Lion Server Recovery image is broken

I had purchased a new Mac mini Lion Server for my office. Normally I am a Linux server guy, but wanted everything to be 100% Apple for continuity.  On first plugin, the server worked just fine.  After I spent time learning it and its settings and configs, I decided that I wanted to start fresh.  So I used the recovery console to download the boot image from Apple and recover my Lion Server from scratch.
Upon a successful installation, I found that the Wiki and the Profile managers failed to operate.  After a long story and chasing each individual error around Google, I decided to retry a new image again.  So again I downloaded the recovery image and started over. Upon restart I found the same errors. For the longest time I assumed it was a setting that I was messing up and causing it. It had something to do with the Postgres database.
After 5 reinstalls I still had not a fully functioning server.
I had configured a MacBook Air to remote manage the server by copying the server app to it.  The Air also had Lion on it.  I decided to try an experiment and installed Lion from USB instead, made from the Mac Air. The installation went flawlessly. I then copied the server app over to my Mac mini server to complete the server functions. It also installed flawlessly. I had not touched a single setting on the new OS and the server functioned perfectly.
My only diagnosis has to be that the original net install recovery image which is passed out from Apple's remote servers, is that particular image is broken.  If you have conducted a server recovery from booting using Apple's recovery system, and are having massive Postgres problems, failed wiki and profile manager issues, then consider that you have downloaded a bad image and create a new install from a local DVD instead.
Today my server runs perfect and has ever since I installed locally.

Thanks and sorry for the super late reply! At the end I had to get a wifi router to get it to restore! Since the mini came with Lion server, it won't let me use the thumb drive to install. I can see it if I press option on start up, but when I chose it, it gave me a "no entry" icon.
Anyway, since the office needed a wifi router anyway, so ......... yeah thanks!

Similar Messages

  • Lion Server DNS service not working for locally created zones. Caching working fine.

    OS Lion Server DNS service not working for local zones. Was fine under Snow Leopard server but Lion server upgrade has severely broken my DNS and web sites. Zones look fine under Server Admin but keep getting "query failed (SERVFAIL) for xxxx at /SourceCache/bind9/bind9-42/bind9/bin/named/query.c:3921" in the logs. BTW - Server Admin can't seem to see the log file either.
    Surely someone actually tested that DNS still worked on Lion?

    I upgraded from Snow Leopard Server to Lion Server on day 01.  I hit the same issue where, after the upgrade, my Lion Server stopped serving names for my private local domain.
    I finally took a few minutes to figure out what was wrong.  After turning on debug logging and looking through the logs, I found my particular issue, now resolved.
    The issue I had was, when the domain initially was setup when I installed Snow Leopard Server, for some reason it created a zone just for the server (in my case, something like zone "s-01.mydomain.priv"), and a separate zone for all the other machines (zone "mydomain.priv", containing all the private IPs for my local domain).  I never messed with it because it worked, but generally I would have put all of them in the same zone.
    My zone "mydomain.priv" had a nameserver and mail exchanger entry for my server, s-01.mydomain.priv.  I could see this in the Server Admin app on the DNS bubble, Zones tab, mydomain.priv selected, and the General Info panel.  This was fine in Snow Leopard.  This was failing the zone load in the updated bind for Lion Server, though.  The issue was that the "mydomain.priv" zone was referencing the s-01.mydomain.priv server, which was not defined in the "mydomain.priv" zone but rather in the "s-01.mydomain.priv" zone.
    My fix:
    1. In Server Admin, add the server to the zone "mydomain.priv".  I put an A record (Add Machine) in the "mydomain.priv" zone for my server named s-01.mydomain.priv.
    2. shut down DNS on the OS X Lion Server (hit the Stop DNS button on Server Admin).
    3. edit /etc/named.conf by hand, removing the specialized zones that contained just the server.  In this case, it would be the section titled 'zone "s-01.mydomain.priv"' and the section titled 'zone "3.10.1.10.in-addr.arpa"'.  Your in-addr.arpa zone name will change based on whatever your server IP address was.  My internal one happened to have s-01.mydomain.priv mapped to 10.1.10.3.
    4. Once the specialized zones for just the server were removed, I started the DNS up again.  Instead of serving four zones as it had in OS X Snow Leopard Server, it now serves two zones.  And, now, it is resolving my local machines for the mydomain.priv zone.
    YMMV.  I did note that it wasn't totally necessary to do step 3, but I never really understood the need for the specialized domain, and keeping it around would have a copy of data that would just confuse things.
    Hope that helps.  That's been the only hiccup I've noticed updating to OS X Lion Server thus far.
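
    The condition described in this answer (a zone whose NS and MX records point at a host inside the zone that has no address record there) can be checked before restarting DNS. The script below is an added example, not part of the original post or of BIND; the function names and both sample zones are constructed for illustration, and it assumes one record per line with no quoted semicolons.

```python
"""Added example: flag NS/MX targets inside a zone that have no A/AAAA record there."""

ADDRESS_TYPES = {"A", "AAAA"}
CLASSES = {"IN", "CH", "HS"}


def absolute(name, origin):
    """Expand a zone-file name to a lowercase FQDN ending in a dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_records(zone_text, origin):
    """Yield (owner, type, rdata_fields, origin) for each record line.

    Assumption: simplified zone syntax, one record per line, no parentheses.
    """
    last_owner = origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = absolute(fields[1], origin)
            continue
        if fields[0].startswith("$"):             # $TTL and similar directives
            continue
        if line[0].isspace():                     # leading blank: reuse previous owner
            owner = last_owner
        else:
            owner = last_owner = absolute(fields.pop(0), origin)
        # Skip the optional TTL and class columns.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if fields:
            yield owner, fields[0].upper(), fields[1:], origin


def dangling_targets(zone_text, origin):
    """Return (owner, type, target) for in-zone NS/MX targets lacking an address."""
    zone = origin.lower().rstrip(".") + "."
    have_address = set()
    targets = []
    for owner, rtype, rdata, cur_origin in parse_records(zone_text, zone):
        if rtype in ADDRESS_TYPES:
            have_address.add(owner)
        elif rtype == "NS" and rdata:
            targets.append((owner, rtype, absolute(rdata[0], cur_origin)))
        elif rtype == "MX" and len(rdata) >= 2:
            targets.append((owner, rtype, absolute(rdata[1], cur_origin)))
    return [
        t for t in targets
        if (t[2] == zone or t[2].endswith("." + zone)) and t[2] not in have_address
    ]


# Constructed sample: the layout the answer describes, with the server's
# A record living in a different zone.
BROKEN_ZONE = """\
$TTL 10800
@       IN SOA s-01.mydomain.priv. admin.mydomain.priv. 2011072001 3600 900 604800 86400
        IN NS  s-01.mydomain.priv.
        IN MX  10 s-01.mydomain.priv.
laptop  IN A   10.1.10.20
"""

# Constructed sample: the same zone after step 1 of the fix (A record added).
FIXED_ZONE = BROKEN_ZONE + "s-01    IN A   10.1.10.3\n"

if __name__ == "__main__":
    for label, text in (("before", BROKEN_ZONE), ("after", FIXED_ZONE)):
        problems = dangling_targets(text, "mydomain.priv")
        print(label, "->", problems or "all in-zone NS/MX targets resolve")
```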

  • Snow Leopard client for NetRestore image not being recognized in Mountain Lion Server

    I target firewired a MacBook Pro running Snow Leopard and ran System Imaging Utility and the machine does not show up as an option. Does Mountain Lion Server support Snow Leopard NetRestore images or am I doing something wrong?

    I'm actually trying to figure that out as well. We have 10.5, 10.6, 10.7, and 10.8 Images we wanted to put together for our netrestore images on our server, but can only do 10.8 images currently.
    We also have the AppleCare Helpdesk diagnostic kit which includes hardware tests, we were only able to get the newer mid-2012 and late-2012 Diagnostic utilities to netboot but none of the older ones.
    So do we need a server running the older OS to get these or is there a better alternative? I mean, it really shouldn't be a problem considering they're running inside of an image and don't rely heavily on the server resources other than to say "Yep, goto this file/directory".
    I'd like to know more as well....

  • Lion server not netbooting Snow Leopard image

    I have a Lion server set up and I am trying to serve Lion and Snow Leopard netboot images off of this singular server. I was able to create the Netboot images using SUI for both Lion and Snow Leopard. I dropped the Snow Leopard netboot image into the proper folder on the server yet it will not recognize the Snow Leopard netboot image. Does anyone know how to get Lion server to recognize Snow Leopard image or if Snow Leopard images can be served from Lion Server?

    Apologies if this seems overly simplistic, but just to be very sure:  you say "only one Mac OS X is enabled".  Enabling is an active process, you have to do it.  I'm on vaca, so this is from memory, but I think in server admin, selecting netboot, then the far right icon which I think is settings gives you a sort of matrix of images.  On that page is a list of tabs across the top - again I think it is labeled images and is the far right, but one of them gives a page where there is a check box for enabling images.  You check that box and click save.  You are able to see the image on that page, check the enable box, click save and yet it still is not enabled?

  • Can I recover my Mountain Lion Server from my Time Machine Backup if there was no Recovery HD created moving from Lion?

    Several years ago I upgraded my Mac Server from Snow Leopard to Lion and then to Mountain Lion, where it is now. I believe I can fix a problem if I can rebuild my Mountain Lion Server from my Time Machine backup, however I just discovered that there is no Recovery HD on the drive.  Is there still a way to use my Time Machine Backup to rebuild the server drive?
    Any help will be appreciated.

    Recovery Drive – Restore Missing

  • How to Create lion os x Image for netrestore in mountain lion server

    I have a problem creating a Lion OS X image for NetRestore in Mountain Lion Server. I have a MacBook Pro with all the software that I like for the customized deployment, but when I connect the MacBook Pro to the Mac mini server in target mode, the System Image Utility does not add it to the sources for creating a NetRestore image. This only happens with Lion OS X, because with Mountain Lion OS X it works correctly. Please help me.

    System Image Utility only makes images of the system it ships with.
    In order to make Lion images, you'll need to install the Server Admin Tools for Lion onto a Lion system. You will then find the appropriate System Image Utility in /Applications/Server/.

  • AFP automount sharing broken in Lion Server?

    Network rundown:
    Mac Mini running Server
    two MBPs (one upgraded to Lion, the other still running Snow Leopard)
    The Mini is the OD Master for the three Macs and runs a number of services (Mail, Web, Wiki, VPN, etc.). The important service for this thread is that it serves out three shares via AFP, configured to be automounted on the two laptops. Normally all three shares are set up (via Workgroup Manager / Directory Utility) to use the Kerberos v2 UAM; however, for testing purposes I've temporarily adjusted the UAMs as follows:
    /Groups -> afp://myserver/Groups
    /Volumes/Attic -> afp://;AUTH=No%20User%20Authent@myserver/Attic
    /Volumes/Multimedia -> afp://;AUTH=Client%20Krb%20v2@myserver/Multimedia
    When the Mini is running Snow Leopard Server (10.6.8), the automounting behavior works as expected when connecting from a laptop without a valid Kerberos ticket:
    lionmbp:~>klist -f
    klist: krb5_cc_get_principal: No credentials cache file found
    lionmbp:~>ls /Groups
    ls: Groups: Invalid argument
    lionmbp:~>ls /Volumes/Attic
    [snip - file listing]
    lionmbp:~>df -h /Volumes/Attic
    Filesystem                                Size   Used  Avail Capacity  Mounted on
    afp_000000004oMw0oYHtK4AvcMP-1.2d00010a  466Gi  277Gi  189Gi    60%    /Volumes/Attic
    lionmbp:~>ls /Volumes/Multimedia
    ls: Multimedia: Invalid argument
    and then with a valid Kerberos ticket:
    lionmbp:~>sudo umount /Volumes/Attic
    Password:
    lionmbp:~>df -h /Volumes/Attic
    Filesystem    Size   Used  Avail Capacity  Mounted on
    map -static    0Bi    0Bi    0Bi   100%    /Volumes/Attic
    lionmbp:~>klist -f
    [snip]
    Sep 19 23:27:17  Sep 21 23:27:17  FPRIA  krbtgt/DOMAIN@DOMAIN
    lionmbp:~>ls /Groups
    [snip - file listing]
    lionmbp:~>ls /Volumes/Attic
    [snip - file listing]
    lionmbp:~>ls /Volumes/Multimedia/
    [snip - file listing]
    However, after upgrading the Mini to Lion Server (10.7.1), attempting to automount the same shares does not work at all, regardless of whether a valid Kerberos ticket exists or not
    lionmbp:~>klist -f
    klist: krb5_cc_get_principal: No credentials cache file found
    lionmbp:~>ls /Groups
    ls: Groups: Authentication error
    lionmbp:~>ls /Volumes/Attic
    ls: Attic: Input/output error
    lionmbp:~>ls /Volumes/Multimedia/
    ls: : Invalid argument
    lionmbp: /usr/bin/kinit
    [snip - provide password]
    lionmbp:~>klist -f
    [snip]
    Sep 19 23:15:09  Sep 21 23:15:09  FPRIA  krbtgt/DOMAIN@DOMAIN
    lionmbp:~>date
    Mon Sep 19 23:17:03 CDT 2011
    lionmbp:~>ls /Groups
    ls: Groups: Authentication error
    lionmbp:~>ls /Volumes/Attic
    ls: Attic: Input/output error
    lionmbp:~>ls /Volumes/Multimedia/
    ls: : Invalid argument
    Anyone else encountering the same issues with AFP on Lion Server? Is AFP simply broken, or is there some poorly documented configuration/troubleshooting procedure that can resolve this issue?
    Notes:
    I only tried the automounting from the Lion MBP, I would expect that a Lion <-> Lion AFP connection would have fewer issues than Snow Leopard <-> Lion
    The issue originally presented itself several weeks ago when I attempted to upgrade the server; this AFP problem was a showstopper so I restored SL from a backup. I have since been testing by cloning the server drive to a USB drive, booting from it, and running the upgrade there.
    In performing the Lion Server upgrade, I follow all the defaults. The server is booted off the USB drive to ensure it is in a working state before starting the upgrade. The only post-upgrade changes are to run Software Update (mainly to capture the recent security update) and then to follow the single signon instructions posted here

    Some more testing hints in the direction of the problem:
    aragorn:~>kinit -l 48h -r 48h -p -f [email protected]
    [email protected]'s Password:
    aragorn:~>klist -f
    Credentials cache: API:1501:10
            Principal: [email protected]
      Issued           Expires        Flags    Principal
    Oct  1 17:05:53  Oct  3 17:05:50  FPRIA  krbtgt/[email protected]
    aragorn:~>ls /Volumes/Multimedia
    ls: Multimedia: Invalid argument
    aragorn:~>mkdir /tmp/test; chmod 777 /tmp/test
    aragorn:~>sudo mount_afp "afp://;AUTH=Client Krb [email protected]/Multimedia" /tmp/test
    mount_afp: AFPMountURL returned error -50, errno is -50
    Looking in MacErrors.h reveals
    paramErr                      = -50,  /*error in user parameter list*/
    That both ways of mounting AFP seem to be complaining of argument/parameter errors indicates something isn't being passed across the network correctly or is not being parsed properly on one end or the other. At the moment my dtrace-fu isn't strong enough to delve into this more deeply.
    With 10.7.2 due out soon, I think I'll wait to see if Apple engineering caught this already. If not, I'll raise a bug ticket.

  • Creating SL Images on OSX Lion Server

    I have a 2011 Mac Mini with Lion Server.
    What is the best way to create Snow Leopard netboot / netinstall images from OS X Lion?
    I tried using System Image Utility, but Lion Server will not recognize any Snow Leopard disk.
    I have tried a number of different SL grey install discs, and the 10.6.3 retail...but Lion Server will not recognize these to create a netboot / netinstall image.
    Thank you for any assis

    Hi
    Download the Server Admin Tools from here:
    http://support.apple.com/kb/DL1457
    These are not installed when installing Lion and then Server App. Once installed launch Server Admin, click on the Server's name in the side panel, click on Settings > Services and enable the DHCP Service. Once enabled it should appear in the side panel. The rest should be fairly obvious?
    HTH?
    Tony

  • Mountain Lion Server cannot create NetBoot images for earlier systems

    I'm trying to create a NetBoot image for OS X Lion on my Mountain Lion Server using System Image Utility, but SIU shows the 10.8 installer as the only available disk for creating an image.
    The same 10.7 boot disk is shown as source correctly in Lion Server SIU.
    Does SIU limit the creation of NetBoot images only to the same OS X version or am I missing something?
    Ideas?
    Thank you!

    Yes. SIU for Mountain Lion only makes images of Mountain Lion.
    To make images for Lion, you'll need to download the Server Essentials package for 10.7.5 and install it onto a Lion system.

  • How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

    I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
    Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
    Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Someday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
    Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
    1. DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
    2. DVD>Install Lion
    3. Reboot, hopefully Lion install kicks in
    4. Update, update, update Lion (NOT Lion Server yet) until no more updates
    5. System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standby)
    6. Terminal>$ sudo scutil --set HostName server.domain.com
    7. App Store>Install Lion Server and run through the Setup
    8. Download install Server Admin Tools, then update, update, update until no more updates
    9. Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
    10. System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
    11. A few DNS set-up steps and these most important steps:
        A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
        B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
        C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
        D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
        E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
        F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
        G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed as an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
        H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.]
        I. Test from web browser server.domain.com/mydevices: Lock Device to test
        J. ??? Profit
    12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
    You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
    Firewall
    Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is mostly a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
    SSH
    Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    I'm not sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist ; sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist" to restart the server's ssh daemon.
    Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
    client$ ssh-keygen -t rsa -b 2048 -C client_name
    [Securely copy ~/.ssh/id_rsa.pub from client to server.]
    server$ cat id_rsa.pub >> ~/.ssh/authorized_keys
    I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
    $ diff denyhosts.cfg-dist denyhosts.cfg
    12c12
    < SECURE_LOG = /var/log/secure
    > #SECURE_LOG = /var/log/secure
    22a23
    > SECURE_LOG = /var/log/secure.log
    34c35
    < HOSTS_DENY = /etc/hosts.deny
    > #HOSTS_DENY = /etc/hosts.deny
    40a42,44
    > #
    > # Mac OS X Lion Server
    > HOSTS_DENY = /private/etc/hosts.deny
    195c199
    < LOCK_FILE = /var/lock/subsys/denyhosts
    > #LOCK_FILE = /var/lock/subsys/denyhosts
    202a207,208
    > LOCK_FILE = /var/denyhosts/denyhosts.pid
    > #
    219c225
    < ADMIN_EMAIL =
    > ADMIN_EMAIL = [email protected]
    286c292
    < #SYSLOG_REPORT=YES
    > SYSLOG_REPORT=YES
    Network Accounts
    Use Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
    2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
         User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
    Oh well.
    Email
    Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
    root:           myname
    admin:          myname
    sysadmin:       myname
    certadmin:      myname
    webmaster:      myname
    my_alternate:   myname
    Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
    cd /etc/postfix
    sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
    echo 'smtp_sasl_security_options = noanonymous' | sudo tee -a ./main.cf
    sudo serveradmin stop mail
    sudo serveradmin start mail
    Finally, make sure that you're running a blacklisting service yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
    If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
    iCal Server
    Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
    Web
    The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
    $ diff httpd.conf.default httpd.conf
    95c95
    < #LoadModule ssl_module libexec/apache2/mod_ssl.so
    > LoadModule ssl_module libexec/apache2/mod_ssl.so
    111c111
    < #LoadModule php5_module libexec/apache2/libphp5.so
    > LoadModule php5_module libexec/apache2/libphp5.so
    139,140c139,140
    < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    < #LoadModule encoding_module libexec/apache2/mod_encoding.so
    > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    > LoadModule encoding_module libexec/apache2/mod_encoding.so
    146c146
    < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    177c177
    < ServerAdmin [email protected]
    > ServerAdmin [email protected]
    186c186
    < #ServerName www.example.com:80
    > ServerName domain.com:443
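    Review bot: In the 186c186 hunk, "ServerName domain.com:443" does not match the name the rest of the post uses for TLS. The post says the automatically created certificate only knows about server.domain.com, and its example URLs are all under https://server.domain.com/. Consider "ServerName server.domain.com:443" here, or keep domain.com only once the certificate also lists it, so that self-referential redirects do not send clients to a name that fails certificate validation.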
    677a678,680
    > # Server-specific configuration
    > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
    > Include /etc/apache2/mydomain/*.conf
    I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
    Alias /eyetv /Users/uname/Sites/EyeTV
    <Directory "/Users/uname/Sites/EyeTV">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
    <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
    Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
    One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
    Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
    User-agent: *
    Disallow: /
    Misc
    VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.
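
    The three sshd_config settings from the SSH section of this post can be verified rather than assumed. The script below is an added example, not the poster's code; the function name, finding labels and both sample configs are constructed for illustration. It applies the sshd_config rule that the first value obtained for a keyword wins, and treats any Match block that re-enables a setting as a finding.

```python
"""Added example: audit sshd_config text for the three settings the post hardens."""
import re

# Settings and values taken from the post's SSH section.
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}

# "Keyword value" or "Keyword=value"; comment and blank lines do not match.
LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(\S.*)$")


def audit_sshd_config(config_text):
    """Return a list of (line_number, keyword, finding) tuples.

    Findings: "weak"          effective global value differs from REQUIRED
              "shadowed"      a later global line that sshd ignores
              "weak-in-match" a Match block relaxes the setting
              "unset"         keyword absent, so the build default applies
    """
    first_seen = {}          # keyword -> line number of the effective global value
    findings = []
    in_match = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:
            continue
        keyword = m.group(1).lower()                 # keywords are case-insensitive
        value = m.group(2).strip().strip('"').lower()
        if keyword == "match":
            in_match = True                          # everything after is conditional
            continue
        if keyword not in REQUIRED:
            continue
        if in_match:
            if value != REQUIRED[keyword]:
                findings.append((lineno, keyword, "weak-in-match"))
        elif keyword in first_seen:
            findings.append((lineno, keyword, "shadowed"))
        else:
            first_seen[keyword] = lineno
            if value != REQUIRED[keyword]:
                findings.append((lineno, keyword, "weak"))
    for keyword in REQUIRED:
        if keyword not in first_seen:
            findings.append((0, keyword, "unset"))
    return findings


# Constructed sample: a commented-out directive, a duplicate that looks like a
# fix but is ignored, and a Match block that turns passwords back on.
WEAK_CONFIG = """\
# constructed sample
#PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.1.0/24
    PasswordAuthentication yes
"""

# The three lines exactly as given in the post.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(text) or "no findings")
```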

    Privacy Enhancing Filtering Proxy and SSH Tunnel
    Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
    If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
    $ ./ssht 8080:[email protected]:3128
    $ ./ssht 8080:alice@:
    $ ./ssht 8080:
    $ ./ssht 8018::8123
    $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
    $ vi ./ssht
    #!/bin/bash
    # Requires bash: uses shopt extglob and == inside [ ]
    # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
    USERNAME_DEFAULT=username
    HOSTNAME_DEFAULT=domain.com
    SSHPORT_DEFAULT=22
    # SSH port forwarding specs, e.g. 8080:localhost:3128
    LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
    REMOTEHOST_DEFAULT=localhost    # Default is localhost
    REMOTEPORT_DEFAULT=3128         # Default is Squid port
    # Parse ssh port and tunnel details if specified
    SSHPORT=$SSHPORT_DEFAULT
    TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOTEHOST_DEFAULT:$REMOTEPORT_DEFAULT
    while [ "$1" != "" ]
    do
      case $1
      in
        -p) shift;                  # -p option
            SSHPORT=$1;
            shift;;
         *) TUNNEL_DETAILS=$1;      # 1st argument option
            shift;;
      esac
    done
    # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
    shopt -s extglob                        # needed for +(pattern) syntax; man sh
    LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
    USERNAME=$USERNAME_DEFAULT
    HOSTNAME=$HOSTNAME_DEFAULT
    REMOTEHOST=$REMOTEHOST_DEFAULT
    REMOTEPORT=$REMOTEPORT_DEFAULT
    # LOCALHOSTPORT
    CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
    CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR%:}                            # delete :
    if [ "$CAR" != "" ]                     # leading or trailing port specified
    then
        LOCALHOSTPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEPORT
    CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
    CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # leading or trailing port specified
    then
        REMOTEPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEHOST
    CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
    CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # remote host specified
    then
        REMOTEHOST=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # USERNAME
    CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading *@
    CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR%@}                            # delete @
    if [ "$CAR" != "" ]                     # user name specified
    then
        USERNAME=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # HOSTNAME
    HOSTNAME=$TUNNEL_DETAILS
    if [ "$HOSTNAME" == "" ]                # no hostname given
    then
        HOSTNAME=$HOSTNAME_DEFAULT
    fi
    ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
        && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
        || echo "SSH tunnel FAIL."
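
A check to go with the setup above, added here as an example and not part of the original post: it reads macOS `netstat -an -p tcp` output and lists which of the ports the post mentions (proxy ports 3128, 8118, 8123 and VNC 5900) listen beyond loopback. The function names, the constructed sample lines, and the inclusion of PostgreSQL's default port 5432 are assumptions of the example.

```shell
#!/bin/sh
# Ports to audit: the proxy ports and VNC port named in the post, plus
# PostgreSQL's default port 5432 (assumption: the default port is in use).
WATCHED_PORTS="3128 5432 5900 8118 8123"

# Read `netstat -an -p tcp` output (macOS column layout) on stdin and print
# one "port address" line for each watched port that listens on anything
# other than a loopback address.
exposed_listeners() {
    awk -v ports="$WATCHED_PORTS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) watched[p[i]] = 1
        }
        $NF == "LISTEN" {
            laddr = $4
            # macOS netstat joins address and port with a dot,
            # so split at the last dot in the local address column.
            idx = 0
            for (i = length(laddr); i > 0; i--)
                if (substr(laddr, i, 1) == ".") { idx = i; break }
            if (idx == 0) next
            addr = substr(laddr, 1, idx - 1)
            port = substr(laddr, idx + 1)
            if (!(port in watched)) next
            # Loopback listeners are only reachable locally or via the ssh tunnel.
            if (addr == "::1" || addr ~ /^127\./) next
            print port, addr
        }
    ' | sort -n
}

# Constructed sample input (not captured from a real server).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.5432         *.*                    LISTEN
tcp4       0      0  *.3128                 *.*                    LISTEN
tcp46      0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  192.168.1.10.8118      *.*                    LISTEN
tcp6       0      0  ::1.8123               *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.10.22        192.168.1.20.50122     ESTABLISHED
EOF
}

# On a real host: netstat -an -p tcp | exposed_listeners
sample_netstat | exposed_listeners
```

Any port printed here is reachable from the network unless the firewall blocks it; a service meant to be used only through the ssh tunnel should not appear in the output.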

  • What I wish I'd Known Before My Lion Server Install

    The truth is that I am on my FIFTH Lion Server install on the same box this week. While I was working on #4, I went ahead and submitted a ticket with Apple and arranged a timeslot for this morning to work with them to help me past my struggles with Lion Server. This post is the result of that experience. Big props to Apple support techs Chuck and Don - you know who you are!
    What I Wish I'd Known Before My Lion Server Install
    1. Do NOT migrate user accounts, apps, and files, until AFTER you have the Server set up and working correctly.
    - This one tip, which is brilliantly simple, would have saved me four very long days of head bashing.
    2. Server Admin Tools are mandatory.
    - The first time around I used the Server App to configure the system (after an upgrade install, and subsequently after a clean install + migration).
    - Server Admin allows you to set up the foundation of your server - which it NEEDS!
    - DNS - configure a local, pseudo domain for your server if you're doing this at home. Something like "mynet.private" - if you don't, your SSL certificates can get all jacked up, your clients will not trust your certs. This breaks a lot of stuff.
    3. Do NOT accept the mDNS .local domain suffix for your Server
    - At each step, if something auto-fills your server name as name.local reject it, and use the fully qualified domain name that you set up above (server.mynet.private).
    - If you do not do this, anything that requires certificates could/will have big problems.
    4. Enable services one at a time. Reboot after EACH major phase past the core Lion install.
    - Base install ... Server install. REBOOT
    - DNS configuration. REBOOT
      - validate your host name - I needed to force a 'changeip' command because there was a problem with the HOSTNAME retaining the mdns .local domain name.
    - OD Master config. REBOOT
    - Set up Podcast Producer (which will also setup your Xgrid). REBOOT
    5. Take images of your hard drive as you go.
    - Once I got the core server installed, the basic services above, I rebooted and held the option key, then restarted on the Recovery HD image.
    - Use Disk Utility to take a snapshot image of your hard disk so you can get back to this wonderful place of everything working! It's cheap insurance, and adds a bit of extra time, but is well worth it. If you leave the default settings alone (the 'compressed' one in particular) it will use as little space as possible. My server at this stage of configuration created a 4GB disk image.
    6. Use the Migration Assistant After the above
    - Now you can migrate your apps
    - Migrate your users
    - etc.
    If you use the Migration option while you're installing the server, or if you upgrade on top of your Snow Leopard (or whatever), I can almost guarantee you that you are in for a world of hurt.
    I struggled through all kinds of issues with files having embedded information, scattered throughout all the various subsystems, that gummed up my installation and would cause all manner of the flakey Lion Server behavior that you read about ("Error Reading Configuration").
    If you want to use Podcast Producer, or any of the Profile Manager features, the above methodology was the only way that I could get them to work. Often times I'd have everything working, then reboot and it would break. After I did the above, the system is as solid as a rock.
    Today, I love Lion Server. Yesterday I was cursing it.
    Best of luck!!

    There are 2 distinct apps in Lion Server.... Podcast (in Server app) and Podcast Producer (Server admin which is deemed legacy from SNS).  Podcast uses Podcast Publisher instead of Podcast Capture to produce, edit and submit to Podcast app.  Podcast doesn't require Xgrid where PCP did. The two don't mix.
    It's as clear as mud in all the documentation about this.
    We're finding that Podcast Publisher has much more flexibility than Podcast Capture (edit, episodes & more), can use existing workflow from PCP, doesn't require xgrid, and podcasts can easily be managed by non-IT people via the Podcast wiki as opposed to the CLI pcast commands to edit & modify PCP feeds.
    Hope this helps.

  • How to install OSX 10.6 client in Mac Mini Server 10.7 Lion Server

    I am ordering a Mac Mini Server with Lion Server 10.7, with 256GB SSD and 750GB HD.  I want to use Snow Leopard (client/workstation) instead.  Previously I have already purchased retailed version of 10.5 clients and 10.6 client upgrade.  Please advise the best approach from the followings (or more suggestions from you guys...). 
    (A) The boot disk (likely to be the SSD) will be re-formatted and re-installed by "clean" installation of 10.6 client.  But I am not sure whether all hardware drivers for the new Mac Mini (2011) are available in the 10.6 client disk.  Also, it seems to me that installation disk of 10.7 server will not be provided.  So I shall not be able to re-install server version again if I want to change this Mac to a server sometimes afterwards.  Of course I would like to keep this server software for investment protection, no matter I use it or not.  If 10.6 client can be installed, I shall use bootcamp to install Windows 7 also.  So there will be 2 partitions to be usable apparently.
    (B) The factory-installed OSX 10.7 server is kept, and one more partition is created (with Disk Utilities).  Snow Leopard workstation 10.6 will be installed at this new partition.  If 10.6 client can be installed, I shall use bootcamp to install Windows 7 also.  So there will be 4 partitions, including 10.7 server, 10.6 client, 10.7 recovery drive and bootcamp for Windows 7.  Since I want to put all OS software at the SSD (faster boot-up and better performance), the drawback is that each partition is with less space.
    Do you guys have other ideas or suggestions?
    [Background]
    In fact I want to make use of its strongest computing power (amongst available Mac Mini computers in store), quad-core CPU & dual disks,  to run music applications (DAWs).  Operating systems are put at SSD, and data is put at traditional harddisk.  As some music applications (e.g. Cakewalk Dimension) only support 10.6 currently, I need to down-grade from Lion server to Snow Leopard workstation.  Also I think applications can run faster in a hardware with  workstation OS (rather than server version). Please correct me if this belief is wrong. 
    Thanks / Howard.

    If you completely wipe the original Mac mini boot drive you will wipe the Server.app software and lose it. You should make a backup first, perhaps by saving the entire boot drive as a Disk Image file on to another drive.
    In terms of installing 10.6, the 10.6 DVD will not boot on the new Mac mini even if you connect a DVD drive. You need to put the Mac mini in to FireWire Target Disk Mode and connect it to an older Mac that will allow booting from that DVD, then install on to the Mac mini (over FireWire). You then need to upgrade it using the 10.6.8 Combo Updater; this will add the drivers needed for the new Mac mini.

  • Help! Can't reinstall Lion Server on Mac Mini Server

    To me, the perfect computer is a Mac Mini server (the current model) with one of the HDDs replaced with an SSD. I did this with two Mac Minis three months ago and it went perfectly.
    Well. I bought a third Mac Mini and have attempted to do the following:
    Carefully opened the case, removed the top parts and memory.
    Removed the top 500 GB HDD
    Replaced it with a OCZ Vertex 3 SATA III 2.5" SSD
    Booted from a SD Card with the recovery system on it
    Formatted both SSD and the other HDD, ensured they have the GUID boot block needed for Apple booting
    What happened was...a total let down. It would start to download Mac OS Lion Server then tell me, "Could not find installation information for this machine. Contact Applecare." If I went and re-formatted the SSD and tried it again, often it would go past this section, actually starting the download, but then I'd get "Can't download the additional components needed to install OS X."
    I verified all connections were solid. Putting the original HDD back caused the machine to boot fine and let me set up Lion Server for use (oddly, even though I'd formatted one of the two RAID drives, but whatever). I am doing the exact same thing I did before successfully, only with an OCZ drive this time instead of Other World Computing. Either Mac Minis hate working with OCZ SSDs, or I made some mistake somehow (I'm pretty sure I didn't), or else Apple has flipped a switch forbidding software restoring of Mac Minis that have been "altered" from factory state. If so this will be a huge problem for Apple. I will make sure the major Apple blogs hear of this, if this is the case.
    Can anyone suggest what else I can try to get this to install? If I can get a spare OCZ SSD so it's exactly the same as my previous successes. Otherwise I don't know what else to try.
    (I guess cloning the system from one of the Mac Minis that works would be a possibility, though I want to solve this.)

    Found that the second hard drive is broken. I have to go to the apple store to have it replaced.
    I had to press the power button to turn the server off several times, then the broken hard drive disappeared. After that, I had to disable Spotlight. Then the server went back to working normally.
    Now I made a CCC copy of the primary hard drive, and would like to have the server run on the external raid disk (connected through thunderbolt). Does anyone have previous experience with it? Any expectable drawback or issue with this setup?

  • How to reinstall OS X Lion Server

    I'm a newbie OS X admin. I bought a new Mac Mini 2010 with Lion Server. I want to do RAID 0 with my HDD.
    I made an image of the Recovery Partition, then formatted the partition and set up RAID 0.
    I set up with Mac OS X Lion 10.7 GM build 11A511.
    The install succeeded but .... no Lion Server.
    I tried to check the Mac Store, but I found I need to buy a Lion Server license?
    These are my questions:
    1.  Is the Lion Server that comes pre-installed with the Mac Mini a licensed version or not?
    2.  Should I restore from the recovery partition and get Lion Server from it?
    3.  How do I make a recovery DVD or anything that makes it easy to reinstall?
    Thank You very much.

    The 2010 Mac mini Server did not come with Lion Server, it was shipped with Snow Leopard Server. To go from Snow Leopard to Lion is a paid upgrade, not a free update. Up until Snow Leopard there was a SL client OS and a SL Server OS. Now Lion Server is an add-on purchase to the Lion client. So you must buy and install the Lion client, then the second step is to buy and install the Lion Server add-on. You purchase both Lion and Lion Server through the Mac App Store.

  • Mac OS X 10.7 Lion Server - Device Management?

    Hi,
    I would like to know in detail what devices Mac OS X Lion Server manages. And how does the server manage devices such as iPhone and iPad etc?
    My company is currently using an Apple Mac Mini Server and would like to manage the devices.
    Many Thanks.
    Carson

    You could try booting from an external USB hard drive and using a data recovery utility like Data Rescue X.  Your mileage will vary depending on the circumstances.  I would only try recovering data files and not recover the whole system.  No sense fooling with an OS when it is trivial to reinstall and know it is working.  Make an image of a freshly configured OS to aid in recovery like this.
    Retrieve your documents & preferences if you are lucky.   The data may still be there, but file names and other meta data may not be recoverable.   If file names are not recoverable, then you will have tons of files to sort through trying to make sense of what is what.  They are sorted by type, but you will be surprised at the number of such files used by the system and in temp/cache files.  I recently had a case where someone deleted a bunch of files and then emptied the Trash.  I got the files back, but with no file names.  I was unable to find a way to retrieve the file names and even asked a forensic recovery expert for any reasonably priced software to do it.
    If this is your only Apple computer and you need to make a bootable  external drive, then make sure to install OSX on the external drive and not on the internal drive you are trying to recover.
