In Lion Server what comes first, DNS, Certificates, or Open Directory

Similar Messages

• DNS, Certificates, and Active Directory - School Setup Issues

  Our school has been piloting a small iPad depolyment.  I have been struggling with getting Profile Manager to work correctly since August of last year. Here's the setup:
  1. Active Directory DNS/DHCP server (set as "school.local"--yes, I know .local is bad form, but it was set before I got here). I have changed the "Digest" to "Basic" setting
  2. Mac Mini server that has its own external IP and hostname ("mac.school.org") and is also bound to the AD server for user authentication for services (Profile Manager, WebDAV, wiki, etc.). I have a self-signed SSL certificate installed under the name "mac.school.org"
  3. About 90 iPads, and a handfull of Mac desktops
  In a perfect world, users would be able to login (with their AD credentials) to the Profile Manager self-service portal using the external hostname of the mac server ("mac.school.org/mydevices"), install the Trust Profile, and enroll the device (iPad, Mac, etc).
  However, this is not the case.  The setup seems to work for awhile; quite perfectly in fact. But then for reasons unknown to me, everything just "breaks" and Profile Manager ceases to work like it should. Here are some of issues I am seeing:
  a.) DNS service on the Mac server turns itself ON randomly.  DNS should NOT be running this server, correct? All DNS lookups internally are done by the AD server. I've used changeip and everything matches (both say "mac.school.org")
  b.) Whenever we use VPN, and at other seemingly random times, the server's hostname changes from "mac.school.org" to "mac.school.local" I would make the server external only, but it needs to have an internal IP to talk to the AD server.
  c.) AD binding breaks randomly and I have to rebind the server to AD
  d.) When enrolling devices, Profile Manager starts rejecting certificates (not a trusted source, etc.) and I have to destroy OD and PM and start all over again.
  I know this is a lot and I'm not necessarily expecting anyone to answer all of these questions. I guess I'm wondering if anyone could point me in the right direction? I've looked for help with these issues all over the place, but none of the environments I read about are quite like the one I'm in.

  Yes, I am not giving the real domain name here.
  No prob. just checking, sometimes people have weird domain names never know if they are real or they expect them to be real or they put domain names owned by someone else on their internal network eek.
  Not really needed to use mac.school.org internally, that is in local LAN. The thing to understand about DNS is the scope for which a DNS zone is relevant WRT a client machine — inside LAN or on Internet, and which DNS server is authoritative for a domain. Authoritative in the sense of 'the final word'.
  Go to Network Utility on your mac, type in your real domain name (whatever you are changing to school.org to hide it) what comes back. On my server I see the below (I have replaced my real, Internet legal domain, to 'example.com')
  In my setup I have, on the LAN, setup the Mac server to be authoritative for domain 'example.com'. On the Internet however it is another external DNS server.
  So you have set DNS forwarders on the Mac machine?
  I really don't believe that the machine's hostname is changing, it is statically configured. What I believe is happening is that DNS name resolution is telling you different things at different times because you are using different DNS servers.
  On mac machine terminal type $less /etc/resolv.conf and copy paste what it says. In server app Services | DNS right side does it say you have forwarders?
  Still it is not good to have two DNS domains in your internal LAN, there is no need to have school.org on the mac DNS unless it is going to be fully setup to be authoritative in the internal LAN for the domain school.org. You can have school.org on the Internet (Internet scope of users point 1) and school.local on internal machine (LAN scope of users).
  Lookup has started…
  Trying "example.com"
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53292
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
  ;; QUESTION SECTION:
  ;example.com.                   IN        ANY
  ;; ANSWER SECTION:
  example.com.     10800          IN        SOA          example.com. admin.example.com. 2013010907 3600 900 1209600 86400
  example.com.     10800          IN         NS          server.example.com.
  example.com.     10800          IN         MX          10 server.example.com.
  ;; ADDITIONAL SECTION:
  server.example.com. 10800       IN          A          192.168.1.20
  Received 145 bytes from 127.0.0.1#53 in 2 ms

• Mountain lion server network accounts are not mounting network home directory, rather its creating a blank local directory

  I have set up a scratch mountain lion server with open directory.  copied over old user account directories and added my users that match the directory ids.  Currently if a networked user logs into a networked computer, instead of mounting the network home directory, its creating a local home directory.  suggestions?
  thanks,
  Dave

  Additional info: it appears that certificates are not working either: setting up ical: "the certificate for this server was signed by an unknown certifying authority."...

• File server for school LAN--unable to get Open Directory working right

  I've been following the tutorials on wazmac.com for configuring an OSX 10.6 server for local network file sharing.
  Server IP address is 192.168.1.99.
  FQDN is oltserver.ourladyoftepeyac
  AFP, DNS, and Open Directory are configured, supposedly correctly.
  What works:
  Resolving the domain name to the server's IP address and vice-versa on Network Utility Lookup while on the server.
  On client computers, under Accounts, I can bind to the IP address and I can bind to "oltserver.local".
  After binding and restarting, I get a logon screen that shows the available users I have created in Workgroup Manager.
  What doesn't work:
  Cannot resolve the domain name to the server's IP address and vice-versa on Network Utility Lookup while on client machines.
  On client computers, under Accounts, I cannot bind to the FQDN, oltserver.ourladyoftepeyac. Error: Could not resolve the address (2200).
  When trying to log on to a network account from a client, it fails. "Cannot log in because an error occurred."
  There must be a problem with the settings for my DNS service. But unfortunately the wazmac guide doesn't give a lot of troubleshooting advice.
  Any help would be appreciated. Here are bunches of settings screenshots.

  That's terrific! I am almost there.
  What I did:
  I followed your advice on the domain name and renamed it ourladyoftepeyac.lan. Screenshot.
  Then (what probably made a big difference), I went into the network settings for the client Macs and removed their incorrect manual settings for DNS servers. This gave them the correct DNS servers! Screenshot.
  This allowed the Network Utility on client machines to correctly resolve the server's IP address with the domain name! Screenshot.
  Aaaaand it solved the problem with previously being unable to bind the client mac to the Open Directory server. Screenshot.
  But:
  After all of that, the clients still aren't logging in. So disappointing. It's unbelievable how unhelpful the error message is, too. "Logging in to the account failed because an error occurred."
  I can't understand why this is. AFP is active and set to allow guests to log in. Unfortunately, with all the help you've given, I don't have any clues left as to why the clients aren't logging on.

• Open Directory: After enabling of SSL encryption the Open Directory server is not reachable anymore! What's wrong?

  After enabling of SSL encrypton on LDAP I can't connect anymore to the LDAB. I think the Lions Server supports now the SSL encrypton for Open Directory.

  .....

• 10.6 Client and 10.7 Server Open Directory

  I´ve got an Mac Mini running Lion Server. It´s configured as an Open Directory Server.
  And I´ve got some 10.6 Clients running on the same local network.
  All Clients have the Mini Server as DNS Server.
  And now I want to use NetworkAccounts form the 10.7 Server on the 10.6 Clients.
  I´ve connected the 10.6 Clients to the Server (without SSL) and all Clients say "Network Accounts available".
  But if I try to log in on the Client it just shakes the login window. I´ve tried it on all my Clients with different Accounts but nothing worked.
  It just won´t work! But why? Can you please help me?
  What I´m doing wrong? Or is the combination of 10.6 Clients and 10.7 Server not Supported by OpenDirectory on 10.7 Server ?
  Thank you !

  Check your authentication against the server from one of the clients using the following command:
  dscl /LDAPv3/<server name or IP> authonly <shortname of an account that cannot login>
       The server name should be the same name or IP you used when binding your 10.6 client to a 10.7 server.
  If you get the response "Failed to authenticate user <shortname> (tDirStatus: -14103)" you are having the same issue I was having. I found an answer to this, but you are not going to like it.
  Apparently Workgroup manager and Server.app deal with accounts differently. If you are using Workgroup Manager to import a long list of accounts, don't. Server.app needs to write an addition setting that is not part of Workgroup manager or in Passenger I doesn't work correctly with accounts that have home folders that are not local. Here are the steps I used to resolve the issue:
  Export all your accounts and groups
  Using Server Admin, demote your OD to a standalone directory
  Once the demotion is complete, use Server.app to promote your server to an OD Master
  Update: I've not found it to make a difference if you use server.app or Server Admin to configure your Open Directory Master.
  Once the server is again an Open Directory Master, import the users that you exported using Server.app instead of Workgroup Manager.
  If you are importing groups, set the Home Directory by editing the account in Server.app before importing groups to avoid overwriting your group settings. Thankfully, you can select multiple accounts at a time.
  Import your groups using Server.app
  Verify group membership and test the loginsIf you test the login using the dscl command from above, you should get no error after entering the password, but as long as you have a bound client, you should be able to login at this point.
  Hope this reaches you in time to help.

• Lion Server DNS service not working for locally created zones. Caching working fine.

  OS Lion Server DNS service not working for local zones. Was fine under Snow leopard server but Lion server upgrade has severely broken my DNS and web sites. Zones look fine under Server Admin but keep getting "query failed (SERVFAIL) for xxxx at /SourceCache/bind9/bind9-42/bind9/bin/named/query.c:3921" in the logs. BTW - Server Admin cant seem to see the log file either.
  Surely someone actually tested that DNS still worked on Lion?

  I upgraded from Snow Leopard Server to Lion Server on day 01.  I hit the same issue where, after the upgrade, my Lion Server stopped serving names for my private local domain.
  I finally took a few minutes to figure out what was wrong.  After turning on debug logging and looking through the logs, I found my particular issue, now resolved.
  The issue I had was, when the domain initially was setup when I installed Snow Leopard Server, for some reason it created a zone just for the server (in my case, something like zone "s-01.mydomain.priv"), and a separate zone for all the other machines (zone "mydomain.priv", containing all the private IPs for my local domain).  I never messed with it because it worked, but generally I would have put all of them in the same zone.
  My zone "mydomain.priv" had a nameserver and mail exchanger entry for my server, s-01.mydomain.priv.  I could see this in the Server Admin app on the DNS bubble, Zones tab, mydomain.priv selected, and the General Info panel.  This was fine in Snow Leopard.  This was failing the zone load in the updated bind for Lion Server, though.  The issue was that the "mydomain.priv" zone was referencing the s-01.mydomain.priv server, which was not defined in the "mydomain.priv" zone but rather in the "s-01.mydomain.priv" zone.
  My fix:
  1. In Server Admin, add the server to the zone "mydomain.priv".  I put an A record (Add Machine) in the "mydomain.priv" zone for my server named s-01.mydomain.priv.
  2. shut down DNS on the OS X Lion Server (hit the Stop DNS button on Server Admin).
  3. edit /etc/named.conf by hand, removing the specialized zones that contianed just the server.  In this case, it would be the section titled 'zone "s-01.mydomain.priv"' and the section titled 'zone "3.10.1.10.in-addr.arpa"'.  Your in-addr.arpa zone name will change based on whatever your server IP address was.  My internal one happened to have s-01.mydomain.priv mapped to 10.1.10.3.
  4. Once the specialized zones for just the server were removed, I started the DNS up again.  Instead of serving four zones as it had in OS X Snow Leopard Server, it now servers two zones.  And, now, it is resolving my local machines for the mydomain.priv zone.
  YMMV.  I did note that it wasn't totally necessary to do step 3, but I never really understood the need for the specialized domain, and keeping it around would have a copy of data that would just confuse things.
  Hope that helps.  That's been the only hiccup I've noticed updating to OS X Lion Server thus far.

• Complications migrating from Snow Leopard Server to Mountain Lion Server.

  I'm migrating from Snow Leopard Server to Mountain Lion Server. The article "OS X Server: Upgrade and migration" (http://support.apple.com/kb/HT5381) says
  "Make sure that any DNS or DHCP servers on which your server depends remain running during the upgrade"
  This advice is reinforced by the details of the article "OS X Server: Steps to take before upgrading or migrating the Open Directory database" (http://support.apple.com/kb/HT5300).
  As the server I'm migrating from provides these services it will need to be running during the migration process. This would seem to limit my options to doing the migration from a Time Machine backup (or, making a seperate clone of the server's drive and connecting it externally to the new box)
  My main concern is the seemingly inevitable clash that is going to occur on the network as the new server takes on the roles of the old one - while it is still running.
  What are my options here ?
  This is my second attempt as on my first try I did the migration from the TM backup with the network down - and none of my local network users or their home directories were migrated, although the settings for the mount points were, but there were no actual directories where they pointed to!
  Clear directions on how to procede would be VERY MUCH appreciated
  Thank you.

  Moving from Snow Leopard to Mountain Lion means first installing the client (non-Server) version of Mountain Lion and then install Server.app this means that for at least part of the process you will not be running DNS, DHCP or Open Directory.
  If you are going to end up using the same DNS name and IP address after the change then an approach you could follow would be as follows.
  Destroy any Open Directory replicas
  Archive your Open Directory Master (to make a backup)
  Note down your DNS records in case they get messed up
  Export via Workgroup Manager your users, and groups (you might not need this but better safe than sorry), make sure you do not include the diradmin account
  Keep a full back of the server (you should always have backups)
  Note down your DHCP server settings in case they get messed up
  Note down any other service settings
  Install Mountain Lion
  Install Server.app
  Install Workgroup Manager (extra free download)
  Run Server.app
  Make sure settings for services are as much as possible the same as before
  If your lucky that may be all you need to do, otherwise...
  Restore Open Directory archive, if your lucky that will be all you need to do, otherwise...
  Make new Open Directory Master
  Run Workgroup Manager
  Import users and groups you previously exported
  You will then have to set passwords for each user as these are not preserved via Workgroup Manager export
  When I did this, I was also being forced to change all my IP addresses so I had no choice but to use Workgroup Manager to export and import accounts.

• Migrating from Snow Leopard to Mountain Lion Server

  Hi all.  I kinda drop in and out of this forum, mostly when I've got a puzzler that I can't figure out.  My journey from Snow Leopard to Mountain Lion was a little slow.  I tried to make the transition from Snow Leopard to Lion and failed, but this time I made it and I thought I'd share a little scratchpad post I wrote to document what I did.  Mostly this is about adding back a few things that I really need.  Here's the list of stuff that I added back:
  Firewall management (IceFloor)
  MySQL
  Webmail, email filtering rules and email aliases (RoundCube)
  "Group" emails (short, multi-recipient email exploders)
  Mailing lists (Mailman)
  I also dramatically improved reliability by adding a lot of memory, and doing nightly-restarts of the machine.
  Here's a link to the post
       http://www.haven2.com/index.php/archives/migrating-from-snow-leopard-server-to-o sx-server-mountain-lion
  I'm happy to report that the new server has been running for a month or so and all seems fine.  Whew.  A long journey.  Thanks to all of you who posted things that helped me along the way.  Hopefully this will return the favor.

  Moving from Snow Leopard to Mountain Lion means first installing the client (non-Server) version of Mountain Lion and then install Server.app this means that for at least part of the process you will not be running DNS, DHCP or Open Directory.
  If you are going to end up using the same DNS name and IP address after the change then an approach you could follow would be as follows.
  Destroy any Open Directory replicas
  Archive your Open Directory Master (to make a backup)
  Note down your DNS records in case they get messed up
  Export via Workgroup Manager your users, and groups (you might not need this but better safe than sorry), make sure you do not include the diradmin account
  Keep a full back of the server (you should always have backups)
  Note down your DHCP server settings in case they get messed up
  Note down any other service settings
  Install Mountain Lion
  Install Server.app
  Install Workgroup Manager (extra free download)
  Run Server.app
  Make sure settings for services are as much as possible the same as before
  If your lucky that may be all you need to do, otherwise...
  Restore Open Directory archive, if your lucky that will be all you need to do, otherwise...
  Make new Open Directory Master
  Run Workgroup Manager
  Import users and groups you previously exported
  You will then have to set passwords for each user as these are not preserved via Workgroup Manager export
  When I did this, I was also being forced to change all my IP addresses so I had no choice but to use Workgroup Manager to export and import accounts.

• Using Lion Server Radius for authenticating "other" clients

  Hi I've been trying to get the Radius service in Lion Server to authenticate users of my SQUID web proxy. I have followed the squid wiki's instructions to configure the squid server as a radius client and pass authentication requests to the Lion Server Radius (I hope). However I'm trying to configure and test the Lion Server Radius. As Lions Server Admin GUI for radius only lets to add Airport Basestations, I've been trying to dig around for what underlying config files to edit.  I have tried 2 methods of adding the client details to radius:
  1. By editing the /etc/raddb/client.conf, and adding/changing (for example):
  client localhost {
       secret     = mysecretpassphrase
  client 192.168.0.0/24 {
       secret              = mysecretpassphrase
       shortname       = local-lan-clients
  and restarting squid. Nothing seems to get mentioned in the radius log file! So I'm not completely convinced that the Lion Radius took any notice of this!
  2. Instead of above, added the same client info using radiusconfig:
  $ sudo radiusconfig -addclient 192.168.0.0/24 local-lan-clients other <return>
  - then it prompts for the secret. With this command I notice the entry/event is recognised in the radius log file, and also looks like some SQL activity. If I dont specify "other" for the nas-type, it defaults to "Aiport Base Station" or similar.
  OK, so forgetting about SQUID for a minute, I can't even get that far as I'm just trying to test the config using the "radclient" utility from the Lion Server and the squid server:
  $ sudo radclient localhost auth mysecretpassphrase <return>
  and... no response, just hangs, nothing in radius log either.
  The Lion Firewall allows TCP and UDP requests into the Radius authentication port.
  Any ideas what else I need to do? Scratching my head, I'm wondering if it is anything to do with SSL? e.g. do I need to make the authentication using the self-signed certificate that Open Directory has? I presume any Airport Base Stations added to radius will use this certificate to establish a secure connection for authentication.

  The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it and which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
  However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
  While as far as I can see by manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people chose to configure Squid to use either a PAM or the LDAP modules for Squid to in this case authenticate directly to Open Directory (which is of course based on LDAP).
  I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specific an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then setup FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
  Unfortunately the AFP458 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
  http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-pro xy-server/
  http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/

• Server 3 / SSL Certificate / Open Directory - Problem!

  We've updated from Server 2 to Server 3 / OS X 10.9.
  We have an SSL certificate for server from Comodo.
  Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configure via Server app).
  Under Server 3, all works just fine, but Open Directory will not accept certificate - so Certificates / Settings in Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory set to be not secured but everything else is using SSL.
  I've tried setting the Open Directory to use the SSL, but when ever I do it simply bounces back to being unsecured.
  Does this matter?  Presumably it should be possible (as the standard setting appears to try and set Open Directory to use the SSL certificate), but not sure whether trying to fix is simply a fools errand.
  Anyone got any clues as to whether to fix or not, and if to fix, how?
  Thanks in advance.

  Have you check to see that the certificate is indeed "Trusted" by your server?
  Above, you stated that they're in the etc/certificates folder, but that doesn't mean that the server likes them.  You can create a "Self Signed" Certificate and still have certificates in there.  That doesn't mean that anyone else on the planet has to trust them.
  Open Keychain Access in your utilities folder.  Depending on how you have it configured, you may have to look around to find the certificate in question.  It may be under login, or System. 
  When you select your Certificate, if it's there, does it show as trusted?
  Another thing you can check...  Often times Certificate authories, use Intermdeiate certificates.  Since anyone can sell a certificate, in order to have it trusted, you need to have it signed by someone else.  A good example is Godaddy.  They sell both SSL and Code signing certificates of all flavours.  In order to get them to be trusted, the "Intermediate Certificate" needs to also be installed in the keychain.  My Godaddy cert looks to be trusted by Verisign via an intermediate.
  Have a look here...  https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid =1182
  Not sure if it's directly relevant, but there it is.
  The point is, I think you need to verify that your certificate is trusted by your server.  OD won't use an untrusted certificate. 
  --an afterthought--  Anything in the logs?
  Open up your server window where you try to select the certificate for OD.  Also, in another window open up the terminal.  In terminal, type:
  tail -f /var/log/system.log
  In the server window try to select the certificate and click done.  See what the output in terminal says.

• Can't get Mountain Lion Server Server to upgrade properly - Configuring services

  Hi All,
  First of all thanks for any answers or suggestions you might have. We are a small business with about 25 employees. We have been running Lion Server for email and collaboration without much issue. Today we decided to upgrade to Mountain Lion Server, which was a big mistake apparently. We downloaded and installed Mountain Lion which went fine. We then downloaded and installed the new Server app and that's where things got hairy.
  The Server app got to the part where it says Configuring Services and just sat there spinning. After about an hour I figured something was up and noticed in the console that there were a bunch of errors trying to update certain things. Needless to say we had to force quit the Server app after a long while and nothing got updated/migrated. We were left with a non functional server. Luckily we had set up the Lion Server to clone to another drive and we were able to boot to that to get back to work.
  None of us have much experience with command line, part of the reason we got Lion Server in the first place was it's ease of use and GUI. So has anyone else had similar issues? We are kind of at a loss as to where to go next. Thanks!

  It is indeed an option to wait, although I did manage to upgrade four servers that all have working forward and reverse DNS from Lion Server to Mountain Lion 10.8.
  After installing OS X Server on top of that server specific items like mailboxes returned

• Lion server - is it right for me?

  We are currently using a Mac Mini in our small office for file serviing. It is running 10.6 (NOT server). I have some software running on it that allows me to set up "mount points" for different user groups. I run the mini headless, and am able to "screen share" via the local network or through my MobileMe account using "back to my mac."
  The setup works fairly well, but can be difficult to administrate.
  I am considering the jump to Lion server. Looking past the marketing department descriptions I want to make sure it is the right choice for me. Here are some of the things I am doing and would like to do:
  - I would like to continue sharing files. We have about 5 users. I would like to be able to set varying levels of access for each person. I can do this on an individual basis but would also like "workgroup" permissions/access.
  - Right now we only have local access (except for my admin login). Ideally I would like to have the same file access (with restrictions and permissions) extended to sharing files via internet. Even better if I could limit which files or folders are available over the net for all except me.
  -Looking beyond file sharing, I am interested in the WebDAV features discussed on the promo page. The short description of these features seems like I can basically run an iDisk on my mini. I can then let workers upload and download pages/keynote/number documents. We can also use this to coordinate calendars locally and across the internet. Plus it will sync with our iPads and iPhones. Am I understanding this correctly?
  -Along the same lines, there is also iCal Server 3. The way I understand it, this can basically act as a replacement for the old MobileMe calendar, right? I see how calendars can be shared and understand how that works. But can these calendars also be administered, with permissions, from the server? In other words, can I (as admin) create calendars for Bob, Tom and Doris - let's say a personal and business calendar for each. Then set it up so that Doris can see Tom's business and personal calendars but only Bob's business calendar?
  -Web server: I have played with the Apache server on previous non-server OS X versions. Can Lion server be easily set up to run as an INTERNAL web server? (Web pages viewable on the local network). If we wanted to make those web pages viewable outside the local network, is the process very difficult? We have a company to host our regular web and email services. I am only looking for some simple "company news" type information and maybe a small Filemaker database for a handful of employees.
  We don't currently have a static IP, which I guess would be necessary for making some of these features accessible from outside the office. Do I need to get a static IP from my ISP, are there features in Lion Server that eliminate the need for that (e.g. back to my mac) or are there other options that provide a workaround for this?
  Based on the above, is Lion Server what I need? Is there another product/application better suited for the above tasks?
  Thanks in advance for any ideas, help or suggestions.

  Do you think the monitor on the new Imac is good?
  Yes, I use mine for both digital photography and working with video. The extra screen real estate is extremely handy.
  If you need portability, I would keep the iBook also.

• Files cannot be unlocked on AFP Share on Lion Server

  I have an environement with a Mac Pro Server (10.7.4) running as an Open Directory Master, DNS, with AFP file sharing enabled. All clients are running 10.7.4, none are bound to the domain and all home folders are local on the users machine. The users simply have an account in OD that they use to access a file share. The file share is "Public" in that the permissions are fully liberalized so that all users in the domain have read/write access. Whenever a user edits a Pages, Keynote, Numbers, Text Edit (anything that supports versions) and then saves the file, the next user to access the document finds that the document is locked. They cannot unlock it and must create a duplicate. Only the original user that opened the document can reopen it without facing the lock and having to duplicate it. Anyone have any ideas as to what might be causing this? Thank you.

  How about setting ACL's for the share?

• Need to buy Lion Server when buying Mac Mini Server?

  Hi there,
  Last week I bought a Mac Mini Server. Do I need to pay for the Lion Server part in the App store separate?
  Cheers.

  That is correct. I did not find the Lion Server App at first. Now I found it. No need to buy.
  Thanks!