Archive for the ‘Directory Services’ Category

MacSysAdmin 2012 Slides and Videos are Live!

Thursday, September 20th, 2012

318 Inc. CTO Charles Edge and Solutions Architect alumni Zack Smith were back at the MacSysAdmin Conference in Sweden again this year, and the slides and videos are now available! All the 2012 presentations can be found here, and past years are at the bottom of this page.

Configuration Profiles: The Future is… Soon

Tuesday, September 4th, 2012

Let’s say, hypothetically, you’ve been in the Mac IT business for a couple revisions of the ol’ OS, and are familiar with centralized management from a directory service. While we’re having hypothetical conversations about our identity, let’s also suppose we’re not too keen on going the way of the dinosaur via planned obsolescence, so we embrace the fact that Configuration Profiles are the future. Well I’m here to say that knowing how the former mechanism, Managed Preferences (née Managed Client for OS X, or MCX) from a directory service interacted with your system is still important.
Does the technique to nest a faux directory service on each computer locally (ergo LocalMCX), and use it to apply management to the entire system, still work in 10.8 Mountain Lion? Yes. Do applied Profiles show settings in the same directory Managed Preferences did? Yes… which can possibly cause conflicts. So while, practically speaking, living in the age of Profiles is great when 802.1x used to be so hard to manage, there are pragmatic concerns as well. Not everyone upgraded to Lion the moment it was released, just over a year ago, so we’re wise to continue using MCX first wherever the population is significantly mixed.
And then there’s a show-stopper through which Apple opened up a Third-Party Opportunity (trademark Arek Dreyer): Profiles, when coming straight out of Mac OS X Server’s 10.7 or 10.8 Profile Manager service, can only apply management with the Always frequency. Just like the former IBM Thinkpads, you could have any color you wanted as long as it’s black. No friendly defaults set by your administrator that you can change later; Profile settings, once applied, were basically frozen in carbonite.
So what party stepped in to address this plight? ##osx-server discussions were struck up by the always-generous, never-timid @gregneagle about the fact that Profiles can actually, although undocumented, contain settings that enable Once or Often frequency. Certain preferences can ONLY be managed at the Often level, because they aren’t made to be manageable system-wide, like certain application (e.g. Office 2011) and Screen Saver preferences (since those live in the user’s ~/Library/ByHost folder).
The end result was Tim Sutton’s mcxToProfile script, hosted on GitHub, which works like a champ for both of the examples just listed. Note: this script utilizes a Profile’s Custom Settings section only, so for the things already supported by Profiles (like loginwindow) it’s certainly best to get onboard with what the $20 Server.app can already provide. But another big plus of the script is… you can use it without having Profile Manager set up anywhere on your network.
So there you go, consider using mcxToProfile to update your management, and give feedback to Tim on the twitters or the GitHubs!

Open Directory Deployment Checklist

Thursday, April 12th, 2012

Open Directory on Lion Server, if deployed properly, is simple to set up, and is a stable and reliable directory service. If not deployed properly, it’s still simple to set up, but can be maddeningly difficult to troubleshoot and manage. It’s important to deploy it properly.

Some things to consider prior to deployment:

  • You should always discuss the purpose of a Directory service with the client, and make sure that you’ve evaluated their needs correctly. Some of Lion Server’s services absolutely require the system to be an Open Directory Master, but some function just fine on a Standalone system. Device Manager, in particular, will take you through OD Master configuration as a part of its own setup.
  • If legacy user records or other data need to be migrated, this will need to be taken into account, and time should be budgeted for managing this data. If you’re replacing a Leopard or Snow Leopard Open Directory server, you can import an OD Archive, but it may not always be the best idea.
  • Open Directory deployments should always include both an Open Directory Master and an Open Directory Replica. Plan accordingly.
  • Proper DNS resolution is absolutely essential to a successful Open Directory deployment. All servers must have correct forward and reverse lookups. Open Directory will not work properly if DNS is incorrect. If your OD deployment is going to be self-contained, you can set up the DNS service on the OD Master and Replica, so that they can resolve each other, and then the clients can refer to the OD Master for name resolution. If you’re deploying OD into a larger infrastructure, though, it’s advisable to have consistent DNS across the whole organization.
  • It is not recommended that .local be used as the TLD on the network where you’re deploying Open Directory. Though it is possible to successfully deploy Open Directory into a .local namespace, the odds are against you. Don’t do it unless there’s really no other option.

You can, if you like, use Server Admin to set up Open Directory, but Server.app performs some steps that Server Admin doesn’t, so I don’t recommend using Server Admin for the initial setup. However, Server Admin can be helpful in managing Open Directory after deployment. The Server Admin tools are not installed by default on Mac OS X 10.7, so you’ll need to download them from Apple.

When deploying Open Directory, the first thing you need to do is verify that DNS is resolving correctly:

$ sudo changeip -checkhostname

Primary address = 10.1.1.1

Current HostName = odserver.pretendco.com
DNS HostName = odserver.pretendco.com

The names match. There is nothing to change.
dirserv:success = "success"

If changeip outputs the following error, or one like it, repair DNS or set the hostname properly before proceeding.

The DNS hostname is not available, please repair DNS and re-run this tool.

In Server.app, there is a utility that helps you change your system’s hostname. Click on the computer name, under Hardware, then click the Network tab, and then click “Edit”.

If your hostname is good, open Server.app. From the Manage menu, choose “Manage Network Accounts”. (If this option isn’t available, then this server is already managing network accounts, either as an OD Master or Replica.) This will start the setup assistant. You’ll need to provide an administrative account for Open Directory. Please note that this is not the same as the local administrative account that you create on initial server setup, and they should not have the same name. The default, Directory Administrator, is a good choice. Enter your Organization name and an administrator’s email address.

When you’re done, click the “Set Up” button, and you should be shortly returned to Server.app, with an Open Directory Master to manage.

At this point, it’s always a good idea to open up Console and check the logs, to make sure that there’s no glaring errors. The really informative one is /Library/Logs/slapconfig.log, but slapd.log and opendirectoryd.log, which are in /var/log, can also be very helpful.
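The forward/reverse DNS check that opens the procedure above is the one most OD deployments fail on, so here is the same logic as a script that can be run against either the live resolver or constructed zone data. This is an added example, not part of the original post or of Apple’s changeip tool; the hostnames and addresses mirror the post’s pretendco example and are constructed.

```python
"""Forward/reverse DNS consistency check for an Open Directory host.

Added example (not Apple's changeip). It reproduces what
`changeip -checkhostname` verifies: the configured hostname must resolve
to the server's primary address, and that address must reverse-resolve to
the same hostname. Lookup functions are parameters so the logic can be
exercised offline against constructed records; by default the system
resolver is used.
"""
import socket
from typing import Callable, Dict, List, Optional


def check_hostname(
    hostname: str,
    primary_address: str,
    forward: Optional[Callable[[str], List[str]]] = None,
    reverse: Optional[Callable[[str], str]] = None,
) -> Dict[str, object]:
    """Return a report dict; 'ok' is True only when both lookups agree.

    forward(name) -> list of addresses the name resolves to
    reverse(addr) -> canonical name for the address
    Either function may raise OSError (NXDOMAIN, no PTR record, ...);
    that is recorded as a problem rather than propagated.
    """
    if forward is None:
        forward = lambda name: socket.gethostbyname_ex(name)[2]  # noqa: E731
    if reverse is None:
        reverse = lambda addr: socket.gethostbyaddr(addr)[0]  # noqa: E731

    problems: List[str] = []
    want = hostname.rstrip(".").lower()

    # Forward lookup: the A record must include the primary address.
    try:
        addrs = forward(hostname)
    except OSError as exc:
        addrs = []
        problems.append(f"forward lookup of {hostname} failed: {exc}")
    if addrs and primary_address not in addrs:
        problems.append(
            f"{hostname} resolves to {', '.join(addrs)}, not to {primary_address}"
        )

    # Reverse lookup: the PTR record must name the same host (changeip's
    # "DNS HostName" line).
    try:
        ptr_name: Optional[str] = reverse(primary_address)
    except OSError as exc:
        ptr_name = None
        problems.append(f"reverse lookup of {primary_address} failed: {exc}")
    if ptr_name is not None and ptr_name.rstrip(".").lower() != want:
        problems.append(f"{primary_address} reverse-resolves to {ptr_name}, not {hostname}")

    return {
        "hostname": hostname,
        "primary_address": primary_address,
        "dns_hostname": ptr_name,
        "ok": not problems,
        "problems": problems,
    }


def table_resolver(forward_table: Dict[str, List[str]], reverse_table: Dict[str, str]):
    """Build lookup functions from constructed dicts (offline demo / tests)."""
    def forward(name: str) -> List[str]:
        try:
            return forward_table[name.rstrip(".").lower()]
        except KeyError:
            raise OSError(f"NXDOMAIN {name}")

    def reverse(addr: str) -> str:
        try:
            return reverse_table[addr]
        except KeyError:
            raise OSError(f"no PTR record for {addr}")
    return forward, reverse


# Constructed zone data in the shape of the post's example (not a real domain).
GOOD_FORWARD = {"odserver.pretendco.com": ["10.1.1.1"]}
GOOD_REVERSE = {"10.1.1.1": "odserver.pretendco.com"}
# Same zone with a stale PTR record, a classic cause of OD setup failures.
STALE_REVERSE = {"10.1.1.1": "oldserver.pretendco.com"}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    addr = sys.argv[2] if len(sys.argv) > 2 else socket.gethostbyname(host)
    report = check_hostname(host, addr)
    print("The names match." if report["ok"] else "\n".join(report["problems"]))
```

Run it as `python checkdns.py odserver.pretendco.com 10.1.1.1` on the server itself; an empty problem list corresponds to changeip’s “The names match” output.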

Auditing Email in Google Apps

Thursday, March 22nd, 2012

In order to address situations where a Google Apps admin needs access to a user’s mail data, Google provides an Email Audit API. It allows administrators to audit a user’s email and chats, and also download a user’s complete mailbox. While Google provides this API, third-party tools are required in order to make use of the functionality. While there are some add-ons in the Google Apps Marketplace that make email auditing available, the most direct method of gaining access to this is with a command-line tool called Google Apps Manager. GAM is a very powerful management tool for Google Apps, but here we will focus on just what’s required to use the Email Audit API.

Using GAM requires granting access, with a Google Apps admin account, to a specific system. An OAuth token for the domain is stored in the GAM folder. Also, if you’re going to download email exports, it’s necessary to generate a GPG key and upload that to Google Apps. In light of both of these factors, it’s best to designate a specific system as the GAM management system. GAM is a collection of Python modules, so whatever system you designate should be something that has a recent version of Python. We’ll assume that we’re using a fairly recent Mac.

What we’ll do is download GPG and generate a GPG key, and then download GAM and get it connected to Google Apps.

Generating a GPG key

The GPGTools installer is here: http://www.gpgtools.org/installer/index.html

After installation, open up Terminal, in the account that you’ll be using to manage Google Apps.

Run the command:

$ gpg --gen-key --expert

For type of key, choose “RSA and RSA (default)”. For key size, you can probably safely choose a smaller key. Bear in mind that all your mailbox exports will be encrypted with this key and then will need to be decrypted after download. This can take a non-trivial amount of time, especially for larger mailboxes, and a larger key will mean much longer encryption and decryption times. A 1024-bit key should be fine in most cases.

When asked for how long the key should be valid, choose 0 so that the key does not expire.

Next you’ll be prompted for your name, email address and a comment. This information is not, at the moment, used by Google for anything. However, in the interests of long-term usability, I would recommend using the email address and name of an actual admin for the Google Apps domain.

Finally, you’ll be asked for a passphrase. This passphrase will be required in order to decrypt the downloaded mailboxes. Do not forget it. You will be unable to decrypt the downloads without it.

When key creation is complete, you’ll see something like this:

pub 1024R/0660D980 2012-03-22
Key fingerprint = A642 0721 2D4A 9150 6ED1 DBD7 AFFF 992F 0660 D980
uid Apps Admin
sub 1024R/6D1C197B 2012-03-22

Make a note of the ID of the public key, which in this case is 0660D980. You’ll need the ID to upload the key to Google.

Installing GAM

Prior to installing GAM, you’ll want to open up your default browser and log in to your Google Apps domain as an administrator. It’s not technically necessary – you can log in as an admin when the GAM install needs access – but you’ll find it authenticates more reliably if you log in in advance.

GAM can be found here: http://code.google.com/p/google-apps-manager/downloads/list

Download the python-src package, and put it somewhere in the home directory of the same user that generated the GPG key. The most reliable way to invoke GAM is using the python command to call the script:

$ python ~/Desktop/gam-2/gam.py

This assumes it was unzipped to the Desktop of the user account. Change the path where appropriate. In order to make this a bit easier, you can create an alias that will allow you to call it with just “gam”:

$ alias gam="python ~/Desktop/gam-2/gam.py"

From here on, we’ll assume you did this. Bear in mind that aliases created this way only last until the session ends (i.e. the Terminal window gets closed).

The first command you’ll need to run is:

$ gam info domain

You’ll be asked to enter your Google Apps Domain, and then you’ll be asked for a Client ID and secret. These are only necessary if you’ll be using Group Settings commands, which we won’t. Press enter to continue. You’ll now be presented with a list of scopes that this GAM install will be authorized for. You can just enter 16 to continue with all selected, or you can select only Audit Monitors, Activity and Mailbox Exports for Email Audit functions.

You should now see a web page asking you to grant Google Apps Manager access. If you’re not logged in as an administrator, you can do that now, though you may experience some odd behavior. Once you grant access, return to the terminal Window and press Enter. At this point, GAM will retrieve information about your domain from Google Apps, and you’ll be returned to a shell prompt. GAM is installed and almost ready to use.

Uploading the GPG Key

There’s one final step to take before mailbox export requests are possible. The GPG key you generated earlier must be uploaded to Google. What you can do is have gpg export the key and pipe that directly to GAM. You’ll need the ID of the key so that you export the correct one to GAM. If you didn’t make a note of the ID earlier, you can see all the available keys with:

$ gpg --list-keys

pub 1024R/0660D980 2012-03-22
uid Apps Admin
sub 1024R/6D1C197B 2012-03-22

The ID you want is that of the public key. In this case, 0660D980. Now export an ASCII armored key and pipe it to GAM.

$ gpg --export --armor 0660D980 | gam audit uploadkey

Now you’re ready to request mailbox exports.

Dealing with mailbox exports

To request a mailbox export, use:

$ gam audit export <username> includedeleted

This will submit a request for a mailbox export, including all drafts, chats, and trash. You can leave off “includedeleted” if you don’t want their trash. GAM will show you a request ID, which you can use to check the status of the request.

To check the status of one request, use:

$ gam audit export status <username> <request ID>

If you leave off either username or request ID, you’ll be shown the status of all requests, pending and completed. To download a request you can use:

$ gam audit export download <username> <request ID>

You must specify both the username and the request ID. Please note that GAM will download the files to the current working directory. The files will be named export-<username>-<request ID>-<number>.mbox.gpg, with the numbers starting at 0. In order to decrypt the downloaded files, you’ll need to use GPG.

$ gpg --output <decrypted .mbox file> --decrypt <downloaded .mbox.gpg file>

This will decrypt one of the files. The predictability of the names makes it easy to programmatically decrypt all the files. For instance, if the username were bob, the ID were 53521381, and there were 8 files, you could use this command:

$ for i in {0..7}; do gpg --output export-bob-53521381-$i.mbox --decrypt export-bob-53521381-$i.mbox.gpg; done

When decryption is completed, you can take the resulting mbox files and import them into any mail client that supports mbox – Thunderbird is a good choice, though Mail.app should work as well – or you can just look at them in a text editor.
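Two details in the workflow above are easy to get wrong by hand: picking the key ID from the pub line rather than the sub line, and noticing when one numbered export part never downloaded before decrypting the rest. The following script handles both; it is an added example, not part of GAM or the original post, and the key listing and export file names it uses are constructed in the shape the post shows.

```python
"""Helpers for the GAM mailbox-export workflow.

Added example; not GAM's own code. It parses the 2012-era `gpg --list-keys`
layout shown above (pub/uid/sub lines), locates the downloaded
export-<username>-<request ID>-<n>.mbox.gpg parts, and refuses to decrypt
when the numbering (which starts at 0) has a gap, since that means a
download failed.
"""
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Tuple

# Matches e.g. "pub   1024R/0660D980 2012-03-22"; `sub` lines do not match.
PUB_LINE = re.compile(r"^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8,40})\b")


def public_key_ids(listing: str) -> List[str]:
    """Return the IDs of public keys only, skipping subkey (sub) lines."""
    ids = []
    for line in listing.splitlines():
        m = PUB_LINE.match(line.strip())
        if m:
            ids.append(m.group(1).upper())
    return ids


def export_name(username: str, request_id: str, n: int, encrypted: bool = True) -> str:
    """Build the file name GAM uses for part n of an export request."""
    return f"export-{username}-{request_id}-{n}.mbox" + (".gpg" if encrypted else "")


def find_exports(username: str, request_id: str, directory) -> Tuple[List[Path], List[int]]:
    """Locate downloaded parts for one request.

    Returns (files, missing): files sorted by part number, and the part
    numbers absent from 0..max, which indicate a failed download.
    """
    pattern = re.compile(
        r"^export-" + re.escape(username) + "-" + re.escape(str(request_id))
        + r"-(\d+)\.mbox\.gpg$"
    )
    found: Dict[int, Path] = {}
    for path in Path(directory).iterdir():
        m = pattern.match(path.name)
        if m:
            found[int(m.group(1))] = path
    if not found:
        return [], []
    missing = [i for i in range(max(found) + 1) if i not in found]
    return [found[i] for i in sorted(found)], missing


def decrypt_exports(username: str, request_id: str, directory, gpg: str = "gpg") -> List[Path]:
    """Run `gpg --output <out> --decrypt <in>` for every part, like the post's loop.

    Refuses to start if parts are missing and skips parts already decrypted,
    so it is safe to re-run after fixing a partial download.
    """
    files, missing = find_exports(username, request_id, directory)
    if missing:
        raise RuntimeError(f"missing export parts {missing}; re-run the download first")
    outputs = []
    for enc in files:
        out = enc.with_suffix("")  # strip .gpg -> export-...-n.mbox
        if not out.exists():
            subprocess.run([gpg, "--output", str(out), "--decrypt", str(enc)], check=True)
        outputs.append(out)
    return outputs


# Constructed listing in the shape shown in the post (not real keys).
SAMPLE_LISTING = """\
pub   1024R/0660D980 2012-03-22
uid                  Apps Admin
sub   1024R/6D1C197B 2012-03-22
"""

if __name__ == "__main__":
    import sys
    # usage: python gamexport.py <username> <request ID>   (run in the download directory)
    for path in decrypt_exports(sys.argv[1], sys.argv[2], "."):
        print(path)
```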

Further Reading

For more details about using GAM or the Email Audit API, please consult the official documentation.

Google Apps Manager Wiki: http://code.google.com/p/google-apps-manager/wiki/GettingStarted

Google’s Email Audit API reference: https://developers.google.com/google-apps/email-audit/

Installing and Configuring Active Directory Certificate Services

Wednesday, March 21st, 2012

This guide assumes that you have a Windows Server 2008 R2 installation on a physical or virtual machine, and that the system is a domain controller of an Active Directory domain:

  1. Open Server Manager.
  2. Click on Roles in the tree on the left, then click Add Roles.
  3. Click Next to start the wizard.
  4. Enable the checkbox for Active Directory Certificate Services.
  5. Click Next to start the AD CS role configuration.
  6. Click on “Add Required Role Services” to install IIS and the related tools needed.
  7. Enable the check box for “Certification Authority Web Enrollment” and click Next.
  8. Choose “Enterprise” and click Next.
  9. Choose “Root CA” and click Next.
  10. Choose “Create a new private key”.
  11. Leave the default values for Configure Cryptography for CA and click Next.
  12. Ensure that you have the proper values for Configure CA Name for your environment and click Next. The default values will usually be right.
  13. Click Next to accept the default validity period of 5 years.
  14. Configure the locations of the database and logs if needed for your environment and click Next.
  15. You will now be prompted to configure IIS.
  16. Make changes if needed, but be sure to leave Windows Authentication enabled, as it is required for Web Enrollment.
  17. After the role configuration is complete, run IIS Manager from Administrative Tools.
  18. From the tree on the left, navigate to the default website.
  19. Right-click Default Web Site and choose Bindings.
  20. Click the Add… button.
  21. Change the type to https, choose the SSL certificate that matches the server’s FQDN, and click OK.

Microsoft’s System Center Configuration Manager 2012

Sunday, March 18th, 2012

Microsoft has released the Beta 2 version of System Center Configuration Manager (SCCM), aka System Center 2012. SCCM is a powerful tool that Microsoft has been developing for over a decade. It started as an automation tool and has grown into a full-blown management tool that allows you to manage, update, and distribute software, licenses, policies and a plethora of other amazing features to users, workstations, servers, and devices including mobile devices and tablets. The new version has been simplified infrastructure-wise, without losing functionality compared to previous versions.

SCCM provides end-users with an easy-to-use web portal that allows them to choose the software they want, providing an instant response to install the application in a timely manner. For mobile devices the management console has an Exchange connector and will support any device that can use the Exchange ActiveSync protocol. It will allow you to push policies and settings to your devices (i.e. encryption configurations, security settings, etc.). Windows Phone 7 features are also manageable through SCCM.

The Exchange component sits natively with the configuration manager and does not have to interface with Exchange directly to be utilized. You can also define minimal rights for people to just install and/or configure what they need and nothing more. The bandwidth usage can be throttled to govern its impact on the local network.

SCCM will also interface with Unix and Linux devices, allowing multiple platform and device management. At this point, many 3rd party tools such as the Casper Suite and Absolute Manage also plug into SCCM nicely. Overall this is a robust tool for the multi platform networks that have so commonly developed in today’s business needs everywhere.

Microsoft allows you to try the software at http://www.microsoft.com/en-us/server-cloud/system-center/default.aspx. For more information, contact your 318 Professional Services Manager or sales@318.com if you do not yet have one.

The Impact of Directory Services on Xsan

Monday, January 23rd, 2012

When you’re dealing with file ownership and permissions, context is very important. Xsan volumes, from the point of view of an Xsan client, are local storage. There’s no daemon acting as gatekeeper or mediator, so when files are created or modified, the clients will use the standard mechanisms for assigning ownership and access rights, as they would with any local drive. In the absence of a shared authentication context, local user accounts will end up owning the files, and their permissions will be according to the default umask.

Mac OS X keeps track of such things by numerical User ID, and all Mac OS X systems start assigning local UIDs beginning with 501. It shouldn’t be too difficult to see how this can end badly. Users will potentially be able to overwrite files owned by other users, or access files they shouldn’t be able to, or not be able to access files that they should.

A directory service, therefore, is a key component in a proper deployment of Xsan. A directory service provides a shared context that will keep User ID collisions from happening. Also, users and groups can be managed centrally, and not on each workstation. This is especially important in large Xsan environments. Also, it will be possible to leverage Access Control Lists, and not POSIX permissions, to manage access to files and folders. POSIX permissions aren’t flexible enough to effectively manage the requirements of most Xsan environments.

It doesn’t matter whether you’re using Open Directory, Active Directory, or a Golden Triangle. You can even integrate Xsan with Novell’s eDirectory. Any of these will provide a much smoother and easier to manage Xsan.
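The UID collision the post describes is easy to audit before a volume goes into production: collect each client’s local account list and look for UIDs that name different people on different machines. The script below does that over constructed `dscl . -list /Users UniqueID` output; it is an added example, not part of the original post or of Apple’s Xsan tooling, and the hostnames and accounts are made up.

```python
"""Find local-account UID collisions across Xsan client workstations.

Added example (not Apple's). Each client's local users are taken from the
output of `dscl . -list /Users UniqueID`; the report lists UIDs owned by
different usernames on different machines (one user can overwrite another's
files on the shared volume) and usernames whose UID differs between machines
(a user cannot reach their own files from another seat).
"""
from collections import defaultdict
from typing import Dict, List

# Constructed `dscl . -list /Users UniqueID` output from three clients.
# Real output also lists system accounts (UID < 500); those are ignored.
SAMPLE_CLIENTS: Dict[str, str] = {
    "edit01": "nobody -2\nroot 0\n_spotlight 89\nalice 501\nbob 502\n",
    "edit02": "root 0\nbob 501\ncarol 502\n",
    "color01": "root 0\nalice 501\ndave 503\n",
}


def parse_dscl_users(text: str, min_uid: int = 500) -> Dict[str, int]:
    """Parse `name uid` lines into {name: uid}, dropping system accounts."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, uid = parts[0], int(parts[1])
        if uid >= min_uid:
            users[name] = uid
    return users


def uid_collisions(clients: Dict[str, str]) -> Dict[int, Dict[str, List[str]]]:
    """Return {uid: {username: [hosts]}} for UIDs shared by different names."""
    owners: Dict[int, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for host, listing in clients.items():
        for name, uid in parse_dscl_users(listing).items():
            owners[uid][name].append(host)
    return {uid: dict(names) for uid, names in owners.items() if len(names) > 1}


def inconsistent_users(clients: Dict[str, str]) -> Dict[str, Dict[int, List[str]]]:
    """Return {username: {uid: [hosts]}} for names with different UIDs per host."""
    uids: Dict[str, Dict[int, List[str]]] = defaultdict(lambda: defaultdict(list))
    for host, listing in clients.items():
        for name, uid in parse_dscl_users(listing).items():
            uids[name][uid].append(host)
    return {name: dict(by_uid) for name, by_uid in uids.items() if len(by_uid) > 1}


def report(clients: Dict[str, str]) -> List[str]:
    """Human-readable findings, one line per problem; empty when clean."""
    lines = []
    for uid, names in sorted(uid_collisions(clients).items()):
        owned = ", ".join(f"{n} on {'/'.join(h)}" for n, h in names.items())
        lines.append(f"UID {uid} is owned by different users: {owned}")
    for name, by_uid in sorted(inconsistent_users(clients).items()):
        spread = ", ".join(f"{u} on {'/'.join(h)}" for u, h in by_uid.items())
        lines.append(f"user {name} has different UIDs: {spread}")
    return lines


if __name__ == "__main__":
    # In practice, feed one `dscl . -list /Users UniqueID` capture per host.
    for line in report(SAMPLE_CLIENTS) or ["no UID collisions found"]:
        print(line)
```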

Apple Education Licensing for Microsoft’s Active Directory

Tuesday, October 25th, 2011

We have recently had a number of requests for licensing for Active Directory environments running Apple and Linux client computers. There seems to be a bit of a debate about whether or not you need one CAL (Client Access License) for each user or device in the environment, if the devices are Apple or Linux computers. The cause for the confusion seems to be Microsoft’s External licensing. External licensing only applies to computers that are not part of your network, but instead are outside of the network (e.g. coming in over a WAN). It can be frustrating because I’ve had multiple customers tell me that different resellers and even Microsoft sales reps will give them different answers, and that’s been going on for years. I’ve spent a good amount of time with the Microsoft licensing desks, our Partner reps and a number of others to figure out the correct answer.

Licensing CALs for onsite systems can be done in a couple different ways:

  • Per-Device: Each computer that is bound to Active Directory receives a CAL
  • Per-User: Each user that uses a computer that is bound to Active Directory receives a CAL

In an environment where there are many users per device, per-device licensing is always going to be cheaper (unless of course there are more devices than users, which wouldn’t make sense in a many-to-one environment). In a one-to-one environment where users come and go (e.g. by transferring between schools), but the number of computers remains somewhat static, per-device licensing still works out better as it simplifies license allocation.

Per-User CALs for education environments typically run around $1 USD per CAL for students. Per-User CALs for educators that work in the environment and are bound in that same environment typically run around $8 USD per CAL. If the systems aren’t bound, then licensing is only based on users that access file and print services, or other services; however, this becomes a bit of a challenge to calculate unless you reactively look at triggers that can be generated. But because most environments now use Active Directory binding on client systems, the CALs end up becoming one-to-one about as quickly as the computers become one-to-one.

But you should most definitely not take this article as being the rules set in stone. There are a number of scenarios that can change the licensing situation (most of them have to do with not binding clients or running computers that are offsite and/or employee owned). Contact Microsoft’s licensing desk using the contact information here, or contact a reseller like 318 for more information.

Will the future require CALs? In an increasingly iOS and Android world, there are a few issues to sort out in many environments (e.g. IIS vs. AD licensing). This has so far ended up being on a case-by-case basis. 318 is a Microsoft reseller and can help you through these complex licensing issues, if you need it. Please feel free to contact your 318 Professional Services Manager, or sales@318.com if you would like more information.

Deploying Font Servers

Friday, October 21st, 2011

Mac OS X has come with the ability to activate and deactivate Fonts on the fly since 10.5, when Font Book was introduced. Font Book allows a single user to manage their fonts easily. But many will find that managing fonts on a per-computer basis ends up not being enough. Which begs the question: who needs a font server? A very simplistic answer is any organization with more than 5 users working in a collaborative environment. This could be the creative print shops, editorial, motion graphics, advertising agencies and other creative environments. But corporate environments where font licensing and compliance is important are also great candidates.

Lack of font management is a cost center for many organizations. There is a loss of productivity every time a user has to manually add fonts when opening co-workers documents, or the cost of a job going out with the wrong version of a font. Some of the other benefits of fonts servers are separate font sets for different workgroups and isolating corrupt fonts to clean up large font libraries, along with quick searching and identification of fonts.

Font Management and Best Practices

Anyone who uses fonts for daily workflow needs font management. This could be a standalone product such as Suitcase Fusion or Font Agent Pro. But larger environments invariably need to collaborate and share fonts between users, meaning many environments need font servers. Two such products include Extensis Universal Type Server and Font Agent Pro Server. But before adding font management products, users should clean up any fonts loaded or installed prior to moving to a managed font environment. Places to look for fonts when cleaning them up include the following:

  • ~/Library/Fonts
  • /Library/Fonts
  • /System/Library/Fonts

Leave only the necessary system fonts, Microsoft Web Core fonts, and required Adobe fonts.

The best resource for this process is the Extensis document Font Best Practices in OS X v.7, which can be found at: http://www.extensis.com/en/downloads/document_download.jsp?docId=5600039

Types of Font Server Products Available

There are two major font server publishers: Extensis and Font Agent Pro. Both have workgroup and enterprise products. All server products from both work on a client/server model. Both can sync entire font sets or serve fonts on demand. The break in the Extensis Universal Type Server line is at 10 clients: Universal Type Server Lite is a 10-client product that lacks Enterprise features, such as the ability to use a SQL database or integrate with Open Directory or Active Directory. The full Universal Type Server Professional adds directory integration, external database use, and font compliance features, and is sold as a 10-user license with additional per-seat licenses.

Insider Software offers two levels of font servers. The first is FontAgent Pro Team Server, designed for small workgroups and sold in a 5 or 10 client configuration. The next level of product is Font Agent Pro Enterprise Server. This adds the same directory services integration as Universal Type Server Professional. This product also has Kerberos single sign-on, server replication and failover. It uses the same per-seat pricing structure as Universal Type Server Professional.

A third tool is also available in Monotype Font Explorer, at http://www.fontexplorerx.com, which we will look at later in this article.

Pre-Deployment Strategies and Projects

Before any font server deployment, there are a few things to take into consideration. First is the number of clients. This will guide you to which product will be appropriate for installation. Also note whether directory integration and compliance are needed, and whether failover or a robust database is important. The most important part of any font server installation is the fonts. How many are there, where are they coming from, are separate workgroups needed? Are all your fonts legal? In my experience, probably not. Is legal compliance required for your organization or your clients? What is the preferred font type, PostScript Type 1 or OpenType? What version are the fonts? Most fonts have been “acquired” over time, with some PostScript fonts dating back to the early to mid nineties. As a font server is just a database, the axiom “garbage in, garbage out” is true here as well. This should lead to a pre-deployment font library consolidation and clean up. This can either be done by 318 or we can train you to perform this task. If compliance is an issue, this is where we would weed out unlicensed fonts, which in my experience is about 90% of all fonts. A clean, organized font set is the most important part of pre-deployment.

A major part of any font server roll out should be compliance and licensing. This allows for the tracking and reporting of font licenses, to make sure that the organization stays in compliance.

Extensis

Universal Type Server includes the ability to generate and export reports to help you determine if you are complying with your font licenses. The font compliance feature only allows you to track your licensing compliance and does not restrict access to noncompliant fonts. To help you understand how font licensing compliance works, let’s look at the following typical example of how to use licenses and the font compliance report in your environment.

Say you are starting up your own design shop and need a good group of licensed fonts for your designers to create projects that will bring you fame and fortune. You know that fonts are valuable, and you want to be sure that you have purchased enough licenses for your requirements. So, you purchase a 10-user license of a sizable font library. Using the Universal Type Client, these fonts are added to a Type Server workgroup as a set. A font license is then created and the Number of Seats field is set to 10. This license is then applied to all fonts in the set.

When you run the font compliance report, Universal Type Server compares the number of seats allowed to the total number of unique users who have access to the workgroup. If more users have access than licenses available, the fonts are listed as “non-compliant.” You can now either remove users from the workgroup or purchase more font licenses to become compliant.

Universal Type Server is unique amongst other products in that it uses a checksum process to catalog fonts. Others just use file names and paths.

Universal Type Server can limit users to only downloading fonts installed by administrators. For initial deployment, each user does not need to download all of the fonts, which helps in environments where you have a lot of fonts (e.g. more than 5 GB of fonts) that need to get distributed to several hundred clients; if each user had to download all of the fonts (e.g. each time they get imaged), they could lose a production system for some time.

Universal Type Server Deployment

Universal Type Server system requirements include the following:

Macintosh Server

•          Mac OS X v 10.5.7, 10.6, or Mac OS X Server 10.5 or 10.6
•          1.6 GHz or faster 32-bit (x86) or 64-bit (x64) processor (PowerPC is not supported)
•          1 GB available RAM
•          250 MB of hard disk space + space for fonts
•          Safari 3.0 or Firefox 3.0 or higher*
•          Adobe Flash Player 10 or higher*

Windows Server

•          Windows XP SP3 (32-bit only), Server 2003 SP2, Server 2008 SP2 (32 or 64-bit version**)
•          P4 or faster processor***
•          1 GB available RAM
•          250 MB of hard disk space + space for fonts
•          Internet Explorer 7 or Firefox 3.0 or higher*
•          Adobe Flash Player 10 or higher*
•          Adobe Reader 7 to read PDF documentation*
•          Microsoft .NET 3.5 or higher

Universal Type Server Installation Process:

1.         Verify server system requirements
2.         Run the installer on the target server machine
3.         Login to the Server Administration web interface
4.         Serialize the server
5.         Set the Bonjour Name
6.         Resolve any port conflicts
7.         Set any desired server configuration options, including backup schedule, log file configuration, secure connection options, and any other necessary server settings.
8.         After installing the server, configure workgroups, roles and add users.

The basic user and workgroup configuration steps include:

1.   Plan your configuration
2.   Create workgroups
3.   Create new users
4.   Add users to workgroups
5.   Assign workgroup roles to users
6.   Modify user settings as required

Optional Setup:

  1. Managing System Fonts with System Font Policy
     The System Font Policy feature allows Universal Type Server administrators to create a list of system fonts that are allowed in a user’s system font folder.
  2. Font Compliance Reporting
     The font compliance feature only allows you to track your licensing compliance and does not restrict access to noncompliant fonts.
  3. Directory Integration
     Directory integration allows network administrators to automatically synchronize users from an LDAP service (Active Directory on Windows or Open Directory on Mac OS X) with Universal Type Server workgroups.

* UTS Documentation:

http://tinyurl.com/4xgn9rr

Both Universal Type Server Professional and Font Agent Pro Enterprise can be configured for Open Directory, Active Directory, and LDAP integration. Both can also use Kerberos single sign-on. Universal Type Server Professional directory integration instructions can be found in the UTS 2 Users and Workgroups Administration Guide at http://tinyurl.com/4xgn9rr. Some users have reported issues connecting to Open Directory (which happens with all products, not just this one).

The Universal Type Server administrative interface runs in Flash, which many do not like.

Monotype Font Explorer

Monotype Font Explorer, available at http://www.fontexplorerx.com, is a third tool that can be used to manage fonts. There are some things that some environments do not like about Universal Type Server or Font Agent Pro. Let’s face it, the reason there are multiple products and multiple workflows is that some work better for some environments and others work better for other environments and workflows. For example, Font Agent Pro stores master fonts on one client machine, which is then synchronized to the server, and from there to the rest of the clients; not everyone wants a client system acting as a master to the server. Font Explorer keeps the master on the server, groups and synchronization work well, and the administration is in the same window as font management. And best of all, Font Explorer is also typically cheaper than its server-based competitors in the font management space.

Extensis publishes a guide as to which fonts to include in the system and which to handle in the font management software. According to Apple documentation, fonts in my ~/Library/Fonts folder take precedence over fonts in /Library/Fonts, which in turn take precedence over /System/Library/Fonts. That means that if I install Times in my ~/Library/Fonts folder, it will be used instead of the font with the same name in /Library/Fonts or in /System/Library/Fonts. So why should I care which font is installed where, as the font management application should simply take precedence over the others? If it does not take precedence, then where in the chain is it actually activating fonts? Maybe fonts are handled in these solutions in parallel with the system mechanism? That’s the only explanation I can find, but is it then only valid for UTS, or is it also valid for the other solutions?

End User Training and Font Czar

No font server installation would be complete without end user training and the appointment of a Font Czar. User training can be a fairly easy endeavor if client systems are using the same publisher’s stand-alone font client. Other times it could entail discussing licensing and compliance concepts along with adding metadata to fonts. An onsite Font Czar (or more than one) is very important to font server installations. The Font Czar cleans up and ingests new fonts, adds new users to the font server, and in general is the Font Admin. This is usually a senior designer or the technical point of contact for the creative environment.

Conclusion

Font Book is adequate for most users who don’t need a server. Universal Type Server, Font Agent Pro and FontExplorer are all great products if you need a font server. They are all installed centrally and allow end users to administer fonts, based on the server configuration and group memberships. They all work with directory services (some better than others) and can be mass deployed. In big workgroups or enterprises, where only a few people are handling the administration of fonts for a lot of people, a centralized font management solution is a must. But in much smaller organizations, it requires care and feeding, which represents a soft cost that often rivals the cost of purchasing the solution.

Finally, test all of the tools available. Each exists for a reason. Find the one that works with the workflow of your environment before purchasing and installing anything.

Note: Thanks to Søren Theilgaard of Humac for some of the FontExplorer text!

Create a User in Active Directory

Friday, January 7th, 2011

Yesterday, we looked at copying Active Directory accounts, but we hadn’t yet looked at creating new users. To create a new user, it is usually best to first log into a machine that has the Remote Server Administration Tools to run the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in… or the domain controller itself. You will need to use the administrator login or an account that has administrative privileges. On the domain controller, after you have logged in, go to the Start menu. Then click on Programs, Administrative Tasks, and choose Active Directory Users and Groups.

At the top click on Action, choose New and then User. It will then ask you for information about the user: First Name, Last Name and the user name that you want the user to use. Click Next when complete. The next window will ask you to type in a password for the user and then confirm it. Standard policy is that the password has at least one lowercase character, one uppercase character, and one special character, and is at least 8 characters long.

Copy a User in Active Directory

Tuesday, January 4th, 2011

Creating new users in Active Directory is a fairly straightforward process. But often it is easier to copy a user than to create a new one. If you have a user that belongs to all the groups you want a new user to be a part of, you can make life easy by making a copy of that user. To do that, you will need to remote into the domain controller with the domain administrator account or an account with administrator privileges.

Once you log on, go to Start, then click on Programs and choose Administrative Tools. Choose Active Directory Users and Groups. The best thing to do is to search for the user that you want to model the new user after. Before you do the search, go to View and choose Advanced Options. Then do a search. To do a search, click on the search button at the top. It is the second to last button.

In the next box, type in the name of the user that you want to use as the model. Make sure that Entire directory is selected.

Right-click on the user and go to Properties. Then click on the Object tab. It will list which Organizational Unit the user is in. Navigate to that user by using the folders on the left side of the screen, then right-click on the user and choose Copy. A window will come up and you will need to type in the new user’s information.

After you complete this process, you will be asked to provide a password. By default, there are some password policies that you will want to maintain. Make sure that the password has at least one lowercase, one uppercase and one special character. It has to be at least 8 characters long.

Once that completes, the new user is ready to use, unless you would like to change group memberships, policies, etc.
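The two posts above (creating a user, and copying an existing one) walk through the MMC snap-in. As an added example that is not part of either post, here is the same sequence scripted with the ActiveDirectory PowerShell module (part of RSAT on Windows Server 2008 R2 and later): the template user’s OU is read from its distinguished name (what the Object tab shows), the initial password is checked against the policy both posts state before anything is created, and the template’s group memberships are copied. The account names in the usage comment (tsmith, jdoe) are constructed placeholders.

```powershell
# Added example, not from the original posts: create a user modelled on a
# template account, as the GUI "Copy" does, with the stated password policy enforced.
# Requires the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Test-PasswordPolicy {
    # The policy stated in the posts above: at least 8 characters, one lowercase,
    # one uppercase and one special (non-alphanumeric) character.
    param([Parameter(Mandatory)][string]$Password)
    return ($Password.Length -ge 8) -and
           ($Password -cmatch '[a-z]') -and
           ($Password -cmatch '[A-Z]') -and
           ($Password -match '[^A-Za-z0-9]')
}

function Copy-ADUserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateSamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$InitialPassword
    )

    if (-not (Test-PasswordPolicy $InitialPassword)) {
        throw "Initial password does not meet the password policy (8+ chars, upper, lower, special)."
    }

    # Look up the model user, including its group memberships.
    $template = Get-ADUser -Identity $TemplateSamAccountName -Properties MemberOf

    # The container is everything after the RDN, i.e. the OU shown on the Object tab.
    # Assumption: the template's CN contains no escaped commas.
    $container = ($template.DistinguishedName -split ',', 2)[1]

    $domain = (Get-ADDomain).DNSRoot
    $secure = ConvertTo-SecureString -String $InitialPassword -AsPlainText -Force

    New-ADUser -Name "$GivenName $Surname" `
               -GivenName $GivenName -Surname $Surname `
               -SamAccountName $SamAccountName `
               -UserPrincipalName "$SamAccountName@$domain" `
               -Path $container `
               -AccountPassword $secure `
               -Enabled $true `
               -ChangePasswordAtLogon $true

    # Copy group memberships. MemberOf does not list the primary group
    # (normally Domain Users), which every new account gets anyway.
    foreach ($groupDn in $template.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $SamAccountName
    }

    # Return the new account with its memberships so the caller can confirm the copy.
    Get-ADUser -Identity $SamAccountName -Properties MemberOf
}

# Usage (constructed placeholder names). The password is prompted for rather than
# written into the script.
# $pw = Read-Host -Prompt 'Initial password for the new user'
# Copy-ADUserFromTemplate -TemplateSamAccountName tsmith -GivenName Jane -Surname Doe `
#                         -SamAccountName jdoe -InitialPassword $pw
```

The user is created with ChangePasswordAtLogon set, so the initial password handed over by the administrator is only good for the first logon; the membership copy is the scripted equivalent of the Member Of tab that the GUI copy carries across.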

DAVE 8.1 Available

Friday, September 3rd, 2010

A new version of DAVE is now available. According to the latest release information from Thursby:

DAVE 8.1 is geared to professional use in design, publishing, production, colleges and businesses requiring enterprise Mac-Windows file/print integration with:

- Snow Leopard (OS X 10.6) and Leopard (OS X 10.5)

- Includes full Microsoft DFS support, not part of OS X

- Includes commercial grade network volume support for files/directories/home folders around Mac apps such as Adobe Creative Suite, Apple Final Cut Pro, Avid and Microsoft Office for Macs

- Native OS X/SMB *enterprise* network volume use can lead to loss of files and corruption since it is geared to home/small office work

More details: http://www.thursby.com/products/dave.html

Changing The Password Policy on Windows Server 2008 Domain Controllers

Wednesday, June 2nd, 2010

There seems to be a bug (maybe feature?) in Windows Server 2008 where you cannot change the default password policies on at least the first Domain Controller in a new Domain via Group Policy Management and editing the Default Domain Controller security policy.

You must make the changes in the Local Policies section of Active Directory on the Windows Server 2008 Domain Controller.
1. Start > All Programs > Administrative Tools > Local Security Policy
2. Security Settings > Password Policy

NOTE: You will see that the Password Policy for the domain controller is populated, unlike in GPMC.MSC where everything is “Not Configured” but has a confusing note about default settings being other than “Not Configured”.

http://www.petri.co.il/three-steps-initial-configuration-windows-2008-server-installation.htm

To further confuse the issue, it seems that in Windows Server 2008 R2, using the Local Security Policy to change the Password policy on the DC will NOT work. It will be grayed out. The Domain Controller policy then seems to default to the Default Domain Security Policy (not Default Domain CONTROLLER Security Policy). After changing the password policies under GPMC.MSC for the Default Domain Policy I was able to successfully get the needed password configuration settings for the Domain Controller. It seems that the Default Domain Controller Security Policy password settings are either no longer separate from the Default Domain Security Policy, or now the Default Domain Security Policy overrides the Default Domain Controller Policy. This happened on a fully patched Windows Server 2008 R2 x64 OS.

Adding a User and Folder to FTP Running Active Directory in Isolation Mode

Thursday, January 21st, 2010

Note: For the purpose of these directions the username is MyUser

First, create a user in Active Directory (assuming, also, that there is an FTP users container in AD)

Next, create a home directory in the FTP share (for MyUser it might be D:\Company Data\FTP\MyUser *naming the home folder the same as the user name*)

Go to the command line and use these commands to map the directories to the account:

iisftp /SetADProp MyUser FTPRoot "D:\company data\ftp"

*note the use of quotation marks around the path to specify this directory, since there is a space between company and data*

iisftp /SetADProp MyUser FTPDir LaBioMed

You can verify this by using the command line ftp localhost and logging in with the new user credentials

You can also create and delete a file to make sure it correctly edits the folder.

Note: If the password changes for the domain administrator account you must change it in IIS for this.

ACLs and NFS

Thursday, January 14th, 2010

The permissions that a user obtains for NFS shares boil down to effective permissions. NFS doesn’t support ACLs, but it does honor them for Mac OS X NFS clients when bound to the directory: if a user is granted read/write via an ACL, they WILL have read/write access via NFS. However, there are a few things to note here.

First and foremost, granular ACLs won’t translate completely. Secondly, although you might have effective write privileges via ACLs, if you don’t have write privileges via POSIX, it will *look* like you don’t have privileges when you do an `ls` on the mounted NFS volume; however, if you try to read or write a file, it will work without issue. Poorly written software might inspect the POSIX permissions and determine that you don’t have access when you really do. Most software will attempt to read/write an asset and will report errors when encountered (as it should). Lastly, ACL inheritance IS honored over NFS as well, so any files/dirs your users create will have the appropriate ACLs assigned on the backend, though the displayed POSIX permissions once again won’t be especially accurate.

Changing Administrator Passwords in Windows

Tuesday, December 29th, 2009

When changing Administrator passwords, administrators will often times not be aware of the impact that changing the password will have on the server/network.

When changing the Administrator password on a Windows Server, please be aware of the following.
1. This will affect the login on ALL servers in a Domain.
2. The Administrator account may be used on services. Please check the services to note which are tied to the Administrator account, and change the password tied to the service accordingly:
a. Open up the Services console
b. Find the “Logon As” column, and click on it to begin a sort by Logon name.
c. Find all the services that use Domain\Administrator for their Logon credential and change the password accordingly.
3. Check the backup programs and change the Administrator password within here. Each backup program has a different way of doing this. Here’s a very general how to of what to look for:
a. If you open Backup Exec, you can change the password for all the services at the credential window that pops up.
b. In Backup Exec, click on the property of each job and see if the jobs are using the Administrator account to access servers. If they are, change the password for it on EACH job.
c. If the client is using NTBackup, change the credentials for the Schedule that’s tied to the job in NTBackup if it’s using the Administrator account.
d. If you’re using Retrospect, check to see if it’s using the Administrator account for anything, if it is, change the password accordingly.
4. Check to see if any database application services are tied to the Administrator account. If they are, change the password credentials accordingly and test.
5. Ask the client if they wish to change network passwords as well. Often times the administrator password on network equipment is the same as the Administrator password for the domain.

Open Directory Auto Archiver

Saturday, October 3rd, 2009

Have you struggled with Open Directory backups? Do you open up Server Admin and click on the Archive button when an alarm in your calendar tells you to do so? Well, we’re gonna’ help you out then. We’re going to automate backing up your Open Directory. We’re going to invoke the backups through launchd and we’re going to keep them for an amount of time you determine and automatically prune the old ones. We’re going to let you choose the location to store them and the password to unlock them. And we’re going to let you do all this through a graphical package called the 318 Auto Archiver.

Originally written for our own staff, we now open it up to you as well.

Oracle Buys Sun

Monday, April 20th, 2009

Sun was in merger talks with IBM, talks that had fallen through. Today, the Sun website says “Oracle to Buy Sun.” Oracle is the largest database company in the world and has been tinkering with selling support contracts for Linux and the Oracle suite of database products, which already includes PeopleSoft, Hyperion and Siebel. This merger, valued at $7.4 billion, will give Oracle access to sell hardware-bundled solutions, further the Oracle development product offerings and give Oracle one of the best operating systems for running databases on the planet.

Oracle doesn’t just get hardware and Solaris though.  This move also solidifies a plan for Oracle customers to integrate Sun storage.  Oracle had previously been working with HP in a partnership that never seemed to gain traction.  Then there is Java, MySQL, VirtualBox, GlassFish and OpenOffice.org.  A number of the Sun contributions will be Open Source projects, but overall it’s possible to see a strategy that can emerge from a new Oracle + Sun organization.

As a Sun partner, 318 can assist its clients through this transition, be it with storage, MySQL, Java, Solaris or Oracle middleware scripting.  Overall, this deal makes a lot of sense and 318 is behind doing whatever possible to ease our clients through the transition.

Finally, for those concerned that Oracle might just be buying Sun to kill off MySQL, keep in mind that the Open Source community built MySQL in the first place (or was integral to building it) and it can build another in its place just as easily, this time faster and with less required legacy support. MySQL is not a fluke. PostgreSQL or a newer solution will take its place if MySQL were to fall by the wayside under the Oracle helm. Oracle is not going to make MySQL into a martyr of sorts, and is going to want to capitalize on their investment (a billion-dollar purchase by Sun and obviously part of this purchase); especially with a clear business plan for MySQL to be profitable (which is why Sun bought them for such a lofty price in the first place). Overall, Oracle has no reason to kill MySQL; instead, with Siebel, MySQL, Oracle, PeopleSoft, etc., they can simply tout “All Your Databasen Are Belong To Us!”

Changing Passwords on Windows Computers

Tuesday, April 7th, 2009

For a Domain Password:
1. Go to Active Directory Users and Computers
2. Locate user account
3. Change Password for user account
4. Wait 15 minutes for Changes to propagate in large domain with more than 2 DCs
5. Done

Local Password Change on Windows Computers on a Domain:
1. Create batch file with following script:

net user usernamethatyouwantmakechangesto newpassword

2. Edit/Create GPO for OU that has computers in question
3. Place the script as Computer startup/shutdown script GPO
4. Wait for computer GPO to propagate, and users to shutdown/startup later that evening.
5. Done

Stand-alone Workstations:
1. Ensure workstations are XP Pro (won’t work on XP Home; you’ll have to use sneakernet for password changes)
2. Ensure Simple File Sharing is TURNED OFF (if not, then Sneakernet)
3. Get PsPasswd http://technet.microsoft.com/en-us/sysinternals/bb897543.aspx
4. Make a list of all windows computers on your network, and save it to a file (a computer on each line)
5. run: pspasswd @file -u localadministrator -p password username newpassword
6. Done

Ensure the credentials you are changing are not being used for any services (On Server and Workstation):
1. Start > run > services.msc
2. Click on the “Standard” tab
3. Sort by “Log On As”
4. Note which ones are being used by non-system accounts. Ensure your changes are not going to affect them. If they are, please consider making separate service user accounts for the services in question, or change the password for the service as well.
a) Get to the Properties of the service
b) Click on the Log On tab
c) Enter in the correct changed password, and confirm it.
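Both this post and “Changing Administrator Passwords in Windows” earlier on this page say to check the Services console for anything logging on as the Administrator account before its password is rotated. As an added example that is not part of either post, the PowerShell below does that inventory across a list of computers (the Win32_Service StartName property is the “Log On As” column of services.msc), also lists scheduled tasks via schtasks, since backup jobs often live there, and can push the new password to a matching service, the scripted equivalent of the Log On tab. The computer and service names in the usage comments are constructed placeholders; the script assumes the caller is an administrator on each target and that WMI/RPC is reachable.

```powershell
# Added example, not from the original posts: find services and scheduled tasks that
# log on as a given account before that account's password is changed.

function Get-ServiceLogonUsage {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Matches DOMAIN\Administrator, .\Administrator and Administrator@domain.
        [string]$AccountPattern = '^(.+\\)?Administrator(@.+)?$'
    )
    foreach ($computer in $ComputerName) {
        # Win32_Service.StartName is what services.msc shows under "Log On As".
        Get-WmiObject -Class Win32_Service -ComputerName $computer |
            Where-Object { $_.StartName -and ($_.StartName -match $AccountPattern) } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer
                    Kind     = 'Service'
                    Name     = $_.Name
                    LogonAs  = $_.StartName
                    State    = $_.State
                }
            }

        # Scheduled tasks: the "Run As User" column of schtasks' verbose CSV output.
        schtasks.exe /Query /S $computer /V /FO CSV | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -match $AccountPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer
                    Kind     = 'ScheduledTask'
                    Name     = $_.TaskName
                    LogonAs  = $_.'Run As User'
                    State    = $_.Status
                }
            }
    }
}

function Set-ServiceLogonPassword {
    # Scripted equivalent of Services > Properties > Log On tab > new password.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$NewPassword
    )
    $filter = "Name='$ServiceName'"
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter $filter
    if (-not $svc) { throw "Service $ServiceName not found on $ComputerName" }
    $wasRunning = ($svc.State -eq 'Running')

    # Win32_Service.Change(): the 8th argument is StartPassword; $null leaves the rest as-is.
    $result = $svc.Change($null, $null, $null, $null, $null, $null, $null, $NewPassword)
    if ($result.ReturnValue -ne 0) {
        throw "Change() failed for $ServiceName on $ComputerName, return code $($result.ReturnValue)"
    }

    # Restart a running service so a wrong password is found now, not at the next reboot.
    if ($wasRunning) {
        [void]$svc.StopService()
        $deadline = (Get-Date).AddSeconds(60)
        do {
            Start-Sleep -Seconds 2
            $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter $filter
        } until ($svc.State -eq 'Stopped' -or (Get-Date) -gt $deadline)
        $start = $svc.StartService()
        if ($start.ReturnValue -ne 0) {
            throw "StartService() failed for $ServiceName on $ComputerName, return code $($start.ReturnValue)"
        }
    }
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter $filter |
        Select-Object Name, StartName, State
}

# Usage (constructed names):
# Get-ServiceLogonUsage -ComputerName 'SRV01','SRV02' | Format-Table -AutoSize
# Set-ServiceLogonPassword -ComputerName 'SRV01' -ServiceName 'BackupExecJobEngine' `
#                          -NewPassword (Read-Host 'New password')
```

Run the inventory first and keep its output; it is the list of places that will break after the rotation. Separately, a startup script of the kind shown above (a batch file containing net user with the new password) is stored in SYSVOL, which every domain account can read, so remove the script from the GPO once it has run.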

Unraveling Unified Messaging

Friday, March 13th, 2009

There’s been a lot of talk the past year or two about unified messaging. You may remember the old ATT All in One commercial where a person was golfing and his important call would find him, and he wouldn’t miss the call. Or have you ever had a job where every morning you had to check your e-mail, then your voicemail on your phones, and then walk to the fax machine to check your faxes? Well, Google this week released a new service called Google Voice. Google Voice is just a revamp of their system called Google GrandCentral. You have one number that people will call, and Google will route the call to all of your phones to try and locate you, and allow you to essentially ignore the call or accept it. You can also search your emails, voicemails, and SMS messages from the web. Microsoft Exchange offers a system that will allow you to get all your email, voicemail and faxes in one centralized location. Weaver just released a service in February that will allow Asterisk users to have their voicemail transcribed automatically and e-mailed to them. Below is a chart of services offered by Google, Asterisk, and Microsoft Exchange 2007 Unified Messaging to give you a better understanding of what technology route you may want to go.

Microsoft Exchange 2007 Unified Messaging
Microsoft’s Exchange 2007 Unified Messaging goal is to tie in Email, Fax and Phone into one manageable place. An example that Microsoft uses is that first thing in the morning most people check their email, then check their voicemail, and after check their faxes. Exchange Unified Messaging has the ability to tie together all three of these communication technologies into a single place for management.

Exchange Unified Messaging on its own cannot serve a PBX function, but harnesses a current PBX infrastructure into Exchange for end users to have a seamless place to manage their communications. The current iteration of Exchange Unified Messaging is with Exchange 2007. To leverage the entire suite of features, you must use Outlook 2007.

Google Voice
Google Voice is a communication infrastructure much like Exchange Unified Messaging, but seems to be targeted for non-business consumers. Google Voice is the current iteration of what was once known as Google GrandCentral. Its purpose is unified messaging as well, as it ties in your Gmail, SMS and incoming phone calls into your phone account created on Google Voice. Google Voice is an IP-PBX (VoIP) that allows you to make and receive calls with unified messaging capabilities.

Receiving calls can be done through any cell phone that you have, or through their Google Voice web interface. Making calls can be done via GoogleVoice (web-based), or through any other phone (landline or cell phone). The price point is very good (as in free). The price is free for all calls made to US numbers (long distance charges to other countries apply, of course). It requires no additional hardware.

Asterisk
Asterisk is an open source IP-PBX (VoIP) platform based on Linux. It requires a computer to run on and can tie in your existing land line with almost any VoIP provider of your choice. Call pricing depends on your phone carriers.

 

| Feature | Google Voice | Asterisk | Exchange 2007 |
|---|---|---|---|
| Voicemail | Yes, stored on Google’s PBX server. | Yes, stored on PBX server. | Yes, originating from current PBX, but forwarded and stored in Exchange |
| Email | Yes, integrated with Gmail. | Yes, SMTP’d to host of your choice. | Yes, integrated with Exchange and Outlook |
| Transcribing voicemail | Yes | Yes, not natively, as it needs to use VoiceScribe[1] and then emails you the transcript | No, but allows the user to take notes (including manually transcribing voicemail) to allow voicemail to be searchable via Outlook |
| Price | The use is free, and calls to US numbers are free. Your cell provider rates still apply, and Google has their own price for long distance calling[2]. | Free to install, use and configure. The call price rate depends on your local and/or VoIP carrier. | Phone call rates are based on your PBX/call provider. Only certain PBXs are supported[3]. The price for Exchange is $699 for Standard or $3,999 for Enterprise depending on how many storage groups and databases per mailbox server role you need.[4] Both come with unified messaging. |
| Can call more than one of your phones at a time to try to locate you | Yes | Yes, but you need to purchase additional trunks (VoIP or PSTN) | Depends on PBX |
| Can automatically locate you and route calls depending on Bluetooth proximity | No | Yes | No |
| Native address book | Yes, integrated with your Google Account. | No | Yes, integrated with Exchange Contacts |
| Call management | Yes, via your phones (and possibly through Google Voice) | Yes, via your phones or through HUD | Yes, through Outlook and possibly through your PBX software |
| Fax | No | Yes, but it’s through VoIP, and not reliable[5] | Yes, through a standard fax line |
| VoIP | Yes | Yes | Depends on PBX |
| Listen to voice messages without changing context to another application | Yes, integrated with Google Voice | No, you need to use whatever sound application is installed on your computer | Yes, integrated with Outlook |
| Multiplatform | Unknown, but since it’s web based, it may work on Linux, Mac, and Windows. | Yes: Linux, Mac, and Windows | No, just Windows with Outlook 2007. You can play messages in Entourage, but may either have to change the file type in Exchange from *.wma to *.wav, or have Mac users install WMP 9 for OS X[6] |
| Configure individual voicemail settings | Via phone or web | Via phone or web | Yes, integrated with Outlook |
| View all voicemail in one location | Yes | Yes | Yes |
| Distinguish voice and fax messages from email messages within mailbox | No, just voicemail from email, and only through Google Voice | No | Yes, integrated with Outlook |
| Determine whether a voice message has already been played | Unknown | No | Yes, integrated with Outlook |
| Add notes to a voicemail message natively | Unknown | No | Yes, integrated with Outlook |
| Reply to a voicemail with email | Unknown; not sure if it can work with blocked numbers or telephone numbers not in contacts. | No | Yes, integrated with Outlook |
| Add telephone numbers received to Contacts natively | Unknown | No | Yes, integrated with Outlook |
| Share voicemail | Yes | Yes | Yes |
| Adding a user | Free. Requires that each user is registered with a Google account. | Free. Just create a new extension for IP phones. For non-IP hard phones, you must buy an FXS card (or an ATA to connect a regular phone). | You must buy CALs for each user. For unified messaging, you must have both the Exchange Standard AND Enterprise CAL. Exchange Standard CAL is $67, Exchange Enterprise CAL is $35.[7] You must purchase both CALs for each user. You also need to add a user to your PBX; pricing and licensing depends on the PBX provider. |

There are some things that may catch your eye (or not) when you first see this chart. Exchange Unified Messaging is expensive, but offers a lot of features that the other two don’t. From a “bird’s-eye view” it may also fit your enterprise better if your company’s locations use different types of PBXs, but you want to “unify” all of the communication in Exchange.

If you have a heterogeneous or non-Windows environment, Asterisk or Google Voice may be a better route for you.

If you are concerned with regulatory compliance, Google Voice may not be your best choice since you do not have a centralized location of all your communication readily available.

When determining which choice is a better fit for your business, carefully weigh your options (price, compliance and room for expansion to name a few). It will be exciting to see how the technologies are managed, and what the future holds for unified communications. If you plan to roll out any of these services, or are in need of consultation, please don’t hesitate to let us know. We’re here to help.


Managing Global Address Lists in Exchange 2003

Thursday, December 4th, 2008

1. Open ‘Active Directory Users and Computers’ –
Start → All Programs → Administrative Tools → Active Directory Users and Computers

2. Select the user that you would like to update on the Global Address List

3. Right-click on that user and select ‘Properties’ in the resulting pop-up menu

4. Go to the ‘Exchange Advanced’ tab for the user

5. Check the box to ‘Hide from Exchange address lists’ and delete the ‘Simple Display Name’ to remove the user from the Global Address List. To add the user to the Global Address List, then un-check the ‘Hide from Exchange address lists’ and enter an alias in the ‘Simple Display Name’ text box.

6. Click on ‘Apply’ then click ‘OK’ to submit the changes.
The changes can take anywhere from a few minutes to a few hours to propagate.

7. To confirm updates via the Exchange System Manager then open the manager
Start → All Programs → Microsoft Exchange → System Manager

8. On the right side navigation panel go to
Recipients → All Global Address Lists → Default Global Address List

9. Right-click on ‘Default Global Address List’ then click ‘Properties’ on the pop-up menu.

10. Click on ‘Preview’ to generate the current Global Address List

Mac OS X Server: Dealing with Directory Services Woes

Sunday, June 22nd, 2008

In Mac OS X Server occasionally the Directory Services daemon will just stop working. To jiggle the handle you can just run the following command in Terminal:

killall DirectoryService

Leopard Server: New Managed Preferences

Wednesday, June 11th, 2008

If you’re familiar with Managed Preferences in Tiger then you’re basically already familiar with Managed Preferences in Leopard Server. But there are some great new features that Apple has provided us with by popular demand. These include the following:

Applications
There are now more features to the Applications Managed Preference. You can allow or disallow applications by selecting them individually or a folder. This means that you can allow access to applications located in the /Applications folder but disallow all applications located in the /Applications/Utilities folder. There are also now controls for allowing specific widgets and disabling Front Row.

Finder
There are new options to limit users from doing tasks when in the Finder such as Ejecting a disk, connecting to servers, rebooting and burning disks.

Login
You can now control the list of users that is displayed to a user at login time to show Mobile accounts and network users. You can show/hide the restart button, disable automatic logon, enable Fast User Switching, set the local computer record name to the name of the computer on the server, enable guest access, control the inactive time before users are logged out and configure computer-based Access Control Lists.

Mobility
Mobility now allows administrators to set an expiry for a user’s home folder on the system they are logging into. This allows administrators to keep local desktop systems from getting polluted with hundreds of home folders without using custom scripts to do so. Administrators can also now force accounts on local systems to use FileVault with Mobility accounts to keep data on local systems as secure as possible, and set quotas for user home directories. Finally, it is also now possible to control the path where the user home folder is located on local desktops.

Network
Administrators can now disable Internet Sharing, AirPort and Bluetooth for client computers.

Parental Controls
Hide profanity in the dictionary, control access to web sites, set the amount of time per day that a computer is allowed to be used and set times when login is not allowed in this new Managed Preference.

Printing
Force users to put their user name, date and/or MAC address in a page that is sent with each print job.

System Preferences
Allow or deny access to each System Preference (including the new ones).

Creating Alternate User Logins in Active Directory

Friday, May 30th, 2008

The User Principal Name (UPN) provides an easy-to-use naming style for users to log on to Active Directory. The style of the UPN is based on Internet standard RFC 822, which is sometimes referred to as a mail address. The default UPN suffix is the forest DNS name, which is the DNS name of the first domain in the first tree of the forest.

You can add alternate UPN suffixes, which increase logon security. You can also simplify user logon names by providing a single UPN suffix for all users. The UPN suffix is only used within the Windows Server 2003 domain and is not required to be a valid DNS domain name.

[Before following the steps below, ensure that the Administrative account being used is a member of Enterprise Admins.]

To add additional UPN suffixes

1. Open Active Directory Domains and Trusts, right-click the root node in the left pane, and then click Properties.
2. Type each alternate suffix in the Alternate UPN suffixes box and click Add.
3. Click OK to close the window.

In Active Directory Users and Computers, the Account tab of a user's properties now offers the newly created suffix in the User logon name drop-down.
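The same change made from the command line, added here as an example and not taken from the original post. Alternate suffixes are stored as values of the multi-valued uPNSuffixes attribute on the Partitions container in the forest's Configuration naming context (which is why Enterprise Admins rights are needed), and a user's logon name is the userPrincipalName attribute on the user object. The forest name example.com, the user DN, the server dc1.example.com and the GSSAPI bind are assumptions. The functions emit LDIF for ldapmodify; the suffix check rejects strings that do not look like an RFC 822 domain part, since a typo here becomes a logon name nobody can type.

```shell
#!/bin/sh
# Added example (not from the original post): alternate UPN suffixes and a
# user's UPN set with LDAP tools instead of the Domains and Trusts snap-in.
# Forest DN, user DN and server name are assumptions for illustration.

FOREST_DN='DC=example,DC=com'                      # assumed forest root domain
PARTITIONS_DN="CN=Partitions,CN=Configuration,$FOREST_DN"

# Accept only a plausible RFC 822 domain part: letters, digits, dots and
# hyphens, no leading/trailing dot or hyphen, no empty labels.
valid_upn_suffix() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-) return 1 ;;
    esac
    return 0
}

# LDIF adding one alternate suffix to the forest (needs Enterprise Admins).
upn_suffix_ldif() {
    suffix=$1
    valid_upn_suffix "$suffix" || { echo "refusing suffix '$suffix'" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\nadd: uPNSuffixes\nuPNSuffixes: %s\n-\n' \
        "$PARTITIONS_DN" "$suffix"
}

# LDIF setting a user's logon name to <sAMAccountName>@<suffix>.
user_upn_ldif() {
    user_dn=$1
    sam=$2
    suffix=$3
    valid_upn_suffix "$suffix" || { echo "refusing suffix '$suffix'" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\nreplace: userPrincipalName\nuserPrincipalName: %s@%s\n-\n' \
        "$user_dn" "$sam" "$suffix"
}

# Stand-alone demo: print the two LDIF changes for a suffix and one user.
upn_suffix_ldif corp.example
user_upn_ldif 'CN=Anna,CN=Users,DC=example,DC=com' anna corp.example
```

To apply them, pipe the output into something like `ldapmodify -H ldaps://dc1.example.com -Y GSSAPI` after a kinit as an enterprise admin (host and SASL mechanism are assumptions), and confirm the suffix landed with `ldapsearch -b "CN=Partitions,CN=Configuration,DC=example,DC=com" -s base uPNSuffixes`.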

Leopard: What, No NetInfo?

Thursday, May 15th, 2008

As many will already be aware, there is no NetInfo in Leopard. So where are those pesky account settings stored? Local user account settings are now stored in plist files: /var/db/dslocal/nodes/Default/users for users and /var/db/dslocal/nodes/Default/groups for groups. Password hashes are stored in /var/db/shadow/hash, one file per account named after the account's GeneratedUID, and both locations are readable only by root. Inside each user plist you can add (or edit) the attributes required for a given action. For example, to change the location of a home folder, open the user's plist, find the home key and edit its value; dscl shows the same attribute as NFSHomeDirectory, and making the change with dscl, which writes these same files, is the supported route.
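A small reader for those per-user plists, added here as an example rather than taken from the post, run against a constructed copy of what Leopard writes to /var/db/dslocal/nodes/Default/users/anna.plist. Every attribute in these files is an array of strings keyed by the short attribute name (home, uid, gid, name, generateduid) rather than the dsAttrTypeStandard name dscl prints. The record, its values and the GeneratedUID are made up for the example; the real files need root to read.

```shell
#!/bin/sh
# Added example, not from the original post: read attributes out of a Leopard
# dslocal user record.  The record below is constructed for this example.

SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>generateduid</key>
    <array>
        <string>A1B2C3D4-0000-4000-8000-000000000001</string>
    </array>
    <key>gid</key>
    <array>
        <string>20</string>
    </array>
    <key>home</key>
    <array>
        <string>/Users/anna</string>
    </array>
    <key>name</key>
    <array>
        <string>anna</string>
    </array>
    <key>uid</key>
    <array>
        <string>505</string>
    </array>
</dict>
</plist>'

# Write the constructed record to a path of your choosing (stands in for the
# real file under /var/db/dslocal, which only root can read).
write_sample_plist() {
    printf '%s\n' "$SAMPLE_PLIST" > "$1"
}

# Print the first string stored under a key; empty output means the attribute
# is absent from the record.  Matching on <key>name</key> keeps "uid" from
# matching "generateduid".
plist_attr() {
    awk -v key="$2" '
        $0 ~ ("<key>" key "</key>") { found = 1; next }
        found && /<string>/ {
            sub(".*<string>", ""); sub("</string>.*", ""); print; exit
        }' "$1"
}

# The shadow hash for a record lives in a file named after its GeneratedUID.
shadow_hash_file() {
    printf '/var/db/shadow/hash/%s\n' "$(plist_attr "$1" generateduid)"
}

# Stand-alone demo: the fields to check before relocating a home folder.
demo() {
    tmp=$(mktemp)
    write_sample_plist "$tmp"
    for k in name uid gid home; do
        printf '%s=%s\n' "$k" "$(plist_attr "$tmp" "$k")"
    done
    shadow_hash_file "$tmp"
    rm -f "$tmp"
}
demo
```

On a real Leopard box the equivalent read is `sudo dscl . -read /Users/anna NFSHomeDirectory`, and the home move the post describes is `sudo dscl . -change /Users/anna NFSHomeDirectory /Users/anna /Volumes/Data/anna` (paths assumed), which edits the same plist without you touching the file by hand.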

Scripting Printers in Windows

Wednesday, May 14th, 2008

It is possible to deploy printers across a Windows environment when all the client computers are joined to the domain.

First, add the printers to the print server.
Second, make sure the print server also has the drivers the clients will need: the logon script runs as the user, so the driver has to come from the server via Point and Print rather than an interactive install on each client.

Open up notepad and use the following script template:

@echo off
rem Add a per-user connection to each shared printer on the print server
rundll32 printui.dll,PrintUIEntry /in /n \\servername\hplj4025
rundll32 printui.dll,PrintUIEntry /in /n \\servername\hpp2015

Save the text file as [whatevernameyouwant].bat

Place it in the domain's NETLOGON share (the scripts folder under SYSVOL).

Open up Group Policy Management.
Create the GPO where you would like (in SBS put it with all of the others at the root of the domain).
Go to User Configuration > Windows Settings > Scripts.
Open Logon and add the script's location.

You now have a logon script that deploys printers via a GPO. If a printer connection already exists the command does not error, and it will not break anything either.

Setting Up Delegates in Microsoft Exchange

Saturday, April 19th, 2008

Exchange 2003 lets you delegate administration granularly from Exchange System Manager (ESM), but the delegation cannot be used by accounts that are already administrators (Domain Admins, Enterprise Admins, etc.): Exchange 2003 explicitly denies those groups Send As and Receive As on mailbox stores.

First, create the user who should have delegated administrative access to Exchange and all of its information stores. Do not make this user a member of any admin security group.

Next, create a security group for administering Exchange; "exadmin" (without the quotes) is the usual name.

Populate that security group with the people who should have access to the information store(s). Then open ESM, right-click the top level of the tree, choose Delegate Control, and grant the newly created group the Exchange Full Administrator role.

Click Next until the wizard closes.

After granting the group access, wait approximately 30 minutes for the settings to propagate through Exchange.

Members of this group can now open items in users' mailboxes, administer public folders from Outlook, and run ExMerge. That amounts to access to every mailbox in the store, so keep the group small and review its membership.

Domain Controller Capacity Planning In Active Directory

Friday, April 18th, 2008

Memory per DC depends on how many DCs there are and how they are spread out. Planning of this kind starts from the number of users that interact with a given DC and how much replication it does with other DCs. A DC handling logins for 1,000 users can run on a fairly modest host, the Global Catalog at a smaller school being a typical case; as the number of users hitting a single DC grows, so does the RAM. A rule of thumb is about 2GB of RAM per 1,000 users and at least one dual-CPU system per 10,000 users, but loads vary with the shape of the domain.

For bandwidth, concurrent logins at a school that has its own DC use practically nothing compared to a fiber link. Without a local DC, expect roughly 64K per concurrent remote login, not counting roaming profiles or login scripts. More bandwidth shortens the login window, which lets the system load fall off sooner after a burst of concurrent logins. Windows hosts can use a little more bandwidth than other LDAP environments; Linux and Mac clients typically do not.

Policies add load, and the more layered they are the heavier it gets, so flatten the policy structure as far as possible. Expect some monitoring and tuning at the start: tracking the Database Cache % Hit counter on the server shows whether additional memory is required.

Disk space is rarely the deciding factor in an Active Directory deployment. Before allowing for logs, a sound setup provides 4GB plus installers/drivers and 0.5GB per 1,000 users on a non-Global Catalog DC, and 50% more on a Global Catalog.

Create Mobile Accounts From Local Accounts in 10.4 and 10.5

Sunday, March 2nd, 2008

This can be done locally or remotely via Apple Remote Desktop (ARD).

1. Have the user change the local password to the network password in System Preferences. If this step is skipped, add the Keychain Minder application as a login item so the login keychain can be brought back in sync later:

http://www.afp548.com/article.php?story=20050306085715981

2. Log in as the 318admin account (create it if necessary). Do not use Fast User Switching!

3. Verify that the system is bound to Open Directory or Active Directory.

4. Survey the existing home directory's ownership numerically:

ls -lnd /Users/anna

# drwxr-xr-x+ 38 505 505 1292 Feb 29 14:36 anna

In this example 505 is the local user's UID.

5. Obtain the UID of the local user:

id -u anna

# 505

6. Obtain the UID of the network user. In this example the network and local user names are the same; the steps are identical if they differ.

6.1 When using Active Directory (WALLCITY is the NT-style domain name for wallcity.org):

id -u 'WALLCITY\anna'

# 138809240

6.2 When using Open Directory (iduro.wallcity.org is the Open Directory server the client is bound to):

dscl /LDAPv3/iduro.wallcity.org/ -read /Users/anna uidNumber

# uidNumber: 1035

Note both UIDs, the local user's and the network user's. Do not go any further until the network lookup succeeds: once the local record is gone, a user whose network account does not resolve cannot log in at all.

7. Delete the local user account record. If configuring remotely via ARD, lock the screen first so that the user cannot log in part-way through.

dscl . -delete /Users/anna

8. Recursively change ownership, numerically, to the network UID and the staff group. Here 138809240 is the AD UID discovered in step 6:

chown -R 138809240:staff /Users/anna

9. Create the mobile account.

9.1 On Leopard (10.5) systems (all on one line):

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n anna

9.2 On Tiger (10.4) systems (all on one line):

sudo /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -U anna

10. Verify numerically that ownership changed to the network account:

ls -lnd /Users/anna

# drwxr-xr-x+ 39 138809240 20 1326 Feb 29 16:04 /Users/anna

10.1 Verify that UID-to-name resolution works, i.e. 138809240 shows up as anna (or WALLCITY\anna) and 20 as staff:

ls -ld /Users/anna

# drwxr-xr-x+ 39 anna staff 1326 Feb 29 16:04 /Users/anna
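Steps 4 to 10 as one script, added here as an example and not part of the original walkthrough. The user names (anna, WALLCITY\anna), the staff group and the 10.5 createmobileaccount path come from the steps above; an Active Directory bind is assumed (for Open Directory, resolve the network UID with the dscl line from step 6.2 instead). The part that matters is the preflight: the local record is only deleted once the network user resolves, the two UIDs differ and the home folder really belongs to the local UID. The checks take their inputs as arguments so they can be exercised on a machine that is not bound to anything.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: steps 4-10 scripted,
# with the checks that have to pass before the local record is deleted.
# Names, the staff group and the 10.5 createmobileaccount path are from the
# walkthrough; an AD bind is assumed.
set -eu

CREATEMOBILE=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# Field 3 of an `ls -lnd` line is the numeric owner (steps 4 and 10).
owner_uid_of_ls() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Every check here must pass before anything is changed.  Arguments: user,
# network user, home path, local uid, network uid, current owner uid of home.
preflight() {
    user=$1; netuser=$2; home=$3; local_uid=$4; net_uid=$5; owner=$6
    [ -n "$local_uid" ] || { echo "no local account named $user" >&2; return 1; }
    [ -n "$net_uid" ] || { echo "$netuser does not resolve; check the bind (step 3)" >&2; return 1; }
    [ "$local_uid" != "$net_uid" ] || { echo "uids already match; nothing to migrate" >&2; return 1; }
    [ "$owner" = "$local_uid" ] || { echo "$home is owned by uid $owner, not $local_uid; stopping" >&2; return 1; }
}

# The destructive part; run as root on the client.
migrate() {
    user=$1; netuser=$2
    home=/Users/$user
    local_uid=$(id -u "$user" 2>/dev/null || true)       # step 5
    net_uid=$(id -u "$netuser" 2>/dev/null || true)      # step 6.1 (AD form)
    owner=$(owner_uid_of_ls "$(ls -lnd "$home")")        # step 4
    preflight "$user" "$netuser" "$home" "$local_uid" "$net_uid" "$owner"
    dscl . -delete "/Users/$user"                        # step 7
    chown -R "$net_uid":staff "$home"                    # step 8
    "$CREATEMOBILE" -n "$user"                           # step 9.1
    ls -lnd "$home"                                      # step 10
    ls -ld "$home"                                       # step 10.1: names must resolve
}

# Usage: sudo sh migrate.sh migrate anna 'WALLCITY\anna'
case ${1:-} in
    migrate) shift; migrate "$@" ;;
esac
```

Because `set -e` is on, a failing `dscl . -delete` or `chown` stops the script before the mobile account is created, which is the point at which you would rather be looking at the machine than at ARD.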

Joining Windows to Mac OS X Server’s PDC

Friday, February 8th, 2008

In Server Admin, select SMB, set its role to Primary Domain Controller and give it a domain name.

Enable WINS.

On the Windows computer, open the NIC's TCP/IP properties and point WINS at the Open Directory server's IP address. Ping the OD server's IP address from the Windows machine to make sure names resolve.

Edit /etc/smb.conf and ADD the following entries:

time server = yes
security = user
preferred master = yes
domain logons = yes
local master = yes
workgroup = dees.com

Restart the smb daemon.

You should now be able to join the domain. If you get an "internal error" every time you try, check the SMB logs on OS X for an error along the lines of a fork problem in SMB. If that is what you see, enable guest access, bearing in mind that guest access exposes the shares to unauthenticated users, so turn it off again once the join works if it turns out not to have been needed. If that still does not help, you are probably running Leopard, and as of February 2008 this is a known problem: demote SMB to standalone, demote Open Directory back to standalone (which wipes the directory), promote OD to Directory Master again and then set SMB up as a PDC again, in that exact order.

You will now be able to join the domain.

Create a non-admin test user.

Log in to Windows with the new test account to confirm that everything works.