Tiny Deathstars of Foulness

Backblaze is a great cloud and on-prem backup tool for Mac and Windows. You can download Backblaze at Once downloaded, extract the DMG and open the Backblaze Installer. 

At the Installer screen, enter your existing credentials or create a new account and click Install Now.

The drive will then be analyzed for backup.

By default, once the analysis is complete, the computer will immediately start backing up to the Backblaze cloud. Let’s click on the Settings button to configure how the Backblaze app will work.

This opens the Backblaze System Preference pane. At the Settings tab, you’ll see a list of drives to back up and an option to set when to receive warnings when the computer hasn’t completed a backup recently.

By default, performance is throttled so as not to cause your computer to run poorly. Click on the Performance tab. Here, you can disable that option, 

By default, backups run continuously, as files are altered. You can use the schedule screen to move backups to a specific time (e.g. at 1am every night). I personally like having continuous backups if you have enough bandwidth to account for them. 

By default, the whole system is not going to get backed up. Click Exclusions and you can see what will be skipped and disable some of the skips.

By default, backups are encrypted using public keys. I inherently trust the people at Backblaze. But I still use an encryption key to add an extra layer of security to my backups.

To set that, click on the Security tab.

At the Security screen, click on Enter Your Private Encryption Key.

Once you’ve got a good backup policy set. Click on the Reports screen to see what’s getting backed up!

April 10th, 2018

Posted In: Mac OS X, Mac Security

Tags: , , ,

It’s not likely that your Synology is going to get infected with a virus of some kind. It’s also not likely that, if you’re switching to Synology from a macOS Server, that most of your clients will get infected or be using infected files. But you probably have that one Windows accounting machine in the back of the office. So you should scan your Synology routinely. To do so, Synology provides a clamav bundle, much like what I usually told people to use on macOS file servers.

To install antivirus on your Synology, open Package Center and search for antivirus. Click on Antivirus Essential and then click on Install.  

Once installed, open Antivirus Essential from the Main Menu. From here, you can perform a Full Scan, a Custom Scan (which allows you to select the shared folders to scan), or perform a System Scan (which scans everything else). To automate scans, click Scheduled Scan. 

At the Scheduled Scan screen, click Create. 

At the Schedule screen, choose the type of scan (the same options as when run manually) and when the scan should run. I definitely recommend daily scans. Then, click on OK and check the box for Enable. 

Click on Settings. Here, you can define what happens when an infected file is found (Quarantine is usually the best option as you can then click on Quarantine in the sidebar routinely to check on what files might have been moved). Whitelist allows you to define exclusions. Good files to exclude are Quickbooks files, and other files that aren’t very friendly to antivirus scanning, as they’re open a lot. And use the Update option to have the virus definitions updated before every scan. 

If you ever want to check that the definitions are indeed updated, click on Update in the sidebar. And that’s it, you’re now automatically scanning for viruses on the schedule you defined. I recommend setting a reminder to check on it every now and then. At first maybe weekly and later maybe monthly, depending on how many quarantined files are found when you check in. Just make sure the defs are up-to-date and sift through the logs every now and then and you should be good!

April 9th, 2018

Posted In: Small Business, Synology

Tags: , , , ,

You can backup a Synology in a number of ways. Even if you have a local backup, you should have a backup offsite. Here, we’ll walk through backing up a Synology using Acronis True Image. Before doing so, it’s worth noting that the only things backed up this way are the ones that are by default accessible through an app, and that you’ll have to give access to each of those entitlements in order for the backup to run. These include Contacts, Photos, Videos, Calendars, and Reminders.

To get started, first go to the Package Center on a Synology. Then, search for Acronis.

At the listing for Acronis True Image, click Install. Once installed, make sure you’re accessing your Synology through the web interface directly rather than through QuickConnect. This would be http://<IPADDRESS>:5000. From there, open the Main Menu and then open Acronis True Image from there.

Now, install the Acronis Mobile app from the iOS App Store ( ) on the iOS device you’ll be backing up. Once installed, open the app and tap on Back up to computer or NAS.
Then tap SCAN QR CODE.

Then provide access to the camera in order to scan the QR code. 

Then choose what you’d like to back up and tap on Back up now.

Once the backup is complete, you’ll see the backup shown on the Synology when you open up the Acronis app.

Backing up to iCloud is still the only way to get everything else. But it’s still useful in some ways (e.g. if you are a real estate agency and just want to back up Contacts and Photos in case something happens).

April 8th, 2018

Posted In: Synology

Tags: , , ,

Synology is able to do everything a macOS Server could do, and more. So if you need to move your VPN service, it’s worth looking at a number of different solutions. The most important question to ask is whether you actually need a VPN any more. If you have git, mail/groupware, or file services that require remote access then you might want to consider moving these into a hosted environment somewhere. But if you need access to the LAN and you’re a small business without other servers, a Synology can be a great place to host your VPN services. 

Before you setup anything new, first snapshot your old settings. Let’s grab  which protocols are enabled, running the following from Terminal:

sudo serveradmin settings

sudo serveradmin settings

Next, we’ll get the the IP ranges used so we can mimic those (or change them) in the new service:

sudo serveradmin settings

Now let’s grab the DNS servers handed out so those can be recreated:

sudo serveradmin settings
sudo serveradmin settings

Finally, if you’re using L2TP, let’s grab the shared secret:

sudo serveradmin settings

Once we have all of this information, we can configure the new server using the same settings. To install the VPN service on a Synology, first open the Synology and click on Package Center. From there, click on All and search for VPN.

Then click on the Install button for VPN. Once installed, open VPN Server from the application launcher in the upper left-hand corner of the screen. Initially, you’ll see a list of the services that can be run, which include the familiar PPTP and L2TP, along with the addition of Open VPN.

Before we potentially open up dangerous services to users we might not want to have access to, click on Privilege. Here, enable each service for each user that you want to have access to the VPN services.

Now that we can safely enable and disable each of the services, click on PPTP in the sidebar of the VPN Server app (if you want to provide PPTP-based services to clients).

Here, check the box for “Enable PPTP VPN server” and enter the following information:
  • Dynamic IP address: The first DHCP address that will be given to client computers
  • Maximum connection number: How many addresses that can be handed out (and therefore the maximum number of clients that can connect via PPTP).
  • Maximum number of connections with the same account: How many sessions a given account can have (1 is usually a good number here).
  • Authentication: Best to leave this at MS-CHAP v2 for compatibility, unless you find otherwise.  
  • Encryption: Leave as MPPE optional unless all clients can do MPPE and then you can enforce it for a stronger level of encryption.
  • MTU: 1400 is a good number.
  • Use manual DNS: If clients will connect to services via names once connected to the VPN, I’d put your primary DNS server in this field.

Click Apply and open port 1723 so clients can connect to the service. If you’ll be using L2TP over IPSec, click on “L2TP/IPSec” in the sidebar. The settings are the same as those above, but you can also add a preshared key to the mix. Go ahead and check the enable checkbox, provide the necessary settings from the PPTP list, and provide that key and then click on Apply. Note that the DHCP pools are different between the two services. Point UDP ports 1701, 500, and 4500 at the new server to allow for remote connections and then test that clients can connect.

That’s it. You’ve managed to get a new VPN setup and configured. Provided you used the same IP address, same client secret, and the ports are the same, you’ll then be able to probably use the same profile to install clients that you were using previously.

April 6th, 2018

Posted In: Mac OS X Server, Mac Security, Synology

Tags: , , , , , , ,

People who have managed Open Directory and will be moving to Synology will note that directory services really aren’t nearly as complicated was we’ve made them out to be for years. This is because Apple was protecting us from doing silly things to break our implementations. It was also because Apple bundled a number of seemingly disparate technologies into ldap. It’s worth mentioning that LDAP on a Synology is LDAP. We’re not federating services, we’re not kerberizing services, we’re not augmenting schemas, etc. We can leverage the directory service to provide attributes though, and have that central phone book of user and group memberships we’ve come to depend on directory services to provide.

To get started, open the Package Center and search for Directory. Click Install for the Directory Server and the package will be installed on the Synology.

When the setup is complete, open the Directory Server from the launcher available in the upper right hand corner of the screen. 

The LDAP server isn’t yet running as you need to configure a few settings before starting. At the Settings screen, you can enable the LDAP service by checking the box to “Enable LDAP Service” and providing the hostname (FQDN) of the service along with a password.

Once the service is configured, you’ll have a base DN and a bind DN. These are generated based on the name provided in that FQDN field. For example, if the FQDN is “”, its Base DN will be “dc=synology,dc=krypted,dc=com”. And the Bind DN would add a lookup starting a root, then moving into the users container and then the hostname: uid=root,cn=users,dc=synology,dc=krypted,dc=com

If this is for internal use, then it’s all setup. If you’ll be binding external services to this LDAP instance, make sure to open ports 389 (for LDAP) and/or 636 (for LDAP over SSL) as well. 

Once you have information in the service, you’ll want to back it up. Click on Backup and Restore. Then click on Configure.

At the Configure screen, choose a destination.

I prefer using a directory I can then backup with another tool. Once you have defined a place to store your backups using the Destination field, choose a maximum number of backups and configure a schedule for the backups to run (by default backups run at midnight). Then click OK. You now have a functional LDAP service. To create Groups, click on the Group in the left sidebar. 

Here, you can easily create groups by clicking on the Create button. At the wizard, provide a group name and then enter the name of a group (accounting in this example).

Click Next, then Apply to finish creating the group. One you have created your groups, click on User to start entering your users. Click Create. At the User Information screen, enter the name, a description if needed, and the password for a user. You can also restrict password changes and set an expiration for accounts. Click Next to create the user. 

At the next screen, choose what groups the new user will be in and click Next.

Enter any extended attributes at the next screen, if you so choose (useful for directories).

Click Next and then Apply.

For smaller workgroups, you now have a functional LDAP service! If you’d like a nice gui to access more options, look at FUM ( ), LAM ( ), LinID ( )or other tools. I wrote an article on LDAP SACLs awhile back, so I’ll try and track that down and update it for Synology soon!

April 5th, 2018

Posted In: Mac OS X Server, Synology

Tags: , , , , , , , , ,

Don’t let the name fool you, RADIUS, or Remote Authentication Dial-In User Service is more widely used today than ever before. This protocol enables remote access to servers and networks and is frequently a fundamental building block of VPNs, wireless networks and other high-security services that have nothing to do with dialup bulletin boards from the 80s. 

I’ve run RADIUS services on Mac servers for years. But as that code starts to become stale and no longer supported, let’s look at running a basic RADIUS service on a network appliance, such as a Synology. To get started, open Package Manager, click All in the sidebar and then search for RADIUS. 

Click Install for the RADIUS service.

Once installed, open RADIUS Server from the application menu in the upper left hand corner of the screen.

The options aren’t like raccoon. You can select a port, choose a directory service (which covers the authentication and a bit of the authorization portions of RADIUS. Click Clients and then Add.

Here you can configure a shared secret for a client, and allow for the source IP and netmask. To grab your certificate for deployment to clients, open the Control Panel, then Security, then Certificate and export the .p12. If you’re using this RADIUS service to enable other services for Macs, you’ll likely then want to distribute that certificate in a profile. We’ll cover how to leverage RADIUS for other services in other articles.

March 31st, 2018

Posted In: Synology

Tags: , , , ,

DNS is an integral service to most modern networks. The Domain Name System, or DNS is comprised of hierarchical and decentralized Domain Name Servers, or DNS Servers. This is how we connect to computers and the websites that reside on computers by their names, rather than having to memorize the IP addresses of every single computer out there. So you get to type and come to my website instead of typing the IP address. Or more likely,, but just because my website is older, I’m not mad about that. No really…

So you have a macOS Server and you need to take your DNS records out of it and move them to another solution. Luckily, DNS on any operating system is one of the easiest to manage. So let’s start by dumping all of our zone records and settings using the dnsconfig command:

/Applications/ list

directory: /Library/Server/named
allow-transfer: none 
allow-transfer: none 
allow-update: none 
Resource Recs: (CNAME) (SOA) (NS) (MX) (A)
Resource Recs:
no resource recs
allow-update: none 
Resource Recs: (SOA) (NS) (PTR)
allow-transfer: none 
allow-update: none 
Resource Recs: (PTR) (SOA) (NS)

Now that we have our records, let’s think of how to use them in the new server. In the above example, we list as a zone. And in that zone we have an A record for and a CNAME for that points to – but we don’t know where resolves to. Each of those domains has a corresponding file that starts with db. followed by the name of the domain in the /Library/Server/named directory. So we can cat the file as follows:

cat /Library/Server/named/   10800 IN SOA (
 10800 IN NS
 10800 IN MX 0   10800 IN A   10800 IN CNAME

Now we know the IP address that each record points to and can start building them out in other systems. If you only have 5-20 records, this is pretty quick and easy. If you have hundreds, then you’re in luck, as those db files per domain are portable between hosts. Some of the settings to look out for from macOS Server include:
  • Primary Zone: The DNS “Domain”. For example, would likely have a primary zone of
  • Machine Record: An A record for a computer, or a record that tells DNS to resolve whatever name is indicated in the “machine” record to an IP address, whether the IP address is reachable or not.
  • Name Server: NS record, indicates the authoritative DNS server for each zone. If you only have one DNS server then this should be the server itself.
  • Reverse Zone: Zone that maps each name that IP addresses within the zone answer with. Reverse Zones are comprised of Reverse Mappings and each octal change in an IP scheme that has records mapped represents a new Reverse Zone.
  • Reverse Mapping: PTR record, or a record that indicates the name that should respond for a given IP address. These are automatically created for the first IP address listed in a Machine Record.
  • Alias Record: A CNAME, or a name that points to another name.
  • Service Record: Records that can hold special types of data that describe where to look for services for a given zone. For example, iCal can leverage service records so that users can just type the username and password during the setup process.
  • Mail Exchanger Record (aka MX record): Mail Exchanger, points to the IP address of the mail server for a given domain (aka Primary or Secondary Zone).
  • Secondary Zone: A read only copy of a zone that is copied from the server where it’s a Primary Zone when created and routinely through what is known as a Zone Transfer.
The settings for the domains are as follows:
  • allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
  • allow-recursion Takes one or more address match list entry.
  • allow-update Takes one or more address match list entry.
  • allow-query Takes one or more address match list entry.
  • allow-query-cache Takes one or more address match list entry.
  • forwarders Takes one or more IP addresses, e.g.
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a kerberos service principal
  • tkey-domain Takes a kerberos realm
  • update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)
You can also use the serveradmin command, and should certainly back up all of your settings and records this way. This is easily done using the serveradmin command as follows:

serveradmin settings dns

And the output would look something like this: 

dns:acls:_array_index:0:name = “”
dns:acls:_array_index:0:addressMatchList:_array_index:0 = “localhost”
dns:acls:_array_index:0:addressMatchList:_array_index:1 = “localnets”
dns:forwarders:_array_index:0 = “”
dns:forwarders:_array_index:1 = “” = _empty_array = 1209600 = 2018033001 = no = “” = _empty_array = “” = “” = 3600 = _empty_array = “” = “” = 900 = 86400 = _empty_array = “” = no = “” = “” = 1209600 = 2018033001 = no = “” = “” = “” = “” = “” = 3600 = “” = 0 = _empty_array = 900 = 86400 = _empty_array = “” = no = “” = _empty_array

Or to output it to a file, just pipe it as follows:

sudo serveradmin settings dns > test.dns

March 30th, 2018

Posted In: Mac OS X Server

Tags: , , ,

Services that run on a Synology are constantly being updated. Software updates for the binaries and other artifacts can quickly and easily be updated. To do so, open the Synology web interface and then open Package Center. From Package Center, click Update for each or Update All to upgrade all services at once, as seen below.

You will then be prompted to verify that you want to run the update.

Any services that are being updated will restart and so end users might find those services unresponsive or have to log back in after the service comes back online.

March 27th, 2018

Posted In: Network Infrastructure, Small Business, Synology

Tags: , , , , , ,

March 24th, 2018

Posted In: Programming, Salesforce

Tags: , , , , ,

The first step to moving services from macOS Server for pretty much all services is to check out the old settings. The second step is to probably ask if where you’re going to put the service is a good idea. For example, these days I prefer to run DHCP services on a network appliance such as a Synology. And so let’s look at how to do that. Here, we’ll use the serveradmin command to view the settings of the DHCP service:

/Applications/ settings dhcp

The output is an array of subnets with different settings per subnet.

dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_primary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_router = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_secondary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_start = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_end = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name = "clients.msp.jamfsw.corp"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:0 = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:1 = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:lease_max = 36000
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_mask = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_ldap_url = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_node_type = "NOT_SET"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_enabled = yes
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_NBDD_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_address = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_scope_id = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:selected_port_name = "en1"
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
dhcp:subnet_defaults:routers:en0 = ""
dhcp:subnet_defaults:WINS_node_type_list:_array_index:0 = "BROADCAST_B_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:1 = "HYBRID_H_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:2 = "NOT_SET"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:3 = "PEER_P_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:4 = "MIXED_M_NODE"
dhcp:subnet_defaults:WINS_node_type = "NOT_SET"
dhcp:subnet_defaults:dhcp_domain_name = ""
dhcp:subnet_defaults:logVerbosityList:_array_index:0 = "LOW"
dhcp:subnet_defaults:logVerbosityList:_array_index:1 = "MEDIUM"
dhcp:subnet_defaults:logVerbosityList:_array_index:2 = "HIGH"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:0 = ""
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:1 = ""
dhcp:subnet_defaults:selected_port_key = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:0 = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:1 = "bridge0"
dhcp:logging_level = "MEDIUM"

Next, we’ll setup a Synology NAS using the instructions found here:

Basic Synology NAS Setup

 Once you’ve setup your Synology NAS, you can install a dhcp server on it, if you need to provide those services. To get started, first open Control Panel and then find DHCP Server in the Control Panel sidebar. 

From here, click on the LAN port.

Because DHCP requires a subnet mask, and a pool of IP addresses that can be shared, the “Enable DHCP server” button will initially be greyed out. Click on the Edit button to define these.

Click on the checkbox for “Enable DHCP server” and enter the following settings:
  • Address lease time: The number of seconds the lease will be valid.
  • Primary DNS: The first DNS server provided to client computers.
  • Secondary DNS: The second DNS server provided to client computers.
  • Domain name: The automatic suffix applied to hostnames of clients (e.g. if you enter Synology in a web browser and this setting was then you would be routed to 
  • Enable Web Proxy Automatic Discovery: provide a PAC file (using DHCP options)
  • URL: The PAC file.
  • Subnetlist: Here you add subnets, which we’ll describe next.

At the Create DHCP Subnet screen, you’ll be prompted for the following fields:

  • Start IP address: The first IP address in the pool that will be handed out.
  • End IP address: The last IP address in the pool that will be handed out (note that in my example, I’m handing out to, so 11 addresses – make sure these don’t overlap with other devices that are already using addresses or with other DHCP pools or you will have sporadic device connectivity for some devices).
  • Netmask: The subnet mask to be given to devices along with their lease.
  • Gateway: The default gateway, or router for the network.
  • DHCP Options: I cover these in, but this list includes those supported on the Synology. 

Once your settings are configured, click Create. You’ll then see your pool configured. Click the OK button.

You’ll then see a list of subnets and settings. Click “Enable DHCP server” to start the service. 

Once started, click “Disable DHCP server” to stop the service or go back to the edit screen and click on the DHCP Clients tab to see what IP each client has been provided.

March 21st, 2018

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , ,

Next Page »