WWDC05 • Session 620

Upgrading to Tiger Server

Enterprise IT • 59:44

Tiger Server introduces hundreds of new features every system administrator will want. Learn techniques for ensuring your migration from Panther Server is as smooth as possible, and discover how to take advantage of new Tiger Server functionality in your environment.

Speakers: Schoun Regan, Josh Wisenbaker

Unlisted on Apple Developer site

Transcript

This transcript was generated using Whisper and has known transcription errors. We are working on an improved version.

I manage one of the developer technical support teams here in Developer Relations. We are responsible for the show that you are attending. I've got great pleasure today in bringing up two people to the stage to talk about moving from Panther to Tiger Server. How many of you right now are running Panther Server? Excellent! That's what I wanted to see. So after this session, you'll see the things you need to know in order to migrate smoothly up to Tiger. A couple of gotchas that you might not be aware of. We do have some fantastic resources also, so we'll be pointing you to some of those.

So I'd like to bring on to the stage right now, Schoun Regan. He runs the itinstructure.com site. He actually does a lot of training and consulting for Apple. And Josh Wisenbaker, who runs afp548.com, which I'm sure many of you have used if you are a Macintosh Systems Administrator.

Thank you. Thank you, Jason. So, I didn't get to see it. How many people have Tiger Server installed already and you're running it? Why are you here? I'm being facetious because the session is about upgrading and some of the issues that you're going to find in upgrading. We've planned this session out carefully and sort of narrowed it down to some of the areas that are most important when people are upgrading. So let's go ahead and get started.

So preparing for an upgrade, what do you need to do? Well, focus on, and what we want to do is focus on critical aspects of this. We want to focus on service configuration, on the password server and the KDC, and we want to focus on users and groups. Also, how many people have read the migration guide? It's free, it's out there, right? Okay.

So if you didn't know about it, there's a link at the end of the session. It's on Apple's server site under documentation. You have a PDF guide, you can download it. Download that, and it talks about some of the stuff that we're going to talk about in this session.

So, what are we going to learn? We're going to talk about planning the upgrade, we're going to talk a little bit about backup, some rules of engagement. We have to have some rules here before we upgrade to Tiger Server, so we want to talk about some of these rules. We're going to talk about service updates, and we're going to spend a bulk of the time towards the end talking about the LDAP database password server and the KDC. That's really what we want to hit here.

So upgrade methods. What can we do? How can we upgrade? Well, you can do a clean install. 30 users, don't really have a lot, back up the users, data, blow it away, install Tiger Server, and you're done. You re-enter the users, re-enter the passwords. Kind of straightforward, you may have done that before.

Upgrade in place. On upgrade in place, you have a Panther Server. It's already running. How many people have done an upgrade in place already? Okay. So those of you that have done an upgrade in place, how many have had problems after the upgrade? Okay. How many have had problems with the LDAP KDC or password server? Okay.

Just a few, right? So some of the issues that we have that we can face, we're going to talk about as we go further on, and hopefully we can learn from this. And so when you plan your upgrade, you don't have to worry about this. We also want to keep an eye towards remote upgrading. Okay.

Next up is the record and configuration migration. This is where we migrate our user records, we migrate our computer records, we migrate our KDC information, and our password server database information. Back them up. Wipe it, reinstall it, and pull the information back in. When you do this, or to assist you in doing some of this, there are migration tools. They are binaries, and they're included. You can see the URL right there.

So, think about your deployment. Which one of these makes the most sense to you? You need to decide. And what tools are necessary to accomplish each one of these? So, backup procedure. Few slides, can't do without it. Always have a backup in place ready to go. What I want to demonstrate in the next couple of slides is just a quick and dirty XServe backup solution.

This is called pleasing your ISP. Because if you have an XServe at an ISP or remote location, do you really want to be going there while you're trying to do the backup? Can you do it remotely? Are there things that you can do? So you can try this at home.

What we've done is said, well, let's go ahead and take a standard G5 Xserve, mirror the two drives, user data is on an Xserve RAID, and we have a third drive, and we're going to use that for something else. You have Mac OS X Server installed on the mirrored drives. Take the third drive and install Mac OS X Client. You may need an additional license. Don't install Server, install Client. Use the same administrator name and password. Turn on SSH, ARD, and then copy over.

The configuration file, the preferences.plist from your server to the client. When you do that, and you boot from the third disk, if you're remote, what happens? Do you have to change your passwords in ARD? No. Does it have the exact same IP configuration? Yes. Is SSH turned on? Yes. If you're using SSH keys, you may need to migrate the keys over. Once you've done this, you can use hdiutil, whatever you want, create a disk image, make it read-writable.

Use any tool that you want to take your server image and clone it to the disk image. Create a small script that maybe once a week mounts the disk image and does a synchronization between your server mirrored drives and the disk image and then unmounts the disk image.

You can also have small shell scripts that sit there and say if Watchdog or something else reboots the machine within three times within five minutes, change the startup disk to the client disk. Obviously something's going on, you may not be able to get into it, so you put a dead man switch so it'll change over, boots from the client disk, and then you can actually restore in place, recover data, do what you need to do. So you ship the Tiger CD out to your ISP, you have them put it in the drive bay, and you leave it go.

I want to turn it over to Josh. We want to talk about what to look for or a quick and dirty demo of just what we talked about. Josh? Okay. Demo number one, please. And I will say that I'm not the only person at AFP548. Joel Rennich is the instigator of our little endeavor there as well. And we have a lot of talented writers, and thank you for your support on that.

So taking a look here very quickly at some of these files that Schoun was talking about, you can see we've got our drives here. If you look at the orange ones, this is our imaginary Xserve down here. We've got our pre-in-place OS drive that we haven't updated yet. We've got our backups drive over here, and we've got our client OS drive.

So the client drive we have 10.4 client installed on. And now we want to move these files that Schoun was talking about over there, and we just want to make sure that it is set up the same way this Xserve is. So if it reboots off his script and then comes up, it is ready to go off of that machine. So what we're going to check is just hostconfig.

This is just standard old /etc/hostconfig. ARD is in here, and this is how you can turn ARD agent on and off outside of using Kickstart. This is what ensures it gets it going up at the beginning. So just verify ARDAGENT equals yes. Okay. ARD will start up. Now, something that's not in there is SSH isn't in there anymore because LookupD is now the owner of our SSH processes. So we do need to check our ssh.plist, and that's in /System/Library/LaunchDaemons/ssh.plist. And the easy way to tell if it's enabled or not is if it's enabled, it doesn't say it's disabled. On a machine that's disabled, at the top you'll have a Disabled is true key. When you enable SSH in the System Preferences Sharing panel, what it does is it just takes out that key.

A lot of the LaunchDaemons and a lot of launchd functions in this way. It doesn't usually set Disabled to false. It usually just removes the key through the System Preferences that Apple has. So now that we've verified that SSH is going to start up, and you can see it's on Volumes/Client/System so we know where it is, we need to copy over our SSH preferences file, and this is the file that controls our Ethernet and our IP interfacing. So we're just going to copy it from the OS X Server to the same place in the client.

Okay, so it's copied over, but we need to make sure of a couple things. When we're running our OS X server here, we are running our own DNS server, and it's looking at ourselves for DNS. And we boot off of the client, it's not going to do that. So you need to make sure you come in and edit that plist file. And yes, I know, Pico. If you want to come in and edit this file, and it's pretty easy to do, you're just going to remove the search domain and the DNS server.

And then we just save out our changes. And then we're all ready to go there with our config files. The next thing we need to do is boot up off the client and make an image of this, which we're not going to do all the booting and imaging because it would take so long. You can use hdiutil if you like to use hdiutil, which is very nice. And you can also just use Disk Utility. When you make this image, you just file a new image from folder, which moved.

And I would probably actually use hdiutil to do this so I can make it directly to a sparse image, and that way it always can grow to expand to fit the size of what we need to do. And I never have to go in later and resize the image, which is just kind of a pain.

In doing this, it allows you to literally have remote control over that Xserve. You literally don't need to go to that machine unless you have a hardware failure. You've set it up, there are a couple other scripts, and we actually are going to post some of the scripts. They'll be on AFP548 in the coming weeks.

So where are we? We decided on an installation method. Do we just want to do a nuke and install and just type in everything again? That's fine. Do we want to do a migration in place? What do we want to do? Did we back up our current server? Yep, we backed it up. Before we go any further, there are some rules.

I've seen the lists. It's explained over and over and over, but somehow some people slip through the cracks. Never update a production server. So, we'll get serious. Back up, number one. Number two, get all your service configuration files that you've touched. If you've tweaked the AFP property list, the plist file, go grab it out of Library/Preferences. If you've tweaked the sshd_config file, go get it in /etc. If you've tweaked the SMB configuration file, go grab it. Go grab the configuration file for the daemons and the services that you're running. Back them up.

In fact, if you want to be good about it, just tar it private. Take private, tar it up, zip it off, you've got most of what you need, and you can go back and get it later. I would also grab, and it's not up here on the slide, I would also grab library preferences for the AFP list and a few others.

Use FileMerge, Apple's great developer tool, or diff. After you've done an upgrade and certain things aren't working, why? Why aren't they working? Use FileMerge to compare the files. Oh, here's my SMB config file beforehand, here's my SMB config file after the upgrade. What happened? Okay? So, some homegrown config files may have been fixed by the upgrade.

By that we mean sometimes if you put some lines in there, DNS, and you do the upgrade, those lines may have been altered a little bit or taken out. So FileMerge is a great way to say here's the way it was before, here's the way it's going to be now. Let's go ahead and take a look at this and see what lines we need to put back in. And as a prelude to that, poor DNS hygiene will be dealt with harshly in Tiger. Gotta have DNS ready.

More rules. System admin tools. Put them on the client. Do it right ahead of time. And understand the role of launchd. launchd changes things significantly for certain services. So you need to understand what launchd is going to do and how it's going to affect some of the configuration files and some of the custom configurations that you've done. And you're going to need to go in there.

Hey, I've got an ssh.plist now, just like Josh showed you earlier. Before it was in the sshd_config file. Oh my gosh. Not a problem. The launchd plists are named accordingly, according to service. Go in there, take a look at what you've got, take a look at Apple's upgrade documentation, and make sure your services are migrated properly.

Configuration files in Panther, some of them are binary. You can still use Property List Editor to edit these files. However, if you feel more comfortable, you might want to use plutil. You can use the line we have right here. How many of you have already used plutil? Okay, so it's not a bad tool to use.

You can still use Property List Editor if you choose to do so. However, I would recommend that you use plutil, migrate the file to another location, open it up in Property List Editor, and then you can use plutil to edit these files. So, if you want to use Property List Editor, do a diff, use FileMerge, do whatever you want, make your changes, send it back.

So the installation itself. Clean installs follow a set path. An in-place upgrade follows a much shorter path than a clean install. Clean install, we just walked through the screens. An in-place upgrade allows you to do certain things and other things it takes for granted. We want to talk about some of those. An in-place upgrade, it requires the walkthrough of just a few screens. Obviously you do need to have a new serial number.

Keyboard layout, serial number, administrator name. Probably not a good idea to change the administrator name at this point. The computer names you can change inside the preferences.plist. Networking information you can change if you so desire. Directory usage, we'll look at that in just a minute. Any of the services that you want to turn on or turn off.

When you upgrade and find the time, right? And then you get a restart. So if you're doing this, save a copy of the plist file. If you already have an existing LDAP server, it's best to save that copy back to an existing LDAP server. And we're going to talk about that just a little bit in the demo here, because what we're talking about is, if you already have a Mac OS X Server, especially an LDAP server in place, when you go to install another server, as long as you're bound to that initial LDAP server, you can save all your configuration files on the LDAP server.

You don't need to save them on a USB disk or a FireWire drive or an iPod shuffle. You can do that, but you can also save them back to the LDAP server, which, in the case of many, many servers, is actually a pretty good idea. Okay, so I'm going to turn it over to Josh for a demo, and we're going on machine number two. And we're still on one. So go back to number one, please.

So we now have booted up off of our Tiger Server CD or DVD, which Apple mercifully thought to send both of them to you in your maintenance kits, in case you didn't have an Xserve with a DVD drive. So congratulations to Apple on doing that. I think that was a very good decision. So we've booted up, and we've come up to our server installer screen now. And we're just going to kind of step through the boxes here.

And it's pretty basic. It's pretty much the same as you've seen before. 10.4 has some nice utilities menu here now. They've added a lot more utilities that you can run right off of the installer CD. Before, remember, we had nothing, and then we had startup disk, and if you were on a server, you had terminal, and now there's all kinds of stuff you can get to from here. These are important utilities generally to aid you in doing an upgrade. So, but we're just going to go through the boxes and get it going. Of course, we will read the entire license agreement.

accept it, because yes, I read the whole thing. We will go where we're going to install it. Under options, we've got upgrade and erase and install. There is no archive install on OS X server, and it's mainly because there's preference files everywhere, and you would never catch all of them. So we don't have that option here. So it's either upgrade or erase and install. In this case, we're doing an upgrade.

And then at that point we could customize if we needed to. Notice that we can't deselect languages if they're already installed, because they're installed and it's just gonna go right ahead and upgrade this stuff. We can go through and trim down some of that 1.2 gigabytes of printer drivers, if we don't need all 1.2 gigabytes of printer drivers. And X11, which you can then install. I like to have X on my machines. So, at this point we do need to switch over to number two, because just like Julia Child, it's ready to come out of the oven.

So I should say, we have the service that we have up here have 15,000 users. They all have open directory passwords. About 3,000 of them have home folders. Doing an in-place upgrade like this will take about 25 minutes. Now that's to install the software. What Josh has done, we have installed the software on demo machine number two, the machine is rebooted, and we're now up to the welcome screen. So I wanted to give you a little bit of idea of how many users we have on these machines.

Josh Wisenbaker: Yeah, these machines we do have a fair amount of stuff to migrate on. So it's rebooted, it's installed and copied all the files. And OS X Server, of course, stops at the secondary screen after it's done copying files so that we can go and set it up.

Excuse me. Choose our language, and then immediately check our serial number, which now we have the option of site licensing on the servers as well, which is very nice to have, especially if you start doing things like putting config records in LDAP. So if I can type this whole number in here. Okay. I'll talk while he's typing. Don't worry about writing it down. It's from the developer site. You're developers. It will expire. You can go get it yourself if you like.

And then we can click through here and go through all of our stuff. Go ahead and put the password back in. You can go ahead and explain that if you want. Right. And it's probably a good idea not to change the password simply because the KDC principle for the user has probably already been created if you've created a master.

And the password server is already set up. So it's probably not a good idea to change the password at this point. And I would leave all your network settings and such like this alone because we're updating in place. So we want to maintain the same configuration we had before. We're not going to change anything.

Turn off FireWire. Yeah, that's what I'm going to go do. Here we go. Set Directory Usage to no change and look, it's grayed out. There's not even an option. Apple File Services is the only thing enabled. I typically, on a new install, would not check these boxes because it starts up unsecured services on your machine, and I don't like doing that. Our time zone. Network time. Date and time. Now, go ahead and hit Save As.

If we were connected to another LDAP server and we were bound to that LDAP server under a directory node, we would actually see that LDAP server offered. We could save the configuration record in the config records of that parent LDAP server, so we wouldn't have to retrieve it at a later date. If this machine is rebooted and a clean, fresh, unconfigured install goes to this machine, it will automatically find that record, reconfigure itself, and reboot.

Apple put this in, and this is sort of a sleeping giant. It's an incredibly efficient way if you have several machines and you need to reboot them quickly with clean versions of the OS to be able to do that. So it's very, very useful. We're just going to go ahead and save it as a configuration file. It'll show up with the MAC address as the file. So go ahead and click configuration file. We're not going to put it encrypted, and if we do that, we can save it anywhere we'd like to. And it's just a standard plist file? Yep.

When we're done, we just click Apply, and it starts going along. So, one of the things when you do an in-place upgrade that you'll see that's a little scary, and I don't know if we'll get to it here, is your LDAP records. And anytime you see the word LDAP on the screen and you're not really in control of your server, you might get a little queasy, right? So not really to worry. It's actually taking and upgrading your server. Everything's being taken care of. So let's go ahead and while this is working, we're going to go back to the slides.

And we want to talk about some of the service updates. Are there any major service updates in this upgrade that are going to affect some of my services? So, directory services, security, file sharing, web and mail, and we need to talk about these. So directory services. So if I do an upgrade in place, what changes are going to be shown in NetInfo? What changes to LDAP? And what about binding? What takes place? NetInfo is still around in both Tiger Client and Tiger Server. NFS mounts, you still go ahead and throw them in there.

There are just some mild local user changes if you're used to rooting around in NetInfo or using dscl. And you want to go in and check your config records, because the DHCP information is in there. We're going to talk about that a little bit later. And also some basic lookupd information has been thrown into NetInfo. LDAP. As of 10.3.9, we have some additional schema.

Of course, that's going to be there when we upgrade to the server as well. And binding. If the server is bound to another directory service, it's probably a good idea to unbind to that directory service before you do the upgrade. Okay? All right. Josh? Okay. So now if we can switch over to machine number three.

So now we've finished our upgrade in place. Everything went perfectly smooth, and we've now got a machine booted up into Tiger Server. So there are a couple things that I can just take a look around here and show you, and one is that we still do use the local NetInfo database for some things. And in here we can take a look mainly at DHCP configuration records, if we had any subnets defined, make sure those came over properly. Take a look at the lookupd records, make sure that these are still what they should be.

A new feature that everyone just really is happy about, me included, is the new info tab for user information in our LDAP databases. You'll see 99 in there on all your users. That's just that default placeholder that we used to put in there. Anyone ever point address book at their open directory server before, hoping they'd get all this information about users, and everyone had the last name of 99? Well, there it is, and now you can go take it out and put in the correct user information. So you can go through there and configure all your users and fill in this information, and then address book on Macs will just automatically pick that info out.

The other thing we'd have to do is if we were bound to Active Directory, other directory services, you probably want to unbind from those services before you perform an upgrade. And in that case, you would want to come into Directory Access and make sure... Make sure that you come back and set up any custom directory services that you had in there. With 10.3, we really didn't want to hook in a master into an AD domain, but with 10.4 now, Eric is saying that that's good to go. We'll take Eric's word for it. Yeah. So, back to you, Schoun.

So, don't want you to miss that, security. So, when we upgrade in place, OpenSSL, what did Apple do here? What about the KDC? Did they make any significant GUI changes that we need to talk about? Again, we've got Open Directory with respect to security. What about the firewall? And what about VPN? So, what information do we have here? SSL, we can use the certificate manager, actually. In the server admin, you can also use the self-signed certificates and some of the other certificates inside the keychain. You can find those in there. You can still import older certificates if you have them laying around.

The KDC. Kerberos, the GUI for Kerberos is nice and shiny and metal and new and clean, and there's a nice little option in there to allow you to use the GUI to edit the edu.mit.kerberos file. And we're going to do a demo of it in here in just a little bit, but it's really, really useful. It's one of those sleeper things that's kind of hidden. So you can use that to edit your realms in place. Very, very useful.

And that, by the way, works on both server and client. Open Directory, you have secure binding. You can turn off certain authentication methods. Previously, this was only available with NeST, using NeST to get the protocols and set the protocols and turn these off. So you have the ability to do that now as well.

And the firewall. The firewall, still ipfw. There are still two files inside of /etc/ipfilter. One of them, ipfw.conf.apple, that's maintained by the GUI. The other one, ipfw.conf, that can contain additional rules. For those of you that like to hand crank that file, that's fine. Just make sure the GUI doesn't inadvertently override or conflict with some of the rules that you have.

Pick one, pick the other, do them both if you want to. Just make sure that your firewall rules are set and clear in both files, and know that both files exist. You can still do ipfw from the command line if you want. Reboot's going to wipe that out unless you put up a startup item in there. And if you're upgrading in place and you have older firewall rules, those firewall rules will now migrate over. And you will actually see them listed as another set of firewall rules.

And finally, VPN. It's now Kerberos for your enjoyment. That's great. Love that. Okay. And you can now use racoon. They've enabled it. You can use the SSL cert. So whether or not you want to use Kerberos certificate, it's up to you. VPN has been upgraded as well. We just want to show you some of these services.

Okay. So back on three again, and we're going to take a look at some of the things we just saw there. And the first one is the new cert manager that's in server admin. Apple really didn't have a good way to access this stuff before. And when you upgrade to a master, it's going to go ahead and generate a default cert.

It's not the greatest cert in the world, but if you're just looking for SSL internally on your network, it does actually work. You can use this cert for mail and web and iChat server and such like that. Okay. So also new here is Open Directory has gained a lot of policies that we can put on things.

So we've got a few more policies in here as far as just general password policies go for rotation and complexity. Under binding, we now have a new thing in OS X for server that you'll have to think about. And this is just like, you know, has anyone bound a Mac to an Active Directory domain or PC Active Directory domain? And it does this, checks with it, and it binds and creates a computer record and all that stuff.

Well, all that's about two-way trusted binding. The server authenticates the client, the client authenticates the server, everybody is happy, everyone has proved they are who they are. And we can do that now in OS X. So by default, it's checked to enable it but not require it. You can require it. You also have some other things you can check.

You can disable clear text passwords. You can sign or encrypt all your data protocol, your LDAP packets using Kerberos or S3. You can block man in the middle packets where it tags each packet and then checks to make sure that when you get it on the other end, it's actually who it's from.

Is everyone excited about having NTLMv2 in OS X Server and OS X now? Now we've got a nice little box here so we can turn things on and off. If you don't need APOP and you don't need WebDAV, turn them off because as it says, it's recoverable. So if there's an issue where you need to have these different protocols, you can turn them on, but it's nice to not have to go hit NeST just to turn off the hashes that you don't want to keep on your system.

If we look at Kerberos now, this is the same basic little panel they always had, but they've now got this nice thing under edit, and you can actually edit your realms. Here you can see our default OS X realm that was set up. We can see the servers that are in it because we haven't set up any services on this machine yet.

We can see our different DNS domains. We can configure additional realms automatically using the DNS records that we get out of our service records. There isn't a duplicate button, so if you wanted to make a new one, you just make a new one and then kind of copy the other settings you had to get it set up correctly.

Let's go back to the slides. There we go. All right. File sharing, somewhat short and sweet up to this point. Link aggregation is there for the update. Obviously, you must have hardware to support that. You do have the AFP config or the com.apple.applefileserver.plist file that you've made a backup of before. So if you tweak that file a little bit, and you've made some changes, again, you just may want to check the Kerberos auth key inside that file.

Fun new authentication methods: Kerberos, NTLMv2, which Josh already talked about. As previously noted in other sessions, it can become a primary domain controller, and this version can also become a backup domain controller. However, as was also stated, it can only be a backup domain controller of itself, or of another Samba primary domain controller. SMB SharePoints will still write to the NetInfo database, and this is an important thing that a lot of people get tripped up on. It's not so much in the upgrade, but it's still there, and so you still want to look for that.

If you hand edit the SMB configuration file, please be aware that inside the config record of NetInfo, it also stores some SharePoint configuration information for both AFP and SMB. In certain circumstances, the NetInfo will be stored in the configuration file. The NetInfo database may overwrite the SMB config file.

So it's very, very important that you take a look at both your SMB config file and the NetInfo database inside the config records inside the SharePoints to make sure that what you're seeing is exactly what you need to do. There is a command line tool that allows you to set up the SharePoints called Sharing. You can still get in there and do that. Doing it in the GUI writes to both places, so just double check your work.

FTP is not handled by xinetd. Some changes there. And if you want a Kerberos connection, the URL is here. You can actually go and download the Kerberos extras from the MIT site. Use Fetch. New version just came out, I think, earlier this week or late last week. Web and Mail. Apache, you get some new modules after you update. Obviously, there are some updated modules, and you get some of the newer modules.

If you've customized not so much your websites, but the HTTPD configuration file itself, you should do a diff, or you should use file merge to take a look at the file before and after. Right? Certificates, reimport the certs. If you have any other customized changes, make sure you take a look at them. Of course, we have the web log there.

And you do have the migration tool after you've done an in-place upgrade. Inside of Server Setup Migration Extras, you have a migration tool that Apple has provided to help you in your migration from Panther to Tiger with Apache. Mail, same thing. Make sure you back up your main.cf and your master.cf files. If you've tarred up private, you've pretty much covered yourself. Make sure the mail database is sort of backed up, as with any platform, not just Apple. And again, the command line can be found inside the migration guide to upgrade the database.

You might have a newer version of ClamAV or SpamAssassin, or you may have some other configuration or customization of the mail server. Now that Apple provides this, you have to make a decision, do I want to continue using the GUI, or do I want to continue doing it from the command line and doing my own custom configuration? Custom configuration is fine, that's what Unix is here, that's what OS X is all about.

However, again, sometimes you get in the GUI and it may overwrite some of what you've done, so you need to be a little careful. For those of you still running 10.1 and 10.2 mail servers, migration steps are included as well, and I should mention that we now have a GUI button for Reconstruct.

DNS. If you've done manual configuration of your DNS files, chances are everything will go great. It depends on the lines that you're using for bind. If you've done CLI edits, you should probably use the server admin command line to start and stop DNS if you need to. And if you're using DNS for the first time, you get reverse records that are automatically created. So in your entire setup, if you forgot that little checkbox, it's now done for you. So the DNS interface has been changed a little bit, and that's a good thing.

Right? Next up, DHCP. No more Googling for what you need to do to map MAC addresses to IP addresses. It often shows up: "Hey, how do I..." Blurt, blurt, blurt. Well, you know what? Take that, pop it in Safari, Google for it, I bet you might find it. So, you don't have to do that anymore. Apple put the GUI in. Now you have MAC address mapping, so you can map IP addresses to MAC addresses. You got to give it up for Apple for this.

The information is stored in the local NetInfo database, so if you really want to hand edit these files, you could do that. And as an aside, you could do this in a limited fashion with Panther. Did anyone know this? In the GUI. You could turn on the NetBoot filtering.

And when you turned on the Netboot filtering, you could say only allow Netboot over these addresses or deny Netboot over these addresses. It actually wrote the DHCP config record. You just didn't turn on the Netboot service. So you could do it in Panther, but they've made it a lot easier in Tiger. So that's a really, really good thing.

And then we have the Gateway Setup Assistant. If you're setting up Mac OS X Server, you have an Xserve, you have both Ethernet jacks active, one live, one internal. And you need a quick and dirty setup. You've got to get these things running. DHCP, NAT, VPN, firewall, you're set to go.

We have some additional services, obviously, that weren't available in Panther. We're not going to speak to those here. Those are obviously spoken to in other sessions, but the Xgrid controller and Jabber. So we want to talk about some of these, do a little demo, a little run through.

Okay. Back on three again, please. And I will come to Apple's defense a little bit on the KB, which I do every now and then. They do have a fairly nice KB article on how to do MAC address mapping with DHCP through NetInfo Manager, although it's now so much easier to browse for the machine and pick it and click, I want this machine to be called this. So it is a nice improvement.

So what we're going to look at here very briefly is the Gateway Setup Assistant. And the Gateway Setup Assistant has probably the least often used. It's the most used icon in the OS X's family, and that's the little tuxedo guy here. There's a dry cleaner in Raleigh North Carolina that has that on their sign out front, actually. So we can come through here and we can configure our server. Let me log in.

and it's going to go through and it takes a look at everything. And this is a nice way to quickly set up, like Schoun said, that gateway Mac into there. We tell it which one is connected to the internet. We then pick how we're going to want to share. We can share on one or multiples.

Obviously, you're not going to have AirPort in an Xserve, but this is a PowerBook, so it does. G5 desktop machines could have AirPort. FireWire is always there as an option for doing your networking as well. VPN settings. You can set up a VPN server. We'll give it an easy secret. All right. I'll hand that out to my users.

And then we can click Apply and it will go and set everything up. Don't run this if you've already set up your server, because it goes through and rewrites all your configuration files for whatever you've just told it to do. So you can look at it, you can click the More Info button and things like that, but I wouldn't turn it on. It also automatically configures the firewall.

and just allows all traffic on the internal network, but it blocks most incoming stuff from the outside. So remember, if you're going to then turn on a mail server or something like that, or need to direct ports inside your network, you'll need to go and set that up after you're done with that as well. Back to Schoun.

So where are we? Well, regardless of where you did your upgrade path, regardless of what went on, we talked about customized configuration files, and we need those customized configuration files, and we had to take care of that. We have more Kerberized services, so we have more Kerberized principals that we need to deal with inside the KDC principal database. You handled each service and you tested it and you made sure it worked.

And you may have gained some GUI help along the way, like the setup assistant, or you may have done it via the command line and hand cranked them out. Now, all we have left is user data. No problem. Let's talk about our upgrade in place scenarios. What do we need to do? What scenarios do we have? We have Jaguar to Tiger Local. We have Panther Local to Tiger Local. We have Panther Master to Tiger Master.

If we have a Jaguar local, we have a local net info database, we may have shadow hash passwords, we may have crypt passwords. We're going on one scenario. Upon the upgrade, you may want to change the password. Reset it. A Jaguar parent. If password server has been used, it's a good idea to force the password change for all the users.

Panther Local to Tiger Local. In Panther Local to Tiger Local, all users have a password server password. Password server is there at the get-go in Panther, whether it's a local or a master. And you need to remind yourself, did I use NeST to turn off certain protocols? Maybe I turned off WebDAV, maybe I turned off APOP. What did I turn off? And I probably, after the upgrade, should go back into the nice GUI that we have inside Server Admin and Open Directory and just double check that some of these protocols are again turned off.

Panther Local to Tiger Local. It is important to understand after the upgrade if you're running a local Tiger Server, new users that you create will not have a password server password. They will have a shadow hash password. Okay? Now, it might be best if you want everything uniform to change everything to the same password type. Okay? Is this a bad thing? Absolutely not.

Password policies now apply to the ShadowHash passwords. This is an excellent way because Tiger Server really doesn't need to run password server in a local method. So now the password server CPU overhead, you have another additional service that you really don't need running at that point. So you have these ShadowHash passwords and you can certainly use them. You can certainly apply the policies to them. So what about a Panther Master to a Tiger Master? During the upgrade in place, it's really not a good idea to change the password.

Remember, Josh showed you that, you really can't change the directory usage. And the migration of the LDAP data takes place during the initial configuration. It's done for you. If you have your own customized schema changes, those may be remapped. A lot of people went out and did customized schema changes that mirror what Apple did automatically in Tiger.

So it's a good idea if you already did some of what they did in Tiger, you should probably go back and take a look after the upgrade. If you've done any sort of root DN changes, those may have been changed as well. It depends on how customized you made your configuration. And again, when you upgrade, if you had an edu.mit.Kerberos file that you made manual changes to, that file may have been overwritten. So if you're doing any sort of cross-realm authentication or anything else, you may want to go back and check that file.

You do want to take advantage of all the new features when you do an upgrade. If you have legacy groups, there is a legacy group GUI upgrade path that you can follow. Use Workgroup Manager to perform this process. And if you had a Panther Master that was not a KDC for some reason, you can use slapconfig with the kerberize flag to actually hand crank the KDC.

So an upgrade in place master synopsis. The passwords are still in the password server database. The KDC principal database still retains all the user principals, everything else you need. Real world, what did you do? You did slapcat or ldapsearch to suck out your configuration records into a file, if you didn't already have a full backup somewhere else. You do another ldapsearch to extract the records, or slapcat to extract the records after.

Use File Merge, use Diff to see if any of your customized configuration changes were ever written, what took place. Don't be afraid to extract these records and take a look at what's in there. This is probably the best way to ensure a smooth, in-place upgrade. But how do we do that? Well, what if I don't want to do an upgrade in place? I don't want to.

What if I want to do a clean install, and I want to pull the stuff back in? Huh? What if I want to do it that way? Now what do I do? What sort of combinations should we be aware of when we're doing this? Well, Jaguar Server Local, if you've made edits to the NetInfo database. Jaguar Server Parent, you have a parent NetInfo database, right? You did have the option to use the password server, but there was no KDC. So you had to extract the users out of the NetInfo database. You use nidump for this.

Migration with user databases and password server. Password server, you had a local net info database with password server. Zip up the password server, copy it, do whatever you want. You can use, we actually use the command line here in just a little bit with mkpassdb, that's fine. And with a master, what do you need to migrate? The KDC records, you need to migrate the password server records, you need to migrate the LDAP database.

Okay? So, what should we do with regard to the user records in the user database? How do we extract these records? How do we pull them back in? What about the password server passwords? What about the user principals? How do we get this done? Well, one option is to use slapcat. We have LDIF up here. Or ldapsearch, sorry. And we do a clean install and then we re-import the user records.

If you have groups where you have changed the default group ID, and we've seen this actually in a couple upgrades, the group membership shows up as unknown in certain cases. So if you have cases where the group ID has been customized, you may want to go back in and do a chown recursive and re-associate the group memberships. Exporting passwords, mkpassdb. Suck them out.

Okay? Kerberos database, kdb5_util. Suck 'em out. If it's a local, it doesn't have a KDC. You don't have to worry about that stuff. When you do this, depending on how customized your schema was, you may not get all the new stuff if you suck stuff out and you want to pull it back in.

What about importing it? Now we've got it out, now we've tarred it up, now what do we do? Well, when we set up the new Tiger Server, it's a good idea to use the same administrator name, same long name, same short name, same password. It's social engineering. That way you don't have to deal with anything new. Use ldapadd to suck the database back in. Password server, use mkpassdb with merge.

And you can use load. Load is up here for kdb5_util. However, you might want to take a look at that database along with your brand new Tiger database because you really don't want to pull in service principals that now exist inside the Tiger Server database. So you want to do a load after you've taken a look at both databases and merged both databases. It's actually pretty important. So go ahead and reboot. So Josh is going to show you in this demo.

How to suck the information out. Go back to machine number one, please. So we're going to suck out this information, and I should point out that you need to keep this information secure. Don't leave it on a machine. Don't copy it with FTP. Don't email it to yourself.

Keep this really secure, because this is all your user records and all your database and everything else. It's something that you're going to want to stick out on a thumb drive, unplug it from that computer, carry it to the other computer, suck it in on the other machine or after you've wiped and reinstalled, and then either make sure that you destroy the data or you make sure you archive it safely.

10.4 does this automatic backup feature, which is so nifty, you almost fall down when you see it, and where it actually archives, it generates a history on encrypted disk images of all of this same stuff automatically, and you can go back to any point in time with your OD system.

So what we're going to look at here is just the three commands that Schoun had on his slides and how to get this information out of there. We've got our backup volume mounted, so we can pretend this is a thumb drive and we're going to yank it out. And the first one is just using ldapsearch. We tell it the host name. We tell it our search base, what class we want to take out, and where we want to put it.

We've got a lot of users on this machine, so it should take just a second to run, and it will generate a fairly large LDIF file, although not gigantic. So when it's done, we're going to go ahead and run it. And then when it's done, I'll show you where the file is, which looks like an address book file.

An address book would love to open it, but if an address book opens a file of this size, it'll just fall down and roll underneath the couch. So probably wouldn't want to do that. So that's finished now, and if we take a look where we said, there it is. And let's see, it's 20 megs, so not too bad.

The next thing we want to do is we want to dump out our password server. And we do this using the mkpassdb command, and this will allow us to dump this out. And it takes out all of our authorization records. Now, this one's a little bit different in that it doesn't go to a single file. It actually exports three different files. So we need to tell it a directory instead of just a file to output to. This one does require sudo to run.

And it's going to run. You can just see that it's just copying out information. And in a minute, it'll get finished up. There we go. And then we can take a look over on our backups volume and in our folder. And there we have our authentication records have been backed up as well.

10.2 and 10.3 have really nice Kerberos support in them, so we want to make sure we back up all these principals as well. We don't want to have to go and try to remake all this by hand. So we can use kdb5_util to dump this information out.

Again, this is all very critical, sensitive information that you want to keep backed up. Again, it's sudo. I'm still within my window, so I don't have to authenticate again. And now I can see that I've successfully dumped out my KDC records as well. And this is all my service and user principals have been backed up. Back to you, Schoun.
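The three exports from the demo, collected into one script as an added example that is not part of the session transcript and not Apple's own tooling. It puts the dumps in a directory only root can read and writes a checksum manifest, so the copy can be checked for truncation or tampering after it has been carried to the new machine on removable media, which is the handling the demo asks for. The host name, search base and export path are placeholders, and the exact mkpassdb backup flag is an assumption taken from the demo's description; confirm it against `man mkpassdb` on the server.

```shell
#!/bin/sh
# Added example, not code from the session or from Apple: collect the three
# Open Directory exports shown in the demo (LDAP records, Password Server
# database, KDC principals) into a directory only root can read, and record
# checksums so the copy can be verified after it is carried to the new server.
# LDAP_HOST, SEARCH_BASE and the export path are placeholders. The mkpassdb
# flag is an assumption; confirm it against `man mkpassdb` before relying on it.
set -eu

LDAP_HOST="${LDAP_HOST:-odmaster.example.com}"   # placeholder host
SEARCH_BASE="${SEARCH_BASE:-dc=example,dc=com}"  # placeholder search base

# Create the export directory with mode 700 and leave a restrictive umask in
# place so nothing written afterwards is group- or world-readable.
prepare_export_dir() {   # prepare_export_dir <directory>
    umask 077
    mkdir -p "$1"
    chmod 700 "$1"
    printf '%s\n' "$1"
}

# Run one export step only when its tool is installed; otherwise report the
# gap, so a missing tool never looks like a successful backup.
run_step() {             # run_step <tool> <command...>
    tool="$1"; shift
    if command -v "$tool" >/dev/null 2>&1; then
        "$@"
        printf 'ok      %s\n' "$tool"
    else
        printf 'skipped %s (not installed on this host)\n' "$tool"
    fi
}

# Record a POSIX cksum for every exported file, so the operator can tell a
# complete copy from a truncated or altered one before importing it.
write_manifest() {       # write_manifest <directory>
    ( cd "$1" && find . -type f ! -name MANIFEST -exec cksum {} + | sort ) > "$1/MANIFEST"
    chmod 600 "$1/MANIFEST"
    printf '%s\n' "$1/MANIFEST"
}

# Returns 0 when every file still matches the manifest, 1 otherwise.
verify_manifest() {      # verify_manifest <directory>
    expected="$(sort "$1/MANIFEST")"
    actual="$(cd "$1" && find . -type f ! -name MANIFEST -exec cksum {} + | sort)"
    [ "$expected" = "$actual" ]
}

export_all() {           # export_all <directory>   (run with sudo)
    dir="$(prepare_export_dir "$1")"
    # 1. User records as LDIF; repeat with cn=computers for computer records.
    run_step ldapsearch sh -c "ldapsearch -x -LLL -H 'ldap://$LDAP_HOST' \
        -b 'cn=users,$SEARCH_BASE' '(objectClass=apple-user)' > '$dir/users.ldif'"
    # 2. Password Server database: several files, so the target is a directory
    #    (flag assumed from the demo's description; verify with `man mkpassdb`).
    run_step mkpassdb mkpassdb -backupdb "$dir/passwordserver"
    # 3. KDC principal database via MIT kdb5_util, as shipped on Tiger Server.
    run_step kdb5_util kdb5_util dump "$dir/kdc.dump"
    write_manifest "$dir" >/dev/null
    printf 'export written to %s\n' "$dir"
}

# Usage: sudo sh od-export.sh /Volumes/Backup/od-export
if [ $# -ge 1 ]; then
    export_all "$1"
fi
```

On the receiving side, run `verify_manifest` against the copied directory before `ldapadd`, `mkpassdb -mergedb` and `kdb5_util load`; a mismatch means the copy is incomplete or was altered in transit, and the KDC dump in particular should be compared against the new server's own principals before loading, as the slides note.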

So what about replicas? Toast them. They're replicas. Get rid of them, take them out of the record of your Tiger or your upgrade, and move them over. What about home directories? Zip 'em up, copy 'em over. If you're copying 'em over and you're not doing an upgrade in place, unzip 'em and don't worry about it. As long as the UIDs match, you should be okay. It's when you get into the customized UIDs, it might be a little different. So where are we? NetInfo.

We know that NetInfo contains some additional user records. If we're going from Jaguar or doing something else kind of funky like that, that's fine, but we can use nidump to actually extract the records. What about LDAP? What do we need to worry about? We need to extract those user records. We didn't talk about computer records, but it's the same thing. We just do an ldapsearch with a different OU to pick up what we need. The password server database is as simple as copying it and backing it up.

The KDC, back it up, and the home directories move over. What are your challenges? What are you going to face? During the Q&A, what are we going to hear? "My SSH service died, and I couldn't log in." Or SMB was doing something really, really strange afterwards, and I couldn't get to it. Things aren't working right. Things aren't resolving right. DNS might be slightly misconfigured. I had to open a book a little bit and learn about LDAP. Don't worry, that's good for you.

As we wrap up, upgrading is and has always been no matter what platform, it is not an error-free process. Planning and testing are the best defense you have. If you can do so, the upgrade in place is great. Apple has made some great tools to allow the upgrade in place to occur. It works really, really well.

If you've taken your server and you've customized those configuration files and you've tweaked the schema, you just need to check along the way, did it overwrite? Did it change? The related sessions that we have, so you can look at them a little bit later, the Mac OS X server overview, the feedback forum, which was excellent today, leveraging the power of ACLs, managing clients in the enterprise. Integrating Mac OS X into a heterogeneous environment. Monitoring your system with ARD and open source tools. Enterprise messaging solutions, network authentication, real-world desktop management practices, and building automator actions.

For more information, obviously, the documentation, the sample code, everything else, developer.apple.com/wwdc2005. Here are some URLs. I would highly recommend that you do the first one. The migration guide, download it, read it. Tiger Server documentation PDFs. Best thing in the world, suck them all in, use one of the free resource tools to combine them together, change ownership back to preview or spotlight, and now you have a nice searchable database.

It's about 22 meg, you can leave it on your drive. It's a great way to do it. AFP548.com goes without saying. Apple has certification classes in Directory Services and other classes that are available. The Mac OS X Server listserv and discussions, the discussion groups at Apple. Who to contact? You can contact these people for more information. And I think Jason?