What are the minimum RAM and disk requirements for installing OS X Server?
The minimum RAM and disk requirements for OS X Server are:
• 2GB of RAM (more for high-demand servers running multiple services)
• 10GB of available disk space
What tool do you use to perform an installation and initial configuration of OS X Server?
You use the Server app to perform an installation and initial configuration of OS X Server.
If you’re installing OS X Server on a Mac, what is one configuration step you should take before installing?
Configure your Mac with OS X to use a manually assigned IPv4 address.
What are two kinds of names associated with your server, and what are they used for?
You can use the Server app to configure these two names:
• Computer name—This is what appears in the Finder sidebar for other Macs if your server offers file sharing services.
• Host name—Computers and devices can access services offered by your server by using your server’s DNS host name, even if they’re not on its local network, as long as the host name corresponds with an IPv4 address that’s reachable and not blocked by firewalls.
How can you install the Server app on an administrator computer?
Use the Mac App Store to download OS X Server. If you purchased a computer with OS X Server preinstalled, copy the Server app from that server to your administrator computer.
Give two examples of services that appear with your server’s computer name.
Your server’s computer name appears in the Finder sidebar window if the File Sharing or Screen Sharing services are enabled. It may also appear in AirDrop, Apple Remote Desktop, and in Xcode preferences when adding a new server for the Xcode service.
What kind of name is new-test-server.local?
new-test-server.local is an example of a local host name.
What kind of name is server17.pretendco.com?
server17.pretendco.com is an example of a host name.
What is the purpose of DNS?
To convert host names into IP addresses and IP addresses to host names.
If no DNS server is defined when configuring OS X Server, how will the server provide DNS for itself?
A basic DNS server is configured automatically and turned on.
If you’re using an external DNS server to provide DNS for your server, what should you do prior to configuring the server?
You should check that the DNS server has the proper forward and reverse DNS information configured for your server’s host name and IPv4 address.
When is it OK to leave the automatically configured DNS server running with no modification?
When it’s a very simple network with one server, and all the computers and devices are on the same network.
When might you want to use a manually configured DNS service on your OS X Server?
When you want to have records for multiple computers and devices.
Using an administrator computer with the Server app installed, how do you use the Server app to administer a remote server?
Open the Server app, choose Manage > Connect to Server, select your remote server from the list (or select Other, and then provide its host name or address), and provide credentials for a local administrator.
What option do you need to select in order to allow another Mac to administer your server, and where is its checkbox?
Select your server in the Server app sidebar (in the Server section), click the Settings tab, and then select the option “Allow remote administration using Server.”
What tools does the Tools menu give you quick access to open?
The Tools menu gives you access to these applications:
• Directory Utility
• Screen Sharing
• System Image Utility
• Xsan Admin
Do you have to install extra software to take control of your server’s keyboard and mouse?
No, on your server computer, you open the Server app and select your server in the Server app sidebar (in the Server section). Click the Settings tab, select the checkbox “Enable screen sharing and remote management,” and then on your administrator computer use Screen Sharing to take control of your server computer’s keyboard.
If you use the Server app to choose a different service data volume to a volume mounted at /Volumes/Data, what folder will contain the service data?
In this case, your service data will be stored in /Volumes/Data/Library/Server.
Do you need to stop all services before using the Server app to change your service data volume?
No, the Server app automatically stops the appropriate services before moving their data to the new service data volume.
Can you remotely install OS X Server on a brand new Mac computer that comes with OS X Server without first configuring OS X on that computer?
No, you need to configure OS X before installing and configuring OS X Server.
How do you display the list of advanced services in the Server app sidebar?
Hover the pointer over the word Advanced in the Server app sidebar, then click Show.
What is the difference between a root CA and an intermediate CA?
An intermediate CA’s public key certificate is signed by another CA. A root CA’s public key certificate is signed by itself. Note that there is a set of root CAs and intermediate CAs that OS X trusts.
What is the problem with just using a self-signed SSL certificate?
Computers and devices accessing services that use a self-signed SSL certificate will see a message that the SSL certificate is not trusted. It is a security risk to teach users to just trust any SSL certificate that causes a warning.
What tool do you use to create a new self-signed SSL certificate and a CSR?
Use the Server app to create a new self-signed SSL certificate and a CSR.
What tool do you use to create a secure archive of your certificate and private key?
Use Keychain Access on the server to create a secure archive of your certificate and private key. Be sure to choose “Personal Information Exchange (.p12)” in the File Format menu of the Save dialog.
Can different services use different certificates, or do all the services on your server need to use the same certificate?
Each service can use a different certificate, or you can use the same certificate for all services.
What is the purpose of alerts?
Alerts provide a system of warning of various conditions.
What are the two ways alerts can be delivered?
Email, and alerts pushed to the Server app.
If you wish to use push alerts, what is the first step you need to take?
Configure the Apple Push Notification service for the server you’re using.
If an alert’s details offer to update services, what is the correct action?
Understand the alert and rectify the situation before making any configuration changes, as they may be unneeded.
Which volumes are shown in the Storage tab in the Server app?
All that are visible and mounted on the server.
Why use Time Machine to back up OS X Server?
Time Machine provides a simple backup system that’s capable of backing up OS X Server and restoring its services.
What files are not backed up by Time Machine that might be important in a server to a system administrator?
What kind of backup targets can be used for Time Machine?
Locally connected volumes and AFP file shares.
If you don’t want to drop the oldest backups, what should you do?
Don’t let the backup target volumes fill up, or the oldest backups will be dropped.
What are three ways of recovering data from a Time Machine backup?
From the Time Machine graphical interface, directly from the backup volume, and via Restore from Time Machine Backup in the Recovery volume.
Describe the difference between authentication and authorization, and give an example of each.
Authentication is the process by which the system requires you to provide information before you can access a specific account. An example is entering a name and password while connecting to the Apple Filing Protocol service. Authorization refers to the process by which permissions are used to regulate a user’s access to specific resources, such as files and shared folders, once the user has been successfully authenticated.
What is the difference between user and administrator accounts on OS X Server?
User accounts provide basic access to a computer or server, whereas administrator accounts allow a person to administer the computer. On OS X Server, an administrator account is typically used for changing settings on the server computer itself, usually through the Server app.
Which applications can you use to configure OS X Server local user and group settings?
You can use the Users & Groups preferences and the Server app to create and configure local users and groups.
What tool can you use to import and export user accounts?
You can use the Server app to import user accounts. Additionally, as you’ll see in Lesson 10, you can use the Server app to import network users after you authenticate as a directory administrator.
Which two formats of files can you use to import users with the Server app?
You can use the Server app to import a character-delimited text file with user information, but you need a header line to define the characteristics of the information contained in the file. You can also import a text file that has a header line at the beginning of the file that defines the contents of the file.
If you decide to manually manage access to services, what are some services included in the list?
Services include Calendar, Contacts, File Sharing, FTP, Mail, Messages, Profile Manager, Time Machine, and VPN.
When you select the checkbox to grant authorization for a user to access File Sharing services, what file sharing protocols does this enable for the user?
Authorization to use File Sharing includes the AFP and SMB protocols.
When you click the Manage Service Access button, does this prevent users that you create in the future from being able to access your OS X Server services?
No, even after you choose to manage service access manually, new users that you create with the Server app automatically get authorization to access services. Of course, you can edit a user and remove authorization for that user to access a service.
What is the main function of directory services?
Directory services provide a central repository for information about the computers, applications, and users in an organization.
What standard is used for data access with Open Directory? What version and level of support is provided for this standard?
Open Directory uses OpenLDAP and the Lightweight Directory Access Protocol (LDAP) standard to provide a common language for directory access. Open Directory uses LDAPv3 to provide read and write access to the directory data.
In terms of Open Directory, what four roles can OS X Server play?
OS X Server Open Directory roles include Open Directory master, standalone server, connected to a directory system, and Open Directory replica.
What criterion determines the Open Directory locale with which an OS X Open Directory client associates?
If a Mac has an IPv4 address that’s in the range of a subnet associated with an Open Directory locale, that Mac should use any of the Open Directory servers associated with that locale. Otherwise, it will use the default locale.
What log shows successful and failed attempts to authenticate against the password service?
Password Service Server Log, located at /Library/Logs/PasswordService/ApplePasswordServer.Server.log, shows successful and failed attempts to authenticate.
What tool can you use to check the ability to obtain a Kerberos ticket?
Ticket Viewer is in /System/Library/CoreServices, and you can use it to confirm the ability to obtain a Kerberos ticket.
How do you import local network users from a text file with a properly formatted header line?
Choose Manage > Import Accounts from File, select the text file, choose Local Network Accounts in the pop-up menu, provide directory administrator credentials, and click Import.
What are some reasons that a client computer might not be able to use Kerberos authentication to access a service?
The client computer might not be bound to a directory service that provides Kerberos; the system time between the client computer and the server computer might be off by more than 5 minutes; there could be a DNS configuration issue; or the service might not be configured to use Kerberos.
In addition to authentication, what else can Kerberos provide?
Kerberos provides identification and authentication.
How can you disable a local network user account so that it cannot be used to access services or log in on a bound Mac?
In the User pane of the Server app, double-click the user to edit the user, and deselect the checkbox “Allow user to log in.”
What are some examples of global password policies that you can apply to users that apply the next time they change their password?
Some examples include that passwords must differ from account name; contain at least one letter; contain both uppercase and lowercase letters; contain at least one numeric character; contain a character that isn’t a letter or number; contain at least a given number of characters; or differ from the last given number of passwords used.
What are some examples of global password policies that you can configure to disable login after certain events occur?
Some examples include that the login will be disabled on a specific date; after using it for a given number of times; after inactive for a given number of days; or after a user makes a given number of failed attempts.
How does a user obtain a Kerberos service ticket?
Once a user has a ticket-granting ticket, OS X automatically attempts to obtain a service ticket when a user attempts to connect to a Kerberized service.
What tool is used to create profiles?
The Profile Manager web app is used to create profiles.
Why should a configuration profile be signed?
A configuration profile should be signed to validate the contents of the profile.
What is a configuration profile? An enrollment profile?
A configuration profile contains settings and preferences to manage the user experience in a controlled device. An enrollment profile allows the device that it’s installed on to be remotely controlled, performing such tasks as remote wipe and lock, and installation of other configuration profiles.
What steps are involved with turning on the Profile Manager service?
You can just click the On/Off switch in the Server app Profile Manager pane to turn on the Profile Manager service, but to enable device management (also known as Mobile Device Management), click the Configure button next to Device Management, select a valid SSL certificate, and specify a verified Apple ID to obtain an Apple Push Notification service certificate.
What steps are involved with specifying that you want to sign your configuration profiles?
In the Server app Profile Manager pane, select the “Sign configuration profiles” option, and choose a valid code signing certificate. Then when you create profiles with the Profile Manager web app, they’re automatically signed.
What three components comprise Profile Manager?
The Profile Manager includes the Profile Manager web app, the user portal, and the optional device management (Mobile Device Management) service.
At what levels can clients be managed?
Users, user groups, devices, and device groups.
Name at least three ways a profile can be delivered.
User Portal, email, web page, or manual delivery. The mobile device management capabilities of Profile Manager can also push profiles to enrolled devices.
What service does push notification rely on?
Apple Push Notification service (APNs).
How is a profile removed from an OS X computer? From an iOS device?
In OS X 10.7 Lion and later, the profiles are managed in the Profiles preferences. On an iOS device, navigate to Settings > General > Profiles to view and remove installed profiles.
How can you view the contents of a profile?
Any text editor. The text contained in the profile is either straight XML or XML with some binary data if signed.
Name three file sharing protocols supported by the OS X Server File Sharing pane and their principal target clients.
AFP for Macs with OS X earlier than Mavericks, SMB for OS X Mavericks and Windows clients, and WebDAV for iOS devices are three file sharing protocols supported by OS X Server.
What is one concern with using the FTP service?
Normally the network traffic is not encrypted for authenticating to the FTP service with user name and password.
How does OS X Server support browsing for Windows clients?
OS X Server uses NetBIOS to advertise its presence to Windows clients; Windows users see the server in their Network Neighborhood or Network Places.
How do you enable guest access to a share point?
Edit a share point and select the “Allow guest users to access this share” checkbox.
Where can you quickly view how many AFP and SMB connections there currently are to your server?
The Connected Users tab displays the number of AFP and SMB connections; you may need to choose View > Refresh (or press Command-R) to refresh the number.
How can you configure a share point to be accessible to an app on an iOS device?
Edit a share point and select the “Share over WebDAV” checkbox.
Where would you find information about AFP service errors?
The Logs pane of the Console app displays the AFP Error log, which displays the contents of the log file /Library/Logs/AppleFileService/AppleFileServiceError.Log.
How can you create a new share point?
In the File Sharing list of share points, click Add (+) and either select an existing folder or create a new folder and select the new folder.
What file sharing protocols are enabled by default for a share point you just created?
AFP and SMB are enabled by default for a new share point.
Do you need to start the Websites service in order to provide WebDAV service?
No, the Websites service doesn’t need to be running in order for you to offer File Sharing services via WebDAV (of course, the File Sharing service must be running).
When does an ACE for a folder’s ACL get propagated to items in the folder?
An ACE of a folder’s ACL is propagated to a new item that’s created in that folder, or copied into that folder from another volume, if the inheritance options for the ACE apply. Also, an administrator can select a folder in the Storage pane of the Server app, choose Propagate Permissions from the Action (gear icon) pop-up menu, select the Access Control List checkbox, and click OK. Finally, if you use the File Sharing pane to modify a share point’s POSIX permissions or ACL, the ACL will be automatically propagated.
What permissions can you choose for an ACE in the File Sharing pane of the Server app?
When you edit an ACE in the File Sharing pane of the Server app, you can choose Read & Write, Read, or Write.
What permissions can you specify for an ACE in the permissions dialog of the Storage pane of the Server app?
When you edit an ACE in the Storage pane of the Server app, you can select checkboxes for 13 kinds of permissions. The categories include Administration, Read, and Write.
In the permissions dialog of the Storage pane in the Server app, what four rules for inheritance can you apply to an ACE?
Apply to this folder; Apply to child folders; Apply to child files; and Apply to all descendants.
How do you remove an inherited ACE?
In the Storage pane of the Server app, navigate to the item that has an ACL, click the Action (gear icon) pop-up menu, choose Edit Permissions, click the Action (gear icon) pop-up menu, and choose Remove Inherited Entries.
What might it mean if you see a GUID rather than a user name in an ACL?
If you see a GUID instead of a user name in an ACL, it could mean that you removed a user or a group from your server, and the ACE is displaying that user’s or group’s GUID because it cannot map the GUID to a user or a group.
What are the advantages of using NetBoot?
Because NetBoot unifies and centralizes the system software that NetBoot clients use, software configuration and maintenance are reduced to a minimum. A single change to a NetBoot image propagates to all client computers on the next startup. NetBoot also decouples the system software from the computer, decreasing potential time invested in software troubleshooting.
What are three ways to configure the network startup disk?
A client can select a network disk image via the Startup Disk pane within System Preferences; hold down the N key at startup to use the default NetInstall image; or use the Option key to enter the Startup Manager.
Which network protocols are used during the NetInstall startup sequence? What components are delivered over each of these protocols?
NetInstall makes use of DHCP, TFTP, NFS, and HTTP during the NetInstall client startup sequence. DHCP provides the IP address, TFTP delivers the boot ROM (“booter”) file, and NFS or HTTP is used to deliver the network disk image.
What is a NetBoot shadow file?
Because the NetBoot boot image is read-only, anything that the client computer writes to the volume is cached in the shadow file. This allows a user to make changes to the boot volume, including setting preferences and storing files; however, when the computer is restarted, all changes are erased.
What are the major differences between NetBoot, NetInstall, and NetRestore images?
NetBoot allows multiple computers to boot into the same environment. NetInstall provides a convenient way to install operating systems and packages onto multiple computers. NetRestore provides a way to clone an existing image to multiple computers.
What version of OS X is required for a Mac to use the Caching service via the Mac App Store? What version of iTunes is required for Macs and for PCs to use the Caching service? What version of iOS is required for iOS devices to use the Caching service?
For the Mac App Store, OS X version 10.8.2 or later is required; as for iTunes for Macs and for PCs, iTunes version 11.0.2 or later is required. iOS devices with iOS 7 automatically use the Caching service if available.
What additional configuration do you need to perform for eligible computers with OS X and for iOS devices to use the Caching service?
No additional configuration is required for computers with OS X version 10.8.2 or later, or for iOS 7 devices.
If your server has a public IPv4 address (as opposed to having a private IPv4 address behind NAT), and your clients have a private IPv4 address behind NAT, will your clients use your server’s Caching service?
No, your clients and your server must have private IPv4 addresses behind a NAT device that translates outgoing traffic (to the Internet) to use the same public IPv4 address.
What configuration is required if you have multiple servers with the Caching service turned on?
You don’t need to perform any additional configuration; eligible clients will use the appropriate Caching server automatically.
Can a Mac use the Software Update service and the Caching service simultaneously?
No, a Mac can use either the Software Update service or the Caching service.
If you change the volume used for the Caching service, is the cached content moved to the new volume?
Yes, if you change the volume for the Caching service, the Server app automatically moves the cached content to the new volume.
Will the Caching service fill up a volume with cached content?
No, the Caching service automatically removes the least recently downloaded item to make room for new content, after the volume has only 25GB available.
How much available space do you need on a volume in order to specify to use it for the Caching service?
The Server app requires that a volume have 50GB available before you can use it for the Caching service.
What are the advantages of using Software Update?
You can better administer updates to clients and prevent high-bandwidth usage from your clients all reaching out to the Apple update servers, keeping the traffic within your network.
What are three logs available to monitor the service?
Service, Error, and Access.
How can you configure a client to use the update service?
Use the defaults command to modify the update plist or a configuration profile.
What is the default port used?
The default port is 8088. This is important as it needs to be defined in the catalog URL even though it isn’t shown in the configuration panes of the Server app.
What level of management can Software Update be applied to in Profile Manager?
Devices and device groups.
What services must be running for Time Machine to provide a network backup target?
File Sharing and Time Machine.
If you change the volume that Time Machine is backed up to, what will happen from the client side?
An entire backup will occur, rather than just the changes from the last backup.
Why might you want to exclude certain folders from being backed up?
You might exclude certain folders to preserve space or to avoid backing up unneeded material.
Can you recover what was in the Trash?
No, the contents in the Trash aren’t backed up.
What kind of users would benefit from using the VPN service?
Users who are away from your local network can use the VPN service to securely access resources available on your local network.
What is an easy way to help your users running OS X to quickly configure their computers to use your server’s VPN service?
In the Server app sidebar, select VPN, click Save Configuration Profile, and distribute the resulting mobileconfig file to your users. When a user of a computer running OS X Lion or later opens the mobileconfig file, the Profiles preferences automatically opens and prompts the user to install the configuration profile. You can also distribute the mobileconfig file to users of iOS devices.
What two protocols does the OS X Server VPN service support?
L2TP and PPTP.
What are the differences between the two supported VPN protocols?
L2TP is more secure, but PPTP is compatible with older VPN client software.
If the shared secret becomes discovered, does this mean that anyone in the world can now use your server’s VPN service?
Not necessarily; even if the shared secret becomes published, users still need to authenticate with a username and password to establish a VPN connection.
What do you need to do if you decide to change the shared secret?
If you change the shared secret, all your VPN service users must change the shared secret in their VPN configurations. You can facilitate this change by saving a new configuration profile and distributing the new mobileconfig file to your users.
If a host computer or device is on an active network with other clients receiving DHCP addresses, why might this specific computer or device not get an IPv4 address?
If other computers and devices on a given network are able to secure DHCP addresses, it’s likely that the server has run out of DHCP leases.
How can you determine whether a host has a routable IPv4 address or a link-local address?
A link-local address must fall in the 169.254.x.x range, so checking the current IPv4 address of the client will provide the answer.
What must you know before you can statically map an IPv4 address to a specific client?
You must know the MAC address of the client; if the client already has a DHCP lease, simply create a static address from that client’s entry in the Clients pane.
Where would you find log entries related only to the DHCP service?
In the Server app’s Logs pane (in the Service Log under the DHCP section).
On what software is the OS X Server Websites service based?
The Websites service is based on Apache, the open source web server software.
Which permissions are necessary on a web folder to ensure that visitors to the site can access the pages?
Everyone or the “www” group must have read access to the web files.
What are access controls?
Access controls are paths to folders that can be restricted based on group.
Where is the default location for the Apache log files?
The default location for the Apache log files is /var/log/apache2/access_log and /var/log/apache2/error_log.
What is the advantage of using SSL on a website?
SSL helps protect the traffic traveling to and from the website by encrypting the data.
What protocols can Mail service utilize?
POP, IMAP, and SMTP.
What kind of DNS record should be set up for a mail server in production use?
An MX record for the domain.
What tools are used for filtering the Mail service?
SpamAssassin filters for spam; ClamAV for virus scanning; and an external blacklist server can be set for junk mail filtering. Greylisting also helps reduce spam.
What is a wiki? What is a blog?
A wiki is designed to be read and edited by many. A blog is designed to be read by many, but created by an individual.
What tools can an administrator use to specify users that are allowed to create wikis?
Administrators can use the Wiki Creators list in the Wiki service settings of the Server app.
How does a network user specify which users and groups are allowed to edit a wiki?
When creating a wiki with a web browser, a user can specify permissions for users and groups to access and edit the wiki.
What protocol does Calendar use?
CalDAV, which is an extension of WebDAV.
How does a user specify which users are allowed to edit or view his calendar?
In the Calendar app preferences, he can designate delegates and their rights.
What is the transport protocol for the Calendar service and how can that impact the troubleshooting of the service?
CalDAV and WebDAV utilize HTTP as a transport and as a result the troubleshooting of it is similar to web services. You need to make sure DNS is correct and the proper ports are open.
What protocol is used for the Messages service?
The Messages service uses the Extensible Messaging and Presence Protocol (XMPP).
How would you limit access to the Messages service on OS X Server?
Through “Edit Access to Services” per user available in the Server app.
How would you enter the Messages name for the user Jet Dogg (short name: jet) on server17.pretendco.com?
The Messages name format for Jet Dogg is
On what protocols is the Contacts service based?
The OS X Server Contacts service is based on CardDAV (an extension to WebDAV), HTTP, and HTTPS, as well as vCard (a file format for contact information).
How can the information contained in a directory service be included in the Contacts searches?
Make sure the “Include directory contacts in search” option is selected in the configuration of the Contacts service.
Where is SSL for the Contacts service configured for use?
In the Settings pane of the Certificates tab of the Server app.