Tiny Deathstars of Foulness

OS X and iOS developers need a continuous integration system. This automates the build, analysis, and testing solution for software development using Xcode. OS X Server has an Xcode service, capable of integrating your developer account with git, providing many of the options required to build a continuous integration system.

Before you configure the Xcode service that can take committed code and then test and build your software, you’ll need an Apple developer account. The Xcode service then links git to a developer account and runs automations, referred to as bots, in Xcode. Therefore, you’ll also need to have Xcode installed on the computer running the Xcode service. Bots are then managed and reported on using a web app that the Server app runs.

Once the pre-requisites are met, open the Server app and click on the Xcode service.

Screen Shot 2015-09-24 at 10.11.10 PM

Click on the Choose Xcode button.

Screen Shot 2015-09-24 at 10.11.30 PM

When prompted, browse to the version of Xcode you have installed on the server.

Screen Shot 2015-09-24 at 10.11.37 PM

If you haven’t accepted the Xcode licensing agreement, when prompted, click on Agree to do so.

Screen Shot 2015-09-24 at 10.11.46 PM

Xcode will require access to the Accessibility framework to run unit tests. Click on Request Access to provide the rights to Xcode to do so.

Screen Shot 2015-09-24 at 10.19.13 PM

Once access has been granted to Xcode, you’ll see the version indicated in the Build Using field.

Screen Shot 2015-09-24 at 10.19.23 PM

Next, click on Add Team, in order to identify the correct team from your Apple Developer account that will have access to the Xcode service.

Screen Shot 2015-09-24 at 10.19.32 PM

When prompted, select the team from your Apple Developer account that you wish to provide access to the server.

Screen Shot 2015-09-24 at 10.20.27 PM

Click on the Repositories tab. Here, you will define repositories for your Xcode projects. Click on the Repository Access button to define what protocols git should be accessible via.

Screen Shot 2015-09-24 at 10.20.30 PM

At the Repository Access screen, select HTTPS or SSH. Click OK.

Screen Shot 2015-09-24 at 10.20.41 PM

Click the Edit Repository Creators button. At the Repository Access screen, add any groups of users that should have access to create new git repositories. Once all of the appropriate users or groups have been added, click on OK.

Finally, click on the plus sign to add your first repository.

Screen Shot 2015-09-24 at 10.20.55 PM

At the new repository screen, provide a name for the repository. Then, use the Edit button to choose the level of access that logged in users have. Back at the repository screen, click on the HTTPS Access button to provide access via HTTPS. Once saved, double-click on the repository again to see the uri for each type of access. And that’s it.

Screen Shot 2015-09-25 at 7.02.47 PM

Next, you’ll want to add a repository to the Xcode app. To do so, open Xcode and then use the Source Control menu to select Check Out. From there, you’ll get a Check Out screen.

Screen Shot 2015-09-25 at 7.04.42 PM

At the Check Out screen, enter the uniform the repository screen, shown in the previous step of this article and click on the Next button. Next, you’ll need to create bots to automate your build process.


October 7th, 2015

Posted In: Mac OS X Server

Tags: , , , , , ,

Leave a Comment

By default, screenshots are pretty big on a retina display on an El Capitan machine. Like about 4 times the size they should be. I haven’t found a defaults key I can use yet to reduce them, so I’ve been using this little screenshotting app called RetinaCapture, available at

Basically, when you’re running it, you just open it up and click on the Window button. There, you can select a window to screenshot.

Screen Shot 2015-09-24 at 8.37.33 AM

Once you’ve selected the window, you’ll be prompted to save it somewhere with a name.

Screen Shot 2015-09-24 at 8.38.00 AM


I don’t love having to use any 3rd party apps for my screenshotting workflow. Screens get resized for books and so I’m really only using this for my site. But, hopefully it helps someone else along the way. Happy screenshotting!

October 6th, 2015

Posted In: Mac OS X

Tags: , , , , , ,


In case your Mac just isn’t emo enough for ya’, Apple’s provided us a cool little new feature in Yosemite called dark mode. No, this won’t cause Hellboy to leap forth from your MacBook Air. Well, maybe he’ll visit your MacBook Pro, but I haven’t tested that so please don’t quote me on that. Instead, you’ll get the nice new dark menu bar:

Screen Shot 2015-09-10 at 10.41.10 PM

But that’s not all folks! Your dock will also get all dark and gothy!

Screen Shot 2015-09-10 at 10.41.29 PM

To turn it on, just open the General System Preference pane and check the box for “Use dark menu bar and Dock”.

Screen Shot 2015-09-10 at 10.42.23 PM

Enjoy! Oh, and if that’s not emo enough for you feel free to watch this sad emo love song video (yes, I googled for “sad emo” to find it; no, it’s not bookmarked; yes, I bought eyeliner after watching it; yes, then my high school self time travelled to present day and kicked the crap out of me; yes, I thanked him).

October 5th, 2015

Posted In: Mac OS X

Tags: , , , , , ,

Leave a Comment

The Server 5 app that installs on Yosemite and El Capitan is great. But when you go making changes to some things, you’re just going to cause problems, sometimes something as simple as just upgrading to the latest and greatest version of Server… I know, you’ve been told that host name changes and IP changes are all kinds of OK at this point; “look, Charles, there’s a button!” Well, go ahead, click it. Don’t mind me, you might just be alright. But then again, you might not if you’re running Open Directory, Profile Manager, or a few other services… When it works it’s a thing of beauty. But when it doesn’t, you might be restoring some stuff from backup. But just before you do that restore, let’s try one more thing. Let’s try and rebuild some certificates and configuration settings that shouldn’t impact actual service operation. Let’s try to reset the Server app and let a fresh install of the Server see if it can fix issues.

Now, I want to be clear, this is the last resort before restoration. I’ve had a lot of luck with services remaining functional and preserving settings when I do this, but don’t expect that. Basically, we’re going to do what we looked at doing back in ’09 with AppleSetupDone but one designed just for servers, so the file is in the same place (/var/db) and called .ServerSetupDone. To remove it, close Server app and run the following command:

sudo rm /var/db/.ServerSetupDone

Once removed, open the Server app again and then let the Server app run as though it’s new. Cruft, begone!

September 29th, 2015

Posted In: Mac OS X Server

Tags: , , , , ,

Leave a Comment

OS X Server 5, running on El Capitan or Yosemite, comes with a few new alerting options previously unavailable in versions of OS X. The alerts are sent to administrators via servermgrd and configured in the 5th version of the Server app. To configure alerts on the server, open the Server app and then click on Alerts in the Server app sidebar. Next, click on the Delivery tab.

Screen Shot 2015-09-08 at 12.32.32 AM

At the Delivery screen, click on the Edit button for Email Addresses and enter every email address that should receive alerts sent from the server. Then click on the Edit button for Push Notifications. Here, check the box for each administrator of the server. The email address on file for the user then receives push notifications of events from the server.

Screen Shot 2015-09-08 at 12.33.13 AM

Click on OK when you’ve configured all of the appropriate administrators for alerting. Click on the Edit… button for Push and if Push notifications are not already enabled you will run through the Push Notification configuration wizard.

Screen Shot 2015-09-08 at 12.34.08 AM

Then, check the boxes for Email and Push for each of the alerts you want to receive (you don’t have to check both for each entry). Alerts have changed in OS X Server, they are no longer based on the SMART status of drives or capacity; instead Delivery is now based on service settings.

Finally, as with previous versions of OS X Server, EL Capitan Server has snmp built in. The configuration file for which is located in the /private/etc/snmp/snmpd.conf and the built-in LaunchDaemon is, where the actual binary being called is /usr/sbin/snmpd (and by default it’s called with a -f option). Once started, the default community name should be COMMUNITY (easily changed in the conf file) and to test, use the following command from a client (the client is in the following example):

snmpwalk -On -v 1 -c COMMUNITY

September 29th, 2015

Posted In: Mac OS X Server

Tags: , , , , , ,

Leave a Comment

OS X has an application called Contacts. OS X Server 5, running on Yosemite or El Capitan, has a service called Contacts. While the names might imply very different things that they do, you’ll be super-surprised that the two are designed to work with one another. The Contacts service is based on CardDAV, a protocol for storing contact information on the web, retrievable and digestible by client computers. However, there is a layer of Postgres-based obfuscation between the Contacts service and CardDAV. The Contacts service is also a conduit with which to read information from LDAP and display that information in the Contacts client, which is in a way similar to how the Global Address List (GAL) works in Microsoft Exchange.

I know I’ve said this about other services in OS X Server, but the Contacts service couldn’t be easier to configure. First, you should be running Open Directory and you should also have configured Apple Push Notifications. To setup Push Notifications, have an Apple ID handy and click on the Contacts entry in the SERVICES section of Server app.

Screen Shot 2015-09-10 at 8.13.53 AM

Click the Edit Notifications button to configure the Apple Push Notification settings for the computer. When prompted, click on Enable Push Notifications.

Screen Shot 2015-09-10 at 8.15.49 AM

If prompted, provide the username and password for the Apple ID and then click on Finish.
To enable the Contacts service, open the Server app and then click on Contacts in the SERVICES section of the List Pane. From here, use the “Include directory contacts in search” checkbox to publish LDAP contacts through the service, or leave this option unchecked and click on the ON button to enable the service.

Screen Shot 2015-09-10 at 8.19.12 AM

The Contacts service then starts and once complete, a green light appears beside the Contacts entry in the List Pane. To configure a client open the Contacts application on a client computer and use the Preferences entry in the Contacts menu to bring up the Preferences screen. From here, click the Accounts menu and then click on Add Accounts.

Screen Shot 2015-09-10 at 8.19.36 AM

At the Add Account screen, scroll down and click Add Other Account… to bring up an expanded menu of account types.

Screen Shot 2015-09-10 at 8.20.32 AM

Click Add a CardDAV account.

Screen Shot 2015-09-10 at 8.21.10 AM

At the “Add a CardDAV Account” screen, enter the email address and password of the user. Auto discovery doesn’t always work, so you might end up using the manual button to add the account using the server’s address. Alternatively, if you’ve mapped CardDAV to custom ports, you may use the advanced option to have paths and ports available.

Screen Shot 2015-09-10 at 8.24.03 AM

When the account is finished creating, you can click on the account again to see the settings used. Otherwise, close the Preferences/Accounts screen and then view the list of Contacts. Click on View and then Show Groups. This will show you the name of the servers that you’re connected to in the sidebar. There won’t be any contacts yet, so click on the plus sign to verify you have write access to the server.

Screen Shot 2015-09-10 at 8.27.44 AM
Next, let’s get access to the LDAP-based contacts. To do so, bring up the Add Account screen again and this time select LDAP Account from the Account Type field.

Screen Shot 2015-09-10 at 8.29.02 AM

Provide the name or IP address of the server and then the port that LDAP contacts are available over (the defaults, 389 and 636 with SSL are more than likely the settings that you’ll use. Then click on the Continue button.

At the Account Settings screen, provide the name that will appear in the Contacts app for the account in the Description field and then enter the search base in the Search base field. To determine the search base, use the serveradmin command. The following command will output the search base:

sudo /Applications/ settings dirserv:LDAPSettings:LDAPSearchBase

Then set Authentication to simple and provide the username and password to access the server for the account you are configuring. The list then appears.

The default port for the Contacts service is 8443, as seen earlier in the configuration of the client. To customize the port, use the serveradmin command to set addressbook settings for BindSSLPorts to edit the initial array entry, as follows:

sudo /Applications/ settings addressbook:SSLPort = 8443

The default location for the files used by the Contacts service is in the /Library/Server/Calendar and Contacts directory. To change that to a folder called /Volumes/Pegasys/CardDAV, use the following command:

sudo /Applications/ settings addressbook:ServerRoot = "/Volumes/Pegasys/CardDAV"

When changing the ServerRoot, you’ll likely need to change the DataRoot, which is usually the Data directory immediately underneath the ServerRoot. To do so, run serveradmin and put the DataRoot entry under the addressbook settings:

sudo /Applications/ settings addressbook:DataRoot = "/Volumes/Pegasys/CardDAV/Data"

The service is then stopped with the serveradmin command:

sudo /Applications/ stop addressbook

And started with the serveradmin command:

sudo /Applications/ start addressbook

And whether the service is running, along with the paths to the logs can be obtained using the fullstatus command with serveradmin:

sudo /Applications/ fullstatus addressbook

The output of which should be as follows:

status addressbook
addressbook:state = “RUNNING”
addressbook:setStateVersion = 1
addressbook:readWriteSettingsVersion = 1

If you’re easily amused, run the serveradmin settings for calendar and compare them to the serveradmin settings for addressbook:

sudo /Applications/ settings calendar

By default, the Contacts server allows basic authentication. We’ll just turn that off real quick:

sudo /Applications/ settings addressbook:Authentication:Basic:Enabled = no

And then let’s see what it is in addressbook:

/Applications/ settings addressbook:Authentication:Basic:Enabled

September 28th, 2015

Posted In: Mac OS X Server

Tags: , , , , , , , ,

One Comment

OS X Server has long had a VPN service that can be run. The server is capable of running the two most commonly used VPN protocols: PPTP and L2TP. The L2TP protocol is always in use, but the server can run both concurrently. You should use L2TP when at all possible.
Sure, “All the great themes have been used up and turned into theme parks.” But security is a theme that it never hurts to keep in the forefront of your mind. If you were thinking of exposing the other services in OS X Server to the Internet without having users connect to a VPN service then you should think again, because the VPN service is simple to setup and even simpler to manage.

Setting Up The VPN Service In OS X Server

To setup the VPN service, open the Server app and click on VPN in the Server app sidebar. The VPN Settings  screen has two options available in the “Configure VPN for” field, which has two options:

  • L2TP: Enables only the L2TP protocol
  • L2TP and PPTP: Enables both the L2TP protocol and the PPTP protocol

Screen Shot 2015-09-22 at 10.23.05 PM

The VPN Host Name field is used by administrators leveraging profiles. The setting used becomes the address for the VPN service in the Everyone profile. L2TP requires a shared secret or an SSL certificate. In this example, we’ll configure a shared secret by providing a password in the Shared Secret field. Additionally, there are three fields, each with an Edit button that allows for configuration:

  • Client Addresses: The dynamic pool of addresses provided when clients connect to the VPNScreen Shot 2015-09-22 at 10.24.23 PM
  • DNS Settings: The name servers used once a VPN client has connected to the server. As well as the Search Domains configuration.Screen Shot 2015-09-22 at 10.25.11 PM
  • Routes: Select which interface (VPN or default interface of the client system) that a client connects to each IP address and subnet mask over. Screen Shot 2015-09-22 at 10.25.50 PM
  • Save Configuration Profile: Use this button to export configuration profiles to a file, which can then be distributed to client systems (OS X using the profiles command, iOS using Apple Configurator or both using Profile Manager).

Once configured, open incoming ports on the router/firewall. PPTP runs over port 1723. L2TP is a bit more complicated (with keys bigger than a baby’s arm), running over 1701, but also the IP-ESP protocol (IP Protocol 50). Both are configured automatically when using Apple AirPorts as gateway devices. Officially, the ports to forward are listed at

Using The Command Line

I know, I’ve described ways to manage these services from the command line before. But, “tonight we have number twelve of one hundred things to do with your body when you’re all alone.” The serveradmin command can be used to manage the service as well as the Server app. The serveradmin command can start the service, using the default settings, with no further configuration being required:

sudo serveradmin start vpn

And to stop the service:

sudo serveradmin stop vpn

And to list the available options:

sudo serveradmin settings vpn

The output of which shows all of the VPN settings available via serveradmin (which is many more than what you see in the Server app:

vpn:vpnHost = "elcapserver.krypted.lan" = "/var/log/ppp/vpnd.log" = 1 = 128 = _empty_array = _empty_array = "1" = "" = "2" = "" = yes = "PPTP" = "PPP" = 5 = 1 = "EAP-RSA" = "DSACL" = 1 = 0 = 1 = 1 = 60 = 1 = "MSCHAP2" = 0 = "DSAuth" = "/var/log/ppp/vpnd.log" = 1 = 7200 = "MPPE" = "Manual" = "" = "" = _empty_array = _empty_array = _empty_array = "" = 128 = 0 = "/var/log/ppp/vpnd.log" = 1 = _empty_array = _empty_array = "1" = "" = "2" = "" = yes = "L2TP" = "PPP" = 5 = 1 = "EAP-KRB" = "DSACL" = 1 = 0 = 1 = 60 = 1 = "MSCHAP2" = "DSAuth" = "/var/log/ppp/vpnd.log" = 7200 = "Keychain" = "" = "" = "SharedSecret" = "" = "None" = <> = "Manual" = "" = "" = _empty_array = _empty_array = _empty_array = "IPSec" = "yaright"

To disable L2TP, set to no:

sudo serveradmin settings = no

To configure how long a client can be idle prior to being disconnected:

sudo serveradmin settings = 10

By default, each protocol has a maximum of 128 sessions, configureable using

sudo serveradmin settings = 200

To see the state of the service, the pid, the time the service was configured, the path to the log files, the number of clients and other information, use the fullstatus option:

sudo serveradmin fullstatus vpn

Which returns output similar to the following:

vpn:servicePortsAreRestricted = "NO"
vpn:readWriteSettingsVersion = 1 = "MSCHAP2" = 0 = yes = "MPPEKeySize128" = "PPP" = "PPTP" = "DSAuth" = "MSCHAP2" = "PPP" = yes = 0 = "L2TP" = "DSAuth"
vpn:servicePortsRestrictionInfo = _empty_array
vpn:health = _empty_dictionary
vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"
vpn:configured = yes
vpn:state = "STOPPED"
vpn:setStateVersion = 1

Security folk will be stoked to see that the shared secret is shown in the clear using: = "a dirty thought in a nice clean mind"

Configuring Users For VPN Access

Each account that accesses the VPN server needs a valid account to do so. To configure existing users to use the service, click on Users in the Server app sidebar.

Screen Shot 2015-09-22 at 10.28.10 PM

At the list of users, click on a user and then click on the cog wheel icon, selecting Edit Access to Services.

Screen Shot 2015-09-22 at 10.28.30 PM

At the Service Access screen will be a list of services that could be hosted on the server; verify the checkbox for VPN is highlighted for the user. If not, click Manage Service Access, click Manage and then check the VPN box.

Screen Shot 2015-09-22 at 10.29.07 PM

Setting Up Client Computers

As you can see, configuring the VPN service in OS X Server 5 (running on El Capitan and Yosemite) is a simple and straight-forward process – much easier than eating your cereal with a fork and doing your homework in the dark.. Configuring clients is as simple as importing the profile generated by the service. However, you can also configure clients manually. To do so in OS X, open the Network System Preference pane. From here, click on the plus sign (“+”) to add a new network service.

Screen Shot 2015-09-22 at 10.30.27 PM

At the prompt, select VPN in the Interface field and then either PPTP or L2TP over IPSec in the VPN Type. Then provide a name for the connection in the Service Name field and click on Create.

Screen Shot 2015-09-22 at 10.31.01 PM

At the list of network interfaces in the Network System Preference pane, provide the hostname or address of the server in the Server Address field and the username that will be connecting to the VPN service in the Account Name field. If using L2TP, click on Authentication Settings.

Screen Shot 2015-09-22 at 10.31.35 PM

At the prompt, provide the password entered into the Shared Secret field earlier in this article in the Machine Authentication Shared Secret field and the user’s password in the User Authentication Password field. When you’re done, click OK and then provided you’re outside the network and routeable to the server, click on Connect to test the connection.


Setting Up the VPN service in OS X Server 5 (for Yosemite or El Capitan) is as simple as clicking the ON button. But much more information about using a VPN can be required. The natd binary is still built into OS X at /usr/sbin/natd and can be managed in a number of ways. But it’s likely that the days of using an OS X Server as a gateway device are over, if they ever started. Sure “feeling screwed up at a screwed up time in a screwed up place does not necessarily make you screwed up” but using an OS X Server for NAT when it isn’t even supported any more probably does. So rather than try to use the server as both, use a 3rd party firewall like most everyone else and then use the server as a VPN appliance. Hopefully it can do much more than just that to help justify the cost. And if you’re using an Apple AirPort as a router (hopefully in a very small environment) then the whole process of setting this thing up should be super-simple.

September 23rd, 2015

Posted In: Mac OS X Server, Mac Security

Tags: , , , , , , , , , , ,

Leave a Comment

Under the hood, OS X Server has a number of substantial changes; however, at first the Server app (Server 5) appears to have had very few changes. The changes in the Server app were far more substantial in the El Capitan version (and Yosemite for that matter) of OS X Server. All of the options from OS X are still there and using the new command line interface for managing the service, there are far more options than ever before.

The DNS service in OS X Server, as with previous versions, is based on bind 9 (BIND 9.9.7-P2 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, OS X, Linux and even Zoe-R.

The first time you open the DNS Service click on the DNS service in the ADVANCED section of the list of SERVICES.

Screen Shot 2015-09-08 at 10.15.41 PM

Then, click on the cog wheel icon below the list of records and click on Show All Records.

Screen Shot 2015-09-08 at 10.16.09 PM

At the Records screen, you’ll now see forward and reverse record information. Click the Edit… button for the Forwarding Servers field. Here, you’ll be able to enter a Forwarders, or DNS servers that resolve names that the server you’re using can’t resolve using its own DNS records.

Screen Shot 2015-09-08 at 10.17.27 PM

Click the plus sign to enter the IP address of any necessary Forwarders. Enter the IP address of any Forwarding servers, then click OK to save your changes.

Screen Shot 2015-09-08 at 10.18.27 PM

Once back at the main DNS service control screen, click the Edit… button for Perform lookups for to configure what computers the DNS server you are setting up can use the DNS service that the server is hosting.

Screen Shot 2015-09-08 at 10.27.31 PM

At the Perform Lookups screen, provide any additional subnets that should be used. If the server should be accessible by anyone anywhere, just set the “Perform lookups for” field at the DNS service screen to “all clients”.

All you have to do to start the DNS is click on the ON button (if it’s not already started, that is). There’s a chance that you won’t want all of the records that are by default entered into the service. But leave it for now, until we’ve covered what everything is. To list the various types of records:

  • Primary Zone: The DNS “Domain”. For example, would likely have a primary zone of
  • Machine Record: An A record for a computer, or a record that tells DNS to resolve whatever name is indicated in the “machine” record to an IP address, whether the IP address is reachable or not.
  • Name Server: NS record, indicates the authoritative DNS server for each zone. If you only have one DNS server then this should be the server itself.
  • Reverse Zone: Zone that maps each name that IP addresses within the zone answer with. Reverse Zones are comprised of Reverse Mappings and each octal change in an IP scheme that has records mapped represents a new Reverse Zone.
  • Reverse Mapping: PTR record, or a record that indicates the name that should respond for a given IP address. These are automatically created for the first IP address listed in a Machine Record.
  • Alias Record: A CNAME, or a name that points to another name.
  • Service Record: Records that can hold special types of data that describe where to look for services for a given zone. For example, iCal can leverage service records so that users can just type the username and password during the setup process.
  • Mail Exchanger Record (aka MX record): Mail Exchanger, points to the IP address of the mail server for a given domain (aka Primary or Secondary Zone).
  • Secondary Zone: A read only copy of a zone that is copied from the server where it’s a Primary Zone when created and routinely through what is known as a Zone Transfer.

Screen Shot 2015-09-08 at 10.26.44 PM

When you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. The settings for a zone can be seen below.

 Screen Shot 2015-09-08 at 10.28.19 PM

These include the name for the zone. As you can see, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably going to be to create a zone for the domain name instead of the host name. So for the above zone, the entry should be rather than (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the “Zone data is valid for” field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes). Once changes are made, the TTL can be set for a larger number in order to reduce the amount of traffic hitting the server (DNS traffic is really light, so probably not a huge deal in most environments using an El Capitan Server as their DNS server). Check the box for “Allow zone transfers” if there will be other servers that use this server to lookup records.

Additionally, if the zone is to be a secondary zone configured on another server, you can configure the frequency to perform zone transfers at this screen, how frequently to perform lookups when the primary name server isn’t responsive and when to stop bothering to try if the thing never actually ends up coming back online. Click on Done to commit any changes made, or to save a new record if you’re creating a new zone.

“Note: To make sure your zone name and TLD don’t conflict with data that already exists on the Internet, check here to make sure you’re not using a sponsored TLD.” —

Double-click on a Machine record next (or click plus to add one). Here, provide a hostname along with an IP address and indicate the Zone that the record lives in. The IP Addresses field seems to allow for multiple IPs, which is common in round robin DNS, or when one name points to multiple servers and lookups rotate amongst the servers. However, it’s worth mentioning that when I configure multiple IP addresses, the last one in the list is the only one that gets fed to clients. Therefore, for now at least, you might want to stick with one IP address per name.

Screen Shot 2015-09-08 at 10.29.37 PM

Note that the above screen has the domain in the zone field and the name of a record, such as www for the zone called, for example, krypted.lan. Click Done to commit the changes or create the new record.

Next, let’s create a MX record for the domain. To create the MX for the domain, click on the plus sign at the list of records.

Screen Shot 2015-09-08 at 10.31.46 PM

Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for krypton.lan, so mail.krypted.lan. If you have multiple MX records, increment the priority number for the lower priority servers.

As a full example, let’s create a zone and some records from scratch. Let’s setup this zone for an Xsan metadata network, called krypted.xsan. Then, let’s create our metadata controller record as starbuck.krypted.xsan to point to and our backup metadata controller record as apollo.krypted.xsan which points to First, click on the plus sign and select Add Primary Zone.

Screen Shot 2015-09-08 at 10.33.11 PM

At the zone screen, enter the name krypted.xsan, check the box for Allow zone transfers (there will be a second server) and click on the Done button. Click on the plus sign and then click on Add Machine record.

Screen Shot 2015-09-08 at 10.33.56 PM

At the New Machine Record screen, select krypted.xsan as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in Click on Done to commit the changes.

 Screen Shot 2015-09-08 at 10.34.35 PM

Repeat the process for Apollo, entering apollo as the Host Name and 10.0.03 as the IP address. Click Done to create the record.

Setting Up Secondary Servers

Now let’s setup a secondary server by leveraging a secondary zone running on a second computer. On the second El Capitan Server running on the second server, click on the plus sign for the DNS service and select Add Secondary Zone.

Screen Shot 2015-09-08 at 10.25.19 PM

At the Secondary Zone screen, enter krypted.xsan as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field. Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled).

Managing DNS From The Command Line

Now, all of this is pretty straight forward. Create a zone, create some records inside the zone and you’re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in OS X El Capitan Server is to do everything possible using the serveradmin command. To start the service, use the start option:

sudo serveradmin start dns

To stop the service, use the stop option:

sudo serveradmin stop dns

To get the status of the service, including how many zones are being hosted, the last time it was started, the status at the moment, the version of bind (9.8.1 right now) and the location of the log files, use the fullstatus option:

sudo serveradmin fullstatus dns

A number of other tasks can be performed using the settings option. For example, to enable Bonjour Client Browsing, an option previously available in Server Admin, use the following command:

sudo serveradmin settings dns:isBonjourClientBrowsingEnabled = yes

Subnets can be created programmatically through serveradmin as well. Let’s look at what our krypted.xsan subnet looks like, by default (replace your zone name w/ krypted.xsan to see your output):

sudo serveradmin settings

Now, let’s say we’d like to disable bonjour registration of just this zone, but leave it on for the others on the server:

sudo serveradmin settings = no

The entire block can be fed in for new zones, if you have a lot of them. Just remember to always make sure that the serial option for each zone is unique. Otherwise the zones will not work properly.

While serveradmin is one way to edit zone data, it isn’t the only way, you can also use the dnsconfig options described in In /private/var/named are a collection of each zone the server is configured for. Secondary zones are flat and don’t have a lot of data in them, but primary zones contain all the information in the Server app and the serveradmin outputs. To see the contents of our test zone we created, let’s view the /Library/Server/named/db.krypted.xsan file (each file name is db. followed by the name of the zone):

cat /var/named/db.krypted.xsan

Add another record into the bottom and stop/start DNS to immediately see the ramification of doing so. Overall, DNS is one of those services that seems terribly complicated at first. But once you get used to it, I actually find manually editing zone files far faster and easier than messing around with the Server app or previously Server Admin. However, I also find that occasionally, because the Server app can make changes in there that all my settings will vanish.

Troubleshooting is another place where the command line can be helpful. While logs can be found in the Server app, I prefer to watch log entries live as I perform lookups using the /Library/Logs/named.log file. To do so, run tail -f followed by the name of the file:

tail -f /Library/Logs/named.log

Also, see for information on forcing DNS propagation if you are having issues with zone transfers. Finally, you can manage all records within the DNS service using the new /Applications/ command line tool. I’ve written an article on managing DNS using this tool, available here.

September 21st, 2015

Posted In: Mac OS X Server, Xsan

Tags: , , , , , , , , ,

One Comment

Push Notifications can be used in most every service that OS X Server 5 (for El Capitan and Yosemite) can run. Any service that requiring Push Notifications will often provide the ability to setup APNS during the configuration of the service. But at this point, I usually just set up Push Notifications when I setup a new server.
Screen Shot 2015-09-08 at 10.05.44 PM
To enable Push Notifications for services, you’ll first need to have a valid AppleID. Once you have an AppleID, open the Server app and then click on the name of the server. Then click on the Settings screen and click on the checkbox for Notifications.

Screen Shot 2015-09-08 at 10.06.17 PM

At the Settings screen for your server, click on the check-box for Apple Push Notifications (APN). Next, click on another screen and then click back to get the Edit Apple ID… button to appear. Click on Edit Apple ID…

Screen Shot 2015-09-08 at 10.09.14 PM

At the Apple Push Notification Services certificate screen, enter an AppleID if you have not yet configured APNS and click on OK. The Apple Push Notification Service certificate will then be configured.

Screen Shot 2015-09-08 at 10.09.46 PM

The certificate is valid for one year, by default. Administrators receive an alert when the certificate is due to expire. To renew, open the same screen and click on the Renew button.

September 21st, 2015

Posted In: Mac OS X Server

Tags: , , ,

Leave a Comment

DHCP, or Dynamic Host Control Protocol, is the service used to hand out IP addresses and other network settings by network appliances and servers. The DHCP Server built into OS X Server 5, installed on El Capitan or Yosemite is easy-to-use and fast. It’s pretty transparent, just as DHCP services should be. To install the service, open the Server app and then click on the Show button beside Advanced in the server sidebar. Then click on DHCP.

Screen Shot 2015-09-08 at 10.41.07 PM

At the DHCP screen, you’ll see two tabs: Settings, used for managing the service and Clients, used to see leases in use by computers that obtain IP address information from the server. You’ll also see an ON and OFF switch, but we’re going to configure our scopes, or Networks as they appear in the Server app, before we enable the service. To configure a scope, double-click on the first entry in the Networks list.

Screen Shot 2015-09-08 at 10.42.41 PM

Each scope, or Network, will have the following options:

  • Name: A name for the scope, used only on the server to keep track of things.
  • Lease Duration: Select an hour, a day, a week or 30 days. This is how long a lease that is provided to a client is valid before the lease expires and the client must find a new lease, either from the server you’re configuring or a different host.
  • Network Interface: The network interface you’d like to share IPs over. Keep in mind that you can tag multiple VLANs on a NIC, assign each an interface in OS X and therefore provide different scopes for different VLANs with the same physical computer and NIC.
  • Starting IP Address: The first IP address used. For example, if you configure a scope to go from to you would have 50 useable IP addresses.
  • Ending IP Address: The last IP address used in a scope.
  • Subnet Mask: The subnet mask used for the client configuration. This setting determines the size of the network.
  • Router: The default gateway, or router for the network. Often a .1 address for the subnet used in the Starting and Ending IP address fields. Note that while in DHCP you don’t actually have to use a gateway, OS X Server does force you to do so or you cannot save changes to each scope.
  • DNS: Use the Edit button for DNS to bring up a screen that allows you to configure the DNS settings provided as part of each DHCP scope you create, taking note that by default you will be handing out a server of if you don’t configure this setting.

Screen Shot 2015-09-08 at 10.43.39 PM

The DNS settings in the DHCP scope are really just the IP addresses to use for the DNS servers and the search domain. The search domain is the domain name appended to all otherwise incomplete Fully Qualified Domain Names. For example, if we use internal.krypted.lan and we have a DNS record for wiki.internal.krypted.lan then we could just type wiki into Safari to bring up the wiki server. Click the minus sign button to remove any data in these fields and then click on the plus sign to enter new values.

Screen Shot 2015-09-08 at 10.45.05 PM

Click OK to save DNS settings and then OK to save each scope. Once you’ve build all required scopes, start the service. Once started, verify that a new client on the network gets an IP. Also, make sure that there are no overlapping scopes and that if you are moving a scope from one device to another (e.g. the server you’re setting up right now) that you renew all leases on client systems, most easily done using a quick reboot, or using “ipconfig /release” on a Windows computer. If you have problems with leases not renewing in OS X, check out this article I did awhile back.

So far, totally easy. Each time you make a change, the change updates a few different things. First, it updates the /etc/bootpd.plist property list, which looks something like this (note the correlation between these keys and the settings in the above screen shots.:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<string>192.168.210 Wi-Fi</string>

Settings from this file include:

  • dhcp_enabled – Used to enable dhcp for each network interface. Replace the <false/> immediately below with <array> <string>en0</string> </array>. For additional entries, duplice the string line and enter each from ifconfig that you’d like to use dhcp on.
  • bootp_enabled – This can be left as Disabled or set to an array of the adapters that should be enabled if you wish to use the bootp protocol in addition to dhcp. Note that the server can do both bootp and dhcp simultaneously.
  • allocate – Use the allocate key for each subnet in the Subnets array to enable each subnet once the service is enabled.
  • Subnets – Use this array to create additional scopes or subnets that you will be serving up DHCP for. To do so, copy the entry in the array and paste it immediately below the existing entry. The entry is a dictionary so copy all of the data between and including the <dict> and </dict> immediately after the <array> entry for the subnet itself.
  • lease_max and lease_min – Set these integers to the time for a client to retain its dhcp lease
  • name – If there are multiple subnet entries, this should be unique and reference a friendly name for the subnet itself.
  • net_address – The first octets of the subnet followed by a 0. For example, assuming a /24 and 172.16.25 as the first three octets the entry would be
  • net_mask – The subnet mask clients should have
  • net_range – The first entry should have the first IP in the range and the last should have the last IP in the range. For example, in the following example the addressing is to
  • dhcp_domain_name_server – There should be a string for each DNS server supplied by dhcp in this array
  • dhcp_domain_search – Each domain in the domain search field should be suppled in a string within this array, if one is needed. If not, feel free to delete the key and the array if this isn’t needed.
  • dhcp_router – This entry should contain the router or default gateway used for clients on the subnet, if there is one. If not, you can delete the key and following string entries.

If you run the serveradmin command, followed by the settings verb and then the dhcp service, you’ll see the other place that gets updated:

serveradmin settings dhcp

The output indicates that

dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_secondary_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:selected_port_name = "en0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_router = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_name_server:_array_index:0 = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_mask = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_NBDD_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_start = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:lease_max = 3600
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_search:_array_index:0 = "internal.krypted.lan"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:descriptive_name = "192.168.210 Wi-Fi"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_primary_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_end = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_ldap_url = _empty_array
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_node_type = "NOT_SET"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_address = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_enabled = yes
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_name = "internal.krypted.lan"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_scope_id = ""
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:0 = "BROADCAST_B_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:1 = "HYBRID_H_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:2 = "NOT_SET"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:3 = "PEER_P_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:4 = "MIXED_M_NODE"
dhcp:subnet_defaults:dhcp_domain_name = ""
dhcp:subnet_defaults:WINS_node_type = "NOT_SET"
dhcp:subnet_defaults:routers = _empty_dictionary
dhcp:subnet_defaults:logVerbosityList:_array_index:0 = "LOW"
dhcp:subnet_defaults:logVerbosityList:_array_index:1 = "MEDIUM"
dhcp:subnet_defaults:logVerbosityList:_array_index:2 = "HIGH"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:0 = ""
dhcp:subnet_defaults:selected_port_key = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:0 = "bridge0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:1 = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:2 = "p2p0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:3 = "en1"
dhcp:logging_level = "MEDIUM"

Notice the correlation between the uuid string in /etc/bootp.plist and the arrayid entry for each subnet/network/scope (too many terms referring to the same thing, ahhhh!). Using the serveradmin command you can configure a lot more than you can configure in the Server app gui. For example, on a dedicated DHCP server, you could increase logging level to HIGH (as root/with sudo of course):

serveradmin settings dhcp:logging_level = "MEDIUM"

You can also change settings within a scope. For example, if you realized that you were already using and 201 for statically assigned IPs elsewhere you can go ahead and ssh into the server and change the first IP in a scope to 202 using the following (assuming the uuid of the domain is the same as in the previous examples):

serveradmin settings dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_start = ""

You can also obtain some really helpful information using the fullstatus verb with serveradmin:

serveradmin fullstatus dhcp

This output includes the number of active leases, path to log file (tailing that file is helpful when troubleshooting issues), static mappings (configured using the command line if needed), etc.

dhcp:state = "RUNNING"
dhcp:backendVersion = "10.11"
dhcp:timeOfModification = "2015-10-04 04:24:17 +0000"
dhcp:numDHCPActiveClients = 0
dhcp:timeOfSnapShot = "2015-10-04 04:24:19 +0000"
dhcp:dhcpLeasesArray = _empty_array
dhcp:logPaths:systemLog = "/var/log/system.log"
dhcp:numConfiguredStaticMaps = 1
dhcp:timeServiceStarted = "2015-10-04 04:24:17 +0000"
dhcp:setStateVersion = 1
dhcp:numDHCPLeases = 21
dhcp:readWriteSettingsVersion = 1

Once started, configure reservations using  the /etc/bootptab file. This file should have a column for the name of a computer, the hardware type (1), the hwaddr (the MAC address) and ipaddr for the desired IP address of each entry:

# hostname hwtype hwaddr ipaddr bootfile
a.krypted.lan 1 00:00:00:aa:bb:cc
b.krypted.lan 1 00:00:00:aa:bb:cc

You can start and stop the service either using the serveradmin command:

serveradmin stop dhcp
serveradmin start dhcp

Or using the launchctl:

sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/bootps.plist
sudo /bin/launchctl load -w /System/Library/LaunchDaemons/bootps.plist

September 21st, 2015

Posted In: Mac OS X Server

Tags: , , , , ,

Leave a Comment

Next Page »