Wednesday, December 30, 2009

Changeip command for updating IP and host names: OS X Server

If you need to update the IP address or host name on an OS X server you need to run the changeip command:

First run sudo changeip -checkhostname to see what the true host name is.

You can then change the IP and the host name in one fell swoop:

    sudo changeip - [old IP] [new IP] [old host name] [new host name]

e.g.: sudo changeip - 100.192.46.10 100.192.46.12 oldserver.mynetwork.com newserver.mynetwork.com


If you just want to change the IP then leave out the host name part. If you want to change only the host name you still must put in the IP addresses, even if they are the same.

On the server open a Terminal window and type “man changeip” for a good rundown of the command syntax and parameters.


Here is a link to the man page. 

Friday, December 18, 2009

Snow Leopard: Kerberos ticket not renewing coming out of Screen Saver

We had another case opened with Apple about the Kerberos ticket not renewing after typing in the password coming out of the screen saver in Snow Leopard. They sent me these instructions on modifying a file in /etc and it looks like it is resolving the problem. If you have a Snow Leopard machine bound to AD, please try it out too so we can confirm it works.

Please edit the “system.login.screensaver” entry in the /etc/authorization file to read like this:

    <key>system.login.screensaver</key>
    <dict>
        <key>class</key>
        <string>rule</string>
        <key>comment</key>
        <string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>
        <key>rule</key>
        <string>authenticate-session-owner-or-admin</string>
    </dict>


Note that the string:

The owner or any administrator can unlock the screensaver

is changed to:

(Use SecurityAgent.) The owner or any administrator can unlock the screensaver
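To confirm the edit is actually in place on a bound machine, here is an added Python check (not part of the original post). The sample plist is constructed to match the entry above, and it assumes the entry lives under the top-level "rights" key of /etc/authorization.

```python
import plistlib

# Constructed fragment of /etc/authorization (OS X 10.6 layout assumed),
# showing the screensaver right after the edit described in the post.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>
      <key>rule</key>
      <string>authenticate-session-owner-or-admin</string>
    </dict>
  </dict>
</dict>
</plist>
"""

RIGHT = "system.login.screensaver"
MARKER = "(Use SecurityAgent.)"
EXPECTED_RULE = "authenticate-session-owner-or-admin"


def check_screensaver_right(plist_bytes):
    """Return (ok, reason) for the screensaver right in an authorization plist."""
    db = plistlib.loads(plist_bytes)
    right = db.get("rights", {}).get(RIGHT)
    if right is None:
        return False, f"{RIGHT} right not found"
    if right.get("class") != "rule" or right.get("rule") != EXPECTED_RULE:
        return False, "class/rule differ from the values in the workaround"
    if MARKER not in right.get("comment", ""):
        return False, "comment lacks the (Use SecurityAgent.) marker"
    return True, "workaround present"


def check_file(path="/etc/authorization"):
    """Run the check against the real file on a client."""
    with open(path, "rb") as fh:
        return check_screensaver_right(fh.read())


if __name__ == "__main__":
    print(check_screensaver_right(SAMPLE_AUTHORIZATION))
```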

Monday, November 16, 2009

To cache secondary mailboxes in Outlook

One of the problems in Outlook is that if a user wants to send/receive mail using multiple accounts it is a pain to set up. Not only that, but once you've attached the second account in Outlook it is online and not cached. This results in very slow performance.

MS has a registry fix for this (if you are using Exchange 2007):

http://support.microsoft.com/kb/955572

Monday, October 19, 2009

Snow Leopard: first impressions


I did these tests using an older 1.83 GHz iMac Core Duo with 1GB of RAM

Binding

Logged in as “administrator” binding from the “Join” button in Accounts failed with an error “unable to add server eServerSendError -14740.”

When binding through Directory Utility I received a notice that the computer account already existed.  I checked the entire directory and the account was not there.

In Terminal I typed “dsconfigad -show” and found that the computer name was different from the name I had specified for the computer. I searched the AD, found the computer account listed by the “show” command and deleted it.

I also deleted all the PTR records for my subnet and reconfigured DHCP so that our DNS service account owned the DNS records. This is our new standard DHCP/DNS setup for all subnets.

I attempted to bind again with the [binding service account] and the bind failed with “insufficient privileges.” Using my domain admin account, I was able to bind the computer.

The edu.mit.kerberos file generated by the binding process was incorrect (lacking realm and server information) so I replaced it with a file containing the correct information.

LDAP lookups were handled properly after the bind.

dsconfigad -show displayed the correct computer name.

Restarted the computer and logged in with my AD account.  I was given a warning that my password would expire in 29 days (I had just changed my password) and it prompted me to set up a mobile account.  On subsequent logins I was not given the password expiration warning. 

Restarting the computer was very quick: it only took about 40 seconds. Directory Services was slow to start: 30-45 seconds after the login window appeared.


File handling and transfers

It has been reported that connecting to an SMB volume produces a beach ball lockup. I was able to connect to SMB shares (using SSO) but it took about 2 minutes. AFP connections were virtually instantaneous.

3GB transfers to/from an SMB share on a Windows 2003 server across a 100 Mb network took 3 minutes.

3GB transfers to/from an AFP share on a Mac Mini running 10.5.8 server across a 100 Mb network took 6 minutes.

If I enabled Secure Empty Trash I was unable to delete the 3GB file. It would hang about halfway through the process and I was forced to restart the Finder. Turning off Secure Empty Trash allowed me to empty the trash without a problem.

Deleting an item from an AFP or SMB server volume closed the window.

There is now a “put back” function in Trash just like in XP.


Mac Mail

Auto setup asked twice to trust the certificate from IPG mail server.

There was no need to configure LDAP to do a GAL lookup.

Mail cannot access Public Folders.

There is now an archive mail function.

Meeting invites from Outlook and Entourage functioned perfectly regardless of whether or not they had attachments.

Meeting invites to Outlook and Entourage functioned perfectly.

It took a long time for mail to download and display in the Inbox window.  Both my Blackberry and Entourage received mail much faster.

Notes are now synced properly with Blackberries.

Removing signatures locks up Mail.

There is no way to remove attachments!  You must delete the entire mail.

Calendar

Delegates are limited to Calendar viewing only: you cannot configure shared mailboxes from the Mail client.

Free/Busy status in Calendar worked very well and it is nice that you can search for the next available time your invitees are available.

When viewing another person’s calendar their events are merged into your calendar and displayed as a different colour.  People will either love this or hate it.

Once you’ve started to create a meeting request there is no “Cancel” button.  You have to finish the request and then delete it.

Tasks entered into Mail say they will be put into a Tasks calendar but they are not.

There doesn’t seem to be a way to change the colour of calendar events.

Invites sent from a different time zone display the correct local time in the message header.  The body text shows time for the sender, accepting the invite puts it into Calendar at the correct time.  Entourage still has the problem where meeting invites sent from different time zones display the incorrect time when you double click on the event in your calendar.

There is a handy button that changes the time zone for all events in your calendar.  Changing them back works too!


Address Book seems to be pretty much unchanged.

Tuesday, August 18, 2009

Accents in display names causing problems in Entourage

We have seen problems in Entourage where an e-mail will arrive and have the sender's name split in two parts. One part will contain the valid e-mail address and the other will simply have a question mark before it. Attempting to reply to messages like this results in the message bouncing with a failure notice similar to "invalid e-mail address."

We have found that users who have accents in their display names cause this problem. Removing the accent in the user's AD display name resolves the issue.

This is only a problem in Entourage 2008; Entourage Web Services Edition and Outlook do not display this behavior.


Thursday, August 6, 2009

Mac: Kerberos time-outs and locked screen saver

This is an interesting little glitch.

On AD bound Macs if a user has their screen-saver set to require a password to deactivate and the user leaves their computer on for more than 10 hours, they will not be able to unlock the screen-saver. Apple has confirmed that this is a problem and advises that the user should enter their user name and password and then wait for one minute before they press “OK.”

This affects all versions of OS X through 10.5.7. The latest 10.5.8 patch is supposed to fix the issue.

The default time-out for a Kerberos ticket is 10 hours but with the screen-saver password lock enabled the Mac doesn’t auto renew the ticket properly. Normally every time you unlock your screen-saver it refreshes the Kerberos ticket back to 10 hours, but this simply doesn’t happen if the machine has been sitting on and idle for over 10 hours.

Creating a mobile account after the fact: Mac

If you need to enable a mobile account after you have already set up a user's network account (and didn't create the mobile account at first log in) do the following:

On the client, log in as the local Administrator, and in Terminal issue the command:

    sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -vsn myusername /my/homedirectory

The variables "myusername" and "/my/homedirectory" are specific to the account you are working with.

If you don't want syncing enabled, the argument is -vSn

Thursday, July 30, 2009

Shaky login on Mac

Normally shaky logins are caused by missing or corrupt edu.mit.kerberos files, so always check that first, but you might also want to look at the user's e-mail address in AD too.

We had a user who couldn’t log into any bound Mac using his AD account, but he could log into a PC. On the Macs, he would get a shaky login box and a cryptic error saying “you can’t log in at this time”.

Checking his AD account I noticed that he didn’t have a secondary SMTP of @corp.ipgnetwork.com. I added the SMTP, waited for replication and then he was able to log in.

Thursday, July 9, 2009

Wednesday, June 3, 2009

Garbled Text in Entourage

Problem: Entourage displays garbled text in all fields: header, folder names and message body.

Fix: Go to /Users/[user name]/Library/Caches and delete the com.microsoft.browserfont.cache file.

Relaunch Entourage and the text should be back to normal.

Friday, May 29, 2009

Entourage not sending mail: MSS and MTU packet size problem

We have had a problem in one of our Warsaw offices where their Entourage 2008 clients (connected to Exchange 2007 via OWA) were not able to send mail.

After much trial and error we found that the MSS packet size was set incorrectly. Allowing larger packets resolved the problem.

We set the MSS packet size to 1300 and the internal and external MTU size to 1500.

Doing a tcpdump and searching for "MSS" showed that the packet size was 1460. However, it looks like the TCP packet length to the OWA server is 1400.

Wednesday, April 29, 2009

Macs not logging in: duplicate AD names

Problem: A user in EMEA can't log into their AD bound Mac. After investigation it is found that a duplicate name exists in another forest (North America). We have been working around this by renaming one of the accounts.

Possible solution (being tested now): from a command line on the user's machine type dsconfigad -namespace domain and then log in with domain\shortname.

See this link for more details: http://archive.netbsd.se/?ml=macos-x-server&a=2008-09&t=8621106

Incorrect host names on Mac clients

As many of you are no doubt aware, the Mac hostname displayed on the client and in the DNS Name field of ARD is more than likely incorrect. For example, your Mac might be named ldntam-DMX1234 but you get a hostname of OSLggk-DXP5678 or some other random name. This is a problem for applications such as LANDesk which need accurate DNS names associated with IPs.

After much research and many discussions with Apple we have finally received this definitive reply:

“Mac OS X 10.5 clients do not update PTR (reverse) records. The 10.5 Mac clients will register an A record and the DHCP server must register the Mac's PTR record. If a PTR record already exists with the IP address that a Mac has, the Mac will be given the hostname of the previous PTR record. That is why scavenging and choosing the option to discard A and PTR records when the lease is deleted is necessary.”

DHCP servers can be configured to either update A and PTR records only if requested by clients or to always update DNS A and PTR records. The problem with the latter method is that the server, rather than the client, will own the record and the client’s ACL is not included in the DNS object’s security list. This can cause problems if the client goes to another location, if the DHCP server is changed or if the A and PTR records are not released properly (which happens a lot).

It is also highly recommended that DHCP servers NOT reside on domain controllers. In such a configuration (DHCP and DNS on the same server) MS recommends using an account with DNS credentials to update the DNS records to ensure the integrity of Dynamic DNS updates.

According to Apple, Snow Leopard should have the ability to dynamically update PTR records.
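The stale-PTR situation Apple describes above can be detected by checking that a hostname's A record and the PTR for that address agree; the same forward/reverse check is what you want to see pass before a changeip on a server. This is an added example, not from the post; the example.com names and 10.0.0.x addresses are constructed, and the resolver is swappable so the check can run against constructed zone data offline or the real resolver on a subnet.

```python
import socket


def roundtrip_check(hostname, forward=socket.gethostbyname,
                    reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Check hostname -> A record -> PTR record -> same hostname.

    forward(name) returns an IP string, reverse(ip) returns a name; both
    default to the system resolver. Returns (status, ip, ptr_name) with
    status "ok", "no-a-record", "no-ptr-record" or "stale-ptr".
    """
    try:
        ip = forward(hostname)
    except OSError:  # socket.gaierror/herror are OSError subclasses
        return "no-a-record", None, None
    try:
        ptr = reverse(ip)
    except OSError:
        return "no-ptr-record", ip, None
    if ptr.rstrip(".").lower() != hostname.rstrip(".").lower():
        # The PTR still names the previous lease holder: exactly the case in
        # which a 10.5 Mac picks up the wrong hostname.
        return "stale-ptr", ip, ptr
    return "ok", ip, ptr


# Constructed zone data standing in for the real resolver (hypothetical
# names): the DMX1234 Mac got 10.0.0.5 from DHCP, but the PTR for 10.0.0.5
# was never refreshed and still names the machine that had the lease before.
CONSTRUCTED_A = {
    "ldntam-dmx1234.example.com": "10.0.0.5",
    "good-mac.example.com": "10.0.0.6",
    "no-ptr.example.com": "10.0.0.7",
}
CONSTRUCTED_PTR = {
    "10.0.0.5": "oslggk-dxp5678.example.com",
    "10.0.0.6": "GOOD-MAC.example.com.",
}


def _lookup(table, key):
    if key.lower() not in table:
        raise OSError("NXDOMAIN: " + key)
    return table[key.lower()]


def fake_forward(name):
    return _lookup(CONSTRUCTED_A, name)


def fake_reverse(ip):
    return _lookup(CONSTRUCTED_PTR, ip)
```

Calling roundtrip_check with the default resolvers performs the check against live DNS for the host you pass in.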

Saturday, March 7, 2009

BEUTILITY (BackupExec Utility)

To migrate the BackupExec databases after the server has been migrated to a new domain:

Make sure you change all the BackupExec services so that they launch using a local service account, not a domain or local admin account. DO THIS FIRST and then run the beutility.exe app.

The beutility.exe file is located in the same folder as the main BE application.

Launch beutility.exe. The option is not easy to find: click on the list of servers, right click on the server name and select "update configuration to reflect new media server name", then fill in the new domain and server name and the old domain and server name.

Friday, February 27, 2009

Enable random signature in Entourage

  • Set up your signatures in tools/signatures
  • In the signature put a tick in "Include in random list"
  • Close the signatures and go to tools/accounts/
  • Double click on your mail account and go to the Options tab
  • In the "Default signature" pull-down select "Random"
  • Click "OK"
Now each time you create a new mail message it will select a signature from your Random list.

Thursday, February 19, 2009

OS X Server: Speeding up directory searches

One of the major complaints about OS X Server is that once it is bound, searching for users/groups from the AD can take a long time (and sometimes times out before completion).

The problem, according to Apple, is that AD doesn’t index any attributes for a substring search and therefore all records have to be searched. The Workgroup Manager plug-in times out after 60 seconds and even an ldapsearch from the command line will only search for 120 seconds and then give up.

Apple has two suggestions to speed up searches:

  • In Workgroup Manager, click on the little magnifying glass in the search window, select "Name is" and enter the last, first of the user you are searching for
  • In Workgroup Manager, click on the little magnifying glass in the search window, go to “advanced” and search for “Real Name”. This searches the cn attribute and is much faster than a normal search; this works for groups too

I have tested both of the above work-arounds and found that they work very well. The Real Name search is particularly fast.