arshadmuhammed.files.wordpress.com  · Web viewOS X Server for small business. A single Mac server...


OS X Server for small business

A single Mac server can provide all the services needed by computer and mobile device users in a small business.

In the following illustration of OS X Server in a small business, the server and the users’ computers are all connected to an intranet that shares a DSL or cable Internet connection. The Internet connection is shared through a router, which can be an AirPort Extreme Base Station (802.11n), a Time Capsule, or a router from your ISP or a computer retailer.

The router connects to the Internet through a DSL modem or cable modem and connects to the intranet to share the Internet connection with the server and the users’ computers. The server and some of the users’ computers have wired connections to the intranet, and other users’ computers connect to the intranet wirelessly through the Wi-Fi router. The server and the users’ computers get their network addresses from the router’s DHCP server. They get DNS name service from the ISP.

The router also protects the server and the users’ computers against malicious attacks from the Internet by blocking communications that originate outside the intranet. However, the router is configured to allow incoming communications for some services. For example, the router allows the server’s Mail service to receive email from outside the intranet, and Messages service can receive instant messaging invitations from Google Talk users via the Internet. All the wired and wireless computers and mobile devices on the intranet get services from the Mac server.

The server provides user and group accounts, shared folders, server-based contact lists, shared calendars, instant messaging, and wikis with web calendars and blogs. The ISP doesn’t provide enough email addresses for everyone in the organization, so the server provides email addresses and Mail service.

Users with OS X use Time Machine to back up their Mac computers to an external hard drive (not shown) attached to the server.

Some users have their portable computers, home computers, and mobile devices set up to connect to the server’s VPN via the Internet. This gives them secure remote access, while traveling or working at home, to all the services that the server provides on the intranet. iPhone, iPad, and iPod touch users can check wikis and blogs while roaming.


OS X Server for workgroups

A Mac server can provide services to a workgroup, such as a department in a large organization.

In the following illustration of OS X Server in a workgroup, the organization has an IT department that provides DHCP service for assigning network addresses, DNS name service, Mail service, Internet access, and a VPN.

Everyone in the department already has a user account provided by the organization’s network accounts server, so these user accounts have been imported to the department’s server. This means everyone simply uses the user name and password they already know in order to authenticate for services provided by the department’s server. Those services are set up to use single sign-on authentication with the network account server, allowing users to log in once per session for all departmental services.

The department’s server provides address book, calendar, and instant messaging services that work with the users’ OS X Contacts, Calendar, and Messages apps. The department’s server also provides shared folders and private wikis for groups and projects within the department. Some projects include participants from outside the department. Outside participants use their existing user accounts to authenticate for wiki or shared folder access.

The organization’s servers provide storage for backup, but most users have OS X and prefer to use Time Machine with the external hard drive (not shown) attached to the department’s server.

The department has some Windows users, who use Internet Explorer, Safari, and Firefox to access wikis, web calendars, and blogs. Shared folders appear as mapped drives in their Network Places. They have also set up their PCs to use the department server’s Jabber instant messaging.


Set up an administrator computer

You can use the Server app on an administrator computer to set up and manage your server over the network. You can install the Server app on a Mac that isn’t a server, making it an administrator computer. If you have OS X Server on multiple servers, they already have the Server app installed, and you can use them as administrator computers.

As illustrated below, you use the Server app on the administrator computer to check server status, manage accounts and services, and view or change server system settings. The remote server doesn’t need a display.

1. Install the Server app on a Mac you want to be an administrator computer by doing either of the following:

Copy from your server.

You can copy the Server app from your server to a Mac that you want to be an administrator computer.

Install from the Mac App Store.

After purchasing OS X Server from the App Store on your server, you can install it free of charge on a Mac you want to be an administrator computer. You open the App Store on the prospective administrator computer, find OS X Server in the App Store, click Buy, and provide the Apple ID you used to purchase OS X Server. The Server app is downloaded to the administrator computer.

2. Open the Server app you installed in step 1, and then choose Manage > Connect to Server.

The “Choose a Mac” dialog appears. If the “Welcome to Server” dialog appears instead, choose Manage > “Connect to Server” again.

3. You can now select another Mac to manage, and then click Continue.

For additional instructions, see Manage OS X Server remotely.


Note: If you select This Mac (that is, the Mac you’re working on) and click Continue, the Server app makes the Mac a server.

Server tools

You use a few different tools to change service settings, check status, and perform other server administration tasks on Macs running OS X Server.

Server app is the primary tool you use to:

Manage users and groups.

Monitor server status.

Start, stop, and customize services.

View and change system, network, and storage settings.

Manage an AirPort device.

The apps described below are available from the Tools menu in the Server app. They help you manage the more advanced functions of your server.

Directory Utility: Configure advanced connections to directory servers. You can open Directory Utility from the Tools menu in the Server app.

Screen Sharing: Observe and control your server from another computer on the network. You can open Screen Sharing from the Tools menu in the Server app.

System Image Utility: Create NetBoot, NetInstall, and NetRestore images for Mac computers.

Xsan Admin: Set up and manage a storage area network (SAN) to provide fast, shared storage among Mac computers connected to a Fibre Channel network.

For more information about these apps, open the application and use the Help menu.

Many management and setup features of OS X Server are also available from the command line via the /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin tool. For more information about the serveradmin(8) tool, see its man page. For more information about using command-line tools, see About the command-line environment.


About the command-line environment

A command-line interface (CLI) is an alternative to graphical applications for interacting with and controlling your computer.

OS X Server provides graphical applications—primarily the Server app—to address common administration tasks. However, there are situations where using the CLI might be appropriate. These situations include:

Configuring advanced options that aren’t supported by graphical applications

Configuring remotely from a computer that doesn’t have the Server app installed—for example, a computer with Windows, Linux, or another UNIX-based operating system

Performing tasks that are repetitive or that must be run at predefined times

Editing text files, usually to change advanced configuration settings and preferences

The primary way to access the CLI in OS X is with the Terminal app. Other ways to access the CLI are discussed in related topics. Each window in Terminal contains an execution context, called a shell, which is separate from all other execution contexts.

The shell is an interactive programming language interpreter, with a specialized syntax for executing commands and writing structured programs (shell scripts). Different shells have slightly different capabilities and programming syntax. Although you can use any shell, the examples in OS X Server: Advanced Administration use bash, the startup shell for OS X and the default user shell.

UNIX

OS X and OS X Server are built on the foundation of the UNIX operating system. UNIX-based operating systems include BSD, GNU/Linux, AIX, and Solaris. The shared heritage of these operating systems means that many programs are compatible across this larger family, with minimal changes.

The unique underpinnings of each brand of UNIX are what distinguish them from each other. To support programs and utilities that work across multiple flavors of UNIX, some specifications are set by standards bodies. One such specification is The Open Group’s Single UNIX Specification. Mac OS X v10.5 or later conforms to v3 of this specification, which implies conformance to the SUSv3 and POSIX 1003.1 specifications for the C API, shell utilities, and threads. Code that complies with the UNIX-03 specification works on OS X Server and on other compliant systems.

For more information about the Single UNIX Specification v3, see www.unix.org/version3/.

The shell


In UNIX-based operating systems, the shell is the fundamental user interface. The shell is an environment that presents a text prompt to the user and accepts keyboard input from the user.

In OS X, the shell is easily accessed through Terminal, but there are other options. The shell can be invoked interactively, or by a text file with commands to the shell given in a standard format. There are several shells available in OS X, each with its own strengths and capabilities. Shells in OS X include bash, csh, ksh, sh, tcsh, and zsh.

For information about these shells, see their man pages.

Control remote computers with SSH

SSH (Secure Shell) lets you send secure, encrypted commands to a computer remotely, as if you were sitting at the computer.

You use the ssh tool in Terminal to open a command-line connection to a remote computer, and while the connection is open, you enter commands to be performed on the remote computer. You can also use any other application that supports SSH to connect to a computer with OS X Mountain Lion or OS X Server installed.

SSH works by setting up encrypted tunnels using public and private keys. Here’s a description of an SSH session:

The local and remote computers exchange public keys. If the local computer has never encountered a given public key, SSH and your web browser prompt you to accept the unknown key.

The two computers use the public keys to negotiate a session key used to encrypt subsequent session data.

The remote computer attempts to authenticate the local computer using RSA or DSA certificates. If this isn’t possible, the local computer is prompted for a local user name and password.

After successful authentication, the session begins. A remote shell, a secure file transfer, a remote command, or other action can take place through the encrypted tunnel.

The following are SSH tools:

Tool   Description
sshd   A daemon that acts as a server to all other commands
ssh    The primary user tool, which includes a remote shell, remote command, and port-forwarding sessions
scp    Secure copy, a tool for automated file transfers
sftp   Secure FTP, a replacement for FTP


Services

OS X Server can provide services to Mac, Windows, and UNIX computers, and to iOS devices such as iPhone, iPad, and iPod touch. You use the Server app to turn on the services you want to provide, customize service settings, and turn off services you don’t need.

Services include:

Calendar service provides shared calendars, so users can check each other’s availability, book conference rooms, and schedule meetings and events.

Contacts service provides centralized contact information.

DNS service provides domain names for other computers.

File sharing service lets users store and share folders and files on the server.

FTP service gives users a simple way to move files and folders to and from your server.

Mail service lets users send and receive email on your local network and the Internet using any email app or, optionally, a web browser.

Messages service lets users collaborate by chatting and sharing information.

NetInstall lets you manage the installation of OS X onto multiple computers.

Open Directory service helps you integrate your server with an existing directory services implementation or provide advanced directory services in your organization for implementing technologies like RADIUS.

Profile Manager service lets you manage mobile devices and distribute configuration profiles that set up computers and iOS devices to use your server.


With Software Update service, you can host and manage which Apple-provided software updates are available to computers in your organization.

Time Machine service lets users back up their Mac computers on your server’s disk.

VPN service gives users secure remote access to your server and network.

Websites service lets you publish custom websites.

Wiki service lets users share information using wikis.

Xsan service lets you create a shared storage area network (SAN).

Disk preparation

If you’re going to install OS X Server on an existing computer and want a clean installation rather than an upgrade, use the Disk Utility app to erase the disk you’ll install on. With Disk Utility, you can also partition the server’s disk into multiple volumes or set up a RAID set.

You can use Disk Utility when you begin installing OS X Server. For instructions, search Help Center for “Erase and reinstall OS X.”

You can also use Disk Utility after installing OS X Server.

Formats for server disks

When you erase a disk before installing OS X Server on it, select one of these formats:

Mac OS Extended (Journaled): 

This format is recommended, and is the most common format for Mac and Mac server startup disks.

Mac OS Extended (Case-sensitive, Journaled): 

This format is worth considering if you’re planning to have your server host a custom website with static web content instead of or in addition to wikis. A case-sensitive disk can host static web content with a more direct mapping between files and URLs.


You can erase other disks using one of the formats above, or a non-journaled variant: Mac OS Extended or Mac OS Extended (Case-sensitive).

If the server has a disk formatted using the UNIX File System (UFS) format by an earlier version of OS X or OS X Server, do not use the UFS disk for an OS X Server startup disk.

Volumes on a partitioned disk

Partitioning a hard disk creates a volume for OS X Server and one or more volumes for service data and other software. The volume you install OS X Server on should be at least 10 GB. This volume should be larger if you plan to store shared folders, wikis, and other service data on it.

The volumes on a partitioned disk are often simply called “disks.” Each volume appears as a disk in the Finder, and you use each volume as if it were a separate disk.

RAID sets

If you’re installing OS X Server on a computer with multiple internal hard disk drives, you can create a RAID (Redundant Array of Independent Disks) set to optimize storage capacity, improve performance, and increase reliability in case of a disk failure. For example, a mirrored RAID set increases reliability by writing your data to two or more disks at once. If one disk fails, your server automatically continues using other disks in the RAID set.

You can set up RAID mirroring or another type of RAID set when you begin installing OS X Server. After installing, you can set up RAID mirroring on a disk that isn’t partitioned. To prevent data loss, you should set up RAID mirroring as early as possible. For information about setting up a RAID set, search Disk Utility Help for “Using RAID sets.”

If you choose a RAID set, you won’t get a recovery partition or FileVault full disk encryption. A recovery partition allows you to reinstall OS X or recover your entire system from a Time Machine backup. Full disk encryption isn’t recommended for an OS X Server startup disk or any disk that stores service data. If these disks are encrypted, the server can’t restart until you go to the server and enter the password at the server’s keyboard. If you use OS X Server to share an encrypted disk, the disk isn’t available to users until you enter the password at the server’s keyboard.

Port mapping for network and server protection

If you have a network router that shares its Internet connection with computers on your intranet, such as an AirPort Extreme Base Station (802.11n) or a Time Capsule, the router isolates your intranet from the Internet. These Internet-sharing routers protect your intranet against malicious attacks from the Internet by blocking communications that originate outside the intranet.

Computers on the Internet can’t access your server unless you configure your router to expose specific services on the Internet. For example, you might expose your Wiki and Websites services on the Internet, but not file sharing. You can still control access to wikis by requiring users to log in to view them. The process of exposing individual services to the Internet is called “port mapping” or “port forwarding.”


Internet users can access your exposed services by using an Internet host name, such as server.mycompany.com, that you register with a public DNS registrar or a DNS hosting service. Your registered host name points to the public IP address you got from your ISP and configured your router to use. Internet users can also access your exposed services by using your public IP address directly instead of by using an Internet host name.

When using your Internet host name or public IP address to access a specific service, such as your Wiki service, users actually reach your router. If you exposed the service, your router forwards the request to your server. If you didn’t expose the service, the router doesn’t forward the request, and the user can’t get that service from your server.

If you want to let Internet users with accounts on your server access services that aren’t exposed to the Internet, you can turn on VPN service. It provides a secure remote connection to all services on your intranet.

Register the server’s Internet host name

To allow users to access the server by using its host name on the Internet, you must register the server’s host name.

Obtain an Internet domain name, such as example.com.

If you don’t already have a domain name, you can purchase one from a public domain name registrar. For information about domain name registrars, search the web.

Register a unique host name for this server, such as server.example.com, with your domain name registrar.

If your organization has a computer support group, request a host name from them. Otherwise, work with the domain name registrar where you obtained your domain name to assign a host name.

Have a DNS hosting service add records for this server to its DNS servers.

If your organization has a computer support group, ask if they host DNS servers. Otherwise, your DNS registrar might provide DNS hosting service, or you can search the web for a provider.

DNS records for your server


Before you set up your server, have your DNS server administrator add records for your server to a DNS server. After these records are added, users can access your server by using its host name, such as server.mycompany.com.

Users can use your server’s host name on your intranet if the DNS server administrator for your intranet adds DNS records for your server. If your intranet doesn’t have a DNS server, users can access your server by using its local hostname, such as server.local.

Users can use your server’s host name on the Internet if a DNS hosting service adds the records described below to its DNS servers. These records must point your server’s host name to the public IP address of your Internet router, if you have one. The DNS registrar you obtained a domain name from might provide DNS hosting service, or you can search the web for a provider.

A (address)

An A record is required. It maps your server’s host name to its IP address. If you have an Internet router, your server has a unique, private IP address on your intranet, but on the Internet it uses the router’s public IP address.

PTR (pointer)

A PTR record is required. It provides a reverse lookup by mapping the server’s IP address to its host name. If you have an Internet router, your server has a unique, private IP address on your intranet, but on the Internet it uses the router’s public IP address.

MX (mail exchange)

If your server provides Mail service, the optional MX record specifies that your server is a mail server for your domain. An MX record lets users have an email address such as [email protected]. Without an MX record, email addresses must include your server’s full host name (for example, [email protected]).

CNAME (alias)

One or more optional CNAME records provide convenient access to services your server provides, such as mail.example.com and www.example.com.

SRV for Contacts service

If your server provides Contacts service, you can add an optional SRV record for Contacts service’s CardDAV protocol.

If you have an SSL certificate for Contacts service, add a record that maps _carddavs._tcp for port 8443 to your server’s host name. For example:

_carddavs._tcp 86400 IN SRV 0 1 8443 server.example.com

If you don’t have an SSL certificate for Contacts service, add a record that maps _carddav._tcp for port 8008 to your server’s host name. For example:

_carddav._tcp 86400 IN SRV 0 1 8008 server.example.com

SRV for Calendar service

If your server provides Calendar service, you can add an optional SRV record for Calendar service’s CalDAV protocol.


If you have an SSL certificate for Calendar service, you can add an optional record that maps _caldavs._tcp for port 8443 to your server’s host name. For example:

_caldavs._tcp 86400 IN SRV 0 1 8443 server.example.com

If you don’t have an SSL certificate for Calendar service, add a record that maps _caldav._tcp for port 8008 to your server’s host name. For example:

_caldav._tcp 86400 IN SRV 0 1 8008 server.example.com

SRV (service locator) for Messages service

If your server provides Messages instant messaging service, you can add two optional SRV (service locator) records for Messages server’s XMPP (Jabber) protocol.

One record controls connections between your server and other XMPP servers. It maps _xmpp-server._tcp for port 5269 to your server’s host name. For example:

_xmpp-server._tcp 86400 IN SRV 0 1 5269 server.example.com

Another record controls Messages and other XMPP client connections to your server. It maps _xmpp-client._tcp for port 5222 to your server’s host name. For example:

_xmpp-client._tcp 86400 IN SRV 0 1 5222 server.example.com

These SRV records let users have a Messages address such as [email protected]. Without these SRV records, Messages addresses must include your server’s full host name (for example, [email protected]).
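As an added example (not part of the Apple document), the following shell script checks a zone-file fragment against the ports the SRV records above are documented to use, and flags records that advertise the unencrypted CardDAV and CalDAV endpoints. The zone fragment is constructed for this example; server.example.com is the document's placeholder host name.

```shell
#!/bin/sh
# Audit SRV records for the Contacts, Calendar and Messages services against
# the ports documented for each label. Constructed sample zone fragment; the
# _caldav._tcp line is the deliberate error case (plaintext label on the SSL port).
SAMPLE_ZONE='_carddavs._tcp 86400 IN SRV 0 1 8443 server.example.com
_caldav._tcp 86400 IN SRV 0 1 8443 server.example.com
_xmpp-server._tcp 86400 IN SRV 0 1 5269 server.example.com
_xmpp-client._tcp 86400 IN SRV 0 1 5222 server.example.com
www 86400 IN CNAME server.example.com'

# expected_port LABEL: print the documented port for a service label,
# or nothing if the label is not one the document describes.
expected_port() {
  case "$1" in
    _carddavs._tcp|_caldavs._tcp) echo 8443 ;;   # CardDAV/CalDAV with SSL
    _carddav._tcp|_caldav._tcp)   echo 8008 ;;   # CardDAV/CalDAV without SSL
    _xmpp-server._tcp)            echo 5269 ;;   # XMPP server-to-server
    _xmpp-client._tcp)            echo 5222 ;;   # XMPP client-to-server
    *)                            echo ""   ;;
  esac
}

# is_plaintext LABEL: succeed if the label is the no-SSL variant.
is_plaintext() {
  case "$1" in
    _carddav._tcp|_caldav._tcp) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_srv: read zone-file lines on stdin and print one finding per SRV
# record: OK, MISMATCH (wrong port), UNKNOWN (label not documented) or
# PLAINTEXT (documented port, but the unencrypted service). Non-SRV records
# are skipped. Returns 0 only if every documented label has its documented port.
audit_srv() {
  status=0
  while read -r label ttl class type prio weight port target; do
    [ "$type" = "SRV" ] || continue
    want=$(expected_port "$label")
    if [ -z "$want" ]; then
      echo "UNKNOWN $label port $port -> $target"
    elif [ "$port" != "$want" ]; then
      echo "MISMATCH $label port $port (documented port is $want) -> $target"
      status=1
    elif is_plaintext "$label"; then
      echo "PLAINTEXT $label port $port -> $target (no SSL certificate in use)"
    else
      echo "OK $label port $port -> $target"
    fi
  done
  return $status
}

# Run the audit on the constructed zone; it reports the _caldav._tcp mismatch.
printf '%s\n' "$SAMPLE_ZONE" | audit_srv || echo "audit found at least one mismatch"
```

To check a live zone, feed the script the SRV lines exported from your DNS hosting service instead of SAMPLE_ZONE.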

DHCP server configuration for your server

Before you set up your Mac server, configure your DHCP server to supply important network addresses to computers on your intranet.

The DHCP server can provide each computer with its own IP address, the IP address of your network router, and the IP addresses of DNS servers for your network.

When configuring your DHCP server, be sure to do the following:

Configure your network’s DHCP server to assign a fixed (static) IP address to your server. This feature is called “static mapping” or “DHCP reservations.” With a fixed IP address, your server always has the same IP address, so other computer users can connect to it reliably.

Configure your DHCP server to provide your server’s IP address as the DNS server address, unless your intranet has a DNS server. If your intranet doesn’t have a DNS server, your server is configured as a DNS server during initial server setup.


If your intranet connects to the Internet through a router supplied by your ISP or purchased from a computer retailer, the router is usually your DHCP server. For information about configuring your router, see its documentation.

If your intranet and Internet connections are managed by your organization, ask the DHCP administrator to configure the DHCP servers for your Mac server.

Ports used for administration

For Apple’s administration applications to function, specific ports must be enabled. In addition, other ports must be enabled for each service you want to run on your server.

Port number and type   Tool used
22 TCP                 SSH command-line shell
389, 636 TCP           Directory


© 2012 Apple Inc. All rights reserved.

Restart computers

To restart a computer now or at a specific time, use the shutdown -r or systemsetup command. For more information, see their man pages.

Restart the local computer

Enter the following command in a Terminal window:

$ sudo shutdown -r now

Restart a remote computer immediately

Enter the following command in a Terminal window:

$ ssh -l admin computer shutdown -r now

Replace admin with the short name of a user account on the remote computer.

Replace computer with the IP address or host name of the remote computer.


Restart a remote computer at a specific time

Enter the following command in a Terminal window:

$ ssh -l admin computer shutdown -r hhmm

Replace admin with the short name of a user account on the remote computer.

Replace computer with the IP address or host name of the remote computer.

Replace hhmm with the hour and minute you want the remote computer to restart.

Restart automatically after power failure

You can also use the systemsetup command to set the computer to start up after a power failure or system freeze, by specifying a number of seconds. Enter the following command in a Terminal window:

$ sudo systemsetup -setwaitforstartupafterpowerfailure seconds

Replace seconds with the number of seconds before the computer starts after a power failure. This value must be 0 (zero) or a multiple of 30.
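As an added example (not from the Apple document), this shell script validates the admin, computer, hhmm and seconds values from the procedures above before splicing them into the ssh and systemsetup command lines, so a malformed value is rejected instead of reaching the remote shell. The user name admin and host server.example.com are placeholders, and the script prints the commands rather than running them.

```shell
#!/bin/sh
# Build the remote-restart and power-failure commands from validated inputs.

# valid_hhmm HHMM: succeed only for a four-digit time with hour 00-23 and
# minute 00-59, the same-day form that shutdown -r accepts.
valid_hhmm() {
  case "$1" in
    [0-9][0-9][0-9][0-9]) ;;
    *) return 1 ;;
  esac
  hh=${1%??}   # first two digits
  mm=${1#??}   # last two digits
  [ "$hh" -le 23 ] && [ "$mm" -le 59 ]
}

# valid_wait_seconds N: succeed only for 0 or a positive multiple of 30,
# the values systemsetup -setwaitforstartupafterpowerfailure accepts.
valid_wait_seconds() {
  case "$1" in
    0) return 0 ;;
    ''|0*|*[!0-9]*) return 1 ;;   # empty, leading zero, or non-digit
  esac
  [ $(( $1 % 30 )) -eq 0 ]
}

# valid_name S: succeed only for a user name or host name built from letters,
# digits, '.', '-' and '_', so nothing else can land on the remote command line.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    -*) return 1 ;;   # a leading '-' would be read as an ssh option
  esac
}

# remote_restart_cmd ADMIN HOST HHMM: print the ssh command line, or fail.
remote_restart_cmd() {
  valid_name "$1" && valid_name "$2" && valid_hhmm "$3" || return 1
  echo "ssh -l $1 $2 shutdown -r $3"
}

# power_failure_cmd SECONDS: print the systemsetup command line, or fail.
power_failure_cmd() {
  valid_wait_seconds "$1" || return 1
  echo "sudo systemsetup -setwaitforstartupafterpowerfailure $1"
}

# Constructed placeholder values.
remote_restart_cmd admin server.example.com 2330
power_failure_cmd 60
```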

Shut down computers

To shut down a computer at a specific time, use the shutdown command. For more information, see the shutdown man page.

Shut down a remote computer immediately

Enter the following command in a Terminal window:

$ ssh -l root computer shutdown -h now

Replace computer with the IP address or host name of the remote computer.

Shut down a remote computer at a specific time

Enter the following command in a Terminal window:

$ sudo shutdown -h +mm

Replace mm with the number of minutes until the remote computer shuts down.

Shut down while leaving the computer on and powered

To support UPS restart after power failure, the shutdown command provides the -u option. This option halts system shutdown before the shutdown command instructs the power manager to turn off the power supply. The -u option keeps the system halted and waits for 5 minutes before removing power so an external UPS can forcibly remove power. Using the -u option simulates a dirty shutdown, which allows a later automatic power-on. The operating system uses the -u option with supported UPS devices in emergency shutdowns.

Change a remote computer’s startup disk

You can change a remote computer’s startup disk using SSH.

Determine available startup disks

Log in to the remote computer using SSH, and enter:

$ systemsetup -liststartupdisks

Change the startup disk

Log in to the remote computer using SSH, and enter:

$ sudo systemsetup -setstartupdisk path

Replace path with the path to an available startup disk on the remote computer.

Manipulate firmware NVRAM variables

To manipulate firmware NVRAM variables, use the nvram tool. If you change a value with nvram, the value is saved only if the computer cleanly restarts or shuts down. For more information, see the nvram man page.

View NVRAM variables

$ nvram -p

Overview of DNS setup

If you’re using an external DNS name server and you entered its IP address in the Gateway Setup Assistant, you don’t need to do anything else. If you’re setting up your own DNS server, you must do the following.

Register your domain name

Domain name registration is managed by IANA. IANA registration makes sure that domain names are unique across the Internet. (For more information, see http://www.iana.org.)

If you don’t register your domain name, your network can’t communicate over the Internet.

After you register a domain name, you can create subdomains as long as you set up a DNS server on your network to track the subdomain names and IP addresses.

For example, if you register the domain name example.com, you could create subdomains such as host1.example.com, mail.example.com, or www.example.com. A server in a subdomain could be named primary.www.example.com or backup.www.example.com.

The DNS server for example.com tracks information for its subdomains, such as host (computer) names, static IP addresses, aliases, and mail exchangers.

If your ISP handles your DNS service, you must inform them of changes you make to your domain name, including added subdomains.

The range of IP addresses used with a domain must be clearly defined before setup. These addresses are used exclusively for one specific domain, never by another domain or subdomain. Coordinate the range of addresses with your network administrator or ISP.

Learn and plan

If you’re new to DNS, learn and understand DNS concepts, tools, and features of OS X Server and BIND. See Find more DNS information.

When you’re ready, plan your DNS service. Consider the following questions:

Do you need a local DNS server? Does your ISP provide DNS service? Can you use multicast DNS names instead?

How many servers do you need? How many additional servers do you need for backup DNS purposes? For example, should you designate a second or third computer for DNS service backup?

What is your security strategy to deal with unauthorized use?

How often should you schedule periodic inspections or tests of DNS records to verify data integrity?

How many services or devices (such as intranet websites or network printers) need a name?

There are two ways to configure DNS service on a Mac server:

Use the Server app. This is the recommended method.

Edit the BIND configuration file. BIND is the set of programs used by OS X Server that implements DNS. One of those programs is the “name daemon,” or “named.” To set up and configure BIND, you must change the configuration file and the zone file. The configuration file is /etc/named.conf.

The zone file name is based on the name of the zone. For example, the zone file for example.com is /var/named/example.com.zone.

If you edit named.conf to configure BIND, don’t change the inet settings of the controls statement. Otherwise, the Server app can’t retrieve status information for DNS.

The inet settings should look like this:

controls {
    inet 127.0.0.1 port 54 allow {any;}
    keys { "rndc-key"; };
};

Add forwarding server

When your DNS server cannot resolve a DNS query locally, it can use a forwarding server to handle the query. The DNS server forwards the request to another DNS server that can respond to the DNS query. This can be used across separate subnets and networks.

1. Select your server in the Server app sidebar, and then click DNS.

2. Click Edit next to Forwarding Servers.

3. Click Add (+), and enter the forwarding server's IP address.

You can enter multiple IP addresses.

4. Click OK.

The number of forwarding servers you specified is shown.

Set lookup behavior

Use the Server app to set lookup behavior for clients. Your DNS server can perform lookups for clients on all networks or only specific networks you choose.

1. Select your server in the Server app sidebar, and then click DNS.

2. Select the “Perform lookups for” checkbox.

3. From the “Perform lookups for” pop-up menu, choose “all clients” or “only some clients.”

4. If you choose “only some clients,” you have the following options:

Perform lookups for the server itself:  Performs DNS lookups for your server.

Perform lookups for clients on the local network:  Performs DNS lookups for clients on the same network your server is on.

5. Click Add (+) to enter the IP address of the server or network.

CIDR notation is supported. For more information on CIDR notation, see the CIDR Notation article on Wikipedia.

Add host name and aliases

Use the Server app to add host names and aliases to your DNS server.

1. Select your server in the Server app sidebar, and then click DNS.

2. Click Add (+) below the host names list.

3. In the Host Name field, enter the host name of the computer.

4. Below the IP Addresses list, click Add (+) to enter the IP address of the computer.

If your computer has more than one IP address, you can add multiple IP addresses to the list. You can also add multiple addresses to help with load balancing.

5. Below the Aliases list, click Add (+) to enter aliases for your computer.

You can add as many aliases as you want.

6. If your server provides Mail service, select the “Create an MX record for this host name” checkbox.

The optional MX record specifies that your server is a mail server for your domain. An MX record lets users have an email address such as [email protected]. Without an MX record, email addresses must include your server’s full host name (for example, [email protected]).

7. Click Done.
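For administrators who take the edit-the-BIND-files route instead of the Server app, the same host names, aliases, and MX record look like this in the zone file. This is an added example, not a file generated by OS X Server; the host names and the 192.168.1.x addresses are constructed placeholders.

```conf
; /var/named/example.com.zone  (added example; the zone file name is based on the zone name)
; All 192.168.1.x addresses below are constructed placeholders, not values from the page.
$TTL 86400
$ORIGIN example.com.
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                 2024010101  ; serial: increase it on every edit so secondaries notice the change
                 3600        ; refresh
                 900         ; retry
                 1209600     ; expire
                 86400 )     ; negative-caching TTL

; Name servers for the zone: the primary and its secondary
        IN  NS   ns1.example.com.
        IN  NS   ns2.example.com.

; Equivalent of "Create an MX record for this host name": mail for
; user@example.com is delivered to mail.example.com. Without this record,
; addresses would have to name the host itself (user@mail.example.com).
        IN  MX   10 mail.example.com.

; Host names and their IP addresses (A records)
ns1     IN  A    192.168.1.10
ns2     IN  A    192.168.1.11
mail    IN  A    192.168.1.10
host1   IN  A    192.168.1.20
host1   IN  A    192.168.1.21   ; a second address for the same host (load balancing)

; Aliases (CNAME records) for a host name
www     IN  CNAME host1.example.com.
```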

Start DNS

You can stop or start DNS in the DNS pane of the Server app.

1. In the Server app sidebar, select the service you want to start.

2. Click the On/Off switch to turn on the service.

3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users.

Click Don’t Allow if you don’t want the service to be accessible to computers on the Internet, or if you’re not sure. You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login.

The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device.These services include Calendar, Contacts, Mail, Messages, and Websites.

If you have an Internet router that isn’t listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.

Edit host names and aliases

Use the Server app to change host names and aliases on your DNS server.

1. Select your server in the Server app sidebar, and then click DNS.

2. From the Host Name list, select the computer you want to change, and then select Edit Host Name from the Action pop-up menu (looks like a gear).

3. Make your changes to the DNS information for your server.

4. Click Done.

Remove host names and aliases

Use the Server app to remove host names and aliases from your DNS server.

1. Select your server in the Server app sidebar, and then click DNS.

2. From the Host Name list, select the computer you want to remove and then click Delete (–) below the list.

Use zone transfers to defend against server mining

Server mining is the practice of getting a copy of a complete primary zone by requesting a zone transfer. In this case, a hacker pretends to be a secondary zone to another primary zone and requests a copy of the primary zone’s records.

With a copy of your primary zone, the hacker can see what kinds of services a domain offers and the IP addresses of the servers that offer them. He or she can then try specific attacks based on those services. This is reconnaissance before another attack.

To defend against this attack, specify which IP addresses have permission to request zone transfers (your secondary zone servers) and deny all others.

Zone transfers are accomplished over TCP on port 53. To limit zone transfers, block zone transfer requests from anyone but your secondary DNS servers.

1. Create a firewall filter that permits only IP addresses that are inside your firewall to access TCP port 53.

2. Follow the instructions for configuring firewall rules, using the following settings:

Packet: Allow

Port: 53

Protocol: TCP

Source IP: (the IP address of your secondary DNS server)

Destination IP: (the IP address of your primary DNS server)
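For administrators who configure BIND by hand, the following /etc/named.conf applies the settings from the forwarding, lookup-behavior, and zone-transfer sections above in one file. It is an added example, not the file OS X Server writes; the addresses (192.168.1.0/24 for the intranet, 192.168.1.11 for the secondary server, 203.0.113.53 for the forwarder) are constructed placeholders, and the controls statement is left exactly as the Server app requires.

```conf
// /etc/named.conf  (added example, not the file generated by the Server app)
// All IP addresses below are constructed placeholders.

// Keep this statement unchanged so the Server app can still read DNS status.
controls {
    inet 127.0.0.1 port 54 allow {any;}
    keys { "rndc-key"; };
};
include "/etc/rndc.key";   // assumed to define "rndc-key" (placeholder path)

// Who may ask this server to do recursive lookups on their behalf:
// the server itself plus the local network, written in CIDR notation.
acl "lookup-clients" {
    127.0.0.1;
    192.168.1.0/24;
};

// The secondary DNS server(s): the only hosts allowed to request a zone transfer.
acl "secondaries" {
    192.168.1.11;
};

options {
    directory "/var/named";

    // Forwarding server: queries this server cannot answer locally are sent
    // here first; "forward first" falls back to normal recursion if the
    // forwarder does not answer.
    forwarders { 203.0.113.53; };
    forward first;

    // "Perform lookups for only some clients": anyone may query the zones
    // this server is authoritative for, but recursive lookups are limited
    // to the ACL above.
    allow-query     { any; };
    allow-recursion { "lookup-clients"; };

    // Zone transfers (TCP port 53) are closed by default; each zone may
    // reopen them for its secondaries only.
    allow-transfer { none; };
};

zone "example.com" IN {
    type master;
    file "example.com.zone";              // /var/named/example.com.zone
    allow-transfer { "secondaries"; };    // the defense described above: only the secondary may transfer
    also-notify    { 192.168.1.11; };     // tell the secondary when the serial changes
};
```

The allow-transfer restriction complements the firewall rule in step 2; keeping both means a transfer request is still refused if one of the two controls is misconfigured.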

Set up a VLAN

To set up and manage VLANs, you use the VLAN area of the Network pane of System Preferences.

Be sure that ports used by non-VLAN devices (non-802.1q-compliant) are configured to transmit untagged frames. If a noncompliant Ethernet device receives a tagged frame, it cannot understand the VLAN tag and drops the frame.

Note: The VLAN area of the Network pane is visible only if your hardware supports this feature.

1. Log in to your server as an administrator.

2. Open the Network pane of System Preferences.

3. Choose Manage Virtual Interfaces from the Action pop-up menu (looks like a gear).

4. Click Add (+), and then select New VLAN.

5. In the VLAN Name field, enter a name for the VLAN.

6. In the Tag field, enter a tag (a number between 1 and 4094).

This VLAN tag designates the VLAN ID (VID). Each logical network has a unique VID. Interfaces configured with the same VID are on the same virtual network.

7. Select the Interface.

8. Click Create.

9. Click Done.

Manage Wi-Fi

The Server app can manage an AirPort device to give Internet computers access to selected services, and to let users log in to your wireless network with their name and password. The Server app can manage an AirPort Extreme Base Station (802.11n) or a Time Capsule.

To be managed, your AirPort device must have its Connection Sharing option set to “Share a public IP address” (that is, an Internet connection). The advanced option IPv6 Mode must be set to Tunnel. The “default host” option should also be turned off, which is the default setting.

If you don’t use the Server app to manage your router, you can use the router’s configuration software to protect your server and your intranet. For more information, see this help topic: Router port mapping.

Add or remove public services

You can use the Server app to designate public services that can be accessed by computers on the Internet. OS X Server configures your AirPort device to expose those public services on the Internet. The process of exposing individual services to the Internet is called port mapping or port forwarding. For more information, see this help topic: Port mapping for network and server protection.

1. Select your AirPort device in the sidebar.

The AirPort device is listed in the Hardware section of the sidebar.

2. To expose a service to computers on the Internet, click Add (+) and choose the service from the pop-up menu.

If the service you want to add isn’t listed in the pop-up menu, choose Other, and then enter the service name and port. For a list of services, see this help topic: Services and ports.

Note: Exposing Websites service also exposes Wiki, web calendar, and Profile Manager services.

3. To stop a listed service from accepting connections initiated by computers on the Internet, select the service and click Delete (–).

4. To apply your changes, click Restart AirPort. If asked, enter the password for your AirPort device.

Important: Restarting your AirPort device interrupts its services for all computers on your intranet for up to a minute. AirPort device services may include Internet access, DHCP service, and a shared disk for Time Machine backup or other uses.

When entering the password to authorize restarting the AirPort device, use the password for the device, not the password for your Wi-Fi network. OS X Server remembers this password, so you don’t have to enter it again unless you change it on your AirPort device.

Services that aren’t in the Public Services list can get incoming connections only from the server’s intranet.

Allow user name and password login over Wi-Fi

You can let users log in to your wireless network with their user name and password instead of the Wi-Fi network password. In this case, your server provides Remote Authentication Dial In User Service (RADIUS) for your AirPort device and authorizes all user accounts on the server to access your wireless network. For more information, see this help topic: About RADIUS for AirPort.

1. Select your AirPort device in the sidebar.

The AirPort device is listed in the Hardware section of the sidebar.

2. If you want users to log in to your wireless network with their user account credentials, select “Allow user name and password login over Wi-Fi.”

Important: Your server will lose its connection to the AirPort device, unless the two are connected via a wired Ethernet network.

Don’t select this option if you want to let users log in to your wireless network with the Wi-Fi network password.

You can turn off RADIUS using the AirPort Utility app.

3. To apply your changes, restart your AirPort device by entering its password and clicking Set.

Important: Restarting your AirPort device interrupts its services for all computers on your intranet for up to a minute. AirPort device services may include Internet access, DHCP service, and a shared disk for Time Machine backup or other uses.

When entering the password to authorize restarting the AirPort device, use the password for the device, not the password for your Wi-Fi network. OS X Server remembers this password, so you don’t have to enter it again unless you change it on your AirPort device.

Selecting this option starts RADIUS on your server, registers the selected AirPort device with RADIUS, and authorizes all user accounts on the server to access your wireless network.

Configure LDAP directory access

Using Directory Utility, you can specify how your Mac computer accesses an LDAPv3 directory if you know the DNS host name or IP address of the LDAP directory server.

If the directory is not hosted by a server that supplies its own mappings (such as a Mac server) you must know the search base and the template for mapping OS X data to the directory’s data.

Supported mapping templates are:

Open Directory Server, for a directory that uses the Mac server schema

Active Directory, for a directory hosted by a Windows 2000, Windows 2003, or later server

RFC 2307, for most directories hosted by UNIX servers

The LDAPv3 plug-in fully supports Open Directory replication and failover. If the Open Directory master becomes unavailable, the plug-in falls back to a nearby replica.

To specify custom mappings for the directory data, follow the instructions in Configure access to an LDAP directory manually instead of the instructions here.

Important: If your computer name contains a hyphen, you might not be able to join or bind to a Directory Domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select LDAPv3 and click the Edit (/) button.

8. Click New, then click Edit.

By default, the new directory connection is enabled. For more information about enabling or disabling a directory connection, see Enable or disable directory service.

9. Enter a name in the Configuration Name field.

10. Enter the LDAP server’s DNS host name or IP address in the Server Name or IP Address field.

11. Select “Encrypt using SSL” if you want Open Directory to use Secure Sockets Layer (SSL) for connections with the LDAP directory.

Before you select this, ask your Open Directory administrator to determine if SSL is needed.

If Directory Utility can’t contact the LDAP server, you might need to adjust your configuration access settings. For more information, see Change the connection settings for an LDAP or Open Directory server.

12. Click Search & Mappings.

13. From the “Access this LDAPv3 server using” pop-up menu, choose Open Directory and enter a search base.

Typically, the search base suffix is derived from the server’s DNS host name. For example, the search base suffix could be “dc=ods,dc=example,dc=com” for a server whose DNS host name is ods.example.com.

14. If the directory server supports trusted binding, click Bind and enter the name of the computer and the name and password of a directory administrator.

The binding might be optional.

Trusted binding is mutual; each time the computer connects to the LDAP directory, they authenticate each other. If trusted binding is set up or the LDAP directory doesn’t support trusted binding, the Bind button does not appear. Make sure you supplied the correct computer name.

If you see an alert saying that a computer record exists, try again using a different computer name, or click Overwrite to replace the existing computer record.

The existing computer record might be abandoned, or it might belong to another computer.

If you replace an existing computer record, notify the LDAP directory administrator in case replacing the record disables another computer. In this case, the LDAP directory administrator must give the disabled computer a different name and add it back to the computer group it belonged to.

15. Click Security.

If the LDAP directory requires authentication to connect, select the “Use authentication when connecting” checkbox and enter the distinguished name and password of a user account in the directory.

An authentication connection is not mutual; the LDAP server authenticates the client but the client doesn’t authenticate the server.

The distinguished name can specify any user account that has permission to see data in the directory. For example, a user account whose short name is dirauth on an LDAP server and whose address is ods.example.com would have the distinguished name uid=dirauth,cn=users,dc=ods,dc=example,dc=com.

Important: If the distinguished name or password is incorrect, you can’t log in to the computer using user accounts from the LDAP directory.

16. Click OK to finish creating the LDAP connection.

17. Click OK to finish configuring LDAPv3 options.

Manage LDAP directory access

You can change, duplicate, or delete configuration settings for an LDAP server. If your LDAP server access settings change, you can change them. If you are adding a similar LDAP server that only needs minor connection setting changes, you can duplicate the settings of an existing LDAP connection. If you need to delete an LDAP connection, you can delete it.

Change a configuration for accessing an LDAP directory

You can use Directory Utility to change the settings of an LDAP directory configuration. The configuration settings specify how Open Directory accesses an LDAPv2 or LDAPv3 directory.

If the LDAP configuration is provided by DHCP, you can’t change it, so this type of configuration is dimmed in the LDAP configurations list.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select LDAPv3 and click the Edit (/) button.

8. If the list of server configurations is hidden, click Show Options.

9. Make changes as needed to the following settings:

Enable: Click a checkbox to enable or disable access to an LDAP directory server.

Configuration Name: Double-click a configuration name to edit it.

Server Name or IP Address: Double-click a server name or IP address to change it.

LDAP Mapping: From the pop-up menu, choose a template, enter the search base suffix for the LDAP directory, and click OK.

If you choose a template, you must enter a search base suffix or the computer can’t find information in the LDAP directory. Typically, the search base suffix is derived from the server’s DNS host name. For example, for a server whose DNS host name is ods.example.com, the search base suffix is “dc=ods,dc=example,dc=com.”

If you choose From Server instead of a template, a search base suffix is not needed. In this case, Open Directory assumes the search base suffix is the first level of the LDAP directory.

If you choose Custom, you must set up mappings between the OS X record types and attributes and the classes and attributes of the LDAP directory you’re connecting to. For more information, see Configure LDAP Searches & Mappings.

SSL: Click the checkbox to enable or disable encrypted communications using the SSL protocol. Before you select the SSL checkbox, ask your Open Directory administrator if SSL is needed.

10. To change the following default settings for this LDAP configuration, click Edit to display the options, make changes, and click OK when you're done:

Click Connection to set timeout options, specify a custom port, ignore server referrals, or force use of the LDAPv2 (read-only) protocol. For more information, see Change the connection settings for an LDAP or Open Directory server.

Click Search & Mappings to set up searches and mappings for an LDAP server. For more information, see Set up trusted binding for an LDAP directory.

Click Security to set up an authenticated connection (instead of trusted binding) and other security policy options. For more information, see Change the LDAP connection security policy.

Click Bind to set up trusted binding, or click Unbind to stop trusted binding. (You might not see these buttons if the LDAP directory doesn’t permit trusted binding.) For more information, see Set up trusted binding for an LDAP directory.

11. To finish changing the configuration, click OK.

Duplicate a configuration for accessing an LDAP directory

You can use Directory Utility to duplicate a configuration that specifies how OS X accesses an LDAPv3 or LDAPv2 directory. After duplicating an LDAP directory configuration, you can change its settings to make it different from the original configuration.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select LDAPv3 and click the Edit (/) button.

8. If the list of server configurations is hidden, click Show Options.

9. In the list, select a server configuration, then click Duplicate.

10. Change the duplicate configuration’s settings:

Enable: Click a checkbox to enable or disable access to an LDAP directory server.

Configuration Name: Double-click a configuration name to edit it.

Server Name or IP Address: Double-click a server name or IP address to change it.

LDAP Mapping: Choose a template from the pop-up menu, then enter the search base suffix for the LDAP directory and click OK.

If you choose a template, you must enter a search base suffix or the computer can’t find information in the LDAP directory. Typically, the search base suffix is derived from the server’s DNS host name. For example, for a server whose DNS host name is ods.example.com, the search base suffix is “dc=ods,dc=example,dc=com.”

If you choose From Server instead of a template, a search base suffix is not needed. In this case, Open Directory assumes the search base suffix is the first level of the LDAP directory.

If you choose Custom, you must set up mappings between the OS X record types and attributes and the classes and attributes of the LDAP directory you’re connecting to. For more information, see Configure LDAP Searches & Mappings.

SSL: Click the checkbox to enable or disable encrypted communications using the SSL protocol. Before you select the SSL checkbox, ask your Open Directory administrator if SSL is needed.

11. To change the following default settings for the duplicate LDAP configuration, click Edit to display the options, make changes, and click OK when you’re done:

Click Connection to set up trusted binding (if the LDAP directory supports it), set timeout options, specify a custom port, ignore server referrals, or force use of the LDAPv2 (read-only) protocol. For more information, see Change the connection settings for an LDAP or Open Directory server.

Click Search & Mappings to set up searches and mappings for an LDAP server. For more information, see Set up trusted binding for an LDAP directory.

Click Security to set up an authenticated connection (instead of trusted binding) and other security policy options. For more information, see Change the LDAP connection security policy.

Click Bind to set up trusted binding, or click Unbind to stop trusted binding. (You might not see these buttons if the LDAP directory doesn’t permit trusted binding.) For more information, see Set up trusted binding for an LDAP directory.

12. To finish changing the configuration, click OK.

13. If you want the computer to access the LDAP directory specified by the duplicate configuration you created, add the directory to a custom search policy in the Authentication or Contacts pane of Search Policy in Directory Utility and make sure LDAPv3 is enabled in the Services pane.

For more information, see Enable or disable directory service, and Define search policies.

Delete a configuration for accessing an LDAP or Open Directory server

You can use Directory Utility to delete a configuration that specifies how the computer accesses an LDAPv3 or LDAPv2 directory.

If the LDAP configuration is provided by DHCP, you can’t change it, so this configuration option is dimmed in the LDAP configurations list.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select LDAPv3 and click the Edit button.

8. If the list of server configurations is hidden, click Show Options.

9. In the list, select a server configuration and click Delete, then click OK.

10. Choose from the following:

If you see an alert saying the computer is bound to the LDAP directory and you want to stop trusted binding, click OK and then enter the name and password of an LDAP directory administrator (not a local computer administrator).

If you see an alert saying the computer can’t contact the LDAP server, you can click OK to forcibly stop trusted binding. If you forcibly stop trusted binding, this computer still has a computer record in the LDAP directory. Notify the LDAP directory administrator so the administrator knows to remove the computer from the computer group.

The deleted configuration is removed from the custom search policies for authentication and contacts.

Set up trusted binding for an LDAP directory

You can use Directory Utility to set up trusted binding between the computer and an LDAP directory that supports trusted binding. The binding is mutually authenticated by an authenticated computer record that’s created in the directory when you set up trusted binding.

You can’t configure a computer to use trusted LDAP binding with a DHCP-supplied LDAP directory. Trusted LDAP binding is inherently static, and DHCP-supplied LDAP is dynamic.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.


7. In the list of services, select LDAPv3 and click the Edit button.

8. If the list of server configurations is hidden, click Show Options.

9. In the list, select a server configuration and click Edit.

Several options appear, including the Bind button. If the Bind button doesn’t appear, the LDAP directory doesn’t support trusted binding.

10. Click Bind, enter the following credentials, and then click OK.

Enter the name of the computer and the name and password of an LDAP directory domain administrator. The computer name can’t be in use by another computer for trusted binding or other network services.

11. Verify that you supplied the correct computer name.

If you see an alert saying that a computer record exists, click Cancel to go back and change the computer name, or click Overwrite to replace the existing computer record.

The existing computer record might be abandoned, or it might belong to another computer. If you replace an existing computer record, notify the LDAP directory administrator so that replacing the record doesn’t disable another computer.

If another computer is disabled, the LDAP directory administrator must give that computer a different name and add it back to the computer group it belonged to under the new name.

12. Click OK.

Change the LDAP connection security policy

Using Directory Utility, you can configure a stricter security policy for an LDAPv3 connection than the security policy of the LDAP directory. For example, if the LDAP directory’s security policy permits clear-text passwords, you can set an LDAPv3 connection to not permit clear-text passwords.

Setting a stricter security policy protects your computer from a malicious hacker trying to use a rogue LDAP server to gain control of your computer.

The computer must communicate with the LDAP server to show the state of the security options. Therefore, when you change security options for an LDAPv3 connection, the computer’s authentication search policy should include the LDAPv3 connection.

The permissible settings of an LDAPv3 connection’s security options are subject to the LDAP server’s security capabilities and requirements. For example, if the LDAP server doesn’t support Kerberos authentication, several LDAPv3 connection security options are disabled.

1. Open System Preferences on your computer and click Users & Groups.


2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Search Policy.

7. Click Authentication and make sure the LDAPv3 directory you want is listed in the search policy.

For more information about adding the LDAPv3 directory to the authentication search policy, see Define search policies.

8. Click Services.

9. In the list of services, select LDAPv3 and click the Edit button.

10. If the list of server configurations is hidden, click Show Options.

11. Select the configuration for the directory you want, then click Edit.

12. Click Security and then change any of the following settings.

Note: The security settings here and on the corresponding LDAP server are determined when the LDAP connection is set up. The settings aren’t updated when server settings are changed.

If any of the last four options are selected but disabled, the LDAP directory requires them. If any of these options are unselected and disabled, the LDAP server doesn’t support them.

Use authentication when connecting: Determines whether the LDAPv3 connection authenticates itself with the LDAP directory by supplying the specified distinguished name and password. This option is not visible if the LDAPv3 connection uses trusted binding with the LDAP directory.

Bound to the directory as: Specifies the credentials the LDAPv3 connection uses for trusted binding with the LDAP directory. This option and the credentials can’t be changed here. Instead, you can unbind and then bind again with different credentials. For more information, see Stop trusted binding with an LDAP directory and Set up trusted binding for an LDAP directory. This option is not visible unless the LDAPv3 connection uses trusted binding.

Disable clear text passwords: Determines whether the password is to be sent as cleartext if it can’t be validated using an authentication method that sends an encrypted password.

Digitally sign all packets (requires Kerberos): Certifies that directory data from the LDAP server hasn’t been intercepted and modified by another computer while en route to your computer.

Encrypt all packets (requires SSL or Kerberos): Requires the LDAP server to encrypt directory data using SSL or Kerberos before sending it to your computer. Before you select the “Encrypt all packets (requires SSL or Kerberos)” checkbox, ask your Open Directory administrator if SSL is needed.

Block man-in-the-middle attacks (requires Kerberos): Protects against a rogue server posing as the LDAP server. Best if used with the “Digitally sign all packets” option.


Enable LDAP bind authentication for a user

You can enable the use of LDAP bind authentication for a user account stored in an LDAP directory domain. When you use this password validation technique, you rely on the LDAP server that contains the user account to authenticate the user’s password.

Important: If your computer name contains a hyphen, you might not be able to join or bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.

1. Make sure the Mac computer that needs to authenticate the user account has a connection to the LDAP directory where the user account resides and that the computer’s search policy includes the LDAP directory connection.

For information about configuring LDAP server connections and the search policy, see Configure LDAP directory access.

If you configure an LDAP connection that doesn’t map the password and authentication authority attributes, bind authentication occurs automatically. For more information, see Configure LDAP Searches & Mappings.

2. If you configure the connection to permit clear text passwords, also configure it to use SSL to protect the clear text password while it is in transit.

About Active Directory access

You can configure a Mac to access basic user account information in an Active Directory domain of a Windows 2000 or later server. This is possible because of an Active Directory connector for Directory Utility. This Active Directory connector is listed in the Services pane of Directory Utility.

You do not need to make schema changes to the Active Directory domain to get basic user account information. You might want to change the default access control list (ACL) of specific attributes so computer accounts can read user properties.

The Active Directory connector generates all attributes required for OS X authentication from standard attributes in Active Directory user accounts. The connector also supports Active Directory authentication policies, including password changes, expirations, forced changes, and security options.

OS X supports packet encryption and packet-signing options for all Windows Active Directory domains. This functionality is on by default as “allow.” You can change the default setting to disabled or required by using the dsconfigad command-line tool. The packet encryption and packet signing options ensure all data to and from the Active Directory domain for record lookups is protected.
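As an added example (not part of Apple’s documentation), the POSIX shell audit below parses the Administrative section of `dsconfigad -show` output and flags packet signing or packet encryption that is still at the default “allow” rather than “require”; the `dsconfigad -show` text embedded here is a constructed sample modelled on the real command’s “Key = value” layout, while `-packetsign` and `-packetencrypt` are the tool’s real options.

```shell
#!/bin/sh
# Added example: audit the packet-signing and packet-encryption settings that
# `dsconfigad -show` reports for a Mac bound to Active Directory.
# On a bound Mac:  audit_ad_signing "$(dsconfigad -show)"
# Here a constructed sample stands in for that output so the script runs offline.

# Constructed sample of `dsconfigad -show` output (values are illustrative).
SAMPLE_AD_SHOW='You are bound to Active Directory:
  Active Directory Forest          = example.test
  Active Directory Domain          = example.test
  Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller      = not set
  Allowed admin groups             = not set
  Authentication from any domain   = Enabled
  Packet signing                   = allow
  Packet encryption                = allow
  Password change interval         = 14
  Namespace mode                   = domain'

# Print the value of one "Key = value" line from dsconfigad output;
# prints "missing" when the key is not present at all.
#   $1 = dsconfigad -show text, $2 = key label exactly as printed
ad_setting() {
    printf '%s\n' "$1" | awk -F' = ' -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Audit one dsconfigad -show dump. Prints one finding per option and
# returns 0 only when signing is "require" and encryption is "require"
# (or "ssl", which also protects the channel); returns 1 otherwise.
audit_ad_signing() {
    text="$1"
    rc=0
    sign=$(ad_setting "$text" "Packet signing")
    enc=$(ad_setting "$text" "Packet encryption")

    case "$sign" in
        require) echo "OK   Packet signing = $sign" ;;
        *)       echo "WEAK Packet signing = $sign (fix: dsconfigad -packetsign require)"
                 rc=1 ;;
    esac
    case "$enc" in
        require|ssl) echo "OK   Packet encryption = $enc" ;;
        *)           echo "WEAK Packet encryption = $enc (fix: dsconfigad -packetencrypt require)"
                     rc=1 ;;
    esac
    return $rc
}

# Stand-alone run against the constructed sample: both options are "allow",
# so record lookups to the domain are not yet signed or encrypted by policy.
audit_ad_signing "$SAMPLE_AD_SHOW" ||
    echo "Result: Active Directory record lookups are not fully protected."
```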

The Active Directory connector dynamically generates a unique user ID and a primary group ID based on the user account’s globally unique ID (GUID) in the Active Directory domain. The generated user ID and primary group ID are the same for each user account, even if the account is used to log in to different Mac computers.

Alternatively, you can force the Active Directory connector to map the user ID to Active Directory attributes that you specify.

The Active Directory connector generates a group ID based on the Active Directory group account’s GUID. You can also force the plug-in to map the group ID for group accounts to Active Directory attributes that you specify.

When someone logs in to a Mac using an Active Directory user account, the Active Directory connector can mount the Windows network home folder specified in the Active Directory user account as the user’s home folder. You can specify whether to use the network home specified by Active Directory’s standard home directory attribute or by the home directory attribute of OS X (if the Active Directory schema is extended to include it).

Alternatively, you can configure the plug-in to create a local home folder on the startup volume of the Mac client computer. In this case, the plug-in also mounts the user’s Windows network home folder (specified in the Active Directory user account) as a network volume, like a share point. Using the Finder, the user can then copy files between the Windows home folder network volume and the local Mac home folder.

The Active Directory connector can also create mobile accounts for users. A mobile account has a local home folder on the startup volume of the Mac client computer. (The user also has a network home folder as specified in the user’s Active Directory account.)

A mobile account caches the user’s Active Directory authentication credentials on the Mac client computer. The cached credentials permit the user to log in using the Active Directory name and password when the client computer is disconnected from the Active Directory server.

If the Active Directory schema has been extended to include OS X record types (object classes) and attributes, the Active Directory connector detects and accesses them.

For example, the Active Directory schema could be changed using Windows administration tools to include OS X managed client attributes. This schema change enables the Active Directory connector to support managed client settings made using the Server app.

Mac clients assume full read access to attributes that are added to the directory. Therefore, it might be necessary to change the ACL of those attributes to permit computer groups to read these added attributes.

The Active Directory connector discovers all domains in an Active Directory forest. You can configure the plug-in to permit users from any domain in the forest to authenticate on a Mac computer. Alternatively, you can permit only specific domains to be authenticated on the client.

The Active Directory connector fully supports Active Directory replication and failover. It discovers multiple domain controllers and determines the closest one. If a domain controller becomes unavailable, the plug-in falls back to another nearby domain controller.

The Active Directory connector uses LDAP to access Active Directory user accounts and Kerberos to authenticate them. The Active Directory connector does not use Microsoft’s proprietary Active Directory Services Interface (ADSI) to get directory or authentication services.

Configure Active Directory domain access

Using the Active Directory connector listed in Directory Utility, you can configure a Mac to access basic user account information in an Active Directory domain on a Windows server.

The Active Directory connector generates all attributes required for OS X authentication. No changes to the Active Directory schema are required.

The Active Directory connector detects and accesses standard OS X record types and attributes (such as the attributes required for OS X client management), if the Active Directory schema is extended to include them.

WARNING: With the advanced options of the Active Directory connector, you can map the OS X unique user ID (UID), primary group ID (GID), and group GID attributes to the correct attributes that have been added to the Active Directory schema. However, if you change the settings of these mapping options later, users might lose access to previously created files.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select Active Directory and click the Edit button.

8. Enter the DNS host name of the Active Directory domain you want to bind to the computer you’re configuring.

The administrator of the Active Directory domain can tell you the DNS host name to enter.

9. If necessary, edit the Computer ID.

The Computer ID is the name the computer is known by in the Active Directory domain, and it’s preset to the name of the computer. You might change this to conform to your organization’s established scheme for naming computers in the Active Directory domain. If you’re not sure, ask the Active Directory domain administrator.

Important: If your computer name contains a hyphen, you might not be able to join or bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.


10. (Optional) Set advanced options.

If the advanced options are hidden, click Show Advanced Options and set options in the User Experience, Mappings, and Administrative panes. You can also change advanced option settings later.

11. Click Bind, use the following to authenticate as a user who has rights to bind a computer to the Active Directory domain, select the search policies you want Active Directory added to (see below), and click OK:

Username and Password: You might be able to authenticate by entering the name and password of your Active Directory user account, or the Active Directory domain administrator might need to provide a name and password.

Computer OU: Enter the organizational unit (OU) for the computer you’re configuring.

Use for authentication: Use to determine whether Active Directory is added to the computer’s authentication search policy.

Use for contacts: Use to determine whether Active Directory is added to the computer’s contacts search policy.

When you click OK, Directory Utility sets up trusted binding between the computer you’re configuring and the Active Directory server. The computer’s search policies are set according to the options you selected when you authenticated, and Active Directory is enabled in Directory Utility’s Services pane.

With the default settings for Active Directory advanced options, the Active Directory forest is added to the computer’s authentication search policy and contacts search policy if you selected “Use for authentication” or “Use for contacts.”

However, if you deselect “Allow authentication from any domain in the forest” in the Administrative advanced options pane before clicking Bind, the nearest Active Directory domain is added instead of the forest.

You can change search policies later by adding or removing the Active Directory forest or individual domains. For more information, see Define search policies.


Set up mobile user accounts in Active Directory

You can enable or disable mobile Active Directory user accounts on a computer that is configured to use Directory Utility’s Active Directory connector. Users with mobile accounts can log in using their Active Directory credentials when the computer is not connected to the Active Directory server.


The Active Directory connector caches credentials for a user’s mobile account when the user logs in while the computer is connected to the Active Directory domain. This credential caching does not require changing the Active Directory schema.

If the Active Directory schema is extended to include OS X managed client attributes, those mobile account settings are used instead of the Active Directory connector mobile account setting.

You can have mobile accounts created automatically or you can require that Active Directory users confirm creation of a mobile account.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select Active Directory and click the Edit button.

8. If the advanced options are hidden, click Show Advanced Options.

9. Click User Experience, then click “Create mobile account at login,” and optionally click “Require confirmation before creating a mobile account.”

Note the following:

If both options are selected, each user decides whether to create a mobile account during login. When a user logs in to OS X using an Active Directory user account, or when logging in as a network user, the user sees a dialog with controls for creating a mobile account immediately.

If the first option is selected and the second option is unselected, mobile accounts are created when users log in.

If the first option is not selected, the second option is disabled.

10. Click OK.

Set up home folders for Active Directory user accounts

On a computer that’s configured to use the Directory Utility Active Directory connector, you can enable or disable network home folders or local home folders for Active Directory user accounts.

With network home folders, a user’s Windows network home folder is mounted as the OS X home folder when the user logs in.


You determine whether the network home folder location is obtained from the Active Directory standard homeDirectory attribute or from the OS X homeDirectory attribute, if the Active Directory schema is extended to include it.

With local home folders, each Active Directory user who logs in has a home folder on the OS X startup disk. In addition, the user’s network home folder is mounted as a network volume, like a share point. The user can copy files between this network volume and the local home folder.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select Active Directory and click the Edit button.

8. If the advanced options are hidden, click Show Advanced Options.

9. Click User Experience.

10. If you want Active Directory user accounts to have local home folders in the computer’s /Users folder, click “Force local home folder on startup disk.”

This option is not available if “Create mobile account at login” is selected.

11. To use the Active Directory standard attribute for the home folder location, select “Use UNC path from Active Directory to derive network home location” and then choose from the following protocols for accessing the home folder:

To use the standard Macintosh protocol AFP, choose afp from the “Network protocol to be used” pop-up menu.

To use the standard Windows protocol SMB, choose smb from the “Network protocol to be used” pop-up menu.

12. To use the OS X attribute for the home folder location, deselect “Use UNC path from Active Directory to derive network home location.”

To use the OS X attribute, the Active Directory schema must be extended to include it.

13. Click OK.
