Tag Archives: DNS

Active Directory Mac OS X Mac OS X Server Mac Security Network Infrastructure Ubuntu Unix VMware Windows Server Windows XP Xsan

List All DNS Records For A Domain

May 8, 2013 – 6:00 am

Sometimes you want to move a domain but you don’t have a copy of the zone file in order to recreate records. The easy way to do this is to grab a zone transfer. To do so, dig is your friend:

dig -tAXFR mycompany.com

Sometimes though (and actually more often than not) a zone transfer is disabled. In that case you’ll need to dig the domain a bit differently. I like to use +nocmd, query for any and list the results (+answer):

dig +nocmd krypted.com any +answer

Which results in the following:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39183
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;krypted.com. IN ANY

;; ANSWER SECTION:
krypted.com. 1262 IN A 97.74.215.39
krypted.com. 3600 IN MX 0 smtp.secureserver.net.
krypted.com. 3600 IN MX 10 mailstore1.secureserver.net.
krypted.com. 3600 IN NS ns25.domaincontrol.com.
krypted.com. 3600 IN NS ns26.domaincontrol.com.
krypted.com. 3600 IN SOA ns25.domaincontrol.com. dns.jomax.net. 2010010400 28800 7200 604800 3600

;; Query time: 127 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Tue May 7 22:31:15 2013
;; MSG SIZE rcvd: 207

The above shows the naked domain name entry (yes, I still giggle every time I write the word naked so it’s ok if you giggled when you read it), all of the mail (which btw I don’t actually use that mail so please don’t try and send any at this time) and the ns servers. Now, the serial and refresh information isn’t included in this output. Actually, it is but it might not make sense, so we’ll just add the +multiline option which will make this look strangely like a zone file:

dig +nocmd krypted.com any +multiline +answer

Notice the serial, refresh, retry, expire and minimum options are now listed in a much more fashionable way:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10965
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;krypted.com. IN ANY

;; ANSWER SECTION:
krypted.com. 3225 IN A 97.74.215.39
krypted.com. 3225 IN MX 0 smtp.secureserver.net.
krypted.com. 3225 IN MX 10 mailstore1.secureserver.net.
krypted.com. 3225 IN NS ns25.domaincontrol.com.
krypted.com. 3225 IN NS ns26.domaincontrol.com.
krypted.com. 3225 IN SOA ns25.domaincontrol.com. dns.jomax.net. (
2010010400 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)

;; Query time: 22 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Tue May 7 22:32:20 2013
;; MSG SIZE rcvd: 207

And there ya’ go. You’ve basically done a zone transfer on a box, even though zone transfers are disabled. Silly DNS admins, disabling zone transfers and all that… Yes, I disable zone transfers on most of my DNS boxen as well, or at least only allow them for specific IPs… ;)

Tags , , , , , , , , , | Permalink | Comments Off
Mac OS X Server Mass Deployment

Managing DNS Using Mac OS X Mountain Lion Server

August 6, 2012 – 5:00 am

The most impactful aspect of the changes in OS X Mountain Lion Server at first appears to be the fact that DNS looks totally different in the Server app than it did in Server Admin. For starters, most of the options are gone from the graphical interface and it looks a lot less complicated, meaning that there are indeed fewer options. However, all of the options previously available are still there. And, the service behaves exactly as it did before, down to the automatically created host name when a server is configured and doesn’t have correctly configured forward and reverse DNS records that match the host name of the computer.

The DNS servicein OS X Mountain Lion Server, as with previous versions, is based on bind 9 (9.8.1 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, OS X, Linux and even Zoe-R.

Installing DNS

For many, at installation OS X Mountain Lion Server will already be running the DNS service. This is because DNS wasn’t ready for the server when the Server app was first run. In order to protect itself from misconfiguration, the server then configures DNS to what it thinks is appropriate based on the initial setup assistant. While initially the service appears to only be running with the one record, several are actually created. The initial zone, a reverse zone, the NS record for the zone, the NS record for the reverse zone, the reverse record for the initially created zone, etc. To see all of this, open Server app and then click on the DNS service in the list of SERVICES. Then, click on the cog wheel icon below the list of records and click on Show All Records.

Show All Records Option For DNS In Mountain Lion Server

Show All Records Option For DNS In Mountain Lion Server

Use the Edit button for Forward Servers to configure servers that DNS requests that aren’t resolvable by the local service for. For example, if you want your DNS service to look to 4.2.2.2 and 4.2.2.3 if it can’t find a record and then cache what it finds there, click Edit.


At the Forwarding Servers screen, use the plus sign to assign the two IPs you would like to use. All records are then cached based on TTL of the zone.

By default the “Perform lookups for” option is set to “only some clients”. Click the Edit button here to define what computers can perform DNS lookups through this server.

At the Perform Lookups screen, provide any additional subnets that should be used. If the server should be accessible by anyone anywhere, just set the “Perform lookups for” field at the DNS service screen to “all clients”.

Managing Records

All you have to do to start the DNS is click on the ON button (if it’s not already started, that is). There’s a chance that you won’t want all of the records that are by default entered into the service. But leave it for now, until we’ve covered what everything is. To list the various types of records:

  • Primary Zone: The DNS “Domain”. For example, www.krypted.com would likely have a primary zone of krypted.com.
  • Machine Record: An A record for a computer, or a record that tells DNS to resolve whatever name is indicated in the “machine” record to an IP address, whether the IP address is reachable or not.
  • Name Server: NS record, indicates the authoritative DNS server for each zone. If you only have one DNS server then this should be the server itself.
  • Reverse Zone: Zone that maps each name that IP addresses within the zone answer with. Reverse Zones are comprised of Reverse Mappings and each octal change in an IP scheme that has records mapped represents a new Reverse Zone.
  • Reverse Mapping: PTR record, or a record that indicates the name that should respond for a given IP address. These are automatically created for the first IP address listed in a Machine Record.
  • Alias Record: A CNAME, or a name that points to another name.
  • Service Record: Records that can hold special types of data that describe where to look for services for a given zone. For example, iCal can leverage service records so that users can just type the username and password during the setup process.
  • MX Record: Mail Exchanger, points to the IP address of the mail server for a given domain (aka Primary or Secondary Zone).
  • Secondary Zone: A read only copy of a zone that is copied from the server where it’s a Primary Zone when created and routinely through what is known as a Zone Transfer.
Click on the Plus Sign To See A List of Record Types

Click on the Plus Sign To See A List of Record Types

When you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. The settings for a zone can be seen below.

Configuring Zones in Mountain Lion Server

Configuring Zones in Mountain Lion Server

These include the name for the zone. As you can see, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably going to be to create a zone for the domain name instead of the host name. So for the above zone, the entry should be pretendco.com rather than c.pretendco.com (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the “Zone data is valid for” field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes). Once changes are made, the TTL can be set for a larger number in order to reduce the amount of traffic hitting the server (DNS traffic is really light, so probably not a huge deal in most environments using a Mountain Lion Server as their DNS server). Check the box for “Allow zone transfers” if there will be other servers that use this server to lookup records.

Additionally, if the zone is to be a secondary zone configured on another server, you can configure the frequency to perform zone transfers at this screen, how frequently to perform lookups when the primary name server isn’t responsive and when to stop bothering to try if the thing never actually ends up coming back online. Click on Done to commit any changes made, or to save a new record if you’re creating a new zone.

Note: To make sure your zone name and TLD don’t conflict with data that already exists on the Internet, check here to make sure you’re not using a sponsored TLD.

Double-click on a Machine record next (or click plus to add one). Here, provide a hostname along with an IP address and indicate the Zone that the record lives in. The IP Addresses field seems to allow for multiple IPs, which is common in round robin DNS, or when one name points to multiple servers and lookups rotate amongst the servers. However, it’s worth mentioning that when I configure multiple IP addresses, the last one in the list is the only one that gets fed to clients. Therefore, for now at least, you might want to stick with one IP address per name.

Note that the above screen has a match for the host name to the zone name, including the zone name. This is not to be done for manually created records. Enter the name of a record, such as www for the zone called, for example, krypted.com and not www.krypted.com in the Host Name record, or you will end up creating a host called www.krypted.com.krypted.com, which is likely not very desirable. Given that this wasn’t the default behavior back in Server Admin, I personally consider this something that will likely get fixed in the future. Click Done to commit the changes or create the new record.

Next, let’s create a MX record for the domain. We’re going to stick with the c.pretendco.com subdomain as it provides us with a nice walled garden for our DNS. To create the MX for the domain, click on the plus sign at the list of records.

Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for pretendco.com, so mail.pretendco.com. If you have multiple MX records, increment the priority number for the lower priority servers.

As a full example, let’s create a zone and some records from scratch. Let’s setup this zone for an Xsan metadata network, called krypted.xsan. Then, let’s create our metadata controller record as starbuck.krypted.xsan to point to 10.0.0.2 and our backup metadata controller record as apollo.krypted.xsan which points to 10.0.0.3. First, click on the plus sign and select Add Primary Zone.

At the zone screen, enter the name krypted.xsan, check the box for Allow zone transfers (there will be a second server) and click on the Done button. Click on the plus sign and then click on Add Machine record.

At the New Machine Record screen, select krypted.xsan as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in 10.0.0.2. Click on Done to commit the changes.

Repeat the process for Apollo, entering apollo as the Host Name and 10.0.03 as the IP address. Click Done to create the record.

Setting Up Secondary Servers

Now let’s setup a secondary server by leveraging a secondary zone running on a second computer. On the second Mountain Lion Server running on the second server, click on the plus sign for the DNS service and select Add Secondary Zone.

At the Secondary Zone screen, enter krypted.xsan as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field. Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled).

Managing DNS From The Command Line

Now, all of this is pretty straight forward. Create a zone, create some records inside the zone and you’re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in OS X Mountain Lion Server is to do everything possible using the serveradmin command. To start the service, use the start option:

sudo serveradmin start dns

To stop the service, use the stop option:

sudo serveradmin stop dns

To get the status of the service, including how many zones are being hosted, the last time it was started, the status at the moment, the version of bind (9.8.1 right now) and the location of the log files, use the fullstatus option:

sudo serveradmin fullstatus dns

A number of other tasks can be performed using the settings option. For example, to enable Bonjour Client Browsing, an option previously available in Server Admin, use the following command:

sudo serveradmin settings dns:isBonjourClientBrowsingEnabled = yes

Subnets can be created programmatically through serveradmin as well. Let’s look at what our krypted.xsan subnet looks like, by default (replace your zone name w/ krypted.xsan to see your output):

sudo serveradmin settings dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan

Which outputs the following:

dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:allowZoneTransfer = yes
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:aliases = _empty_array
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:expire = 1209600
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:serial = 2012080505
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:allow-update = no
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:adminEmail = "admin@krypted.xsan"
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:machines:_array_index:0:name = "starbuck.krypted.xsan."
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:machines:_array_index:0:ipAddresses:_array_index:0:ipAddress = "10.0.0.2"
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:machines:_array_index:1:name = "apollo.krypted.xsan."
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:machines:_array_index:1:ipAddresses:_array_index:0:ipAddress = "10.0.0.3"
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:nameservers:_array_index:0:name = "krypted.xsan"
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:nameservers:_array_index:0:value = "starbuck.krypted.xsan."
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:refresh = 3600
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:mailExchangers = _empty_array
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:reverseMappings = _empty_array
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:retry = 900
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:timeToLive = 86400
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:serviceRecords = _empty_array
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:bonjourRegistration = yes
dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:name = "krypted.xsan"

Now, let’s say we’d like to disable bonjour registration of just this zone, but leave it on for the others on the server:

sudo serveradmin settings dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:bonjourRegistration = no

The entire block can be fed in for new zones, if you have a lot of them. Just remember to always make sure that the serial option for each zone is unique. Otherwise the zones will not work properly.

While serveradmin is the preferred way to edit zone data, it isn’t the only way. In /private/var/named are a collection of each zone the server is configured for. Secondary zones are flat and don’t have a lot of data in them, but primary zones contain all the information in the Server app and the serveradmin outputs. To see the contents of our test zone we created, let’s view the /var/named/db.krypted.xsan file (each file name is db. followed by the name of the zone):

cat /var/named/db.krypted.xsan

The output of which is similar to the following (YMMV based on record composition):

krypted.xsan. 10800 IN SOA krypted.xsan. admin.krypted.xsan. (
2012080507 ; serial
3600 ; refresh (1 hour)
900 ; retry (15 minutes)
1209600 ; expire (2 weeks)
86400 ; minimum (1 day)
)10800 IN NS starbuck.krypted.xsan.
apollo.krypted.xsan. 10800 IN A 10.0.0.3
starbuck.krypted.xsan. 10800 IN A 10.0.0.2

Add another record into the bottom and stop/start DNS to immediately see the ramification of doing so. Overall, DNS is one of those services that seems terribly complicated at first. But once you get used to it, I actually find manually editing zone files far faster and easier than messing around with the Server app or previously Server Admin. However, I also find that occasionally, because the Server app can make changes in there that all my settings will vanish.

Troubleshooting is another place where the command line can be helpful. While logs can be found in the Server app, I prefer to watch log entries live as I perform lookups using the /Library/Logs/named.log file. To do so, run tail -f followed by the name of the file:

tail -f /Library/Logs/named.log

Finally, see http://krypted.com/mac-os-x-server/os-x-server-forcing-dns-propagation for information on forcing DNS propagation if you are having issues with zone transfers.

Conclusion

Because DNS is one of the most critical aspects of getting your server or servers configured properly, set up the name of your server before you do anything else. Then the very first thing you should do when you open the Server app on your first server is configure DNS. The next thing you should do is test DNS. The first thing you should do on each subsequent server is check DNS. Overall, the DNS service is very straight forward, once you get used to setting up records. There is a ton of flexibility around using the command line to manage the service as well; however, be aware when you do so that you could end up loosing data if you aren’t careful not to make any changes in the Server app!

As for getting used to the changes with every new version of OS X, Daniel Graystone once said “She’ll adjust. She’s probably very confused by everything. It’s only natural.”

Tags , , , , , , , , , , , , , , , , | Permalink | Comments (8)
Mac OS X Server

Changes in Mountain Lion Server

July 26, 2012 – 5:00 am

Mountain Lion Server is now available on the OS X App Store and as with the last few updates there are some things missing that you might be expecting and depending on. First up, three major services are gone: Podcast Producer, RADIUS and dhcp. You can still do dhcp as you always did with OS X client as those features work on OS X Server, but the more granular controls available in OS X Server are now gone. The biggest impact of dhcp is probably in testing NetBoot services when there are network issues and you need to prove to network admins that it’s the network and not your server…

I had written an article before about FTP still being in OS X Server from the command line, but now it’s back in the GUI, which should make many an administrator happy. NAT is also gone from the GUI, but natd and natutil are still available from the command line. Might as well just use the Sharing System Preference pane for such things though… Server Admin is now gone (long live Server Admin!) and Workgroup Manager is now a download to be performed and installed following installation. Support for Managed Preferences is gone, even though most manifests technically still work.

Many services also got some pretty nice updates. These include:

  • Calendar – There are a few updates on the client side, but not on the server side. Most notably, the option to publish calendars is now gone. If you used that, it’s time to get used to manually exporting, copying to a share and then distributing links. This is going to likely cause more use of the Calendar server itself, to some degree. Also, it’s not iCal or iCal Server, it’s now Calendar and Calendar server. Seems to me that this isn’t obviously an Apple-centric naming structure as with most other things they do, but sometimes you’re gonna’ have that…
  • Contacts – Nope, it’s not called Address Book server, it’s the Contacts service. Same with the client side application.
  • DNS – DNS management is moved into the Server application. You can also now restrict who you do lookups for in the GUI. Under the hood very little changes.
  • File Sharing – Nothing really changes with file sharing, except the wiki integration described in the Wiki section in a little bit.
  • Firewall – The firewall option is gone, as is the ipfilter at the command line, but pf is easy to configure from the command line.
  • FTP – It’s a quick and easy single share solution from the GUI. Using the sharing command there’s still tons available to administrators.
  • Mail – Authentication mechanisms and domains are in the GUI, but very little changes otherwise.
  • Messages – The service name has changed from iChat to Messages in the GUI but is still jabber from the command line. The big change with this service is that the client side is now able to leverage iCloud to instant message mobile devices as well. Therefore, the text messaging component is client-side and has no impact on the jabber service itself.
  • NetInstall – The “NetInstall” service is NetBoot. It can host NetRestore or NetInstall images, but the heavy lifting for that stuff is done in System Image Utility. And the output of the SIU commands are now more scriptable through the automator command line interface. The NetInstall screen is now in Server app and is a good port from Server Admin in that it’s similar in look and feel to the NetBoot screen in Server Admin. A feature that isn’t in the GUI is diskless NetBoot, which is fine because I documented how to do it when I realized it would be an issue for a few customers.
  • Open Directory – Given that Server Admin is gone, something had to happen with Open Directory. The Open Directory screens have been moved to Server app where it’s fast to setup and tear down Open Directory. Open Directory based Users and Groups are also created through the Server App, although Workgroup Manager can be downloaded and used still. Immediately following upgrades, the add and remove users buttons are gone for previously stand-alone hosts. Also the Manage Network Accounts option is now gone from Server app, replaced with the traditional ON button supplied by Apple for other services.
  • Profile Manager – This deserves its own post, which is in the queue, but suffice it to say that while you can’t tell when looking in Server app, there are a number of upgrades to Profile Manager.
  • Software Update – Management of the service is moved from Server Admin to Server app. There are now fewer options in the GUI, but the same in the command line. Cascading is a little different.
  • Time Machine – Time Machine server is the same… The versions option from the Time Machine Server preference pane is gone and the layout is a little changed, but the server component is identical in functionality as well as look and feel.
  • VPN – Unless you add another supported VPN protocol there’s not much to do after fixing most issues in 10.7.4. Except fixing the last issue with search bases, seemingly resolved as it’s working for me pretty well.
  • Websites – There are more options in the GUI for new sites. The default site appears twice (once for 80 and once for 443), but there are more options, such as the Web App functionality that comes with a default Python “Hello World” app. Also the server is still called web from the serveradmin command line, but is now called Websites through the GUI.
  • Wiki – The wiki has themes again, although they’re just color schemes. And you can create your own custom banners and upload, which brings back two of the most common feature requests from people that hack the look and feel of the wiki in versions previous to Lion. But the most substantial aspect of the Wiki to change to me is the document management options, available to users in WebDAV or through the portal. This allows for a very mobile-friendly file management tool. Blogs and wikis for the most part stay the same and have a very clean upgrade process from Lion. The command line tools also feature some new options for indexing, etc., which many will find helpful.
  • Xsan – cvadmin, cvlabel, cvversions, etc are now stored in /System/Library/Filesystems/acfs.fs/Contents/bin/ and Xsan has its own entry in the Server app. Despite hearing people question its future, I’ve never seen as many questions flying around about how to do things with Xsan than I do now. Storage sales are up, monkey chatter on the web is up, deployments are being booked and Xsan looks here to stay. The Server app only really shows you a status of things, but the Xsan Admin app is now embedded in the Server app and available through the Server app Tools directory.

Configuring Websites in Server app

The Alerts options are much more robust in Mountain Lion than they were previously. You  can now get alerts on a myriad of things, incuding certs, disks, space, storage quotas, virus detection, network changes and software updates.

Configuring Alerts in Mountain Lion Server

The Server commands also moved and in fact the whole file and folder structure mostly fit nicely inside of the Server app. There are certain things that haven’t been dealt with in this regard such as NetBoot’s library, but for the most part Apple is getting Server to the point where it’s very self-contained. The ramification of which is that upgrades for future releases (and from Lion to Mountain Lion for that matter) are much simpler. Simply downloading a new version informs administrators that the app has been replaced and is good to go, service data in tact. In real world, this has been a little hit or miss but should prove to make our lives much easier in the future.

Reducing scope, aligning with better development practices and all the work to merge all of the remaining services into Server app are huge undertakings. I would fully expect no further support or updates to Workgroup Manager, no more testing of managed preferences in deference to profiles and a few other culture shifts that still need to shake themselves out. Most of us are going to seem underwhelmed (if that’s a word, no it’s not ’cause I looked it up -> awesome video below –> ’cause affection has 2 fs, especially when you’re dealin’ with me). But here’s the thing, with an incremental update, you’re not going to get massive changes. Instead we will get slow and steady updates hopefully continuing to build faster towards a better end goal. What’s important is that the foundation is actually better now, given changes to other parts of OS X and so Server is likely now better positioned than ever for great new features in subsequent releases.

Oh, and did I forget to mention that Xgrid is gone. I guess no one really noticed anyway…

Tags , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , | Permalink | Comments (6)
public speaking

MacTech InDepth In New York

April 5, 2012 – 8:22 pm

I have been added as a speaker at MacTech InDepth in New York. If you haven’t signed up yet, and you work with Mac OS X Server then you should really check out the sessions that have been planned:

  • The Elephant in the Room: The New Lion OS X is out, now what? There are a lot of differences to contend with between Lion and Snow Leopard. Now with the new Mountain Lion update, what changes can we expect to see? We discuss the differences in advanced services, GUI simplicity, and Apache management GUI’s. We help you understand the updates in the new OS and make the transition easier. We go over the new updates of Lion over the Snow Leopard server.
  • Setting solid foundations: To truly grasp the power of Lion, you need to set up solid foundations. We go over minimum requirements for internet DNS, and tackle router tricks. We discuss open directory and what it was used for.
  • Mobile Device Management 101: Apple’s IPCU/Apple Configurator: Mobile Device Management is vital to businesses, large or small. We have an extensive overview of profile manager and how you can use mobile device management on OS X. For those still using Snow Leopard, we go over your options and discuss the possibility of using third parties as a solution.
  • DNS, Ahh, run away, run away: In this session, we tackle DNS and break it down and show how simple it is to work with. We go over how DNS works and cover different components such as internet DNS and internal DNS.
  • Administering a Server with just Server.app: We show you how to use server.app and control administrative programs. For the services, we go over Address Book, iCal, iChat, and Mail.
  • Web Administration of OS X Server : Web Admin on Lion Server versus Snow Leopard is covered, dealing with the differences and how to use each system effectively. On Lion server, we cover using FTP without a GUI.
  • Going old school, using the old tools: After getting used to Snow Leopard we go over the major differences between Snow and Lion and how you can handle the transition. We go over server admin and what is still left in the program and why it has been left.
  • Deployment Part I: Tools & Concepts: In tools and concepts we learn that there aren’t stark differences between Lion server and Snow Leopard. NetBoot, NetRestore and third party tools are covered; we talk about how NetBoot works and what the differences between NetBoot and NetRestore are. Along with this we cover Network configuration requirements and using software update server.
  • Deployment Part II: DeployStudio: DeployStudio is covered in-depth; we cover creation techniques and management techniques.

Overall, this represents a nice, fast way to update your skills to allow for managing Lion Server and to get up to speed with those new to the platform. One thing I like about the session list is that it goes beyond the stock server implementation and looks at DeployStudio, MDM and other important topics not purely server oriented. I hope to see you all there!

These vagabond shoes, are longing to stray
Right through the very heart of it – New York, New York

Tags , , , , , , , , , , , , , , , , , , , , , , , | Permalink | Comments Off
iPhone

5 Free Network Troubleshooting Tools for iPhone and iPod Touch (and iPad of course)

February 13, 2012 – 3:01 pm

There are a number of ways to troubleshoot network connections on (or using) an iOS device. These can be common troubleshooting steps that you might run from the command line or a third party app on a desktop computer or they could be specific to testing the network environment for an iOS device. Some of these apps are even free.

Ping Lite
One of the most common tasks that most administrators routinely do to test both DNS resolution and connectivity is pinging something. Ping Lite comes with a function to show your IP, a ping tool, a tool to ping the subnet, the ability to run trace routes and for good measure a little telnet love as well. Not bad for the fat price of nothing. Developed by MochaSoft, Ping Lite is a must for anyone who does any kind of network troubleshooting, unless you’re paying good money for a more robust tool!

NSLookup
Ping Lite is a great tool for isolating whether you’re having connectivity problems to an IP address. However, if Exchange’s auto discover isn’t working or some other

Bonjour Browser
One of my favorite tools for finding things on the network, Bonjour is a multicast tool and what many of the features meant to be used in a home where zero configuration networking is important

Speed Test
I think that one of the more common tasks in troubleshooting network connections is to determine whether Internet speed is satisfactory. Satisfactory is a relative term. Both relative to the expected performance and relative to the perception of users. For example, the bandwidth that a user is getting on a device may exceed the expected performance based on the speed provided by the DSL, cable modem or other WAN connection provided. However, that speed may be less than what the user’s would like (one can never have enough bandwidth!).

ezShare
ezShare is a nice little tool that lets administrators log into shares of various types. The cool thing about this little tool is that you can connect via SSH, FTP, WebDAV, S3, Google Docs, Box.net, SMB/CIFS, or NFS. This allows you to test WebDAV from a different tool if you’re having a problem opening WebDAV connections from within Pages, test the speed of downloading a document from a FTP site, check Google Docs or Box.net connectivity and even see if that file server is available when users call in with problems connecting to SMB/CIFS shares on Windows servers.

Bonus App:
AirPort Utility
If you have an Apple AirPort acting as a WAP or the gateway to your office/home then this little app is awesome. Apple has eased the setup process for their Wireless Access Points to the point that you can set the entire thing up, change settings and even troubleshoot the odd connectivity issue without ever touching a desktop computer. AirPort Utility is also a great way to test whether you can connect to shares hosted by devices and update passwords on the fly.

Tags , , , , , , , , , , , , , , , | Permalink | Comments Off
Mac OS X Mass Deployment Microsoft Exchange Server Windows Server

How Exchange’s Autodiscover Works With Mail.app

January 6, 2012 – 8:00 am

Autodiscover automatically configures profile settings for Exchange clients. These clients include Microsoft Outlook 2007 or Outlook 2010, Outlook for Mac, Mail.app in Mac OS X, iPhone, iPad and ActiveSync enabled phones. Autodiscover is often made out to be complicated. There’s an Autodiscover service that gets installed when a Client Access Server (CAS) role is setup for Exchange 2010 in the form of a default virtual directory named Autodiscover for the default Web site in Internet Information Services (IIS). You then forward an autodiscover service locater record in DNS in the form of _autodiscover._tcp.

The virtual directory handles Autodiscover requests. But what about other vendors, and even for Exchange, how do you verify that it’s working correctly? If clients automatically configure then it’s working, obviously. But when it isn’t, what do you need to do? The most obvious step is to check that the DNS record responds appropriately. To do so, we can use nslookup. To use nslookup, run it from the command line, followed by the DNS name. For me.com, this might be:

nslookup _autodiscover._tcp.me.com

But note that there’s not a response. This is because me.com doesn’t use _autodiscover (why would it, it’s not EWS/ActiveSync after all. But other domains that are configured for autodiscover would respond. For example, look at the output for 318.com:

nslookup _autodiscover._tcp.318.com

Which looks like this:

Non-authoritative answer:
Name: _autodiscover._tcp.318.com
Address: 66.209.67.173

Provided that the answer section is the address of the CAS Exchange server that sits in front of your organization (the one that runs the Autodiscover virtual directory in IIS) then you are more than likely off to a great start using autodiscover. If not, then that’s the first thing that likely needs to get fixed if you actually want clients to use autodiscvoer. Also keep in mind that you’ll want to check internally and externally, as you will likely have different domain names setup for these. I often find that people will configure the _autodiscover records in their public DNS but not in their private views. Also keep this in mind when acquiring SSL certificates for Exchange’s CAS instance.

Note: Autodiscover, as its implemented in Office Exchange clients, also has the ability to change configurations in Office on the fly as network settings change on internal networks (e.g. users get moved to different information stores, IPs of servers change, etc). This does not seem to work with Apple’s Mail. One could write a script to check for a change in the records nightly (or more frequently of course) if this is needed.

Sometimes the mail clients can interpret things differently than we do manually from the command line, including autodiscover. When the Apple Mail client is attempting to connect to Exchange, you can also get more information about the EWS autodiscovery process by capturing logs about it, not done by default, but invoked by firing up mail using the –LogEWSAutodiscoveryActivity option followed by a YES, as follows:

/Applications/Mail.app/Contents/MacOS/Mail 
--LogEWSAutodiscoveryActivity YES

By reading these logs, you can learn way more than you ever wanted to know (or thought was possible) about Autodiscover. Given that Autodiscover is similar in iOS, most of this rings true in the Mail app there as well. However, given that you can’t view the activity in as granular a detail by invoking Mail through the command line, you can watch it in the logs in iPhone Configuration Utility while you’re setting up Mail, Contacts & Calendars in the Settings app, which should provide information about any connection failures.

While Autodiscover is awesome, you should still be able to connect without it. The only time I really both to troubleshoot Autodiscover itself is when I can install an account but I cannot get Autodiscover to eliminate the need for the second setup screen in Mail on iOS and OS X (possibly with the exception of Lion). If you can setup mail, but it requires two screens then the problem is basically always Autodiscover. If you can’t setup mail at all then the problem is basically never Autodiscover. Good luck, and hope someone finds this useful!

Tags , , , , , , , , , , , , , | Permalink | Comments (8)
Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure Unix Windows Server

“Don’t Go Near There”: Sponsored Top Level Domain Names

October 25, 2011 – 7:00 am

Any time I think of something you’re not supposed to do with network architecture, I always think of Good Morning Vietnam. When Robin Williams says: “Don’t go near there!” But Betty! “Don’t go near there…get away from the river! Stay away from there!”

One of the things you’re not supposed to do on networks is have conflicting DNS information. One example is to use a www record on one DNS server and a different one on another DNS server. This introduces a potential problem when some users end up with one DNS server and others end up with another. IP, DNS and other conflicts are usually a bad thing.

Another example is to use sponsored Top Level Domains for internal purposes as they’re used for specific purposes. We often use various TLD (Top Level Domains), which are often referred to as domain extensions, when building out internal DNS for various purposes. For example, when building DNS for an internal Xsan network, we might use organizationname.xsan (where organizationname is replaced by the company or school’s name. In the Apple world, we’re taught not to use .local extensions, even though it is OK for users of most every other platform. Zeroconf is growing in popularity though, and so using .local extensions is basically not a great idea these days.

But other than that, we just use domains, other than those that are country coded (e.g. .zw for Zimbabwe, .au for Australia, .dk for Denmark and .tv for Tuvala), general (gTLDs include .com, .info, .net and .org) and .arpa (as any good DNS server admin will quickly note).

These include the following:

  • .aero – Used by aerospace and air transit organizations (obviously major airlines have .coms)
  • .asia – Used by Asia-Pacific organizations
  • .cat – For Catalan
  • .coop – For co-ops (cooperatives) – must have long hair and a beard to participate (yay, I’m in this week but maybe not next week if it gets itchy)
  • .edu – Reserved for schools
  • .gov – Reserved for member organizations of the US Government
  • .int – Reserved for International treaties, such as NATO (and randomly the YMCA)
  • .jobs – For posting jobs and cavorting with other HR managers
  • .mil – Reserved for the US military (e.g. Army, Navy, Air Force and Dick Cheney)
  • .mobi – Mobile providers
  • .museum – Um, museums I think
  • .tel – Contact information on businesses (short for telephone number, but can use lots of different contact info)
  • .travel – Travel agents and other people involved in travel (who aren’t already part of one of the previous TLDs)
  • .xxx – Guessing I don’t need to explain what this one is for

Be careful when picking a TLD to use in a network environment. Reserved TLDs of various types are tracked and used through IANA. You can look up those that are currently reserved by IANA at http://www.iana.org/domains/root/db. And of course, you can try and register your own. But they’re a little strict about that. It’s not like they let just anyone (cough, ICM Registry, cough) get one of their own…

In addition to Sponsored TLDs, there are also four that were reserved in RFC 2606 and should not be used. These include example, invalid, localhost and test. Example is also a reserved second level domain name, per RFC 2606 as well. Some other TLDs have also been retired, but would likely be poor practice to put into circulation when attempting to avoid conflicts. These include .nato, .cs, .ba, .dd, .yu, and .zr.I wouldn’t use proposed TLDs that ICANN is actually considering either, which include free, music, shop, berlin and nyc (just in case – never hurts to future proof). Most single letter second level domain names are reserved. Two letter domain names aren’t reserved but are all taken. The regulations regarding second level domain names are usually up to the entity that sponsored the domain in the first place.

If you use internal DNS, even if the environment doesn’t route, make sure there are no conflicts. Unless of course, those conflicts are planned for (for example, re-routing sites that you don’t want users to visit in DNS, which there are arguably better ways to do, but whatever). Finally, you shouldn’t use single-label domain names. These are domains with no TLD (or where the TLD is the domain name). For example, a domain name of CONTOSO is not a good domain name and is illegal in most uses (despite what your LanManager and NT 4.0 books tell you). These were popular back in the days of Windows NT, but were pretty exclusively used in naming Windows Domains in the days before Active Directory brought sanity such nonsense.

Tags , , , , , , , , , , , , , , , , , , , , , | Permalink | Comment (1)
Mac OS X Server

Big Changes in Lion Server

July 20, 2011 – 6:00 am

OK, by now I’m sure everyone has heard that OS X Server is a download off the App Store. For a whoppin’ $50 you get the OS that was once called “Open Source Made Easy” until someone at Apple realized that GPLv3 might mean that Open Source doesn’t always mean “free as in beer”. Wait, did I say that out loud? Point is, there are bigger changes here than just moving the server to the App Store.

There are also some pretty big changes to the GUI of OS X Server. The first and most obvious is the LoginWindow, which is different in OS X in general. It obviously looks different. The ability to click on the items above the username and password is gone. You can still see indicators of green and orange in the username field to indicate directory service availability though, which was one of the bigger things we’ve used that for over the past few years.

Once downloaded, the Server app will be in the /Applications directory, in Launchpad and useable. But the Server Admin tools are a separate (free) download from the Apple downloads page. This is a nice nickel and dime way of keeping the Server app small. Once installed, note that if you open About this Mac, the OS does reflect that you are running Mac OS X Server Lion (not OS X Server Lion btw for all you marketing nerds), so it is actually a registered different version of the operating system.

Now open up Workgroup Manager. The Inspector option in Workgroup Manager is gone. Actually, this is kinda’ true. The option is greyed out in the Workgroup Manager prefs (com.apple.WorkgroupManager.plist) but easily enabled using defaults to add the -dict for “Application Preferences” with a key of ”Show \\”All Records\\” Tab” set to a value of 1. But more importantly, there’s now a tool called the Directory Editor that is part of Directory Utility (still located at /System/Library/CoreServices). It looks a lot like the Inspector, but it’s a bit more appropriate for local stuff.

Now open up Server Admin. Most of the services are gone. We’re left with nat (does anyone really still use OS X Server as a border device?!?!) and a few other services that were either too boring to get moved to the Server app or too unwanted. Expect these to disappear one by one if there are future releases of OS X Server. In fact, if OS X Server is $50 I’d say building a better DHCP (that maybe has a GUI for DHCP options and other cool stuff) or a better DNS is a worthy of a $10 or $20 app on the app store. After all, given the Mini platform it seems a decent platform as a network appliance in that fashion… But back to it.

Now go into Server. Wow. Super easy. The only challenging thing in here is Profile Manager. And the only challenging thing about it is that it a) most people aren’t going to let it build Open Directory for them (but should) and b) some people are going to get stumped when asked for a username and password for a developer account. Get yourself an Apple ID with a developer cert and Profile Manager will be really easy to use, especially if you’re used to working with Workgroup Manager to build Managed Preference manifests. Once in, if you will even note that you can assign specific defaults domains and push keys to clients. Of course, the big thing here is the wipe. The most important thing to note about that is that the clients need to run FileVault and there’s not a great mass deploy strategy for that yet (IMHO).

While I said Profile Manager could be challenging, there are some really cool things waiting for people to start hacking away at. The fist is scripting profile creation and management. Profiles are stored in /var/db/ConfigurationProfiles/Store. Much to the chagrin of 3rd party MDM developers, this solution works great for OS X and iOS. Much to the delight of MDM developers, the whole App Store look and feel that someone like JAMF has is still something that really sets them apart and the ability to have Casper assist you with managing those VPP keys is what will be the crazy huge value add that it will continue to bring to the table. Having said that, a lot of smaller organizations can now use Profile Manager where they might have just used iPhone Config Utility before.

Profiles can be pushed out in a number of ways. The user can download it out of the goodness of their heart. In iOS you’re kinda’ stuck with that deployment methodology. But not in OS X. Help comes in the form of the profiles command, located in /usr/sbin. Profiles is explained further in this other post of mine here.

The serveradmin app (serveradmin list shows a few less results than it used to), slap* commands and other tools server admins are used to are all still there. There’s a better webmail (much, much better), Wiki’s are a little different (not much), NFS (kinda’) and FTP are gone, Podcast Producer keeps getting easier, the twisted stuff (iCal and Address Book Server) is the same as it was in Snow Leopard and Server app gets more functional whereas Server Admin gets less functional. Server got a little easier. Or at least on the outside. But presumably it can, given that it’s likely to be asked to do less than it once was moving forward.

But as with previous versions of OS X Server, there are a lot of settings under the hood that aren’t exposed in any app. Let’s look at the devicemgr service, which is Profile Manager in the GUI:

sudo serveradmin settings devicemgr

One thing I do find interesting is the inclusion of postgres in serveradmin but not in Server app or Server Admin. MySQL is gone, but postgres is there.

You’ll also see settings like mdm_acl and user_timeout that can be pretty helpful (which is why they’re in there in the first place) but aren’t in the GUI. I’m all for keeping GUI’s clean, not giving admins the ability to easily enable something they shouldn’t and keeping away from having screens and screens of rolling settings. So for the most part I’m OK with this. My point with this paragraph (and every paragraph should have a point even though I forget that sometimes) is that if there’s a setting you need that you think got taken out or if there’s a setting that would be cool to have, check serveradmin settings and see if it’s there before just taking the Server app’s word for it…

Tags , , , , , , , , , , , , , | Permalink | Comments (2)
Mac OS X Server

When Zones Just Won’t Die

July 12, 2011 – 5:00 am

At times, you may find that information gets stuck in Server Admin and can’t be removed. For example, you see a Zone in Server Admin, and it doesn’t have a Name Server record attached to it. You can’t delete it but every time you add a Name Server it just disappears. This is often caused when you remove or change something and it gets dumped from the zone files in /var/named but not from the BIND view. Running serveradmin will show the data but as it’s serialized it can’t be removed:

serveradmin settings dns

Without a Name Server record, the zone is unresponsive to queries. Removing the zone can delete the zone file from /var/named/zones but doesn’t delete it from Server Admin. To go ahead and get rid of the bad records, open the /etc/dns/publicView.conf.apple file with your favorite text editor. Here, each zone in OS X Server has a corresponding block, such as:

*+zone "1.168.192.in-addr.arpa." {+*
*+type master;+*
*+file "db.1.168.192.in-addr.arpa.";+*
*+allow-transfer {none;};+*
*+allow-update {none;};+*
};

Locate the offending block for the jacked up and remove or comment it out. Don’t delet this block though:

+zone "." {+
+type hint;+
+file "named.ca";+
};

+zone "localhost" IN {+
+type master;+
+file "localhost.zone";+
+allow-update { none; };+
};

+zone "0.0.127.in-addr.arpa" IN {+
+type master;+
+file "named.local";+
+allow-update { none; };+
};

That block should stay in place. The Server Admin generated blocks should be towards the top and the above block that shouldn’t be removed should be at the bottom.

Tags , , , , , , , , , , , | Permalink | Comments Off
Mac OS X Server

Adding Recursion in named.conf

September 29, 2009 – 9:00 am
In DNS, recursion references the process where a name server will make DNS queries to other name servers on behalf of client systems. Most name servers are simply DNS clients that cache information for a specified amount of time. Recursion is disabled by default on most name servers. In Mac OS X recursion is enabled for subnets local to the server only.
In environments where you wish to provide recursive queries you can enable recursion by opening Server Admin, clicking on the disclosure triangle for the server you will be configuring and then clicking on the DNS service. From here, click on the Settings icon in the Server Admin toolbar and then in the section for Accept recursive queries from the following networks you would click on the plus sign (+). In this field provide the IP address or netmask that you would like to enable recursion for. For example, if you’re enabling recursion for all computers on the 192.168.0.0 subnet and the subnet mask for those clients is 255.255.255.0 then you would enter:
192.168.0.0/24
This will allow recursion for those clients by updating the /etc/dns/options.conf.apple file. Alternatively you can edit the setting by hand yourself, but don’t do so using the /etc/dns/options.conf.apple file or you could introduce instability into the DNS service and Server Admin could overwrite your settings. Rather, edit the /etc/named.conf file. In named.conf add the following line in the options section:
allow-recursion {192.168.0.0/24;};
Overall, this is a fairly straight forward technical note, but there is an underlying theme that Apple is doing a really good job of leveraging an include methodology with regards to configuration files. Inside the /etc/named.conf, also in the options section, you’ll notice that there is a line that begins with include and specifies the path of the Server managed file, which uses the word apple at the end of it. This is mirrored in zone files as well. While not all open source services use this method for allowing different configurations in the GUI and the command line, I hope they all will at some point.
Tags , , , , , , | Permalink | Comments Off

Next Page »

Next Page »