Apples just work?

Posted on August 11, 2008 at 12:12 pm by Jason Lee

Apple’s claim: “It just works…” but when it doesn’t the support is HORRIBLE!

Last week we decided to re-format a PowerPC G5 to replace the current OS (10.3) with the new Image we created and integrate this G5 into AD.

When we tried to boot the G5 from the NetInstall service the big globe came up, then the smaller globe, but then it went to a window that read: “You need to restart your computer. Hold down the Power button for several seconds or press the restart button.” After the restart the same error displayed.  I checked the image server and all the services appeared to be working correctly, so I contacted AppleCare Tech support.

I have learned how to get thru to enterprise support on the AppleCare voice prompts by saying “OS X Server”.  After waiting on hold for about 15 minutes I was greeted by the technician and gave the appropriate information and then told him about my problem.  The tech instructed me to try booting from the CD to try installing the OS from the CD, which I did, and the install prompts displayed.  So I asked the tech how we could fix the issue with the NetInstall Image not working, and the following conversation was worth noting:

Todd: You need to install from the CD since there was an issue with the NetInstall. 

Me: I have used the NetInstall before and it worked well, what can we do to troubleshoot the NetInstall/NetBoot service so we can use our PowerPC image with applications and drivers already configured?

Todd: It isn’t an issue with Apple Server, but your image you created. Are you sure this is an image of a PowerPC?

Me: Yes, it’s a PPC image. The image has worked on several other PPC installs, what is causing it to fail now?

Todd:  I don’t know, but since the installer works from the CD, it is an issue with your Image.

Me: I know it’s an issue with the Image, but what can we do to fix the problem?

Todd: Install from the CD.

Me: (Getting annoyed) But the Image has all the configuration for our machines, and the CD install doesn’t. I really would like to have you help me get the NetBoot service working. Can you not help troubleshoot the image service since…. well, it is part of OSX server?

Todd: The Install from the CD works so you should use that, I don’t know what else to tell you what to try.

Me:  Is there anyone else that can assist me?

Todd: No, but here is my email address if you find any additional information that will help us solve the problem you can email me.

Me: That is ridiculous, and you aren’t able to assist me?

Todd: That is all I can help you with, thank you for calling apple care, I hope we can assist you in the future.

I got off the phone and began ‘googling’ the error message and found this discussion on the apple web site: http://discussions.apple.com/thread.jspa?messageID=7698665. After copying the images to another location, deleting the Share Point, copying the images back and restarting and reconfiguring the service all was well.

Then the best part is getting the support evaluation request from Apple… Are you serious?  I was tempted to ask if they were using the Abbott and Costello “Who’s on First” sketch as a training tool.

Shame on you Apple Support….Yeah Apple Community forums!

Posted in Church IT, OSX Domain Integration | Comments: 3

Mac and Microsoft RDP

Posted on July 30, 2008 at 9:19 am by Jason Lee

With our recent push to better serve our mac users, I have used the Mac on my desk a little more…. I wish I could report that I use it a lot more but that’s just not true. 

I have been using Microsoft’s RDP client for the Mac and it has been working well.  RDP allows me to connect to a windows server while I am also remotely connected to our OSX Leopard server.  The one issue with Mac RDP was not being able to connect to the Windows Server Console… but alas you can.  If you enter the server name /console in the address bar it connects you to the console session of that Windows server.

Just chalk it up to another fact that may be totally useless.

Posted in Church IT, OSX Domain Integration | Comments: 3

Rolling out a Monster Rig

Posted on July 14, 2008 at 8:00 am by Jason Lee

As part of our OSX and AD Integration we are rolling out a new video production rig to our media dept.  This project has definitely been more than just purchasing hardware and dropping it on a desk and walking away, but learning how to serve our Mac users in the process (allowing those users to start to become equal citizens on the network) has been a good adventure.

This new mac is a Quad Core and so far the beast works really well.
The Hardware: Quad Core 3 GHz Mac Pro with 10 GB of memory, Dual 24 inch Dell Displays, Dual SuperDrives, a 250 GB primary volume, a 1 TB scratch disk and a 250 GB TimeMachine Disk, 12×6 Intuos Tablet.
The Software: Final Cut Pro, and Adobe Production Premium.  Beware FCP takes about 6 hours to fully install. (We went with Adobe’s Production Suite even though we don’t use Adobe Premiere since it was MUCH cheaper than purchasing Design Premium and then adding After Effects… Thanks to Nancy at CCB for that little nugget.)

Dave our Media director has been VERY eagerly anticipating the arrival of his new ‘baby’, and we delivered the hardware to his NEW office on Friday… I wish he would show some excitement :) Thanks to our campus services team Dave has a mondo huge keyboard tray that even holds his tablet and keyboard… 

Stop grinning Dave and start cranking out some more cool videos!

Posted in Church IT, OSX Domain Integration | Comments: 2

Cloning the Macs

Posted on June 26, 2008 at 6:00 am by Jason Lee

Don’t think that I am a proponent of making the Macs on our network multiply, but rather of making those on our network look the same… One of the keys to our AD and Mac integration was reducing the time it takes to deploy a Mac on our network.  Earlier this year when I had to reinstall a MacBook Pro it took over 6 hours to install the base software and drivers (items that every user gets) in addition to installing the components that each specific user needs.  Knowing this was taking way too long, I was on a quest to make this less painful.

Enter Apple Server’s System Image Utility… The Image utility allows you to create a base system, prepare it for deployment over the network and distribute it to similar clients (Intel or PPC).  There are two options for creating the image: 1. Pull the image from DVD or 2. Clone an existing machine.  The benefit of creating the image from DVD is a clean, factory-default installation that can deploy fairly quickly over the network… We, however, elected to clone an existing machine.  The clone allows us to add all the base software and drivers and then push that image with the base software already installed to another machine.

How it’s done.

  • Install from DVD on to a machine that is the same vintage of processor as the machines that you plan to deploy the image to.
    • In our case we have both PPC and Intel so we started making an image of each on two separate machines. 
  • After the OSX installer is complete, update the OS from Apple Updates, add the software you want included and set the preferences you would like configured.
    • In our case our base install includes: Mac Office 2008, Canon PS and UFR II Drivers, Disabling the onboard Bluetooth, Disabling the .DS_Store for network volumes, Disable Guest Account Access. (DO NOT INSTALL SYMANTEC BEFORE YOU IMAGE THE MACHINE… for some reason this causes the image to fail)
  • After the base software and drivers are configured, go to Disk Utility and run permissions repair.
  • The image can only be captured while the machine is booted from a volume other than the one where you installed the OS.
    • If the install is on a primary volume, you will have to boot the device in target mode from the Startup Disk System Preferences.
    • If it is installed on a secondary volume you can boot to the primary volume to capture the image.
  • On a machine with the OS X 10.5.3 Server Admin Tools installed (downloaded from  http://www.apple.com/support/downloads/serveradmintools1053.html or off the OS 10.5.3 Server Disk) Start the System Image Utility and it should find the volume you just created and updated.
    • Select the Volume you want to image and choose netinstall and select customize.
    • Add Enable Automated Installation and Create Image to your workflow then configure where you want to save the output files, select an index for each image you will create and choose RUN.
  • After an hour or so the location you selected will have a folder/file ending in .nbi

How to Deploy the image: (Our configuration)

  • Enable the NetBoot service in the Server Admin Console
  • Next Configure the NetBoot Service by going to the settings
    • On the General Tab Enable which device you want Netboot to run on (Ethernet)
    • On the General Tab Select where you want to store the Images (Volume 2 for both Images and Client Data)
  • Copy the .nbi to the location where you told the Netboot service to save the data.  /NetbootServiceLocation/Library/NetBoot/NetBootSP0
  • Next Configure the Images on the Server Admin>Netboot>Settings> Images Tab
    • Enable the Image you would like to NetInstall from.
    • Select the Architecture that you would like to use this volume.
    • Restart the NetBoot Service

 

How to boot the Machine and install the image:

  • While booting the device press the ‘n’ key or select the Network Volume in System Preferences>Startup Disk
  • When the device boots a little world will display and then the machine will indicate that it is recovering a system image.

 

After the Image is restored, the machine will rename itself and add a digit to the end, so you can install this on as many machines as you like at the same time and not worry about the issues you might have without running Sysprep on a Windows machine.  Simply rename the machine in System Preferences>Sharing, changing both the name and the local hostname.

Posted in Church IT, Hardware, OSX Domain Integration | Comments: 3

Symantec AV for Macintosh

Posted on June 12, 2008 at 12:00 pm by Jason Lee

Bringing online our Mac Server continues…. We know that there are very few viruses that are going to harm the OSX machines, but we have still decided to install Symantec for Mac on all our OSX machines.  The primary reason is that the popularity of OSX brings a higher potential for OSX viruses, but there is also the potential for the Macs to be the onramp for harmful files that enter our network and harm the Windows devices.

We downloaded the latest version of Symantec for Mac and the Symantec Admin Console for Mac, which is version 10.2.  The installation process was less than smooth, but that wasn’t the fault of Apple.  Symantec’s Administration installation guide leaves a lot to be desired.  Here are some notes from the install.

We used the Symantec AntiVirus™ 10 for Macintosh® Installation Guide and the downloaded content from the licensing.Symantec.com web site.

The installs for both the Client and Server portions of the software package are fairly straightforward, except the guide is not correct or omits valuable information in several areas (noted with “omitted in guide”). Your mileage may vary, but here is the process we used.

  • Download the .dmg from licensing.Symantec.com
  • Extract the .dmg to the local drive.
  • Install MySQL
    • When installing the Console on a Leopard 10.5.3 Server the instructions state that MySQL should be running by default, it isn’t and from what I have read this was a change from 10.4 to 10.5.  The crazy thing is when MySQL isn’t running the installer proceeds and says completed successfully even when it hasn’t.

To enable and configure MySQL, go to Server Admin and add the MySQL service.  Next you will need to assign the root login a password.  The default is blank, yet Symantec will not work with a blank password.  To change the password go to terminal and run the following command (replacing newpassword with your selection):

mysqladmin -u root -h localhost password "newpassword"

  • Enable php on the local web server
    • You next need to check that php is enabled.  The guide makes no mention of needing to use php but after the console install is complete it takes you to a php page, and well by default the OSX 10.5.3 web server does not have the php module enabled.  You will first need to start the Web Service and then enable php5_module.

To enable this go to Server Admin>Servers>OSX Server>Web. Choose the Settings button and the Modules Tab and scroll down to php5_module and check the ‘enable’ check box.

  • Assign a static IP address to your OSX server if you haven’t already.
  • Run the Symantec Administration Console Installer
    • enter  your admin credentials
    • Name the MySQL database - the default SACM works great
    • Enter the MySQL username: root and the password you set with the command line above.
    • Specify the MySQL database user name the default symadmin works well.
    • enter the credentials you want to use to login to the SAV Console for Mac
    • Choose the Setup Style for the Console, basic works well.
    • enter the host IP address of the OSX server.
    • Enter the Console address and path.  The defaults work well, except for the use of SSL.  On the first install accessing the Console on port 443 didn’t work but worked on port 80.  It isn’t a major issue in my mind to have this console using SSL so we elected to not use SSL.
    • Enter the Multicast address, the default settings worked well.
    • Create the Key Pairs.
      • Note the Key Pairs will be used to authenticate any command you send from the Console to the clients so choose something here that you will remember and is easy to type.
    • Save the Summary if you would like to document the setup and click Finish.
    • A terminal window will open and the commands will run.
    • Once this is complete you may choose “Open Console” and the console should open if MySQL AND php are running correctly.
  • Next you can proceed to install the Client application on those machines you plan to manage with this Console.
  • The Installation guide says all you have to do is install the .pkg file found at /Library/Application Support/Symantec/SMac/Symantec Administration Client.pkg, but this isn’t the whole story. Doing so installs the configuration from your server but doesn’t install the client.  If you are familiar with the Windows version of SAV, when you push out the client you are pushing out the client already configured to check into the server.  This isn’t the case here; you must install the client .pkg AND the client application.  Once both are installed and you reboot the machine it should show up in your console.
  • After the client and the configuration .pkg are installed you next need to configure the scanning schedule, live updates etc., but first you need to decide whether you are going to run a local LiveUpdate server for all your Mac clients to check into for updates, rather than having all your machines checking in with Symantec every time they need updates.

(After having done this for as few clients as we have it might not be worth the effort, but it’s done so I’ll document it.)

  • To configure the LiveUpdate server follow these steps (if not using a local update server proceed to the next step in the list)
    • View the KB article: How to download and install the LiveUpdate Administration Utility for Macintosh and download the Live Update Admin Install Utility.
      • I wasn’t able to extract the .zip utility on a Mac so I downloaded it to a PC, extracted the .zip and copied it to our server.
    • When you install the LiveUpdate Administration tool it creates a directory in /applications/liveupdateadminutility.  In this location are the configuration tool and two other directories: Retrieved Updates and Retrieved Updates Archives.  These are the default locations for the updates to be stored.
    • Since we didn’t want to store the updates on the root volume we created a directory on a second volume called “LiveUpdates” and copied the two directories, Retrieved Updates and Retrieved Updates Archives, to the new location.
      • Just for others’ knowledge, I created a symbolic link from the original location to the new location just in case someone were to follow the documentation and not know where I saved the updates.
    • Next view the KB article: How to configure a Mac OS X Server as an internal LiveUpdate server using HTTP (Web)
      • This KB is really out of order, you first need to decide where you are going to store the updates and note that location.
      • Next go to the directory /library/webserver/documents/  and create a Symbolic Link named LiveUpdate (or what ever subdir path you want to use) pointing to the volume and location where you are saving the updates.
        • Note what you name this Symbolic Link: the name is case sensitive in the URL for your web server.
        • Brian H @ Symantec suggested a ‘better option’ is to save the updates in the /library/webserver/documents/liveupdate directory but that was on the root volume and we wanted the updates saved on the Storage Volume.
      • In step 4 (setting the preferences) you are prompted for the locations where you are saving the updates and the expired updates, respectively; populate the paths with the directories you created.
        • This can be done by dragging the folders that you created on the Storage volume to the terminal window when prompted for the paths.
    • Next View the KB article: How to configure the LiveUpdate Administration Utility for Macintosh
      • Using the default settings for each of these properties works well, except for the time of day that you want the LiveUpdate server to download new updates.
      • Brian H @ Symantec said that SAV for Mac updates are released only each Friday, but we still choose to check daily at an hour that is in the middle of the night.

    • Finally you need to tell the clients at what interval to run a scan and LiveUpdate.  Use the KB Article: How to remotely schedule LiveUpdate and virus scans on Symantec AntiVirus for Macintosh 10.0 clients.
      • Use the symsched version 4.0.1f1 commands.  To set the Scan Interval, where in "-w 1 23:00 /Users" 1 is the day of the week and 23:00 is the time of day:
        #!/bin/sh
        # Weekly virus scan of /Users: day 1 of the week at 23:00
        "/Applications/Symantec Solutions/Symantec Scheduler.app/Contents/Resources/symsched" VirusScan "Weekly Virus Scan" 1 1 -w 1 23:00 /Users
        exit 0
      • To set the LiveUpdate interval, where in "-w 4 19:00" 4 is the day of the week and 19:00 is the time:
        #!/bin/sh
        # Weekly virus definitions update: day 4 of the week at 19:00
        "/Applications/Symantec Solutions/Symantec Scheduler.app/Contents/Resources/symsched" LiveUpdate "Weekly VDefs Update" 1 1 -w 4 19:00 "Virus Definitions" -quiet
        exit 0
  • When we ran the scripts we changed the times to be after Friday night, since tech support told us that most Mac AV updates are released on Fridays of each week.

 

After these steps are complete your Macs are Running Symantec AV.

    Posted in OSX Domain Integration | Comments: 1

    Setup of Apple Software Updates

    Posted on June 11, 2008 at 1:00 pm by Jason Lee

    One of our reasons for, or rather benefits of, bringing an OSX Open Directory server into the mix was the ability to have a local Mac Update Server.  Granted it hasn’t been a major issue lately since we added a bunch of bandwidth, but we would prefer to have the ability to hold updates until they are tested (at least minimally) before we push them to our client machines.

    The configuration of Software Update is very simple; a good resource is the Apple KB on Software Update Service Overview.

    A couple of “Got Ya’s”:

    • I started the service and started downloading the updates, but then realized that our test environment didn’t include the two additional volumes our production machine would include.  The two external FireWire drives are for Storage and for TimeMachine.  I stopped the service and created another folder on the root drive, then followed the instructions to store Software Update packages on another hard disk or partition.  When I re-enabled the service the downloads continued… to the original location.  I stopped the service and deleted the location as mentioned in the KB article, and the Update Service didn’t care much for that; it just re-created the folders and continued downloading.

      So before you start the service, run the command to relocate the downloads.

      In the production installation I installed the service, but before I started the service I followed the instructions to locate the updates on the Storage volume.

      To configure our location from a terminal window I ran:

      sudo ln -s /Volumes/Storage/SoftwareUpdates /usr/share/swupd/html

    Note in the Administrators guide on page 85 (Chapter 8 Setting Up Software Update Service) the instructions to delete and/or move the updates and create the symbolic link are not correct.

    - the guide displays the first command which is correct: 

       sudo rm -rf /usr/share/swupd/html

     

    - the guide displays the second command to move the files: 

    mv /usr/share/swupd/html /new_storage_location 

    but the command should be 

    sudo mv /usr/share/swupd/html /new_storage_location

     

    - the last command in the guide is: 

    ln -s /new_storage_location /usr/share/swupd/html

    but the command should be: 

    sudo ln -s /new_storage_location /usr/share/swupd/html

    • To start the download of updates you click the Update List button.  After that it appears that nothing is happening.  Really the list of updates is downloading… and if you enable Automatically copy __ updates from Apple like I did, the updates are downloading too.

      The icon for each update will be gray; once the update is downloaded it turns blue.  Although none of the buttons are grayed out, clicking on them does nothing since well…. it’s downloading the updates like you said you wanted it to do.  It would be nice though if the buttons were grayed out or there was a status indicator while it was downloading.

      I let the download go overnight and by morning it was ready to go.

      To enable individual software updates, select the checkbox in the Enable column of the update.
    • We elected to push the settings out to the client OSX machines by Policy in WorkGroup Manager.  One big Got Ya’: when you choose the preference it says to enter the address including /index.suscatalog, but when you include that the clients error out.  If you simply use http://servername.domain.org:8088 all works well.
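
The relocate-before-starting step from the first item above, which is also the pattern used for the LiveUpdate web directory link in the Symantec post, as an added shell example (not taken from the Apple or Symantec guides). The function name `relocate_with_symlink` and its return codes are assumptions made for illustration; it refuses to proceed when the storage volume is not mounted, so the data cannot silently land on the root volume.

```shell
#!/bin/sh
# Added example: move a service's data directory to another volume and leave
# a symbolic link at the original path. Stop the service before running this.

# relocate_with_symlink ORIGINAL TARGET
#   ORIGINAL  path the service writes to, e.g. /usr/share/swupd/html
#   TARGET    directory on the storage volume, e.g. /Volumes/Storage/SoftwareUpdates
# Returns 0 on success, 1 if TARGET's parent is missing (volume not mounted),
# 2 if ORIGINAL already links somewhere else, 3 if the move or link fails.
relocate_with_symlink() {
    original=$1
    target=$2
    parent=$(dirname "$target")

    # An unmounted volume leaves no parent directory. Stop here instead of
    # creating the path on the root volume by accident.
    if [ ! -d "$parent" ]; then
        echo "target volume not available: $parent" >&2
        return 1
    fi

    # Already a link: accept it only when it points at TARGET.
    if [ -L "$original" ]; then
        current=$(readlink "$original")
        if [ "$current" = "$target" ]; then
            return 0
        fi
        echo "$original already links to $current" >&2
        return 2
    fi

    if [ -d "$original" ]; then
        # Keep anything already downloaded, but never overwrite an
        # existing target directory.
        if [ -e "$target" ]; then
            echo "both $original and $target exist; merge them by hand" >&2
            return 3
        fi
        mv "$original" "$target" || return 3
    else
        mkdir -p "$target" || return 3
    fi

    ln -s "$target" "$original" || return 3

    # Confirm the link resolves to a directory before the service is started.
    [ -d "$original" ] || return 3
    return 0
}

# Usage on the server (run as root, service stopped):
#   relocate_with_symlink /usr/share/swupd/html /Volumes/Storage/SoftwareUpdates
```
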
    Posted in OSX Domain Integration | Comments: 1

    Windows AD and Mac OD Test

    Posted on June 10, 2008 at 6:00 am by Jason Lee

    Our order of new Mac hardware arrived last week, so that meant we had enough gear to bring to life a small sandbox to test the roll out of what Mac calls the Magic Triangle.  This magical setup includes Windows’ Active Directory, Mac’s Open Directory and our Mac Client machines.

    We started our OSX and Windows domain integration project in a test environment, with the expectations that we would mess something up and want to start over.  Since we are learning to be OD admins (and yes the concept is the same but the presentation and logic is very different from working with AD), we elected to do our first run in an environment that we can completely bomb and not cause harm to the core network.

    The test network consisted of:

    - A Sonicwall SOHO Router

    - Dell 755 workstation running VMWare Server (Functioning as our PDC)

    - A Power PC Mac Mini as our Open Directory Server

    - An Intel Mac Mini as our Client Machine.

    Jeremie performed a P2V of our Domain controller using Vmware’s converter and copied this to a new Dell 755 that had not yet been deployed.  Since our PDC (or in w2k3 terms DC1) is also our DHCP server and DNS server we quickly had a total replication of our production domain online in just under an hour and a half.

    For the Mac side of this sandbox we have a PPC Mac Mini and two Intel Mac Minis.  The PPC will eventually become our production OD Server and the Intel minis will go into production as client machines.

    We used a hybrid of two guides to perform the installation:

    http://www.bombich.com/mactips/activedir.html (Courtesy of Hezekiah Barns)
    http://www.afp548.com/filemgmt/visit.php?lid=69 (Courtesy of Chris Green)

    Both documents required some customization since they are assuming you are working in a new environment, but this was easy to understand.  The process in the documentation is fairly straight forward.

    Both Documents recommend creating a Binder Account for AD, we elected not to delegate this from an Administrator login and it worked fine.  From everything we can gather the account used to Bind to AD is simply used for just Binding and isn’t used any in the future.  If this isn’t the case, please correct me.

    A few things we learned in the binding process, Bind to AD first then to OD.  This lists the Directories in the appropriate Search Policy Directory Services.  You can bind to OD first, but you will just have to change the order later.

    After installing OSX Server we had issues accessing the Server via the Server Admin console since it was not appearing in our Windows DNS.  This can be resolved by going to Preferences>Sharing>Edit>, checking the Global DNS box and entering domain.org as the host.  In our case no user credentials were required. Correction 6/10/2008: In our case credentials were required to authenticate to the DNS server.  We used an account we have configured for continued upkeep of the network.

    Posted in OSX Domain Integration | Comments: 0

    New Category & New Project

    Posted on June 6, 2008 at 7:11 am by Jason Lee

    I am breaking the recent silence with this announcement…

    I am officially adding a new category to the blog, OSX Domain Integration.  Ok, now that you have fallen out of your chair in shock please pick up your jaw and continue reading.

    Over the past few months I have been reading and learning about how to better serve those in our user community who don’t just prefer the Fruity OS, but are required to use OSX machines because of their role.  Over the past two years we have continued to say we need to learn to serve and support this segment of our users better.  Well we have finally had/made the time to put those dreams into play.

    Well, that’s the why on the new category.  This project has been extremely time consuming but I am planning to post my notes in the next few days on what we are learning as we integrate OSX into our Windows Domain.

    Posted in OSX Domain Integration | Comments: 3