Tiny Deathstars of Foulness

In DNS, recursion references the process where a name server will make DNS queries to other name servers on behalf of client systems. Most name servers are simply DNS clients that cache information for a specified amount of time. Recursion is disabled by default on most name servers. In Mac OS X recursion is enabled for subnets local to the server only.
In environments where you wish to provide recursive queries you can enable recursion by opening Server Admin, clicking on the disclosure triangle for the server you will be configuring and then clicking on the DNS service. From here, click on the Settings icon in the Server Admin toolbar and then in the section for Accept recursive queries from the following networks you would click on the plus sign (+). In this field provide the IP address or netmask that you would like to enable recursion for. For example, if you’re enabling recursion for all computers on the subnet and the subnet mask for those clients is then you would enter:
This will allow recursion for those clients by updating the /etc/dns/ file. Alternatively you can edit the setting by hand yourself, but don’t do so using the /etc/dns/ file or you could introduce instability into the DNS service and Server Admin could overwrite your settings. Rather, edit the /etc/named.conf file. In named.conf add the following line in the options section:
allow-recursion {;};
Overall, this is a fairly straight forward technical note, but there is an underlying theme that Apple is doing a really good job of leveraging an include methodology with regards to configuration files. Inside the /etc/named.conf, also in the options section, you’ll notice that there is a line that begins with include and specifies the path of the Server managed file, which uses the word apple at the end of it. This is mirrored in zone files as well. While not all open source services use this method for allowing different configurations in the GUI and the command line, I hope they all will at some point.

September 29th, 2009

Posted In: Mac OS X Server

Tags: , , , , , ,

You have a fairly large Open Directory environment and you go to add the 33rd replica but you get a funny error that dserr doesn’t have listed. The reason is likely that a single Open Directory Master can only have 32 replicas. However, you can have 32 replicas on each replica (thus having a replica tree), ergo allowing for a total of 1,024 replicas and a master. So rather than bind that 33rd replica to a master, move to a replica tree model, trying to offload replicas in as geographically friendly a fashion as possible (thus reducing slap traffic on your WAN links) by repositioning replicas per site. Similar to how Active Directory infrastructures often have a global catalog at each site, if you’ve got a large number of Open Directory Replicas then you should likely try and limit the number that connects back to each master per site to 1.

Assuming that each replica can sustain a good 350 clients on a bad day (and we always plan for bad days), even the largest pure Mac OS X deployments will have plenty of LDAP servers to authenticate to. However, you’re likely going to have issues with clients being able to tell which Open Directory server is the most appropriate to authenticate through. Therefore, cn=config will need to be customized per group that leverages each replica, or divert rules used with ipfw to act as a traffic cop. Overall, the replica trees seem to be working fairly well in Snow Leopard, netting a fairly scalable infrastructure for providing LDAP services.

You can also get pretty granular with the slurpd (the daemon that manages Open Directory replication) logs by invoking slurpd with a -d option followed by a number from 4 to 65535, with intensity of logs getting more as the number gets higher. You can also use the -r option to indicate a specific log file. If you have more than 32 replicas then it stands to reason that you also have a large number of objects in Open Directory, a fair amount of change occurring to said objects and therefore a fair amount of replication IO. In order to offload this you can move your replication temp directory onto SSD drives, by specifying the -t option when invoking slurpd.

The slurpd replication occurs over port 389 (by default). Therefore, in a larger environment you should be giving priority to network traffic. If you choose to custom make/install slurpd then you’ll also need to go ahead and build your Kerberos principles manually. In this case you would get a srvtab file for the slurpd server and then configure slapd to accept Kerberos Authentication for slaves. Having said this, I haven’t seen an environment where I had to configure slurpd in this fashion.

September 28th, 2009

Posted In: Mac OS X Server, Unix

Tags: , , , , ,

The term Adaptive Firewall can mean a lot of things to a lot of people. In Mac OS X Server it means that if you attempt to logon with an inappropriate password 10 times that a dynamic rule will be created blocking access for the computer that access was attempted from for 15 minutes. After 15 minutes the dynamic rule will be removed from the server. To see the number of Dynamic Rules running on a server, look at the Firewall services Overview tab, or Active Rules. There’s not a timer but it’s pretty easy to see which IPs are blocked. I’ve found it doesn’t always clear out after 15 minutes. If not, then create a new rule and let ipfw flush the rules and any Dynamic Rules should disappear.

September 27th, 2009

Posted In: Mac OS X Server, Mac Security

Tags: , , , ,

If you’ve been upgrading Xsan from version to version without doing a nuke + pave of your volume then you might still not be using extended attributes. Instead you might still be using ._ files, or AppleDouble files. Apple has a script included with Xsan, dotclean, which will go ahead and perform the conversion, although it does take awhile to run according to how many files you have. In order to kick it off, first unmount the volume for all except the controller that will do the conversion. Next, simply open Xsan Admin, click on Volumes and then the volume you wish to enable it for. From here, click on the gear icon and then under Extended Attributes click on Enable on this Volume. This will invoke dotclean.

To do so programatically, Apple has included a shell script in the /user/share/servermgrd/bundles/servermgr_xsan.bundle/Contents/Resources directory. From here, simply run the shell script with a single positional parameter of the volume name. For example, if the volume were called MyVolume:

./ /Volumes/MyVolume

September 26th, 2009

Posted In: Mac OS X, Mac OS X Server, Xsan

Tags: , , , ,

I’m a geek, I can’t help it. The Houseport USB Z-Wave Adapter can control 230 devices, set the level of lights that have dimmers, time lighting controls and garage door openers and maintain the actual Z-Wave mesh network. So how could I not be interested?!?! The Wayne Dalton Houseport software and Z-Wave adapter were announced some time ago. Betas went out and got our appetites wet. I have been sitting by my phone waiting for them to call and tell me I can buy it for months! Now, you can finally buy the Houseport software and adapter at and you can download the manual at The PC version is the Wayne-Dalton WDUSB-10R HomeSettings Controls USB Adapter for PC.

Houseport in Action

Houseport in Action

For those unfamiliar with Z-Wave, it’s home automation gear and corresponding software. You can control the HVAC in your home, Wayne-Dalton WDTC-20 HomeSettings Controls Thermostat, the Intermatic HA04C Home Settings Wireless Heavy-Duty Outdoor Lighting Module for outdoor lighting (ie – those darn Christmas lights you forget to unplug in the mornings), GE 45605 Z-Wave Technology Duplex Receptacle the inwall power outlets, Screw in Module for screwing into those sockets you can’t otherwise Z-Wave enable and of course, there’s the HomeSettings In-Wall Switch/Dimmer (300W) and other dimmers for controlling indoor lighting (make sure you know how your place is wired, this has been a sore point with me with 3-way vs. 4-way, etc).

You can also control the Garage Door with Wayne-Dalton 3018Z Classic Drive Opener with Z-Wave and even small appliances Wayne-Dalton 3018Z Classic Drive Opener with Z-Wave and even lamps with Wayne-Dalton HA-03WD HomeSettings Lamp Module. The latest addition to the Z-Wave offerings is the Schlage LiNK line, which includes Schlage LiNK Wireless Keypad Deadbolt Starter Kit System that can be used to Z-wave enable the locks on the doors in your home.

Control doesn’t have to just be automated. You can also have control over things respond to events. For example, using the Hawking Technologies Z-Wave Sensors Homeremote Wireless Motion Detector you can have preset lighting or turn on the stereo when someone walks into a room. You can use Z-Wave as a bit of a personal monitoring system using cameras such as Hawking HomeRemote Pro HRPC2 Wireless Video Camera with Night Vision and there are even products that allow for voice activation of systems. Not that control needs to all flow through the computer. You can also get a GE 45608 Home Theater Remote with Z-Wave Lighting Control, which allows you to control a number of Z-Wave enabled devices and the home stereo.

Finally, my favorite part of Z-Wave has been that it’s a wireless mesh network. You install devices and they mesh with the existing network of devices in the home. My least favorite part of Z-Wave is that it’s a zero config wireless mesh network. If devices are not compatible with the controller it can throw the whole network into a tailspin. What I’ve done in those cases is sell the gear I bought on Craigslist and buy something else…  It’s annoying, but there’s not a great compatibility system out there (theoretically it should all be compatible but hey, it’s technology, that’s a friggin’ pipe dream as most of you likely already know). Most Z-Wave controllers that run on computers have been a little difficult to configure; however, Houseport for the Mac couldn’t be easier. Enjoy!!!

For more on Z-Wave overall, check out their wikipedia page.

September 25th, 2009

Posted In: Business, Home Automation, Mac OS X

Tags: , , ,

The build_hd_index process is spiking! What to do?!?! In an Xsan
environment where you have a number of clients and Apple Remote Desktop is running on an administrative computer, the Application Usage Data and User Accounting Data collectors can cause the build_hd_index process to run more often than is needed (okay so spiking is a bit extreme but a dropped frame once every couple of days is the end of the world to some people), especially in cases where you don’t actually use the collected data for business intelligence. If you do a Get Info on a computer in Remote Desktop you can uncheck Collect Application Usage Data and Collect User Accounting Data, which will free it all up. Here’s the trickeration (too much ESPN, sorry about that), you have to do this on all computers that run Remote Desktop since it’s the app that stores the settings.

September 25th, 2009

Posted In: Mac OS X, Mac OS X Server, Mass Deployment

Tags: , , ,

The videos for the MacSysAdmin conference are now up, along with sweet pictures of all the speakers wearing foam Snow Leopard hats:

September 25th, 2009

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, VMware

Tags: , , ,

I once denied someone’s request to add me as a friend on Facebook and got an earful about how they bought one of my books and couldn’t believe I would be so rude, etc. Since then I’ve been an open networker on most of the social networks. It’s kinda’ weird sometimes to listen to people talk about how they keep track of their friends through feeds when I have too many to keep track of, but the tools continue to become more sophisticated and I’m getting closer to be able to do so.

Having said that, there is a new thing I’ve been noticing recently. Someone adds you as a friend and then tags you in a photo that you’re not in. Perhaps its a photo where they’ve added your profile picture or your name for a character from a comic book or video game. There’s really no reason for them to do this. You click on their profile and they have thousands of friends and have posted hundreds of these things, perhaps too many to do by hand. Wondering why they’re doing it I browse around their profile, looking for links or something to explain why – but nothing…

Most spam that we get is for someone to make a buck off a product. Maybe they’re selling Viagra, maybe it’s someone trying to get you to wire them money so they can send you that $10,000,000 check that only you can cash or maybe it’s for some seedy website. Either way they want you to do something that results in payment being made to them through some fashion. This is different. It’s people just posting weird collages of other people’s profile pictures and then tagging 16 to 20 people. But there’s no apparent financial gain. It’s confusing to me… Why do it?

The only fix I can think of is to de-friend them and/or just untag the photos. But now I feel the need to track them and try and figure out what the point is, or whether there is a point…

September 25th, 2009

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , ,

The first sessions for MacIT have been announced at the talk I will be giving posted on

In addition, the HandsOn talk I will be giving has been posted at

If you only plan on attending the expo then if you register today it’s free! If you plan on attending the sessions then you may have a little more time than deciding today. Either way, you can register for either at the registration page.

September 24th, 2009

Posted In: Mac OS X Server, public speaking

Now that Mac OS X Server 10.6 has been out for a little while and the new features have able to sink in a bit, it seems like a good time to lay out what those new features are. While on the outside Mac OS X Server 10.6 has been described as a minor update outside of the whole 64-bit thing, it’s worth noting that it sports about as many new features as every version of Mac OS X Server that it follows. These include:

  1. NetRestore has been integrated with System Image Utility to facilitate easier creation of NetRestore NetBoot sets, allowing for asr-based restores (asr has not been given a GUI though)
  2. There’s now an option to enable and disable directory services binding discovery on servers
  3. Wide Area Bonjour support in the DNS service
  4. Mobile Access service has been added which allows you to proxy incoming connections for all the included groupware services through the server
  5. Push Notification service has been added to enhance iPhone integration with Mac OS X Server
  6. The mail server now uses Dovecot, which now has a GUI option in Server Admin and Server Preferences for relaying outgoing mail through a separate SMTP server
  7. Podcast Producer got a pretty big overhaul in Podcast Producer 2, making workflows easier to be created and managed with an assistant and making the server itself much easier to set up with another assistant
  8. Podcast Producer has been integrated ever-so-slightly with Final Cut Server workflows
  9. New 802.1x features in networksetup
  10. New command, mcxrefresh, used for refreshing managed preferences on clients
  11. Users now have a splash page that allows for a number of fairly self-service options including setting up easy-to-use mail rules
  12. A lot of GUI logic has been added; for example, when you promote to an Open Directory Master Server Admin checks existing bindings and if they are present provides a different prompt; also the toolbar in Directory Utility was cleaned up and DHCP supplied LDAP mysteriously removed
  13. You can use Server Preferences and the Server Admin/Workgroup Manager pseudo-interchangeably rather than switching between Standard, Workgroup and Advanced (that whole idea died with 10.5)
  14. GUI iChat Server federation to allow for multiple iChat servers for an organization
  15. Client & Server updates most likely to impact Server admins more than users:
  • You can now move journaling to a dedicated drive (ie – SSD) to offload potential IO performance bottlenecks
  • Directory Utility was moved to CoreServices and can now be accessed through the Accounts System Preference pane
  • Hard drive spaces now reported more accurately, changing the game in capacity planning for all those Nagios/Zenoss hooha’s

There’s also more, which I’ll write up as I get some of the details sorted out. If there’s a glaring omission please feel free to drop it into a comment!  🙂

Looking at the difference between 10.5 Server and 10.6 it seems this is a similar enhancement in terms of the number of new features. Some are more subtle but will allow for more agile development of features in subsequent releases.

September 24th, 2009

Posted In: Mac OS X Server

Tags: , , , ,

Next Page »