- Deploying, troubleshooting, and understanding OS X 10.6 DNS server
- Understanding and configuring OS X and OS X Server-based firewalls
- Fixing server- and client-side firewalls
- Configuring and troubleshooting DHCP
- Setting up and troubleshooting a VPN server
With DNS especially, there is an order in which you have to do things. Otherwise, you'll be chasing your tail for hours trying to get everything working. First, and this should happen well in advance of your deployment, decide on and obtain a domain name. When I think about it, this is also important to the installation of your server, because you have to know the fully qualified domain name of your server during initial setup. You get a domain name either from your network administrator, if you are setting up at a large organization where there is already a domain name, or from a domain registrar, if the server will do things like route mail to other computers on the Internet and you don't have one already.
If you've watched our other server titles here at lynda.com, you'll remember that we've covered how to purchase a domain name from a registrar in the movie "Registering a Domain Name," which is in Chapter 4 of Snow Leopard Server Essential Training. Once you have your domain name, you have to set up zones. To do that, we're going to go into Server Admin. Once we're in Server Admin, it should automatically connect up to your server. If it doesn't, you can add your server by name, or IP address. You'll see here that if you've already got your server set up and you went through the automatic setup process and you didn't have DNS on your network already, it set up DNS for you.
That's why it's down here in the list, and it's already got the green light next to it to say that it's running. If you look at zones, it's going to give you a warning that says "don't mess with this. You're going to change something that's going to really screw up your server." You're going to say OK, and then we're going to change it anyway. We're going to do this for a very specific reason. We need more than just server.groundswellgear.com. We need to create additional records. We want to modify what this is doing. So, we're going to add a different zone here, one that gives us a little more flexibility. For example, server.groundswellgear.com is going to be authoritative and this zone will respond authoritatively when someone asks this DNS server for anything within server.groundswellgear.com.
That would include if I had another hostname before the word server. So, first.server.groundswellgear.com could be dealt with by this zone, but if I want to set up another machine record or a CNAME like, for example, mail.groundswellgear.com or www.groundswellgear.com, this zone isn't going to cut it for me. I can't do that here. So, I need to set up a different one. But I don't want to just delete this yet. I want to set up the other zone first, and then we'll come back and delete this afterwards. So, the first thing we do to add a zone is click the Add Zone button, and then add a primary zone here, and we're going to just add the words groundswellgear.com right here where it says Primary Zone Name.
We add an e-mail, and the e-mail address here is going to appear in our DNS records. This way, if someone has got a problem with something we've listed in DNS, they can contact us and tell us that there's something wrong, or that they need something added or removed or whatever. We're also going to add this server as a Nameserver, so we'll click the Plus button and we'll save that. For the zone groundswellgear.com, the nameserver is going to be server.groundswellgear.com. All of that is fairly straightforward. The only other box we have down here is for Mail Exchangers, and we'll just click the Plus button and put in the name server and a priority.
The priority here is weighted downward. So, if you put in 90, that will be a lower priority than if you put in 10. On the Internet these days, whenever you're setting up MX records, you'll see a lot of registrars giving you the number 0 by default. I like using 10. Once you've got those all in place, click Save and you see here that underneath Hostname, the Mail Exchanger will autocomplete the rest of the domain name and you get your fully qualified server.groundswellgear.com. The tricky part with setting up your zones is you have to set them up locally and on the Internet if you expect your names to work in both places.
This is called split DNS, and it's a pretty common way to handle a domain in a SOHO network. Next, we're going to have to add DNS records to the zone. In a split DNS setup, you'll have to do that both on the Internet and locally. If you're in education, your district IT department probably has solid control over their DNS, so you can just ask them to add your server machine record to their DNS zone; just be sure to request both an A record and a PTR record for your OS X Server. If you have your server sitting on the Internet with its own public IP address, you could get away with just setting up your zones on the DNS system where you purchased the domain.
How you do that will vary depending on your choice of vendors. Some do it with a phone call; others will provide a web management tool. But either way, you'll have to manage DNS on that public system. At a minimum, you'll have to do this for a machine record and an MX record for Internet routing of e-mail. The MX record that we just set up tells the world, "hey! When you send mail to groundswellgear.com, transfer the message to server.groundswellgear.com, so that computer can handle the routing and delivery of the message." So, what we need to do now, underneath groundswellgear.com, is flip this triangle down, select that name and click Add Record.
We're going to add a machine record. As soon as we do, this pops up right below our primary domain name, and we have the opportunity to put in a machine name. I'm just going to put in the name server, and then I'm going to put in its IP address. If I want, I can put in software information, hardware information or comments, and all of these things will be returned when someone requests information through either nslookup or the Network Utility. We'll show you how that looks later on. For right now, I'm just going to put that this is on a Mac Pro, but the software is running 10.6.x. That way it'll be correct for as long and through as many versions as I upgrade.
Under Comments, I'm just going to put that this server was set up by Sean Colins. I'll click Save. Now, because it wasn't fully qualified, what we end up with here is server maps to 192.168.12.2, and that's useful for a couple of different reasons. First of all, if somebody looks up the name server in the zone groundswellgear.com, the completion of that is assumed. If we wanted, we could have typed the entire fully qualified domain name in the box down here under Machine Name and clicked Fully Qualified and that would have been fine.
But by putting in server, we limit the amount of data we have to put in. If we're putting a lot of records in, this is a perfectly acceptable way to enter your machine record. Now, I want more than one name to resolve to server.groundswellgear.com, so I'm going to add what are called CNAME records. CNAME records are just basically aliases. They are very, very easy ways for people to enter a name that makes sense to them or that they've been given that will redirect to this machine. So, for example, a very common one is www, and if we say www is always going to go to server.groundswellgear.com, give it the fully qualified name, and click Save, what we end up with is www will always redirect to server.groundswellgear.com, and because we have our A record saying server points to 192.168.12.2, that www will always go to 12.2. Another name I'd like to use as a redirect.
I'm going to go add alias. I'm going to say mail. Mail is also going to go to server.groundswellgear.com. Click Save. So now we know that www and mail will both redirect to the same machine address. So, that's what we've done. Now importantly, even though this isn't about DNS, this is about SSL: whenever you're buying an SSL certificate, be sure that you're buying the certificate for whatever name the end user will use to access the server.
So, if you're buying your SSL cert specifically for mail services on your server and you're using an alias redirect of mail, you want to make sure that you buy it with mail.groundswellgear.com as the name of your SSL cert. This can get a little complicated. If you set up the SSL cert for server.groundswellgear.com and then you tell your users to use mail.groundswellgear.com as the DNS name of the server, the SSL won't match up. There will be a name mismatch, and SSL will still throw up an error message for those users whenever they try to access that server using that name.
So, just be aware that that's a potential hiccup there. All right, now that we've got our names and we've got a couple of aliases pointing to that machine, let's get out of here and go over to our settings. Under settings, we have a couple of different things we can configure. We can configure our log level, which during initial setup is usually a good idea to have at the debug level. We have the recursive queries area here, where we can tell the system who it should respond to whenever they're requesting information. So, if somebody on our local networks or the localhost itself makes a request of the DNS server, those responses will be going out to those networks.
A nifty thing about this area here is that you could add various different network ranges or specific IP addresses that can be allowed to request information from our DNS server. Anything that's not in this box will not receive a response to a request. But what I wanted to show you down here is the Forwarder IP Address area. Now this is where you would put in the IP address for your local ISP. This is best if it's the next highest DNS server as you head out towards the Internet. So, your Internet service provider is a really good number to use here.
For example, here is a commonly used number for a well-known ISP in our area. So, these numbers are used by a local ISP in our area. So, those are going to be really good numbers for us to use, because they are very close to us, so responses are going to be very quick. They're very large networks, so they're likely to have a lot of information in their local cache, which will also speed up our DNS responses. Anything that they don't have, they'll be able to refer out to the root servers, which will then be able to traverse the DNS hierarchy in order to give us our answers.
If you don't put anything into the Forwarder IP Addresses area, you'll still be able to resolve traffic, because Apple has put a list of a bunch of the root server IP addresses right into every machine that they ship out. But those will be much slower responses. This is useful because it's much, much quicker. Once that's in, you click Save. Once you've configured your new DNS zone and your settings, you'll need to delete the preconfigured zone that the server created for you initially. To do that, we go back to Zones, come down here to server.groundswellgear.com, and click Remove.
We also want to delete the PTR zone for that specific IP address. You see how, in reverse, it is 192.168.12.2. The one up here is 192.168.12. This one was the one that was created automatically at startup. We want to delete that one. Once we've reviewed our settings, and we know that this is all good, we've got our forward record, we've got our PTR pointing back to that forward, and we've got our two aliases pointing to that machine record right there. Click Save and we're done.
Next, we want to configure our client to use the DNS we just set up. So, what I'm going to do now is I'm going to get out of the screen sharing that we've been using in order to control the server remotely. Here we are on our client machine. We're going to go to our Apple, pulldown to System Preferences, go to Networking. In networks, I had already configured our DNS server to point to the server that we've just set up. If yours wasn't already set up to look there, you would want to do that now.
So, on your client machine, make sure that you're pointed to the IP address of your Mac OS X Server on which we just set up DNS services. When adding your DNS information here, remember that you can use the Search Domain field right here to tell the client machine what your local zone name is. This will allow your client computer to find resources in the local DNS zone by only looking up the hostname without having to type in the fully qualified domain name. I'll show you how that works now. If we type that in and hit Apply, I'll just pull this down over here so it's out of the way.
Then we're going to go to the Go menu. Pull down to Utilities. In Utilities, we're going to open up the Network Utility. Now here in the Network Utility, we should be able to do a lookup without typing groundswellgear.com, just by typing the name server. There's our lookup, server.groundswellgear.com and an A record, 192.168.12.2. That's the function that the search domain performs for you.
If I remove that, click Apply and try a search on server again, we get a different response. You can see that it doesn't have an answer for us, because it doesn't know. So, your choice. It's completely up to you, but that can save your users an awful lot of time, and all they have to do is know the actual hostname of the server, without knowing the fully qualified domain name or without needing to type it. When you set up DNS for the first time, lots of things can go wrong.
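As an added example, not code from this course, here is a small Python model of the zone built in this movie: the machine record, the www and mail aliases, the MX and the PTR from the Add Record steps, plus the client-side Search Domain behaviour just shown in Network Utility. The names, the address 192.168.12.2 and the MX priority 10 are the ones used in the movie; the record layout and the consistency checks are my own construction.

```python
# Constructed from the transcript: the groundswellgear.com zone as Server Admin
# builds it. Short labels are relative to ZONE, as when "Fully Qualified" is unchecked.
ZONE = "groundswellgear.com"
FORWARD = {
    ("server", "A"): "192.168.12.2",
    ("www", "CNAME"): "server.groundswellgear.com",
    ("mail", "CNAME"): "server.groundswellgear.com",
    ("@", "NS"): "server.groundswellgear.com",
    ("@", "MX"): (10, "server.groundswellgear.com"),  # priority 10; lower wins
}
# Reverse zone 12.168.192.in-addr.arpa: the PTR back to the machine record
REVERSE = {"192.168.12.2": "server.groundswellgear.com"}
def fqdn(label):  # qualify a short label against the zone origin
    if label == "@":
        return ZONE
    return label if label == ZONE or label.endswith("." + ZONE) else f"{label}.{ZONE}"
def lookup(name, rtype):  # record of type rtype for a fully qualified name, or None
    for (label, t), value in FORWARD.items():
        if t == rtype and fqdn(label) == name:
            return value
    return None
def resolve_a(name, hops=0):
    """Follow CNAME aliases (www -> server) until an A record turns up."""
    if hops > 8:                 # an alias loop would otherwise recurse forever
        return None
    addr = lookup(name, "A")
    if addr:
        return addr
    target = lookup(name, "CNAME")
    return resolve_a(target, hops + 1) if target else None
def client_resolve(typed, search_domain=None):
    """Client side: a bare hostname only resolves if a Search Domain is set."""
    if "." not in typed:
        if not search_domain:
            return None
        typed = f"{typed}.{search_domain}"
    return resolve_a(typed)
def check_zone():
    """Consistency checks before removing the zone Server Admin created."""
    problems = []
    _prio, mx = lookup(ZONE, "MX")
    if lookup(mx, "A") is None:  # an MX target should be an A record, not an alias
        problems.append(f"MX target {mx} has no A record")
    addr = resolve_a("server.groundswellgear.com")
    if REVERSE.get(addr) != "server.groundswellgear.com":
        problems.append(f"no PTR for {addr} back to the machine record")
    return problems
```

Running `check_zone()` on this data returns an empty list; point the MX at www instead of server, or drop the PTR, and it names the problem.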
In the next movie, we'll look at how to test our connection and to troubleshoot when things do go wrong.