192.168.0.0/24
allow-recursion {192.168.0.0/24;};
You have a fairly large Open Directory environment and you go to add the 33rd replica, but you get a funny error that dserr doesn’t have listed. The reason is likely that a single Open Directory Master can only have 32 replicas. However, each replica can itself have 32 replicas (giving you a replica tree), which allows for a total of 1,024 replicas and a master. So rather than binding that 33rd replica to the master, move to a replica tree model, offloading replicas in as geographically friendly a fashion as possible (thus reducing slapd traffic on your WAN links) by repositioning replicas per site. Similar to how Active Directory infrastructures often have a global catalog at each site, if you’ve got a large number of Open Directory replicas then you should try to limit the number that connects back to the master to one per site.
Assuming that each replica can sustain a good 350 clients on a bad day (and we always plan for bad days), even the largest pure Mac OS X deployments will have plenty of LDAP servers to authenticate against. However, you’re likely going to have issues with clients being able to tell which Open Directory server is the most appropriate one to authenticate through. Therefore, cn=config will need to be customized for each group of clients that uses a given replica, or divert rules with ipfw can be used to act as a traffic cop. Overall, replica trees seem to be working fairly well in Snow Leopard, netting a fairly scalable infrastructure for providing LDAP services.
You can also get pretty granular with the slurpd (the daemon that manages Open Directory replication) logs by invoking slurpd with a -d option followed by a number from 4 to 65535, with the logging becoming more verbose as the number gets higher. You can also use the -r option to point at a specific log file. If you have more than 32 replicas then it stands to reason that you also have a large number of objects in Open Directory, a fair amount of change occurring to those objects and therefore a fair amount of replication I/O. To offload this you can move your replication temp directory onto SSD drives by specifying the -t option when invoking slurpd.
slurpd replication occurs over port 389 (by default). Therefore, in a larger environment you should be giving that network traffic priority. If you choose to build and install slurpd yourself then you’ll also need to go ahead and create your Kerberos principals manually. In this case you would get a srvtab file for the slurpd server and then configure slapd to accept Kerberos authentication for slaves. Having said this, I haven’t seen an environment where I had to configure slurpd in this fashion.
The term Adaptive Firewall can mean a lot of things to a lot of people. In Mac OS X Server it means that if you attempt to log on with an incorrect password 10 times, a dynamic rule will be created blocking access for 15 minutes from the computer the attempts came from. After 15 minutes the dynamic rule will be removed from the server. To see the number of dynamic rules running on a server, look at the Firewall service’s Overview tab, or Active Rules. There’s no timer shown, but it’s pretty easy to see which IPs are blocked. I’ve found it doesn’t always clear out after 15 minutes. If not, then create a new rule and let ipfw flush the rules, and any dynamic rules should disappear.
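To make the behaviour above concrete, here is an added example (not code from the original post or from Apple) that models the dynamic-rule logic in Python: it replays a constructed log of login attempts, creates a timed block after the 10th failure from a source, and has an explicit expire step for the case the post describes where rules linger past 15 minutes. The log line layout, the IP addresses and the assumption that the failure counter restarts once a rule exists are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 10                   # failed logins before a dynamic rule is created
BLOCK_DURATION = timedelta(minutes=15)   # how long a dynamic rule lives


def parse_ts(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS' timestamps used in the constructed log."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class AdaptiveFirewall:
    """Model of the dynamic-rule behaviour: count failures per source IP,
    add a timed block rule at the threshold, drop it when the time is up."""

    def __init__(self):
        self.failures = defaultdict(int)  # ip -> failed logins since the last rule
        self.rules = {}                   # ip -> datetime at which the rule expires

    def is_blocked(self, ip, when):
        expiry = self.rules.get(ip)
        return expiry is not None and when < expiry

    def record_failure(self, ip, when):
        """Count one failed login; return True if it created a dynamic rule."""
        if self.is_blocked(ip, when):
            return False                  # already blocked, no new rule
        self.failures[ip] += 1
        if self.failures[ip] >= FAILURE_THRESHOLD:
            self.rules[ip] = when + BLOCK_DURATION
            self.failures[ip] = 0         # assumption: the counter restarts once a rule exists
            return True
        return False

    def expire(self, when):
        """Remove rules whose 15 minutes are up; returns the IPs that were unblocked.
        This is the housekeeping the post says does not always happen on its own."""
        stale = sorted(ip for ip, expiry in self.rules.items() if when >= expiry)
        for ip in stale:
            del self.rules[ip]
        return stale

    def active_rules(self, when):
        """IPs whose dynamic rule is still in force at the given time."""
        return sorted(ip for ip in self.rules if self.is_blocked(ip, when))


def replay(log_text):
    """Run constructed '<date> <time> <ip> <FAIL|OK>' lines through the model.
    Returns the firewall state and the (ip, time) of every rule that was created."""
    fw = AdaptiveFirewall()
    created = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, ip, result = line.split()
        when = parse_ts(f"{date} {time}")
        if result == "FAIL" and fw.record_failure(ip, when):
            created.append((ip, when))
    return fw, created


# Constructed sample log (not real server output): 10.0.0.5 fails ten times in
# ten seconds and should be blocked; 10.0.0.9 fails three times and should not.
SAMPLE_LOG = "\n".join(
    [f"2009-10-01 08:00:{s:02d} 10.0.0.5 FAIL" for s in range(10)]
    + [f"2009-10-01 08:01:{s:02d} 10.0.0.9 FAIL" for s in range(3)]
    + ["2009-10-01 08:01:30 10.0.0.9 OK"]
)

if __name__ == "__main__":
    fw, created = replay(SAMPLE_LOG)
    print("rules created:", created)
    print("blocked at 08:02:00:", fw.active_rules(parse_ts("2009-10-01 08:02:00")))
    print("expired at 08:20:00:", fw.expire(parse_ts("2009-10-01 08:20:00")))
    print("blocked at 08:20:00:", fw.active_rules(parse_ts("2009-10-01 08:20:00")))
```

The rule for 10.0.0.5 is created on its tenth failure at 08:00:09 and expires at 08:15:09; calling expire at 08:20 returns that IP and empties the active list, which is the state you would expect to see in Active Rules once the server has cleaned up.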
If you’ve been upgrading Xsan from version to version without doing a nuke + pave of your volume then you might still not be using extended attributes. Instead you might still be using ._ files, or AppleDouble files. Apple includes a script with Xsan, dotclean, which will go ahead and perform the conversion, although it does take a while to run depending on how many files you have. To kick it off, first unmount the volume on every client except the controller that will do the conversion. Next, simply open Xsan Admin, click on Volumes and then the volume you wish to enable it for. From here, click on the gear icon and then under Extended Attributes click on Enable on this Volume. This will invoke dotclean.
To do so programmatically, Apple has included a dotclean_wrapper.sh shell script in the /usr/share/servermgrd/bundles/servermgr_xsan.bundle/Contents/Resources directory. From here, simply run the shell script with a single positional parameter of the volume path. For example, if the volume were called MyVolume:
./dotclean_wrapper.sh /Volumes/MyVolume
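Before and after running the conversion it helps to know how many AppleDouble sidecars a volume actually holds and whether any will be left behind. The following is an added Python example, not Apple’s dotclean or dotclean_wrapper.sh and not part of the original post: it walks a tree, checks each ._ file for the AppleDouble magic number (0x00051607), and separates sidecars that still have their data file from orphaned ones and from stray files that merely start with ._. The sample tree it builds under a temp directory is constructed for the example; point audit_appledouble at /Volumes/MyVolume (or any path) to audit a real volume. The audit is read-only.

```python
import os
import struct
import tempfile

APPLEDOUBLE_MAGIC = 0x00051607     # first four bytes of every AppleDouble file
APPLEDOUBLE_VERSION = 0x00020000   # header version used by AppleDouble v2


def is_appledouble(path):
    """True if the file begins with the AppleDouble magic number."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return False
    return len(head) == 4 and struct.unpack(">I", head)[0] == APPLEDOUBLE_MAGIC


def audit_appledouble(root):
    """Walk a volume and sort every '._' file into one of three buckets:
    paired   - a sidecar whose data file sits beside it (what the conversion folds in)
    orphaned - a sidecar whose data file is gone
    bogus    - a '._' file without the AppleDouble header, so not a sidecar at all
    Nothing on the volume is modified."""
    report = {"paired": [], "orphaned": [], "bogus": []}
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            if not name.startswith("._"):
                continue
            path = os.path.join(dirpath, name)
            if not is_appledouble(path):
                report["bogus"].append(path)
            elif name[2:] in present:
                report["paired"].append(path)
            else:
                report["orphaned"].append(path)
    for bucket in report.values():
        bucket.sort()
    return report


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def make_sample_tree():
    """Create a constructed directory tree resembling a not-yet-converted volume."""
    root = tempfile.mkdtemp(prefix="xsan-audit-")
    # Minimal AppleDouble header: magic, version, 16 filler bytes, zero entries.
    header = (struct.pack(">II", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION)
              + b"\x00" * 16 + struct.pack(">H", 0))
    _write(os.path.join(root, "clip.mov"), b"fake movie data")
    _write(os.path.join(root, "._clip.mov"), header)              # paired
    _write(os.path.join(root, "._gone.mov"), header)              # orphaned
    _write(os.path.join(root, "._notes.txt"), b"just some text")  # bogus
    _write(os.path.join(root, "sub", "render.dpx"), b"frame")
    _write(os.path.join(root, "sub", "._render.dpx"), header)     # paired
    return root


if __name__ == "__main__":
    report = audit_appledouble(make_sample_tree())
    for bucket, paths in report.items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

A large paired count is the work dotclean has ahead of it; a non-zero paired count after enabling extended attributes means files were skipped (for instance because the volume was still mounted elsewhere), and orphaned sidecars are worth reviewing by hand since there is no data file for their attributes to be folded into.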
I’m a geek, I can’t help it. The Houseport USB Z-Wave Adapter can control 230 devices, set the level of lights that have dimmers, time lighting controls and garage door openers and maintain the actual Z-Wave mesh network. So how could I not be interested?!?! The Wayne Dalton Houseport software and Z-Wave adapter were announced some time ago. Betas went out and whetted our appetites. I have been sitting by my phone for months waiting for them to call and tell me I can buy it! Now you can finally buy the Houseport software and adapter at http://www.smarthomeusa.com/ShopByManufacturer/Wayne-Dalton/Item/WDUSB-10MAC/ and you can download the manual at http://www.smarthomeusa.com/Products/WDUSB-10MAC/manuals/USB-MAC.pdf. The PC version is the Wayne-Dalton WDUSB-10R HomeSettings Controls USB Adapter for PC.

Houseport in Action
For those unfamiliar with Z-Wave, it’s home automation gear and corresponding software. You can control the HVAC in your home with the Wayne-Dalton WDTC-20 HomeSettings Controls Thermostat, outdoor lighting with the Intermatic HA04C Home Settings Wireless Heavy-Duty Outdoor Lighting Module (i.e. those darn Christmas lights you forget to unplug in the mornings), in-wall power outlets with the GE 45605 Z-Wave Technology Duplex Receptacle, sockets you can’t otherwise Z-Wave enable with a Screw in Module, and of course indoor lighting with the HomeSettings In-Wall Switch/Dimmer (300W) and other dimmers (make sure you know how your place is wired, this has been a sore point with me with 3-way vs. 4-way, etc).
You can also control the garage door with the Wayne-Dalton 3018Z Classic Drive Opener with Z-Wave, small appliances, and even lamps with the Wayne-Dalton HA-03WD HomeSettings Lamp Module. The latest addition to the Z-Wave offerings is the Schlage LiNK line, which includes the Schlage LiNK Wireless Keypad Deadbolt Starter Kit System that can be used to Z-Wave enable the locks on the doors in your home.
Control doesn’t have to just be automated. You can also have things respond to events. For example, using the Hawking Technologies Z-Wave Sensors HomeRemote Wireless Motion Detector you can bring up preset lighting or turn on the stereo when someone walks into a room. You can use Z-Wave as a bit of a personal monitoring system using cameras such as the Hawking HomeRemote Pro HRPC2 Wireless Video Camera with Night Vision, and there are even products that allow for voice activation of systems. Not that control needs to all flow through the computer. You can also get a GE 45608 Home Theater Remote with Z-Wave Lighting Control, which allows you to control a number of Z-Wave enabled devices and the home stereo.
Finally, my favorite part of Z-Wave has been that it’s a wireless mesh network. You install devices and they mesh with the existing network of devices in the home. My least favorite part of Z-Wave is that it’s a zero config wireless mesh network. If devices are not compatible with the controller it can throw the whole network into a tailspin. What I’ve done in those cases is sell the gear I bought on Craigslist and buy something else… It’s annoying, but there’s not a great compatibility system out there (theoretically it should all be compatible but hey, it’s technology, that’s a friggin’ pipe dream as most of you likely already know). Most Z-Wave controllers that run on computers have been a little difficult to configure; however, Houseport for the Mac couldn’t be easier. Enjoy!!!
For more on Z-Wave overall, check out their wikipedia page.
The build_hd_index process is spiking! What to do?!?! In an Xsan environment where you have a number of clients and Apple Remote Desktop is running on an administrative computer, the Application Usage Data and User Accounting Data collectors can cause the build_hd_index process to run more often than is needed (okay, so spiking is a bit extreme, but a dropped frame once every couple of days is the end of the world to some people), especially in cases where you don’t actually use the collected data for business intelligence. If you do a Get Info on a computer in Remote Desktop you can uncheck Collect Application Usage Data and Collect User Accounting Data, which will free it all up. Here’s the trickeration (too much ESPN, sorry about that): you have to do this on all computers that run Remote Desktop, since it’s the app that stores the settings.
The videos for the MacSysAdmin conference are now up, along with sweet pictures of all the speakers wearing foam Snow Leopard hats:
http://video.macsysadmin.se/Documentation2009/Documentation.html
I once denied someone’s request to add me as a friend on Facebook and got an earful about how they bought one of my books and couldn’t believe I would be so rude, etc. Since then I’ve been an open networker on most of the social networks. It’s kinda’ weird sometimes to listen to people talk about how they keep track of their friends through feeds when I have too many to keep track of, but the tools continue to become more sophisticated and I’m getting closer to being able to do so.
Having said that, there is a new thing I’ve been noticing recently. Someone adds you as a friend and then tags you in a photo that you’re not in. Perhaps it’s a photo where they’ve added your profile picture or your name for a character from a comic book or video game. There’s really no reason for them to do this. You click on their profile and they have thousands of friends and have posted hundreds of these things, perhaps too many to do by hand. Wondering why they’re doing it, I browse around their profile, looking for links or something to explain why, but nothing…
Most spam that we get is for someone to make a buck off a product. Maybe they’re selling Viagra, maybe it’s someone trying to get you to wire them money so they can send you that $10,000,000 check that only you can cash or maybe it’s for some seedy website. Either way they want you to do something that results in payment being made to them through some fashion. This is different. It’s people just posting weird collages of other people’s profile pictures and then tagging 16 to 20 people. But there’s no apparent financial gain. It’s confusing to me… Why do it?
The only fix I can think of is to de-friend them and/or just untag the photos. But now I feel the need to track them and try and figure out what the point is, or whether there is a point…
The first sessions for MacIT have been announced, and the talk I will be giving is posted at http://www.macworldexpo.com/sessions?s=QEXPOA00009N.
In addition, the HandsOn talk I will be giving has been posted at http://www.macworldexpo.com/sessions?s=QEXPOA0000C7.
If you only plan on attending the expo, then if you register today it’s free! If you plan on attending the sessions then you have a little more time to decide. Either way, you can register for either at the registration page.

Now that Mac OS X Server 10.6 has been out for a little while and the new features have had a chance to sink in a bit, it seems like a good time to lay out what those new features are. While Mac OS X Server 10.6 has been described as a minor update apart from the whole 64-bit thing, it’s worth noting that it sports about as many new features as every version of Mac OS X Server before it. These include:
- You can now move journaling to a dedicated drive (ie – SSD) to offload potential IO performance bottlenecks
- Directory Utility was moved to CoreServices and can now be accessed through the Accounts System Preference pane
- Hard drive space is now reported more accurately, changing the game in capacity planning for all those Nagios/Zenoss hooha’s
There’s also more, which I’ll write up as I get some of the details sorted out. If there’s a glaring omission please feel free to drop it into a comment! :)
Looking at the difference between 10.5 Server and 10.6 it seems this is a similar enhancement in terms of the number of new features. Some are more subtle but will allow for more agile development of features in subsequent releases.