Making Leopard servers simple

Editor’s Note: This story is excerpted from Computerworld. For more Mac coverage, visit Computerworld’s Macintosh Knowledge Center.

Leopard Server, the newest version of Mac OS X Server, sports many updated features. One of the most innovative is a new interface that simplifies server setup and management. This interface is designed primarily for small businesses or small workgroups within a larger organization that need server functionality but don’t have the resources to hire a full-time systems administrator.

This new approach doesn’t offer access to all of Leopard Server’s features, but it does offer an intuitive and easy-to-use interface for some of the most common server needs. Services that are available when using Leopard Server’s new user-friendly simplified setup modes include the following:

Streamlined server setup

The actual install process of Leopard Server is largely the same, regardless of whether or not you want to use the simplified setup modes. The process involves booting the server from the install DVD (or using a second Mac in Target Disk Mode if the server lacks a DVD drive), choosing a language and installation volume (such as hard drive, partition or RAID array), and optionally customizing the install by eliminating additional language translations and printer drivers. The install process can be performed locally on the server or remotely by using the Server Assistant application.

Once the install process is complete, the server reboots and launches Server Assistant, which guides the user through the process of defining the initial server configuration. Again, this can be performed locally or remotely by launching the Server Assistant on any Macintosh running Mac OS X Leopard. Remote installation and setup relies on Secure Shell (SSH) and uses the first eight characters of the server’s hardware serial number as a password, or the numerical sequence 12345678 if there is no serial number. The act of connecting using Server Assistant is similar to previous generations of Mac OS X Server; full documentation accompanies the Leopard Server install DVD.

During initial setup, you will be asked to choose one of three server modes: standard, workgroup or advanced. Standard and workgroup are both examples of the simplified setup. Standard is designed for small organizations that do not have an existing infrastructure. Workgroup is for departments within a company or school that already have an existing infrastructure and network user accounts.

Advanced provides the traditional Mac OS X Server tools (all of which have been updated in Leopard Server) and the full range of functionality, much of which requires a more detailed knowledge of servers and networking as a whole and/or Mac OS X Server as a platform. For this reason, I’ll be focusing mostly on standard and workgroup in the rest of this article.

Once you have chosen either standard or workgroup, you will be asked to provide basic information to configure the server. An easy-to-follow worksheet is included as a PDF file on the install DVD that new users can fill out prior to installation to ensure that all the correct information is included.

Key choices in the setup process are:

  • Language and keyboard layout
  • Mac OS X Server serial number (license key)
  • Setup of the initial server administrator account (the password of which is also set as the root password for the server)
  • Network/Internet configuration for each available Ethernet port
  • Network name, including the name that clients use to identify the server for file sharing as well as the Domain Name System name/address, which can be set by automatic lookup from a DNS server
  • Time zone and network time server
  • Server backup options using Leopard’s Time Machine (Note: Time Machine can only be used to back up Leopard Server in standard and workgroup modes because it is not designed to be an enterprise backup system for larger environments.)
  • Options for e-mail services, including the designation of a specific host to relay outgoing mail (if required by your Internet service provider) and a welcome message for new users
  • The option to enable VPN access
  • The option to allow client computers to use the server as a Time Machine backup location and to designate where backups will be stored
  • Options for setting up the server as an Internet gateway or router

At the end of the setup process, you can create new user accounts. This is optional, and you can skip this step and create them later using the Server Preferences application. Once the interactive setup process is complete, Server Assistant will attempt to verify that all network and related information is accurate. If there are problems with network or Internet connectivity, it will alert you and give you the option to go back and correct them.

Overall, the setup process is as user-friendly as one could expect Apple to make it. Most questions are asked in a straightforward manner, and there is on-screen help available at each step. Some information, particularly regarding network and Internet configurations, may still appear a little intimidating to nontechnical users. But there is little that can be done to avoid that. The included worksheet can help users without technical skills research and record most information ahead of time. Most experienced Mac technicians or power users will have no issues.

One thing that is important to keep in mind is that some DNS configuration may need to be done at the network or Internet provider level, particularly if you plan to offer services through an Internet connection. Again, experienced technicians and power users will probably have few issues with this. Less-experienced computer users, however, may find this to be the most intimidating piece of using Leopard Server, simplified setup or not. If services are not going to be provided beyond a local network, however, these issues may not be relevant.

Standard mode vs. workgroup mode

As I already mentioned, simplified setup is available in both standard and workgroup modes. The setup process and server management are largely the same in both modes. Standard mode is intended for when there is no larger infrastructure present (such as in a single office), while workgroup is designed to integrate with a larger network that contains a directory services infrastructure such as Apple’s Open Directory or Microsoft’s Active Directory.

In a larger networked environment, directory services store shared-user accounts that can be used to log into multiple servers (and often workstations) throughout the network. Most directory services also provide single-sign-on support where users are asked to enter their usernames and passwords only during log-in.

Workgroup mode allows you to “import” user accounts from a directory services system in addition to creating users on the server. You can import individual users from a directory services environment, or you can import all users that are members of groups that exist in the directory.

This import process creates accounts on the server that provide access to services hosted on that server for file sharing, instant messaging, shared calendars, etc. However, the usernames and passwords for these imported accounts are actually managed by the directory services system that they originally came from—Open Directory or Active Directory, in other words. Leopard Server will periodically check to ensure that its password information is synced with the larger directory services framework.

To facilitate functionality with directory services, during setup you will be asked to specify a directory server as well as the username and password of an account that has permission to query the directory server. You will also be asked to choose which services to provide. Finally, in addition to being able to create new accounts, you will also be asked if you want to import accounts from the directory server before completing setup.

Workgroup mode offers an unusual mix of functionality. On the one hand, it does allow users in a larger environment to use the same username and password for a departmental or workgroup server that they do for other services within a network. On the other hand, it also keeps the new server somewhat separate from the larger network in that only a subset of users will be able to log in and access resources hosted by the server.

One situation in which this could be particularly attractive is in a Windows Server/Active Directory environment where only a single department uses Macs. A power user or technician can provide Mac users with server support without the need for exceptional effort on the part of the Windows systems administration staff, which might not have the knowledge or desire to offer much Mac server support. In that situation, server or network managers don’t need to put in a lot of effort to serve users.

It seems a little less practical to implement a workgroup server in an environment where services are being provided by an advanced Mac OS X Server/Open Directory infrastructure or an integrated Active Directory/Open Directory environment. In these cases, it would seem more logical to provide services using Leopard Server’s advanced mode. There are, however, some situations in which workgroup mode might be useful within an Open Directory environment. One possibility is where a satellite office or remote department might not have sufficient technical staffers to set up and manage Mac OS X servers.

Management via Server Preferences

When operating in standard or workgroup mode, Leopard Server is managed using the Server Preferences utility, either locally on the server or remotely on a Mac running Leopard. The design of Server Preferences borrows many elements from the System Preferences utility used in Mac OS X. Server Preferences is divided into sections for managing users and groups, available services and system-level tools.

User management is extremely simple and is, again, almost identical to its counterpart in System Preferences—the Accounts pane in Mac OS X. Four simple tabs allow identification and editing of a user’s account information, contact information, any services that the user is allowed to access and groups to which the user belongs.

When a user is selected in the Accounts pane in Server Preferences, the Accounts tab for that user allows you to perform the majority of administrative tasks, including designating if the user is allowed server administration capabilities. You can also insert a picture used in various places throughout the Mac OS X interface—including the log-in window and iChat instant messenger icon—and reset the user’s password. (Password reset offers an assistant to help choose secure passwords.) Group management is equally simple, with two tabs: one for settings such as group names and enabled services that include a shared folder, mailing and mailing list Web archive, Web calendar and group wiki and blog; and another tab for viewing and modifying group membership.

Service settings are also very simple, and each service includes a large on/off switch for enabling or disabling the service. Configuring file sharing is exceedingly simple and is strikingly similar to the file-sharing portion of Leopard client’s System Preferences Sharing pane.

The iCal Service offers two simple options for limiting the data size used by individual events or whole calendars. iChat, also simple, offers check boxes for automatically creating buddy lists of all users and for enabling communication with external Jabber servers including Google’s GTalk. iChat also allows chat logging and archiving. The Mail service provides an easy-to-use slider and check box for configuring junk mail and virus filtering. This is in addition to outgoing e-mail relay, which is also offered in the setup process.

The Web service offers an option to define a home page for the server. This can either be a page created and stored on the server, or it can be easily set to a wiki page that allows access to all collaborative Web tools. Web services can also enable wikis for groups and can provide Web mail and blogs for users. Each option includes a link to view the appropriate Web service or page in a browser.

The VPN service provides fields for defining the IP address range to be used by VPN clients and is probably the single most complex item in Server Preferences. There’s an option for changing and viewing the service’s shared secret that is used to establish trust and encryption keys with clients, and a button creates a file that can be used to automatically configure Mac OS X access to the VPN server. (Note: Shared secret is where both the client and server possess a shared string of characters to establish trust between them and then generate an encryption key.)

Standard mode supports only shared secrets for securing VPN access and supports only the Layer 2 Tunneling Protocol (L2TP) for connections.

The System section of Server Preferences includes three items that display information about the server. Information shows licensing data, IP address, and file sharing and DNS names. The Logs section, the least user-friendly part of Server Preferences for novice administrators, provides access to the various service logs available for standard and workgroup mode services. This includes some of the traditional Mac OS X Server directory services logs.

Graphs provides visual representations of various server states such as CPU usage, network traffic and disk space. This is similar to what can be found in Server Admin when working in advanced mode and in previous Mac OS X Server versions.

Two final items complete the System section and Server Preferences: Time Machine and Firewall. As you might expect, Time Machine defines whether Leopard clients can use the server as a backup location in Leopard’s Time Machine backup application.

When configuring their access to a server running in standard mode, users can opt to not use an available server as a backup location for Time Machine. In that case, they can select an external hard drive as a backup location or simply not back up using Time Machine at all. Administrators can also specify which hard drive on the server will store backups and whether clients should back up Mac OS X system files or only user data.

Firewall provides a basic interface to the firewall in Leopard Server, which operates as an adaptive firewall under standard and workgroup modes. The interface is extremely basic—even more so than on Leopard clients. It only allows selection of the available services along with remote management using SSH or Apple Remote Desktop to be used in creating firewall rules.

More complex firewall rules involving access to the server over specific ports or from specific IP addresses or address ranges are not available, though it is possible to configure the Unix IPFW firewall that comes bundled with Leopard Server from the command line if you want to create more complex firewall rules.
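The kind of per-source rule that Server Preferences cannot express, sketched here as an added example that is not from the article or from Apple's documentation: SSH and Apple Remote Desktop limited to one admin subnet. The subnet, the 2000-2050 rule numbers and the dry-run `APPLY` switch are assumptions, and the ARD ports are the commonly documented ones (TCP 5900 and 3283, UDP 3283).

```shell
#!/bin/sh
# Added example: restrict the two remote-management services named in
# the article (SSH, Apple Remote Desktop) to one admin subnet via ipfw.
# Constructed values: ADMIN_NET and the 2000-2050 rule numbers are
# placeholders; choose numbers that sort before any broader allow
# rules already loaded on the server (inspect with `ipfw list`).

ADMIN_NET="${ADMIN_NET:-192.168.10.0/24}"

# Accept only a dotted-quad address with an optional /1../32 prefix.
# "any" or a /0 prefix would quietly turn the allow rules into
# allow-from-everywhere, so both are rejected.
valid_net() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([1-9]|[12][0-9]|3[0-2]))?$'
}

# Print one ipfw rule body per line. ipfw walks rules in ascending
# number order and stops at the first match, so every allow is
# numbered below the deny covering the same port. "log" records the
# rejected attempts when firewall logging is enabled.
build_rules() {
    net="$1"
    if ! valid_net "$net"; then
        echo "refusing to build rules for source '$net'" >&2
        return 1
    fi
    cat <<EOF
add 2000 allow tcp from $net to me 22
add 2010 deny log tcp from any to me 22
add 2020 allow tcp from $net to me 5900,3283
add 2030 allow udp from $net to me 3283
add 2040 deny log tcp from any to me 5900,3283
add 2050 deny log udp from any to me 3283
EOF
}

# Dry run by default: print the commands for review. With APPLY=1,
# run as root on a host that has ipfw, the rules are loaded instead.
apply_rules() {
    rules=$(build_rules "$1") || return 1
    printf '%s\n' "$rules" | while read -r rule; do
        if [ "${APPLY:-0}" = "1" ] && command -v ipfw >/dev/null 2>&1; then
            ipfw -q $rule    # unquoted on purpose: split into arguments
        else
            echo "ipfw $rule"
        fi
    done
}

apply_rules "$ADMIN_NET"
```

Rules added this way live only in the running firewall, so they need to be reloaded after a restart and rechecked after any change made through the server's own firewall settings.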

All in all, Server Preferences is simple, intuitive and user-friendly. More importantly, it does help manage Leopard Server for basic use. It would, however, be nice if Apple had provided some more extensive graphical user interface firewall administration, such as what is available using IPFW from the command line or the options available to Leopard Server running in advanced mode.

In addition to Server Preferences, a Dashboard widget provides easy monitoring of the server. Like Server Preferences, it can run on the server itself or, more practically, on any Leopard-based Mac that can access the server. The widget includes the current status of each service; the total number of Web hits and iCal events; and the number of user connections for the file sharing, iChat, Mail and VPN services. Simple graphs for CPU usage, network load and disk space usage are also available. The widget makes monitoring the server extremely convenient and is as user-friendly as Server Preferences itself.

Connecting clients

Leopard introduces the ability for Mac OS X to attempt to locate Open Directory running on servers. The Open Directory servers need to be operating in standard mode using Apple’s zero-configuration Bonjour networking feature. When Macs running Leopard start up, they will automatically detect servers that are located on the local network or subnet and then launch Directory Utility. Directory Utility, in turn, will ask the user if he wants to configure his Mac to use services provided by the server.

If the answer is yes, the user is asked for the username and password of an account created for him on the server and the administrator password for the Mac. After verifying both passwords, the server account password will be updated to match the user’s local account password. The user will then have the option of allowing the server to automatically configure the relevant applications (such as Mail, iChat or Time Machine) to access resources on the server.

Note: Removing a standard server from Directory Utility will remove the ability for the user to update passwords and information in Leopard’s new Directory application. But the removal will not erase configurations for resources accessed by other applications such as Mail and iCal.

When importing users from a directory server in workgroup mode, an invitation e-mail is generated and sent to each user’s e-mail account. The e-mail asks users to access the server and includes a button to automatically configure the appropriate applications to access the server’s resources.

Pre-Leopard Mac OS X clients and Windows clients can use many Leopard Server resources, including file and printer sharing, e-mail, instant messaging using iChat under Mac OS X Tiger or another Jabber-compliant client, VPN, shared calendars, and collaborative Web tools such as blogs and wikis. Sharing calendars requires a CalDAV-compliant tool, which does not include pre-Leopard versions of Apple’s iCal.

Auto-configuration of applications such as Apple’s iChat, iCal and Mail to access services is not available for earlier Mac OS X versions or Windows. These applications can, however, be manually configured. VPN access for Mac OS X Panther and Tiger clients can be automated by using configuration files generated from the server.

Differences from traditional Mac OS X server administration

There are some distinct differences between Leopard Server’s simplified standard and workgroup modes and the more traditional and robust advanced mode. Perhaps the most significant difference is that accounts created in the simplified modes operate somewhat differently than other Open Directory user accounts. When a user configures a Mac to access a standard or workgroup server, the local user account is paired with his account on the server. But the user’s home folder and other account information continue to be stored on the local Mac and not on the server.

Also, as mentioned earlier, when operating in workgroup mode, Leopard Server does not write major account information such as usernames or passwords to a directory server. Instead, it creates an account that mirrors the existing network account and simply manages the attributes required to provide services.

Furthermore, several Leopard Server features are unavailable in standard and workgroup modes, and those that are available may function somewhat differently to allow easier administration. One example is the VPN service, which can operate only with one VPN protocol (L2TP) and which must use shared secrets.

This is instead of the more robust use of security certificates available in advanced mode. Another example is that although Mac and Windows file sharing is supported (using the Apple Filing and Server Message Block protocols, respectively), other file services such as the Network File System in Unix are not.

For the most part, these differences aren’t likely to be of concern to users wishing to set up a server quickly and easily. Users familiar with previous versions of Mac OS X Server, however, should familiarize themselves with some of the changes by reading the “Getting Started” document that accompanies Leopard Server. More importantly, users who begin with the simplified setup and then switch to advanced mode should make sure that they thoroughly understand the functionality of advanced mode and the differences between it and the simpler set-up options.

Moving to advanced mode

It is possible and relatively simple to move from standard or workgroup mode to advanced mode. However, the process is a one-way street. Once Leopard Server is placed in advanced mode, it can’t be reverted without reinstalling or restoring from a backup. This makes sense when you consider that there are several configuration changes that can be made in various advanced administration tools that can’t be adjusted in Server Preferences.

All that’s required to change modes is launching the Server Admin application, which is used in advanced management, and connecting to the server. After authenticating with an administrator account, you’ll be warned that Server Admin is not intended to manage servers in standard or workgroup mode. And you’ll be given the option to convert the server to advanced mode. After conversion, the services that were configured in standard or workgroup mode remain configured and available, as do any existing user accounts.

Overall impressions

As an experienced Mac OS X server administrator, I was very curious as to whether Apple would really be able to pull off a very simple interface to Leopard Server. Overall, I have to say that Apple did it. The simplified set-up process is easy, provided you have all the requisite information ahead of time. Server Preferences is also incredibly intuitive and easy to operate.

Anyone with an understanding of home networking concepts should be successful in configuring and managing most services. Making full use of Internet services beyond a local network—such as setting up e-mail, external Web site access and VPN, and integration of iChat Server with outside Jabber networks including Google’s GTalk—does require a certain level of understanding of DNS and related Internet technologies.

Experienced administrators are likely to find the simplified set-up options limited and, as mentioned above, might even find the ways Apple has implemented account management a little jarring. That said, the product does a pretty good job of walking the fine line between being easy to use and providing needed services.

Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. In addition to writing for Computerworld, he is a frequent contributor to InformIT.com. Faas was also co-author of Essential Mac OS X Panther Server Administration (O’Reilly Media Inc., 2005). You can find more information about Faas, his consulting services and recently published work at www.ryanfaas.com.