of network re
• Web Technologies: Mac OS X Server is a complete AMP stack (a bundle of integrated Apache-MySQL-PHP/Perl/Python software). Mac OS X Server web tech
• XMPP: Extensible Messaging and Presence Protocol (XMPP) is an open XML-based messaging p
Before installing and setting up Mac OS X Server, do a little planning and become familiar with your options.
The major goals of the planning phase
Chapter 2 Planning Server Usage
During the planning stage, you’ll also decide which installation and server setup options best suit your needs
If you’ve been planning to replace a Windows NT computer, consider using Mac OS X Server with its extensive built-in support for Windows clients. Make
• Home folders for network users can be consolidated onto one server or distributed among various servers.
Alt
Defining a Migration Strategy
If you’re using Mac OS X Server v10.4–10.5 or a Windows-based server, examine the opportunities for moving data and settin
The first aspect primarily involves directory services integration. Identify which Mac OS X Server computers wi
Preface: About This Guide
What’s in This Guide
Using Onscreen Help
Document Road Map
Viewing PDF Guides Onscreen
Printing PDF Gui
For example, if you use Mac OS X Server to provide DHCP, network time, or BootP services to other servers, you should set up the servers that provide
Making Sure Required Server Hardware Is Available
You might want to postpone setting up a server until all its
Understanding Backup and Restore Policies
There are many reasons to have a backup and restore policy. Your data is subject to failure because of failed
Your organization must determine the following:
• What must be backed up?
• What should not be backed up (as per o
Understanding Backup Scheduling
Backing up files requires time and resources. Before deciding on a backup plan, consider the following questions:
How muc
Consider the following questions:
• How long will it take to restore data at each level of granularity?
For exam
• Capacity. If you back up only a small amount of data, low-capacity storage media can do the job. But if you need to back up large amounts of data,
For example, Time Machine doesn’t back up user and group directory records, email, DNS records, Address Book s
Manage Mac OS X Server using graphical applications or command-line tools.
Mac OS X Server v10.6 administration applications must be run from eithe
Chapter 3 Administration Tools
Server Admin Interface
The Server Admin interface is shown here, with each element explained in the following ta
Understanding Backup Types
Understanding Backup Scheduling
Understanding Restores
Other Backup Policy Considerations
Co
D Main Work Area: Shows status and configuration options. This looks different for each service and for each context button selected.
E Available servers:
Server Assistant
Server Assistant is used for:
• Remote server installations
• Initial setup of a local server
• Init
Server Preferences
Server Preferences is the simplified administration application you need for managing Mac OS X Server v10.6. You can use Server Prefe
Workgroup Manager Interface
The Workgroup Manager interface is shown here, with each element explained in the fo
Customizing the Workgroup Manager Environment
There are several ways to tailor the Workgroup Manager environment:
To open Workgroup Manager Preferences,
To identify the Xserve computer to monitor, click Add Server, identify the server, and enter user name and pass
iCal Service Utility
iCal Service Utility gives users access to shared information about locations and resources. Users can use iCal Service Utility to
System Image Management
You can use the following Mac OS X Server applications to set up and manage NetBoot and
Command-Line Tools
If you’re an administrator who prefers to work in a command-line environment, you can do so with Mac OS X Server.
From the Terminal
Podcast Capture, Composer, and Producer
Podcast Capture takes audio and video from a local or remote camera, cap
Single Sign-On
About Certificates, SSL, and Public Key Infrastructure
Public and Private Keys
Certificates
About Certificate
Apple Remote Desktop
Apple Remote Desktop (ARD), which you can optionally purchase, is an easy-to-use network-computer management application. It simpl
By vigilantly adhering to security policies and practices, you can minimize the threat to system integrity and data privacy.
Mac OS X Server is b
About Network Security
Network security is as important to data integrity as physical security. Although someone might immediately see the need to lock
Chapter 4 Enhancing Security
This allows an organization to provide services to the external network while protecting the internal network fro
In theory, MAC filtering allows a network administrator to permit or deny network access to hosts and devices associated with the MAC address, although
Most transport encryption requires the participation of both parties in the transaction. Some services (such as S
• Secure VM: Secure VM encrypts system virtual memory (memory data temporarily written to the hard disk), not user files. It improves system security
In Mac OS X Server, users trying to access services (like logging in to a directory-aware workstation, or trying
• Web Service (Apache via the SPNEGO Simple and Protected GSS-API Negotiation Mechanism protocol)
• Xgrid
• Storing passwords in user accounts. This app
Kerberos also provides a single sign-on environment where users must authenticate only once a day, week, or other
About Starting Up for Installation
Before Starting Up
Starting Up from the Install DVD
Starting Up from an Alternate Parti
Web, mail, and directory services use the public key with SSL to negotiate a shared key for the duration of the connection.
For example, a mail server
About Identities
Identities are a certificate and a private key, together. The certificate identifies the user, and t
Several keychains can hold certificates:
• SystemRootCertificates: This keychain holds root certificates that ship with Mac OS X. The certificates alread
The Server Admin interface is shown below, with Certificates selected.
Certificate Manager provides integrated manag
When certificates and keys are imported via Certificate Manager, they are put in the /etc/certificates/ directory. The directory contains four PEM format
Creating a Self-Signed Certificate
A self-signed certificate is generated at server setup. Although it is available
4 Click the Action button below the certificates list and choose “Generate Certificate Signing Request (CSR).”
Certificate manager creates the signing r
5 If you override the defaults, provide the following information in the next few screens:
A unique serial numbe
Using a CA to Create a Certificate for Someone Else
You can use your CA certificate to issue a certificate to someone else. By doing so you are stating yo
7 Click the Import button.
If prompted, enter the private key passphrase.
Managing Certificates
After you create an
Chapter 7: Ongoing System Management
Computers You Can Use to Administer a Server
Setting Up an Administrator Computer
U
For instructions on how to do this, see “Replacing an Existing Certificate” on page 71.
Distributing a CA Public Certificate to Clients
If you’re using se
5 Click Save.
Renewing an Expiring Certificate
Certificates have an expiration date and must be renewed periodicall
SSH and SSH Keys
SSH is a network protocol that establishes a secure channel between your computer and a remote computer. It uses public-key cryptograp
The -b flag sets the length of the keys to 1,024-bits, -t indicates to use the RSA hashing algorithm, -f sets the
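        # Count how many times $match occurs on this line of output.
        $count = @{[$_ =~ /$match/g]};
        if ($count > 0) {
            $flag = 1;
        }
    }
    close SBUFF;
    # Restart the server only if the restart text was seen.
    if ($flag == 1) {
        system("ssh $server -x -o batchmode=yes shutdown -r now");
    }
}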
You can determine which services other admin group users can modify. To do this, the administrator making the de
Security Best Practices
Server administrators must make sure that adequate security measures are implemented to protect a server from attacks. A compro
• Do not use administrator (UNIX “admin” group) accounts for daily use.
• Restrict the use of administration privile
Creating Complex Passwords
Use the following tips to create complex passwords:
Use a mix of alphabetic (upper and lower case), numeric, and special char
Whether you install Mac OS X Server on a single server or a cluster of servers, there are tools and processes to help the installation and deplo
Eliminating Single Points of Failure
Using Xserve for High Availability
Using Backup Power
Setting Up Your Server for
Step 3: Set up the environment
If you are not in complete control of the network environment (DNS servers, DHCP server, firewall, and so forth) coordina
• “Installing Remotely with Server Assistant” on page 101
• “Installing Remotely with Screen Sharing an
Setting Up Network Services
Before you can install, you must set up the following for your network service:
• DNS: You must have a fully qualified doma
Mac OS X Server Install Disc
The Install Disc has a Documentation folder with Getting Started, Installati
When you install and set up Mac OS X Server on a computer that has a display and keyboard, it’s already an administrator computer. To make a computer
Starting Up from the Install DVD
This is the simplest method of starting the computer, if you have physic
However, if you are reinstalling regularly, or if you are creating an external Firewire drive-based installation to take to various computers, or if y
4 Select File > New > Disk Image from <device>.
5 Give the image a name; select Read-only
Tip: You can use asr to restore a disk over a network, multicasting the blocks to client computers. Using the multicast server feature of asr, you
This is usually the first eight characters of the server’s built-in hardware serial number.
For more infor
Chapter 9: Push Notification Server
About Push Notification Server
Starting and Stopping Push Notification
Changing a Servi
2 Identify the target server.
If you don’t know the IP address and the remote server is on the local subnet, you can find servers using the command l
You can use the dns-sd tool to identify computers on the local subnet where you can install server softwa
Step 1: Create a NetInstall image from the Install DVD
This step doesn’t need to be done on the target computer. It can be done on an administrator com
If you’re using an installation disc for Mac OS X Server v10.6, you can perform these tasks from another
A case-sensitive volume is supported as a start volume format. An HFSX file system for Mac OS X Server must be specifically selected when erasing a volu
Partitioning a Disk
You can use the Installer to open Disk Utility and then use Disk Utility to partition
Additional information about diskutil and other uses can be found in Introduction to Command-Line Administration. For complete command syntax for disk
You can combine RAID sets to combine their benefits. For example, you can create a RAID set that combines
5 Drag the disks to the window.
6 Follow the instructions in the window to set parameters.
7 Click Create.
You can find instructions for partitionin
Erasing a Disk or Partition
You have several options for erasing a disk, depending on your preferred tool