Archive for December, 2004
Even though Mac OS X supports connecting to Windows-based servers via SMB, there are a number of reasons why you may want to connect to the server via AppleTalk or Apple File Protocol (AFP) instead:
- You have Macs running System 9 or earlier on the network.
- Accessing files via SMB shares does not let Macs see the resource fork on files on the share.
- Your security policy prevents you from disabling SMB signing on your server.
This posting contains information for installing and configuring Services for Macintosh on your SBS server.
With the release of OS X, people running Macintoshes in a Windows environment can now connect to Windows servers using SMB shares instead of AppleTalk shares. There are trade-offs, of course, but this additional method of connection increases the Macintosh's ability to integrate into a Microsoft network.
Downlevel clients, Macintosh clients running Mac OS 10.X attempting to connect to SMB shares, and some third party devices, such as multi-function printers/scanners, are unable to connect to the server due to SMB signing. Since not all devices are capable of working with signed SMB packets, SMB signing can be disabled on the server to allow access to these clients.
Please note that SMB signing is a security feature and that by disabling it you open the door to certain security risks. This action should be taken only when absolutely necessary.
When Apple implemented Rendezvous in OS X, they chose to use a non-public domain naming scheme to keep Rendezvous traffic local. Unfortunately, “.local” is exactly the naming scheme they chose, which happens to be the very domain structure Microsoft recommends for naming internal networks. No problem, right? Except that Rendezvous uses a multicast DNS lookup, and Microsoft DNS servers don’t know how to respond to multicast requests. Hence, if you have a Windows “.local” domain with Macs, the Macs cannot use DNS to look up internal DNS resources.
In Mac OS X 10.4, Apple changed Rendezvous to Bonjour, and while it still uses the .local namespace, it is smarter about DNS lookups than Rendezvous. Chances are that if you’re running OS 10.4 and getting your IP configuration from the DHCP server of the SBS box (or other Active Directory DNS server that’s properly configured), you won’t need the steps in this document.
There are a number of ways to work around this, but the best solution, short of renaming your Windows internal domain to something other than “.local”, is to disable multicast DNS for the .local domain on the Mac. Here’s how.
There is one really important aspect of modifying Group Policy that probably needs to go in the GPO 101 post, but it’s important enough that I’ll post about it here.
Never, EVER modify the Default policy objects. There’s a reason they’re called Default, and they should stay that way.
Group Policy Objects in Active Directory are a fabulously beneficial feature that can sometimes be ferociously frustrating as well. With great power comes great responsibility (someone please slap me for that), so before you plunge headlong into working with GPOs, you should probably have a basic understanding of how GPOs work. The remainder of this entry is adapted from material I contributed to MCSE Exam 70-294 Study Guide and DVD Training System: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure in Chapter 9, Working with Group Policy in an Active Directory Environment.
One of my pet peeves about Dell’s OEM setup on SBS servers is the (admittedly nice-looking) background image that comes up when you boot the server or connect via terminal services. When the server is connected over a slow DSL connection (which a lot of SBS installs are), connecting remotely can be a painful experience as you wait for this image to draw on your screen.
Finally, I found the way to remove this. Or, alternately, to add a custom boot image of your own.
One of the problems with supporting business customers is that you’re invariably asked to do hardware repairs or upgrades at some point. Some computer manufacturers, Dell for example, are very particular about what you can do on their systems without voiding the warranty. I have always assumed that Apple was the same way. (I did have one incident where I was having trouble getting an add-on card installed, called Apple Tech Support, and was told up-front that I had voided the warranty as soon as I mentioned that I had opened the case.)
However, I ran across this link from Apple (http://www.info.apple.com/usen/cip/) which details the components on each Macintosh model that are user serviceable. So the memory upgrade I just did on an iMac I picked up a couple of weeks ago for $90 is blessed by Apple.
Server-based anti-virus software is great, but it can’t think for itself. Every major A/V software package is based on scanning files on the server, and there are just some files that should not be scanned on a Windows server, especially SBS servers. And it’s up to the system administrator to tell the A/V software not to look in certain places.
I really haven’t kept up with hardware over the last 7 or so years like I used to. So the big move to Serial ATA (SATA) went past without my noticing. Honestly, I really don’t know much about SATA other than it’s supposed to be a cross between SCSI and IDE – more robust and RAID-able like SCSI but lower cost like IDE. Really, it’s probably a pretty cool technology, and I should look into it and become more knowledgeable about it. Could have some interesting home applications.