Enterprise IT • 22:05
A Tiger Server is highly secure out of the box and can effectively replace a Windows server, even in an all-Windows client environment. Learn how to move to Tiger Server with minimal disruption to your users and your network.
Speaker: Damien Weiss
Unlisted on Apple Developer site
Transcript
This transcript was generated using Whisper, it has known transcription errors. We are working on an improved version.
Well, we're going to begin off with the hand mic and then we're going to move to the body mic here, it sounds like. My name is Damien Weiss. I work for the Enterprise Consulting Group. We're going to talk about moving to Tiger Server from Windows. This is going to be a mainly NT-focused presentation.
So first I want to begin off, when we were writing the presentation, we were really doing this, we really sat down and tried to figure out who the main audience was. And really we came up with one of three groups. And as an audience participation, I'd like to get the old raising of the hands just to see who we have here.
I had a bet on who the majority would be. So the first group is the Windows admins. You know who you are. Go ahead, raise your hands. See it? Wow. Not bad, not bad. You guys are probably trying to figure out a way of getting out of Windows, maybe.
Maybe. Maybe not. We'll see. The Mac programmers are admins who are here trying to figure out a way to convince their managers we can do it. I swear we can. A few. A few more. And then finally a consultant who's just trying to figure out a way of making, doing this for their customers.
It's actually evenly split, pretty evenly split, a little bit more heavily towards the Mac side. I was actually thinking that it would be nearly 90% Mac side, so a little surprised by that. So for all of y'all, you probably want to figure out a way of ending the server licensing fees. And we're going to take a break and we're going to think about ending licensing fees. Keep talking. And figuring out a way to have a server that integrates. And then finally, a-- there we go.
And finally, getting a server you don't hear about on the news. I tell you, it's bad news when you have your parents call you up and say, "Is this machine that I'm running on my desktop? I heard about it on Channel 7 tonight. Is everything all right?" It's always bad news. Damien Weiss So, in other words, you have something like this, probably. You've got a lot of Windows boxes, the occasional one Mac that might be your machine, and a big, hunkin' Windows box in the middle.
What you want is a drop-in replacement, something really easy, and that's what we're here to do. And most of all, you want it without this, without the axe-wielding users. This is a -- I used to work at a bank, and this was a common problem that we had.
So how do you get there? Well, since we're at WWDC 2005, of course, the answer is going to be Tiger Server. In fact, it's even in the title of this session. So, for most of you, this is going to be a review, but I just wanted to go over it real fast.
What is Tiger Server? We're going to talk about a few things here. First off, we all know, we should all know it's Unix-based, right? It's open source out the wazoo. I love this phrase. Everything just about is open source, it seemed like, especially on the server side. So many of those projects open sourced out. It integrates very well. There's very little issue getting it to integrate with most of the other projects. It's very standard stuff. And for the non-standard stuff, there's a little bit of work involved, but still very well to integrate.
And it's very reliable. Ten years ago, if you were to ask me if we could have a Unix-based machine that I could ever get on stage in front of folks and say is reliable, I would have had a hard time doing it. But we've really done a really good job. And same thing with secure. We've really taken security and really built it into the machine. We administrate it through three different applications, right? First one for hardware administration, we use server monitor. It looks something like this.
We're monitoring the fans on this machine right now. Everything's green, which is good. For server processes, we're using Server Admin to monitor the processes and to go ahead and configure them. And finally, Workgroup Manager for looking at and configuring users and share points and for other items such as manage client.
So what have you got? Well, this is the server installation circa, what, 1996, 1997, somewhere around there. We've got a 4.0 box, PDC on it, network drives exchange. And what we're going to do is we're going to place the NT. will be replaced by Samba. Exchange will be replaced by our own mail product. There are other good mail products out there also. And finally, IIS will be banished forever by Apache. That will be a good thing. I'm happy about it too, believe me.
So what have we got on this migration path? Well, we have some Windows machines and for our migration here we're going to represent this with our three Windows boxes. And down here we've got our 3x serves and our
[Transcript missing]
So let's take a look. First, we have to prepare the PDC, right? So we're going to talk about this. What is a PDC versus a BDC? Now, for the Windows guys in there, this is probably review. The Apple folks, maybe, maybe not. PDC is the primary domain controller. You have one per domain. If you have a small enough company, that's one per network.
Contains all your login and password information, amongst other information. It's read/write, and generally, you try to make this thing as big and as hunking as a box as you can get, and you hope it doesn't break down. For that, you have BDCs, which are the backup domain controllers, really just replicas of that primary. You have as many as you want. And it contains a copy of the login and password. And those two really talk to each other, right? There's a trust relationship between those two, and the BDC grabs copies from the PDC, and it has all the information it needs.
So on the Tiger side, what we do is-- same thing here-- Windows under Server Admin. What you do is you have a pop-up there, and it's set currently for primary domain controller, or the PDC. And if we wanted to have it act as a BDC, we could flip that.
Now, the important thing to know here is that if you are setting up a Tiger Server as a PDC, you need to make sure that your open directory is set to being a master. If you're setting up a BDC, you need to make sure you have open directory replica. If there's one thing you take from this presentation today, please remember that. So the next step, migrating the users.
So this is where we are, right? We've got a Windows box there logging in to the PDC or the BDC, just depending. And so on boot up, as it says, it's going to find that PDC. It's going to attempt to log in. PDC is going to say, oh, okay, no problem. Let's find a home directory. Finds a home directory and everything's in.
And really what we want to do is we just want to drop in and replace to the point where the client doesn't notice anything. It's the same steps. I mean, look, it's just doing the exact same steps. We can do that. It's not an issue. As you can see, we've got an LDAP cloud above those XSERVs, and that's where all that information is going to be stored.
How we do that is with the NT migration tool. This is new with Tiger. It's in user S bin directory. It's a shell script that executes a number of server admin, command line server admin commands, and Samba-based commands. And what's good here is that it integrates with Open Directory right out of the box. We've done a very good job with this one. And again, that's Apple taking open source out the wazoo and doing something very good with it.
Actually, I want to add a little bit to that. About six months ago, I was actually researching this, and I was reading a lot of the online documentation that was outside of Apple's, and I was reading the steps that folks were going through in order to integrate this, and it was tough.
It raised the hairs on the back of my head just reading the documentation. And so, I really appreciate the fact that engineering got together and said, "How can we make this easier for folks?" So, Inti Migration Tool, how do we use it? What do we do? Well, here's the syntax up here.
What we do is we'll just type in the shell script followed by the Inti domain name, the server name of the PDC, the domain admin, and then finally the LDAP admin on your 10 server. It will take all that information and it will also insert in some of its own information and store these things into varsible Samba temporarily.
including the passwords for these accounts. It will then go into lookupd, flush the cache, so that way we know we're dealing with real, live, honest-to-goodness data, which is always very important. And then finally, it will execute the heart of it, which is the net vampire command. Now, what this does is it emulates being a BDC. It fools the PDC into thinking it's a BDC.
It copies all that information because the PDC thinks, great, this is it. This is my honest-to-goodness BDC. I'm just going to copy all the information. Nothing gets unencrypted. Nothing happens to the data. It's just the data as it was on the PDC. And then that's it. And then we're done.
So finally we're going to move, or not finally, but next we're going to move to Home Directory. So there's two ways of doing this, right? Or there's actually more than two ways. There's several ways of doing this, but there are two primary ways that I see of doing this.
My favorite way personally is just to mount the NT server, do a recursive ditto, and just be done with it. Go in, make sure that the permissions are kosher afterwards. If everything's good to go, everyone's happy. And this works 99% of the time. The other way that a lot of folks like to do is do the external hard drive and sneak or net it to the new server. It's really up to you.
Once you have those users in there, we can modify a lot of the home directory information within Workgroup Manager. So, you know, we can set the home directory drive letter. We can set the user profile paths, the login script. All that stuff is settable within the Windows panel. Excuse me. Oh, yes, within the Windows panel, Workgroup Manager.
Next step is turn on the Windows service. So at this point, we have prepared the server. We've set it up as an open directory master. We've migrated the user authentication data. We've moved the home directories, and now we're going to go ahead and turn on that Windows service and turn this machine, make it into a PDC, a full-fledged PDC.
So what we do is, again, server admin, Windows panel, flip this over to PDC, and hit start. Make sure that the domain name is correct. Important. Seeing customers who did not set the domain name correctly and bad things result. And that's it. You're done. The one thing that you need to do is be sure to turn off the Windows box. So we gray out the old Windows box there, and now we have our XServe online.
The next thing that we're going to talk about is mail migration. And mail isn't as clean of a solution. And I think most of us know this. Mail is tough, right? There is no good way of doing it, in my opinion. But the best way that I've seen is the IMAP to IMAP copy. So on Exchange, turn on your IMAP compatibility mode. It's there in Exchange 5.5 and further on. Not there in versions before 5.5.
And what you do is you log in to the server as one of your users. You go ahead and you create the entries within, let's say, mail.app for both the IMAP servers, both the Exchange server and now your new XServe server. And you just copy all that mail from one server to the other.
It's not as clean of a solution as I would like at this point, but it is a good solution and it does work, and we have other things that we're going to talk about later on. So that's mail. On to printing. Printing is easy, right? If you still have printers hooked up to Windows queues, this is really easy. We turn on SMB and you're done.
That's it. You set up the queues, you turn on SMB and that's it. Now, what we get out of this and what I think is more important is for free, you get the Internet Printing Protocol, Apple Talk and LPR all for free, just right out of the box, just for using our product. And that's just a great value add for the server. So another Windows box put into storage. It's gone. Another XServe online. And finally, the web service.
This is also pretty darned easy. What you need to do is just copy your files into library web server documents. And for the three of you that are still using the index.htm instead of HTML reference, no problem. You can add that index.htm to the default index files. It will take care of that. You don't need to go in and recursively change each one of your web pages and worry about those things. It's just taken care of for you.
We have built-in certificates. In previous versions in Panther, for instance, doing the certificates was a little gnarly. Not so here now. We actually ship a self-signed certificate with the server. works very well. You need to just go ahead and go into certificate and select default. For new certificates, it's just as easy as adding in or clicking and getting custom configuration, and the pop-up panel comes in and then filling out all the standard information that you receive from your CA.
Another Windows machine is gone into the closet and truly a world that has been rid of three Windows boxes. But that's not it. Remote management. For those of you who would have one Mac, two Macs, or maybe zero Macs, and this is just a server, a lot of you don't want to have to haul down to the server room in order to make any changes, right? Many of us don't want to have just a dedicated Mac. I would like that. That would be great. But, you know, a dedicated Mac just to manage a server seems a little bit wasteful. You can SSH in, of course, use the command line server admin command.
They've really done a good job with this. So, for instance, in this example, I went ahead and I just wanted to see what the status of Samba was. In this case, it stopped. Simple enough. Wanted to get a full status of it, and so it dumped out a large amount of data amongst it that it stopped still, but also some of the configuration data that it is aware of.
Then also wanted to see what else I could do. So I went ahead and said, well, let's start the process. Why not? Just shoots right back that it's running. All in command line, no problems whatsoever. Stopped it again. Not an issue. I wanted to change some of the settings, for instance. I wanted to change where the Samba log was being placed onto. And I wanted to place it onto the RAID, so use the command line.
All this stuff is in there. It's within server admin. If you just say server admin settings SMB, it will dump out every setting that it knows about. You can just as easily change it on the command line. If I want to change the server string or if I just want to see what the server string was, not an issue. It's there.
[Transcript missing]
The solution is also the server admin command. What I've done here is I went ahead and just simply said server admin command, XSERV command equals status, and it drops out a large amount of data. There's a lot of -- not a lot, but there's a couple of scripts out there that can take this and translate this into something human readable.
But I just wanted to go ahead and take a quick look and see what we had. So I went ahead and did this. You can see what the temperature behind the CPU1 ambient was. And as you can see, it spewed out 1,900,544. An engineer told me that the way to decode this into something more English readable was to divide by 65,536, and you get your answer in Celsius.
I almost, on the slide, almost then did the conversion into Fahrenheit, but I figured I'd leave well enough alone and maybe actually learn the metric system. supporters of metric system. Good. So also we can find out what version of the operating system it's running. As you can see, it just says it's running 10.4, even the OS build number.
So that's, what is that? That's 8A428, which for some reason I have memorized as being 10.4. And finally, also the serial number. There's a lot of customers who come to me and they ask me, they say, hey, how can I find out the serial number of this box without actually having to visit it and locate it? I want to do this scriptably. This is the answer.
Also, if you want to do graphic management, well, you've got your Windows box and you want to graphically administer your XServe or your Mac. It's not an issue. We ship within ARD a VNC server, go into System Preferences, Sharing, Apple Remote Desktop. And you turn it on. And using a client like RealVNC or FreeVNC, you go ahead and you can control your Mac server and it's not an issue whatsoever.
And you turn it on. And using a client like RealVNC or FreeVNC, you go ahead and you can control your Mac server and it's not an issue whatsoever. You still can't figure out how to tell it that. So it pops up this thing every single time I turn it on. It drives me insane.
But that's not all. As we all know, DNS, we can do it. DHCP, Jabber Server, which is the instant messaging server that there was a great presentation a little while ago about. NAT services, Firewall, FTP, VPN. Truly, it can be the Swiss Army knife of your network. It can do it all.
Now, back to that mail drop and replacement. There's also a couple other things I haven't mentioned. Groupware, calendaring. There's some great third-party products out there. Cario and Communicate do an excellent, excellent job of mail service, and MeetingMaker does a great job on the calendaring side. And I strongly recommend that if you're not getting what you need from us, take a look at these folks. They do a great job. Great job. I highly recommend them.
So for other resources, just go to the WWDC website. There are related sessions to this one. There was, of course, the overview that happened and the Active Directory integration. These are excellent sessions. More. The ARD and management practices. And there's the upcoming extending and securing mail services using Mac OS X. If anyone's interested in mail securing, this is it. I got a sneak peek at some of the slides. I wasn't supposed to, but I sort of peeked at a couple of them and I was actually blown away by how good this is going to be.