OS X Server for small business



Date: 02.02.2017

Formats for server disks


When you erase a disk before installing OS X Server on it, select one of these formats:

Mac OS Extended (Journaled): 

This format is recommended, and is the most common format for Mac and Mac server startup disks.



Mac OS Extended (Case-sensitive, Journaled): 

This format is worth considering if you’re planning to have your server host a custom website with static web content instead of or in addition to wikis. A case-sensitive disk can host static web content with a more direct mapping between files and URLs.

You can erase other disks using one of the formats above, or a non-journaled variant: Mac OS Extended or Mac OS Extended (Case-sensitive).

If the server has a disk formatted using the UNIX File System (UFS) format by an earlier version of OS X or OS X Server, do not use the UFS disk for an OS X Server startup disk.


Volumes on a partitioned disk


Partitioning a hard disk creates a volume for OS X Server and one or more volumes for service data and other software. The volume you install OS X Server on should be at least 10 GB. This volume should be larger if you plan to store shared folders, wikis, and other service data on it.

The volumes on a partitioned disk are often simply called “disks.” Each volume appears as a disk in the Finder, and you use each volume as if it were a separate disk.


RAID sets


If you’re installing OS X Server on a computer with multiple internal hard disk drives, you can create a RAID (Redundant Array of Independent Disks) set to optimize storage capacity, improve performance, and increase reliability in case of a disk failure. For example, a mirrored RAID set increases reliability by writing your data to two or more disks at once. If one disk fails, your server automatically continues using other disks in the RAID set.

You can set up RAID mirroring or another type of RAID set when you begin installing OS X Server. After installing, you can set up RAID mirroring on a disk that isn’t partitioned. To prevent data loss, you should set up RAID mirroring as early as possible. For information about setting up a RAID set, search Disk Utility Help for “Using RAID sets.”

If you choose a RAID set, you won’t get a recovery partition or FileVault full disk encryption. A recovery partition allows you to reinstall OS X or recover your entire system from a Time Machine backup. Full disk encryption isn’t recommended for an OS X Server startup disk or any disk that stores service data. If these disks are encrypted, the server can’t restart until you go to the server and enter the password at the server’s keyboard. If you use OS X Server to share an encrypted disk, the disk isn’t available to users until you enter the password at the server’s keyboard.


Port mapping for network and server protection

If you have a network router that shares its Internet connection with computers on your intranet, such as an AirPort Extreme Base Station (802.11n) or a Time Capsule, the router isolates your intranet from the Internet. These Internet-sharing routers protect your intranet against malicious attacks from the Internet by blocking communications that originate outside the intranet.

Computers on the Internet can’t access your server unless you configure your router to expose specific services on the Internet. For example, you might expose your Wiki and Websites services on the Internet, but not file sharing. You can still control access to wikis by requiring users to log in to view them. The process of exposing individual services to the Internet is called “port mapping” or “port forwarding.”

Internet users can access your exposed services by using an Internet host name, such as server.mycompany.com, that you register with a public DNS registrar or a DNS hosting service. Your registered host name points to the public IP address you got from your ISP and configured your router to use. Internet users can also access your exposed services by using your public IP address directly instead of by using an Internet host name.

When using your Internet host name or public IP address to access a specific service, such as your Wiki service, users actually reach your router. If you exposed the service, your router forwards the request to your server. If you didn’t expose the service, the router doesn’t forward the request, and the user can’t get that service from your server.

If you want to let Internet users with accounts on your server access services that aren’t exposed to the Internet, you can turn on VPN service. It provides a secure remote connection to all services on your intranet.


Register the server’s Internet host name

To allow users to access the server by using its host name on the Internet, you must register the server’s host name.


  • Obtain an Internet domain name, such as example.com.

If you don’t already have a domain name, you can purchase one from a public domain name registrar. For information about domain name registrars, search the web.

  • Register a unique host name for this server, such as server.example.com, with your domain name registrar.

If your organization has a computer support group, request a host name from them. Otherwise, work with the domain name registrar where you obtained your domain name to assign a host name.

  • Have a DNS hosting service add records for this server to its DNS servers.

If your organization has a computer support group, ask if they host DNS servers. Otherwise, your DNS registrar might provide DNS hosting service, or you can search the web for a provider.


DNS records for your server

Before you set up your server, have your DNS server administrator add records for your server to a DNS server. After these records are added, users can access your server by using its host name, such as server.mycompany.com.

Users can use your server’s host name on your intranet if the DNS server administrator for your intranet adds DNS records for your server. If your intranet doesn’t have a DNS server, users can access your server by using its local hostname, such as server.local.

Users can use your server’s host name on the Internet if a DNS hosting service adds the records described below to its DNS servers. These records must point your server’s host name to the public IP address of your Internet router, if you have one. The DNS registrar you obtained a domain name from might provide DNS hosting service, or you can search the web for a provider.

A (address)

An A record is required. It maps your server’s host name to its IP address. If you have an Internet router, your server has a unique, private IP address on your intranet, but on the Internet it uses the router’s public IP address.



PTR (pointer)

A PTR record is required. It provides a reverse lookup by mapping the server’s IP address to its host name. If you have an Internet router, your server has a unique, private IP address on your intranet, but on the Internet it uses the router’s public IP address.



MX (mail exchange)

If your server provides Mail service, the optional MX record specifies that your server is a mail server for your domain. An MX record lets users have an email address such as mchen@example.com. Without an MX record, email addresses must include your server’s full host name (for example, mchen@server.example.com).



CNAME (alias)

One or more optional CNAME records provide convenient access to services your server provides, such as mail.example.com and www.example.com.



SRV for Contacts service

If your server provides Contacts service, you can add an optional SRV record for Contacts service’s CardDAV protocol.



  • If you have an SSL certificate for Contacts service, add a record that maps _carddavs._tcp for port 8443 to your server’s host name. For example:

_carddavs._tcp 86400 IN SRV 0 1 8443 server.example.com.

  • If you don’t have an SSL certificate for Contacts service, add a record that maps _carddav._tcp for port 8008 to your server’s host name. For example:

_carddav._tcp 86400 IN SRV 0 1 8008 server.example.com.

SRV for Calendar service

If your server provides Calendar service, you can add an optional SRV record for Calendar service’s CalDAV protocol.



  • If you have an SSL certificate for Calendar service, you can add an optional record that maps _caldavs._tcp for port 8443 to your server’s host name. For example:

_caldavs._tcp 86400 IN SRV 0 1 8443 server.example.com.

  • If you don’t have an SSL certificate for Calendar service, add a record that maps _caldav._tcp for port 8008 to your server’s host name. For example:

_caldav._tcp 86400 IN SRV 0 1 8008 server.example.com.

SRV (service locator) for Messages service

If your server provides Messages instant messaging service, you can add two optional SRV (service locator) records for Messages server’s XMPP (Jabber) protocol.



  • One record controls connections between your server and other XMPP servers. It maps _xmpp-server._tcp for port 5269 to your server’s host name. For example:

_xmpp-server._tcp 86400 IN SRV 0 1 5269 server.example.com.

  • Another record controls Messages and other XMPP client connections to your server. It maps _xmpp-client._tcp for port 5222 to your server’s host name. For example:

_xmpp-client._tcp 86400 IN SRV 0 1 5222 server.example.com.

These SRV records let users have a Messages address such as mchen@example.com. Without these SRV records, Messages addresses must include your server’s full host name (for example, mchen@server.example.com).
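The records described in this section, assembled as an added example that is not part of the Apple page: a short Python script that emits the forward-zone A, MX, CNAME and SRV lines and the reverse-zone PTR line for a constructed server, and flags the common zone-file mistake of writing a target name without a trailing dot (BIND treats such a name as relative and appends the zone origin to it). The zone name, server name, IP address, TTL and MX priority are assumptions; the SRV labels and ports are the ones listed above.

```python
"""Added example, not from the Apple page: render the DNS records an
OS X Server host needs (A, PTR, MX, CNAME, SRV) and check them for
relative target names, the usual cause of a record that looks right
but resolves to server.example.com.example.com."""
import ipaddress

# Constructed sample values; 203.0.113.0/24 is reserved for documentation.
ZONE = "example.com"
SERVER = "server.example.com"
PUBLIC_IP = "203.0.113.10"
TTL = 86400
MX_PRIORITY = 10  # assumption; the page gives no priority

# Service -> (port with SSL, port without SSL), as listed on the page.
SRV_SERVICES = {
    "carddav": (8443, 8008),
    "caldav": (8443, 8008),
}
XMPP_PORTS = {"xmpp-server": 5269, "xmpp-client": 5222}


def fqdn(name: str) -> str:
    """Return an absolute name (trailing dot) for use in a zone file."""
    return name if name.endswith(".") else name + "."


def ptr_name(ip: str) -> str:
    """Owner name of the reverse (PTR) record for an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def forward_records(zone=ZONE, server=SERVER, ip=PUBLIC_IP, tls=True, mail=True):
    """Zone-file lines for the forward zone.  tls=True selects the
    _carddavs/_caldavs records on 8443, tls=False the plain ones on 8008."""
    target = fqdn(server)
    lines = [f"{fqdn(server)} {TTL} IN A {ip}"]
    if mail:
        lines.append(f"{fqdn(zone)} {TTL} IN MX {MX_PRIORITY} {target}")
    for alias in ("mail", "www"):
        lines.append(f"{fqdn(alias + '.' + zone)} {TTL} IN CNAME {target}")
    for svc, (tls_port, plain_port) in SRV_SERVICES.items():
        label = f"_{svc}s._tcp" if tls else f"_{svc}._tcp"
        port = tls_port if tls else plain_port
        lines.append(f"{fqdn(label + '.' + zone)} {TTL} IN SRV 0 1 {port} {target}")
    for svc, port in XMPP_PORTS.items():
        lines.append(f"{fqdn('_' + svc + '._tcp.' + zone)} {TTL} IN SRV 0 1 {port} {target}")
    return lines


def reverse_record(ip=PUBLIC_IP, server=SERVER):
    """The single PTR line for the reverse zone."""
    return f"{ptr_name(ip)} {TTL} IN PTR {fqdn(server)}"


def relative_targets(lines):
    """Return the records whose target (last field) lacks a trailing dot.
    Only record types that carry a name as target are checked."""
    bad = []
    for line in lines:
        fields = line.split()
        if fields[3] in ("MX", "CNAME", "SRV", "PTR") and not fields[-1].endswith("."):
            bad.append(line)
    return bad


if __name__ == "__main__":
    for rec in forward_records() + [reverse_record()]:
        print(rec)
    print("relative targets:", relative_targets(forward_records()))
```

Run the script to print a complete set of records for the sample zone; feed it your own zone-file lines through relative_targets() before handing them to a DNS hosting service.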




DHCP server configuration for your server

Before you set up your Mac server, configure your DHCP server to supply important network addresses to computers on your intranet.

The DHCP server can provide each computer with its own IP address, the IP address of your network router, and the IP addresses of DNS servers for your network.

When configuring your DHCP server, be sure to do the following:


  • Configure your network’s DHCP server to assign a fixed (static) IP address to your server. This feature is called “static mapping” or “DHCP reservations.” With a fixed IP address, your server always has the same IP address, so other computer users can connect to it reliably.

  • Configure your DHCP server to provide your server’s IP address as the DNS server address, unless your intranet has a DNS server. If your intranet doesn’t have a DNS server, your server is configured as a DNS server during initial server setup.

If your intranet connects to the Internet through a router supplied by your ISP or purchased from a computer retailer, the router is usually your DHCP server. For information about configuring your router, see its documentation.

If your intranet and Internet connections are managed by your organization, ask the DHCP administrator to configure the DHCP servers for your Mac server.




Ports used for administration

For Apple’s administration applications to function, specific ports must be enabled. In addition, other ports must be enabled for each service you want to run on your server.

Port number and type

Tool used

22 TCP

SSH command-line shell

389, 636 TCP

Directory


© 2012 Apple Inc. All rights reserved.




Restart computers

To restart a computer now or at a specific time, use the shutdown -r or systemsetup command. For more information, see their man pages.

Restart the local computer

Enter the following command in a Terminal window:

$ sudo shutdown -r now

Restart a remote computer immediately

Enter the following command in a Terminal window:

$ ssh -l admin computer shutdown -r now

Replace admin with the short name of a user account on the remote computer.

Replace computer with the IP address or host name of the remote computer.

Restart a remote computer at a specific time

Enter the following command in a Terminal window:

$ ssh -l admin computer shutdown -r hhmm

Replace admin with the short name of a user account on the remote computer.

Replace computer with the IP address or host name of the remote computer.

Replace hhmm with the hour and minute you want the remote computer to restart.

Restart automatically after power failure

You can also use the systemsetup command to set the computer to start up after a power failure or system freeze, by specifying a number of seconds.

Enter the following command in a Terminal window:

$ sudo systemsetup -setwaitforstartupafterpowerfailure seconds

Replace seconds with the number of seconds before the computer starts after a power failure. This value must be 0 (zero) or a multiple of 30.




Shut down computers

To shut down a computer at a specific time, use the shutdown command. For more information, see the shutdown man page.

Shut down a remote computer immediately

Enter the following command in a Terminal window:

$ ssh -l root computer shutdown -h now

Replace computer with the IP address or host name of the remote computer.

Shut down a remote computer at a specific time

Enter the following command in a Terminal window:

$ sudo shutdown -h +mm

Replace mm with the number of minutes until the remote computer shuts down.

Shut down while leaving the computer on and powered

To support UPS restart after power failure, the shutdown command provides the -u option. This option halts system shutdown before the shutdown command instructs the power manager to turn off the power supply.

The -u option keeps the system halted and waits for 5 minutes before removing power so an external UPS can forcibly remove power.

Using the -u option simulates a dirty shutdown, which allows a later automatic power-on. The operating system uses the -u option with supported UPS devices in emergency shutdowns.


Change a remote computer’s startup disk

You can change a remote computer’s startup disk using SSH.

Determine available startup disks

Log in to the remote computer using SSH, and enter:

$ systemsetup -liststartupdisks

Change the startup disk

Log in to the remote computer using SSH, and enter:

$ systemsetup -setstartupdisk path

Replace path with the path to an available startup disk on the remote computer.




Manipulate firmware NVRAM variables

To manipulate firmware NVRAM variables, use the nvram tool. If you change a value with nvram, the value is saved only if the computer cleanly restarts or shuts down. For more information, see the nvram man page.

View NVRAM variables

$ nvram -p


Overview of DNS setup

If you’re using an external DNS name server and you entered its IP address in the Gateway Setup Assistant, you don’t need to do anything else. If you’re setting up your own DNS server, you must do the following.

Register your domain name

Domain name registration is managed by IANA. IANA registration makes sure that domain names are unique across the Internet. (For more information, see http://www.iana.org.)

If you don’t register your domain name, your network can’t communicate over the Internet.

After you register a domain name, you can create subdomains as long as you set up a DNS server on your network to track the subdomain names and IP addresses.

For example, if you register the domain name example.com, you could create subdomains such as host1.example.com, mail.example.com, or www.example.com. A server in a subdomain could be named primary.www.example.com or backup.www.example.com.

The DNS server for example.com tracks information for its subdomains, such as host (computer) names, static IP addresses, aliases, and mail exchangers.

If your ISP handles your DNS service, you must inform them of changes you make to your domain name, including added subdomains.

The range of IP addresses used with a domain must be clearly defined before setup. These addresses are used exclusively for one specific domain, never by another domain or subdomain. Coordinate the range of addresses with your network administrator or ISP.



Learn and plan

If you’re new to DNS, learn and understand DNS concepts, tools, and features of OS X Server and BIND. See Find more DNS information.

When you’re ready, plan your DNS service. Consider the following questions:


  • Do you need a local DNS server? Does your ISP provide DNS service? Can you use multicast DNS names instead?

  • How many servers do you need? How many additional servers do you need for backup DNS purposes? For example, should you designate a second or third computer for DNS service backup?

  • What is your security strategy to deal with unauthorized use?

  • How often should you schedule periodic inspections or tests of DNS records to verify data integrity?

  • How many services or devices (such as intranet websites or network printers) need a name?

There are two ways to configure DNS service on a Mac server:

  • Use the Server app. This is the recommended method.

  • Edit the BIND configuration file. BIND is the set of programs used by OS X Server that implements DNS. One of those programs is the “name daemon,” or “named.” To set up and configure BIND, you must change the configuration file and the zone file. The configuration file is /etc/named.conf.

The zone file name is based on the name of the zone. For example, the zone file for example.com is /var/named/example.com.zone.

If you edit named.conf to configure BIND, don’t change the inet settings of the controls statement. Otherwise, the Server app can’t retrieve status information for DNS.

The inet settings should look like this:

controls {
    inet 127.0.0.1 port 54 allow { any; }
    keys { "rndc-key"; };
};


Add forwarding server

When your DNS server cannot resolve a DNS query locally, it can use a forwarding server to handle the query. The DNS server forwards the request to another DNS server that can respond to the DNS query. This can be used across separate subnets and networks.


  1. Select your server in the Server app sidebar, and then click DNS.

  2. Click Edit next to Forwarding Servers.

  3. Click Add (+), and enter the forwarding server's IP address.

You can enter multiple IP addresses.

  4. Click OK.

The number of forwarding servers you specified is shown.


Set lookup behavior

Use the Server app to set lookup behavior for clients. Your DNS server can perform lookups for clients on all networks or only specific networks you choose.


  1. Select your server in the Server app sidebar, and then click DNS.

  2. Select the “Perform lookups for” checkbox.

  3. From the “Perform lookups for” pop-up menu, choose “all clients” or “only some clients.”

  4. If you choose “only some clients,” you have the following options:

    • Perform lookups for the server itself:  Performs DNS lookups for your server.

    • Perform lookups for clients on the local network:  Performs DNS lookups for clients on the same network your server is on.

  5. Click Add (+) to enter the IP address of the server or network.

CIDR notation is supported. For more information on CIDR notation, see the CIDR Notation article on Wikipedia.


Add host name and aliases

Use the Server app to add host names and aliases to your DNS server.


  1. Select your server in the Server app sidebar, and then click DNS.

  2. Click Add (+) below the host names list.

  3. In the Host Name field, enter the host name of the computer.

  4. Below the IP Addresses list, click Add (+) to enter the IP address of the computer.

If your computer has more than one IP address, you can enter multiple IP addresses to the list. You can also add multiple addresses to help with load balancing.

  5. Below the Aliases list, click Add (+) to enter aliases for your computer.

You can add as many aliases as you want.

  6. If your server provides Mail service, select the “Create an MX record for this host name” checkbox.

The optional MX record specifies that your server is a mail server for your domain. An MX record lets users have an email address such as mchen@example.com. Without an MX record, email addresses must include your server’s full host name (for example, mchen@server.example.com).

  7. Click Done.


Start DNS

You can stop or start DNS in the DNS pane of the Server app.


  1. In the Server app sidebar, select the service you want to start.

  2. Click the On/Off switch to turn on the service.

  3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users.

Click Don’t Allow if you don’t want the service to be accessible to computers on the Internet, or if you’re not sure. You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login.

The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Calendar, Contacts, Mail, Messages, and Websites.

If you have an Internet router that isn’t listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.


Edit host names and aliases

Use the Server app to change host names and aliases on your DNS server.


  1. Select your server in the Server app sidebar, and then click DNS.

  2. From the Host Name list, select the computer you want to change, and then select Edit Host Name from the Action pop-up menu (looks like a gear).

  3. Make your changes to the DNS information for your server.

  4. Click Done.


Remove host names and aliases

Use the Server app to remove host names and aliases from your DNS server.


  1. Select your server in the Server app sidebar, and then click DNS.

  2. From the Host Name list, select the computer you want to remove and then click Delete (–) below the list.


Use zone transfers to defend against server mining

Server mining is the practice of getting a copy of a complete primary zone by requesting a zone transfer. In this case, a hacker pretends to be a secondary zone to another primary zone and requests a copy of the primary zone’s records.

With a copy of your primary zone, the hacker can see what kinds of services a domain offers and the IP addresses of the servers that offer them. He or she can then try specific attacks based on those services. This is reconnaissance before another attack.

To defend against this attack, specify which IP addresses have permission to request zone transfers (your secondary zone servers) and deny all others.

Zone transfers are accomplished over TCP on port 53. To limit zone transfers, block zone transfer requests from anyone but your secondary DNS servers.



  1. Create a firewall filter that permits only IP addresses that are inside your firewall to access TCP port 53.

  2. Follow the instructions for configuring firewall rules, using the following settings:

    • Packet: Allow

    • Port: 53

    • Protocol: TCP

    • Source IP: (the IP address of your secondary DNS server)

    • Destination IP: (the IP address of your primary DNS server)
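The same two restrictions, expressed as BIND access lists rather than as a Server app setting or a firewall filter, as an added example that is not from the Apple page: a Python script that renders an allow-query list (the named.conf counterpart of “Perform lookups for only some clients”, CIDR notation included) and an allow-transfer list naming only the secondary servers, then evaluates a requesting address against those lists the way named would. allow-query and allow-transfer are standard BIND options; the addresses, zone name and zone file path are constructed samples.

```python
"""Added example, not from the Apple page: model BIND's allow-query and
allow-transfer access lists for the lookup and zone-transfer restrictions
discussed on the page, and decide whether a given requester is permitted."""
import ipaddress

# Constructed sample topology (RFC 1918 and RFC 5737 addresses).
PRIMARY_DNS = "192.168.1.10"
SECONDARY_DNS = ["192.168.1.11", "203.0.113.53"]      # the only hosts allowed to transfer
LOOKUP_CLIENTS = ["127.0.0.1", "192.168.1.0/24"]      # server itself + local network, CIDR form


def acl_allows(acl, addr):
    """True if addr matches any host or CIDR network in acl.
    Plain hosts are treated as /32 (or /128) networks; no '!' negation is modelled."""
    ip = ipaddress.ip_address(addr)
    for entry in acl:
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def render_named_conf(zone, lookup_clients=LOOKUP_CLIENTS, secondaries=SECONDARY_DNS):
    """named.conf fragment: allow-query restricts who may look names up,
    allow-transfer restricts AXFR/IXFR to the secondaries.  The controls
    statement the page warns about is deliberately not touched here."""
    q = " ".join(f"{c};" for c in lookup_clients)
    t = " ".join(f"{s};" for s in secondaries)
    return "\n".join([
        "options {",
        f"    allow-query {{ {q} }};",
        "};",
        f'zone "{zone}" {{',
        "    type master;",
        f'    file "/var/named/{zone}.zone";',   # path convention from the page, file name assumed
        f"    allow-transfer {{ {t} }};",
        "};",
    ])


def transfer_decision(requester, secondaries=SECONDARY_DNS):
    """What named answers a zone-transfer request with under the ACL above."""
    return "allow" if acl_allows(secondaries, requester) else "deny"


def lookup_decision(requester, clients=LOOKUP_CLIENTS):
    """What named answers an ordinary query with under allow-query."""
    return "allow" if acl_allows(clients, requester) else "deny"


if __name__ == "__main__":
    print(render_named_conf("example.com"))
    for who in ("192.168.1.11", "192.168.1.77", "198.51.100.4"):
        print(who, "lookup:", lookup_decision(who), "transfer:", transfer_decision(who))
```

allow-transfer refuses the transfer request inside named, so ordinary queries that fall back to TCP port 53 (responses too large for UDP) keep working for outside clients, which the firewall filter above does not allow for. Use the two together: the ACL stops an unauthorized transfer even when a request reaches the server, and the firewall filter keeps most such requests from reaching it at all.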


Set up a VLAN

To set up and manage VLANs, you use the VLAN area of the Network pane of System Preferences.

Be sure that ports used by non-VLAN devices (non-802.1q-compliant) are configured to transmit untagged frames. If a noncompliant Ethernet device receives a tagged frame, it cannot understand the VLAN tag and drops the frame.



