Lion Server Backup Guidance

Similar Messages

• How to reinstall on client from Lion Server Time Machine backup?

  I have a Mac Mini running Lion Server and a black MacBook running Lion. I recently needed to to perform a format and reinstall of the MacBook, so I used the MacBook's Recovery HD partition and reinstalled Lion.  I then went back to Recovery HD to reinstall apps from my Time Machine backup' which is managed by the Lion Server Mac Mini. On first attempt, I saw the right files, but in the process it hung. I recently tried to do it again, and now it claims that there are no backups found.
  My suspicion is that as this is a Lion Server managed backup, it bundles the server backup and the MacBook backup in the same bundle. Revovery HD looks for the latest compete bundle, then finds the matching backup for the MacBook. However, if the Mini is continuing backups of its own, the more recent bundle backups only have mini info, not the MackBook, hence they "disappeared".
  I can see older backups when I look at the backup drive, so I suspect that my MacBook files are still there. 
  Any suggestions on how to recover and get my MacBook files reinstalled? I'm new to this home server thing, so any help would be greatly appreciated!
  Jason

  One partition 2.5TB will be my new Time Machine Backups and the other 2.5TB for iTunes Library so I never have to worry about this again.
  Your worry now is what will you do when the single hard drive containing both your library and its backup makes a screeching sound one day and is toast, or get stolen?
  from a YouTube video
  Uh-oh, those unspecific and sometimes incorrect YouTube videos.  I dislike those things. I watched one once and some kid droned on in a barely audible monotone for about 5 minutes to show how to do something to which I could have typed instructions in two sentences.
  Downloading (using iOS or computer) past purchases from the App Store, iBookstore, and iTunes Store - http://support.apple.com/kb/ht2519

• Lion Server complete backup to time machine

  I need a complete backup of my lion server ! is this possible to with time machine to time capsule and if so in order to do so do I have to be logged in with a specific user type (local or network, rights given). also is it possible to do a restore from this backup for just the wiki server or mail server only afterwards.
  thanks for any help
  Joe

  See if anyone knows in the Lion Server Forum?
  Regards,
  Colin R.

• Best Setup for Lion Server Time Machine Backup with Drobo?

  I've been thinking about this a lot, yet I don't feel I have a good solution for this, so I'm going to throw it out to the community.
  I have a home server setup using a Mac Mini running Lion Server 10.7.2 with a Firewire 800 Drobo attached.  The Drobo is used for both Time Machine backups and files.  I also have a Powerbook G4 running Leopard and a MacBook 2.4 GHz Intel Core 2 Duo with Lion 10.7.2 which connect to the Server and the Drobo wirelessly thorugh an Airport Extreme.
  I want to use Time Machine to have all of my computers back up to the server & Drobo, but realize there are several ways to go, each with their pluses and minuses:
  Server Time Machine Backup:
  + Centralizes backup process, rules, and other elements
  + Currently Mac Mini is backing up to the Drobo correctly using this process
  + Have setup size limit on Server backup so that it does not eat up file space
  - Would combine laptop backups with server backup into one sparse image: this would lead to the computer with the largest backup needs taking up too much space
  Client-Driven Time Machine Backup:
  + Allows for customization of backup processes by computer
  + Can setup specific space requirements for each computer
  + Backups are separate from each other
  - Wireless backup from laptops to Drobo is not functioning currently
  Any thoughts or experiences on how best to set this up?  I tend to do most of my work on the MacBook, hence I am concerned about it having it's backup space eaten up by the server, but that may be more of a theoretical issue than a real one.
  Thanks in advance for your help!

  Well I'm not sure if I am following you but I will explain how I set mine up. When I got the Drobo I inserted 2 drives and selected the highest available volume I could (16TB). My drives are 4 TB each and I knew I would soon add 2 more. Then Drobo did its thing and prepared these drives. The Drobo shows up on my mini desktop as an external drive. When I log into my server from my other computer I can see the mini server volume and the Drobo volume. I can access each no problem. They act as regular volumes. Soon after I added the second two drives and everything stayed the same meaning I could still see and access the Drobo on the desktop of my mini. So it sounds like you used the Drobo dashboard to partition yours for two volumes? Are they both showing on the desktop? 
  "Maybe the Drobo needs to be mounted on the desktop to be considered AFP feature enabled." I could be wrong and hopefully someone will correct me but I think the Drobo (or volumes) have to be mounted on the desktop to work with AFP.

• Lion Server: how best to backup user mail?

  What's the best way to backup user Mail on Lion Server?
  Currently I do a nightly rsync of the /Library/Server/Mail directory to another off-site machine, but it strikes me that I'm not entirely sure (a) if this is capturing all necessary info, and (b) even if it is, how precisely woudl I go about restoring user mail if, for example, the server blew up and I had to reinstall a new machine?
  Thanks for any advice,

  Another method would be to do regular copies / clones of your mail directory using Carbon Copy Cloner - I actually do this with the server boot volume regularly.
  -Doug

• Can I recover my Mountain Lion Server from my Time Machine Backup if there was no Recovery HD created moving from Lion?

  Several years ago I upgraded my Mac Server from Snow Leopard the to Lion and then to Mountain Lion, where it is now. I believe I can fix a problem if I can rebuild my Mountain Lion Server from my Time Machine backup, however I just discoved that there is no Recovery HD on the drive.  Is there still a way to use my Time Machine Backup to rebuild the server drive?
  Any help will be appreciated.

  Recovery Drive – Restore Missing

• Restore Lion OS from Lion Server Time Machine Backup?

  I am running a Intel Imac 2008 clean install SL then Lion upgrade, followed by Lion Server install.  I have multiple home macs, and intnded the server as a way to monitor and restrict kids internet use.  In short, it has changes/screwed up multiple programs, and complicated home sharing issues considerably.  Mail on the server machine has permission problems (cannot send mail, unable to sign), Spotlight in mail is non-functioning, finder spotlight searches are inconsistent, etc.  I want to revert to plain old Lion.
  I have done disk utility/verify disk and verified/repaired permissions, and have 'fiddled' (i'm not an expert) in the keychain/certificates areas, but I think the best solution is a clean install of Lion.  QUESTION:  When I backup to TIme Machine, is there a way to pull a 'Lion' version of my disk image back, and just not upgrade to Server?  I understand I can disable Server and turn off applications in Server, but it doesn't fix my buggy machine.  My options are to back up my 250GB of music, 100GB of photos, 100GB of movies, etc on to external drives, and clean install and then reimport everything, but even that will probably mean I cant reinstall my single user licesnse of MS office, VMware fusion, etc that I didn't buy on the App store.  I'd really love to be able to do this with Time machine.  Any chance?  or do I need to do the dark deed of 2 days of backup? 

  Sorry, I don't mean to be stupid, but I want to be sure.  My impresion of Time machine disk images (I'm not a computer genius, but I'm , lets say, an expert novice) is that disk images (my term for the 'total view' of a computers main disk), differ depending on the OS.  I assume that applications and preferences referenced under SL could not be seamlessly imported into a Lion environment.  I'm assumng that the upgrade to Lion server has irrevocaby altered my startup/main volume into a "Lion Server" volume, and that if I try to pull my applications/data/preferences/mailboxes back onto a fresh Lion interface, it won't work.  Are you saying I'm wrong, and that I can simply erase my disc, clean install Lion via an internet connection, and re-import my "lion Server- altered' stuff back from aLion-server Time Machine disk image, seamlessly, into a Lion OS environment?  Sorry to be so concrete, but my wife will kill me if I %$@ the bed on this.  I appreciatre your help.

• How to find backup on Lion Server time machine backup?

  I have a MacBook laptop running Lion that has gotten automated Time Machine network backups by my Mac Mini running Lion Server. Had to do a reformat of the laptop and when I used Recovery HD from the laptop to find the laptop backup files on the server, I can't find them.  I can find the server backup file, and the network version of time machine may bundle the laptop backup and mini backup in that file, but Recovery HD claims there are no valid backups.
  Am I doing this the wrong way?  Any help?

  Just found it here:
  https://discussions.apple.com/message/19152432#19152432
  And it worked.
  zeke

• Update to Mountain Lion Server kills Time Machine Backups

  Okay, here's the scenario:
  Client: 
  MacBook Pro running Mountain Lion
  Server: 
  Mac Mini running Mountain Lion Server using an SSD boot and Promise Pegasus Thunderbolt RAID
  Prior to updating the Mac Mini to Mountain Lion Server (previously just using regular Mountain Lion) I was happily backing up using Time Machine over AFP.  Since the update to Server I get the Time Machine message:
  "The network backup disk does not support the required AFP features."
  The network drive is also no longer available for selection within Time Machine (once it's been deselected).
  Any easy ideas on a fix?

  Time Machine won't back up to Mountain...: Apple Support Communities

• I have a lion server set up to host storage for time machine backups. Is there a limit to how many different computers can back up to the single server to back up. I am only backing up the users folders . The backup drive is an external Drobo with 6 TB.

  I have a lion server set up to host storage for time machine backups. Is there a limit to how many different computers can back up to the single server to back up. I am only backing up the users folders . The backup drive is an external Drobo with 6 TB. Right now it seems to back up my users all day long. I set their time machine interval to every 5 hours but it still runs all day long and is very slow. Server is on a new Mac Server mini.

  AFAIK, there is no user limit.. it is simply a question of the network load. AFP is a fairly clean protocol.. but TM is not.. it does a lot of testing of the backup.. infact your setting of 5hour gap could well make it worse.
  I would sort out the clients that are doing 100GB backups to a different backup location.. no matter how fast your network.. 100GB takes time to backup.. and over wireless forever.. it will never end.
  I guess some of these clients are on wireless?? I would separate the TM of wireless to those that are wired. No more than 4 or 5 wireless clients to a target device. Otherwise you are saturating your network with backup data. And use 5ghz.. so close by.. it is much faster than 2.4ghz and you will get much better transfer rates.

• Just bought a Mac Mini lion server how do i make a lion backup?

  Just bought a Mac Mini lion server how do i make a backup disk for lion?

  I believe you will need a USB drive and can download and  install something called Lion Recovery Disk Assistant from below. 
  http://support.apple.com/kb/dl1433
  Also read the article from below which I believe will encourage your desire to do the backup.
  http://www.macworld.com/article/161664/2011/08/hands_on_with_lion_recovery_disk_ assistant.html

• How to use each machines's HD as a backup with Lion Server accounts?

  Hi,
  I am the administrator of a network for a small business.
  We have 6 machines (iMac running OSX Lion) and one Mac Mini running OSX Lion Server.
  Every user is logging on their machines with their network account, which means that they (by default) save all their documents on the Mac Mini server.
  The good side of this is that:
  a) Any user can log in from any machine
  b) Every document that the user has is backed-up at regular time intervals thanks to Time Machine.
  Although the networks access tends to slow down the machine (especially with big Excel spreadsheets), and each iMac has massive hard drives that are all 95% empty.
  Is there a way to easily setup an appropriate policy so that I can leverage the big size of each machine's hard drive, and reduce network access?
  (i.e. each user loads all the configuration from the network at login, then works on his/her local drive until he/she logs out, and a full back-up from the local drive to the distant folder is made once a day / once a week???)
  Thanks,

  Hello & welcome to the foruns!
  Maybe I can help with one facet...
  Just a quick note for people who use Elgato’s EyeTV on their Macs in New Zealand. I’ve got an Automator script here that will fetch a TV schedule and load it into EyeTV. It takes care of deleting the file it downloads but you might need to open it (use the Automator program) to change where it downloads to.
  EyeTV nz epg downloader
  http://craig.stanton.net.nz/2010/05/04/eyetv-epg-for-nz-tv/

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• I'm trying to use Mountain Lion Server so my family can have separate logins via Screen Share to their iTunes.

  Using Mountain Lion Server so my family can have separate logins and connect via Screen Share.
  Works great, each has their own home directory and permissions are perfect.
  Now setting up iTunes for each with their own Library (not shared), thus keeping multiple Libraries.
  I get this;
  This Computer is already associated with an Apple ID.
  If you download past purchases with your Apple ID, you
  cannot auto-download past purchases with a different
  Apple ID for 90 days.
  What!
  So what it is on the same computer, they are completely separate Libraries never to be mixed.
  If this works, I only need to keep one computer up and running, instead of three.
  Each can do their syncing/backup and connect to the various Airplay/AppleTVs I have around the house.
  How do I fix this.
  Thanks

  Bottom line is you can't - easily.
  You need to make sure that you log out of the server each time otherwise the ID is running. To explain, if you had a laptop with different people using it, your solution works fine. Each time someone logs in, the iTunes ID is different so it works as you can only have one person using the laptop at any one time.
  Now, turning your problem inside-out, you want people to be able to log into iTunes concurrently to use their own version of the program with their own library. This does not seem to work and you get the conflicted ID error message. Even though iTunes is running under their own login ident, I have never been able to get this working reliably and was told that iTunes is NOT a network-aware application as it is designed to be single user.
  The way I got around this was to login as XYZ and to make sure that the ID was changed in iTunes accordingly. However, it did not always work so I gave up with the whole thing.

• Address Book and iCal Server backups

  I'm working to implement a company-wide Address Book, iCal, and iChat server via Lion Server where I work, and I've gotten most of the setup figured out (I think), and am approaching the point where I can roll it out to a few users for further testing.  However, before I'm allowed to move forward any further w/ it I have to have two means of backing up in place and ready to be rolled out at the same time as the server—so I'm planning on using Time Machine as one so it does the entirety of the server and its data/settings, but they also want me to do one of the Address Book Server and iCal Server databases individually, like back up the folder the data is, so we can, if ever necessary, import the backup databases to another computer, so we at least have the content, if not the full server functionality.  And, for obvious reasons, it can't be backed up locally. 
  So I'm looking for a means of doing this and would love any input anyone has.  Ease of use/setup is pretty important as this is my first time setting Server up and I've no programming knowledge.  I'm fairly sure I'll be able to find (or write my own, though that's unlikely) or modify and AppleScript that simply copies/duplicates a Finder item, and I know I can have iCal automatically run a script (so I'd just have it run every night at midnight or something), but I have yet to figure out how to get the script to copy the folder to a specified location on a different server (or, for that matter, if it's even possible, though I'm sure it is...right?).  But that's not what I'm trying to ask here...though I certainly wouldn't mind if someone had thoughts on it and wanted to share them !  I just really would like to know which folders to back up, since it's not simply making an archive of the local Address Book.app database.
  And, since I'm already here writing a post, I'll ask one other question that's been nagging at me: in Server Admin.app, with the server (not the services) selected in the sidebar on the left, the Access pane selected in the primary Server Admin window, and Services selected, and trying to dictate which users/groups can access which services, the user can click the "+" in the lower-left corner of the window where added users would appear, and another window pops up next to the Server Admin window that shows a list of the users (and groups if you click the appropriate button).  My question is, why does it show me _krb_anonymous, _krb_changepw, and a total of 81 other items?  I understand more or less what they are (in a very general sense), but why are they shown as users?  More importantly, do they have to be listed there?  Technically I'm probably the only one that's going to be the administrator, and I'll know not to add them or modify them, but I don't want anything related to those items appearing in a directory search in Address Book when I get it set up (as they are showing up now; for instance, one user I created is Sandy, and I have it set to include directory contacts in searches, so on a client machine that is correctly communicating w/ the server (add a user, it appears in a minute on another client machine, and vice versa) if I go to search for that name as soon as I type "s" Sandy, the actual user shows up, but so do five or six other things, all of which are items from the aforementioned list in Server Admin (pretty much anything that has an "s" in it, which of course makes sense)—and that's what I don't want, I don't want the users to search for someone, see something like _krb_anonymous pop up, then think something is screwed up and call me and demand I come fix their computer!).
  Any thoughts, suggestions, and such are more than welcome and much appreciated!
  Thank you to all...

  See the following:
  Folders You Can Move to Your new Mac
  From the Home folder copy the contents of Documents, Movies, Music, Pictures, and Sites.
  In your /Home/Library/ folder:
  /Home/Library/Application Support/AddressBook (copy the whole folder)
  /Home/Library/Application Support/iCal (copy the whole folder)
  Also in /Home/Library/Application Support (copy whatever else you need including folders for any third-party applications)
  /Home/Library/Keychains (copy the whole folder)
  /Home/Library/Mail (copy the whole folder)
  /Home/Library/Preferences/ (copy the whole folder)
  /Home /Library/iTunes (copy the whole folder)
  /Home /Library/Safari (copy the whole folder)
  /Home /Library/Calendars (copy the whole folder)
  If you want cookies:
  /Home/Library/Cookies/Cookies.plist
  /Home/Library/Application Support/WebFoundation/HTTPCookies.plist
  For Entourage users:
  Entourage is in /Home/Documents/Microsoft User Data
  Also in /Home/Library/Preferences/Microsoft
  For FireFox:
  /Home/Library/Applications Support/FireFox
  /Home/Library/Preferences/org.mozilla.firefox.plist
  Credit goes Macjack for this information.