Bring on the Big Cat!

—by Joel Rennich, mactroll@afp548.com

5 November 2003

Introduction

This one is a biggie.

Apple thoroughly overhauled a large portion of its server operating system in this release. This is the most significant change to the Mac OS since Apple moved from Mac OS 9 to Mac OS X.

The scale of the change is evident in the more than 1,000 pages of documentation that Apple now ships with the system. All of these manuals are available online, so look there for more information on any of the things I cover here.

Having said that, you’ll be surprised at how much has stayed the same. The mail server, for example, was overhauled entirely, yet the interface remains very similar to what it used to be. Also, as with other versions of Mac OS X, it may be a few weeks, if not months, before you find all of the hidden gems contained in the operating system.

So, without further ado, I’d like to walk through my initial impressions of having used both Mac OS X version 10.3 Server and client. I’ve been using Panther since WWDC in June and tried to throw as many different scenarios as possible against it at the AFP548.com “testing labs.”

Installation

The first thing that you’ll notice about Server is that it comes on two install CDs and then a third for the admin tools. The second CD is not optional. This would seem to kill remote installs, unless you have really long arms to swap CDs. However, I expect that we’ll ultimately see Apple releasing Panther Server on an install DVD to get around this issue.

Also, keep in mind that the new Disk Utility can restore a disk from another volume or disk image, either local or on the network. Since Disk Utility is available when booted from the install CD, you can easily re-clone a drive or image it from a disk image on a Web server. This feature is not specific to Server, so remember this for Client installs, too.

If you tell the installer to erase the drive before installing, it will default to HFS+ journaled, which is a good thing: the speed hit is very minimal but the efficiencies that journaling brings can be a lifesaver. There is a new optional HFS+ format that is case sensitive for organizations that desire that, like those working with UNIX applications that expect this behavior.

Those of you with a number of servers to install and configure will appreciate Panther’s new auto-configuration options. You can now walk through a configuration session and save the results to a file. This file can be put on a removable FireWire drive (think iPod) or tucked away on an LDAP server. When a newly installed server comes online it will look in both places for config information and auto-configure itself. Apple has even gone so far as to password-protect the LDAP config info by default.

The only real change in the setup assistant application that runs before you log in for the first time is the option of being a Standalone server, an Open Directory (OD) Master or a client of another server. A Standalone server only uses a local NetInfo database to hold directory information. An OD Master is analogous to hosting a network NetInfo domain in 10.2, although with a real LDAP domain instead of a NetInfo one. The client setup will allow you to bind to a parent NetInfo or LDAP server on another Mac OS X server that you have already set up. Either way, all three of these options will set up an Open Directory authentication server. That’s the 10.3 name for the improved version of the 10.2 password server.

Overall, the install process is fairly quick. During testing I installed it on a number of machines including laptops and desktops with no issues. I also upgraded a 10.2 server to 10.3 with no real issues. Everything was migrated over quite easily.

Still missing, however, are access control lists (ACLs) on the file system. Being limited to one user, one group and then everyone for files and folders is something that should be behind us by now, especially since FreeBSD, Windows and other operating systems already support this.

I understand that this most likely will require serious modifications to the file system itself, but it’s also probably the biggest factor preventing organizations from migrating Windows servers to Mac OS X servers. Sure, most of this is psychological. For the large part you are able to micro-manage folder permissions to get what you want, but ACLs would be much easier.

Admin Applications

After installation you’ll want to go straight to the new GUI configuration tools. Just to keep you on your toes, Apple has reduced the number of configuration applications by combining Server Status and Server Settings into one application called Server Admin. It looks a lot like the Server Settings of old and provides a rather intuitive interface to a lot of information. As in prior versions, these tools are used for both remote and local administration and can be run from any 10.3 machine.

As in 10.2, all administration traffic is encrypted with SSL, using the same ports as before. Apple has opened up the main server administration tool, Server Admin, to third parties by creating an SDK for writing plug-ins. Since the application primarily communicates with the server using HTTP CGIs, creating a plug-in should be relatively easy and provide a vast array of opportunities. I have a list of about a half dozen on my personal to-do list right now, so check back with us in the future.

Workgroup Manager and Server Admin now have little icons in the bottom right corner of the screens that allow you to “tear off” the configuration information and save them into flat files. These are pretty much saved presets that you can now drag back onto the applications to reburn that configuration onto the server, or servers, that you have selected in the application.

Also, both applications can be set to auto-lock after a specified period of inactivity. You have to enter your password after this time before any changes can be made. This is really nice. You can now leave the admin applications up and running, to allow you to monitor your server farm, but not have to worry about cats running across the keyboard or bored co-workers.

Server Admin has a number of improvements over its predecessors. You can now run Software Update for the server through it, in addition to setting the time zone and seeing how much space is left on the server’s drives. There is also a summary view that shows all your servers at one time, much like Hardware Monitor does with Xserves, so administering multiple machines has become much easier.

Workgroup Manager is mostly the same. There is improved support for writing to non-Apple LDAP servers. The biggest difference is the inclusion of a new “inspector” which allows you to directly edit the data on a directory server. This is way cool since it pretty much eliminates having to use NetInfo Manager, any of the NetInfo command line utilities and any LDAP administration tools. This all works over an encrypted connection to boot!

Do take some time to check out the preferences and menu options in these admin applications. Apple has added some really nice features like being able to easily monitor the status of numerous servers in Server Admin by laying them out horizontally.

By far one of my favorite new features of Panther is the inspector in Workgroup Manager. I love being able to see and directly manipulate the actual data store. The newer revisions of the tools don’t seem to crash like the older versions had a tendency to do, especially when confronted with complex setups of user and machine preferences.

Command Line Utilities

Included with the rest of the documentation is a command line reference of over 100 pages. Most of this is stuff that you may already know; however, buried in here are some real gems. For instance, you can use “mounthm” to mount a remote home folder onto a machine that you have ssh’d into. Also, dscl, the directory services command line utility, does everything that niutil did for NetInfo, but for both NetInfo and LDAP directory services. That alone is worth its weight in gold, since using the LDAP command line utilities can easily fry a few brain cells.

Also Apple has given us the serveradmin command, which allows you to replicate the functionality of the GUI admin applications from the command line. So have your cake and eat it too!

Directory Services

Where to start? So much here has changed.

Open Directory has been upgraded to version 2. NetInfo has been relegated to local directory services only, although you can create a network NetInfo domain manually if you like. Instead, a full OpenLDAP server with a Berkeley Database (bdb) backend now takes NetInfo’s place when you create a shared directory domain. Admins can administer it like any other OpenLDAP system, which includes detailed ACLs for controlling who can see and who can edit the information stored in the database.

As mentioned before, a Panther server will attempt to set up and use an OD server for authentication if left to its own devices. All GUI and CLI ways of accessing and changing passwords have been updated to include support for this. Apple has taken great pains to get PAM, pluggable authentication modules, working well with this in addition to the standard Mac OS X APIs.

However, if you insist on a “basic” password for local user accounts, the system now uses a shadow password. These, like all shadow passwords, are stored in a flat file outside of the directory services database and are only accessible by root. Also, these passwords are no longer subject to the eight-character limitation of the basic passwords in 10.2. Support for the old-school crypt passwords is still there, since migrated servers may still have crypt entries. However, run, don’t walk, to migrate that information to a better system.

There is still support for Authentication Manager passwords, which were the 10.1 way of providing authentication for Windows connections by including the Windows password hashes directly in the user record, although no one, myself included, suggests that you should rely on these.

Apple has also thrown in GUI hooks for setting up your server as a Windows PDC. All of this is done through Samba and could be set up on earlier versions of the system, but not nearly as easily. Apple has ensured that there is full support between the PDC and OD, so you won’t have to play around with keeping the passwords in sync. Roaming profiles, network home folders and changing passwords at login are all supported.

This is very cool. Throw away your NT server providing authentication services for your PCs.

Authentication services on Panther Server have been enhanced with global settings, including forcing passwords to contain numbers and/or characters. A password history feature has also been included that retains a configurable number of previous passwords, forcing the user to create a new password rather than reuse an older one. As before, admin users are exempt from these policies.

To top all of this goodness off, the whole setup is able to be replicated. The LDAP database, the Kerberos stuff, which we will cover later, user passwords and the PDC information can be replicated to another server. Clients will automatically cache the replica’s IPs when connecting to a shared domain for the first time. So if your primary goes down the clients will magically rebind to a replica without any user interaction. Very slick indeed.

On the client side, there is now a built-in Active Directory plug-in for Directory Access. This means that AD integration is all of a 30-second process. In its simplest setup this plug-in will use a domain admin username and password to generate a machine account for your Mac OS X computer on the AD server and then do an LDAP lookup against the AD database for directory information. All of the necessary fields will be mapped or, as in the case of the unique ID, automatically generated. The user will be given a local home folder, and if the user has an SMB network folder defined in AD, it will be mounted on the Mac OS X machine, but not used as the actual home folder. The client machine will also cache the username and password of the last successful login so that it can be used if the machine is disconnected from the network. Now laptop users can continue to use their AD accounts when they are outside of the office.

If you want to customize the connection beyond what the plug-in offers, you are free to use the LDAPv3 plug-in as before.

In my testing, the LDAP services were quite fast and worked as well as NetInfo ever did, if not better. Plus, it’s fairly easy to wrap an SSL connection around the LDAP server. Combine that with disallowing anonymous access to the LDAP database and your directory services are about as secure as you can get them.

Kerberos

Everybody has been buzzing about Kerberos since Apple announced at WWDC that Kerberos was going to be the primary authentication mechanism for Panther. If you haven’t worked with Kerberos before, and not many have, Apple has gone to great pains to make it as simple and as automated as possible. Many installations won’t even know it’s there; that’s how good the automation is.

I’ll start off with a little info about Kerberos; feel free to skip to the next paragraph if you’ve heard this before. Kerberos is a highly secure authentication system that allows clients to connect to machines and services without ever sending the password, encrypted or not, across the connection. Until now its use was primarily limited to higher education facilities and organizations where security was a very high priority, due to the complexity of the setup. For most installations with Mac OS X Server that’s all behind us.

When you choose to become an OD Master the server is automatically configured as a Kerberos Key Distribution Center, no questions asked. Additionally, all users in the OD database get Kerberos principals, essentially Kerberos passwords. When a client machine binds to your parent LDAP domain it reads in a small Kerberos config file at the root of the LDAP store, which becomes the edu.mit.Kerberos config file on the client. This triggers the login window to try to get Kerberos tickets when a user logs in.

When the Kerberos user logs in the user gets a TGT, or ticket granting ticket, which is cached by the client machine. After that the user will not have to enter in a username and password when connecting to the Panther server. SSH, AppleShare and a number of other services support this. The first time you experience this is very eerie. It certainly takes a little getting used to.
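The AS exchange the last three paragraphs describe, as an added Python model that is not part of the original article or of Apple’s implementation: the KDC holds only keys derived from passwords, the reply can be unlocked only by deriving the same key from the typed password, and the captured messages contain neither the password nor its key. The realm, principal, password and the HMAC-based toy cipher are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import time

TGT_LIFETIME = 10 * 3600  # seconds; constructed value for this example


def derive_key(password: str, realm: str, principal: str) -> bytes:
    """Long-term key from the password (Kerberos string-to-key; PBKDF2 stands in here).
    The KDC stores only this key, never the plaintext password."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _subkeys(key: bytes):
    # Separate confidentiality and integrity keys derived from one long-term key.
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(k_enc, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(length // 32 + 1))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (NOT a Kerberos enctype): HMAC keystream + HMAC tag."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(k_mac, nonce + ct, "sha256").digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError when the key is wrong or the blob was altered."""
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


class KDC:
    """Key Distribution Center: holds every principal's long-term key and the krbtgt key."""

    def __init__(self, realm: str):
        self.realm = realm
        self.krbtgt_key = os.urandom(32)  # never leaves the KDC; tickets are sealed with it
        self.principals = {}              # principal name -> long-term key
        self.wire = []                    # every message that crossed the network

    def add_principal(self, name: str, password: str) -> None:
        self.principals[name] = derive_key(password, self.realm, name)

    def as_exchange(self, principal: str, client_nonce: str):
        """Handle AS-REQ; return AS-REP = (TGT, part sealed under the user's long-term key)."""
        self.wire.append(("AS-REQ", principal, client_nonce))  # no password, no hash
        long_term_key = self.principals[principal]  # KeyError ~ KDC_ERR_C_PRINCIPAL_UNKNOWN
        session_key = os.urandom(32)
        endtime = int(time.time()) + TGT_LIFETIME
        tgt = seal(self.krbtgt_key, json.dumps(
            {"cname": principal, "session_key": session_key.hex(), "endtime": endtime}).encode())
        enc_part = seal(long_term_key, json.dumps(
            {"session_key": session_key.hex(), "nonce": client_nonce, "endtime": endtime}).encode())
        # Real KDCs normally demand pre-authentication before issuing this reply, so an
        # anonymous request cannot harvest material for offline password guessing.
        self.wire.append(("AS-REP", tgt.hex(), enc_part.hex()))
        return tgt, enc_part


def client_login(kdc: KDC, principal: str, password: str):
    """What the login window does: fetch AS-REP, unlock it locally, cache the TGT.
    Returns the cached credential, or None when the password is wrong."""
    nonce = os.urandom(8).hex()
    tgt, enc_part = kdc.as_exchange(principal, nonce)
    try:
        rep = json.loads(open_sealed(derive_key(password, kdc.realm, principal), enc_part))
    except ValueError:
        return None  # wrong password: the KDC never saw it, and nothing is cached
    if rep["nonce"] != nonce:
        return None  # stale or replayed reply
    return {"tgt": tgt, "session_key": bytes.fromhex(rep["session_key"]), "endtime": rep["endtime"]}


def password_crossed_wire(kdc: KDC, principal: str, password: str) -> bool:
    """True if the password, or the key derived from it, appears in any captured message."""
    key_hex = derive_key(password, kdc.realm, principal).hex()
    return any(password in str(msg) or key_hex in str(msg) for msg in kdc.wire)


if __name__ == "__main__":
    kdc = KDC("AFP548.COM")                      # constructed realm
    kdc.add_principal("alice", "correct horse")  # constructed principal and password
    print("login ok:        ", client_login(kdc, "alice", "correct horse") is not None)
    print("wrong password:  ", client_login(kdc, "alice", "wrong") is None)
    print("password on wire:", password_crossed_wire(kdc, "alice", "correct horse"))
```

The cached credential is what later lets SSH or AppleShare proceed without a second password prompt; only the KDC, holding the krbtgt key, can read the TGT itself.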

Workgroup Manager gives you graphical ways to set up Kerberos admin accounts and machine accounts so your users can authenticate automatically to Kerberos services on other servers. This also facilitates the replication of the KDC from one machine to another.

If you are used to setting up Kerberos on your own, you will be happy to hear that Apple’s implementation is pretty much a standard install of the MIT distribution with only minor changes to allow for the OD integration. Apple has made no changes to the protocols, unlike other operating system manufacturers. You are more than able to use kadmin, ktutil and the other Kerberos applications to administer your system.

Also your Panther Server should fit into an existing Kerberos domain with a minimum of effort. Better yet, why don’t you host your Kerberos domain on your Panther Server so that you don’t have to mess with the replication and user creation as much. I think Apple might be on to something here.

This is certainly one of the biggest “killer features” for 10.3 Server; it is also probably the biggest question mark for a lot of admins. As I said, though, setting up Kerberos with Panther Server is stupid simple. So simple, in fact, that you don’t even see the term “Kerberos” during the installation process. I still have reservations about what happens when things go wrong, but so far Apple has automated the heck out of this and hidden the really nasty pieces away.

Mail

The mail server in 10.3 has been changed as much, if not more than, the directory services. Apple threw out its limited mail service and replaced it with Postfix for SMTP and Cyrus for IMAP and POP. Both support SSL encryption and Kerberos authentication. They also are fully integrated into OD. Additionally Mailman, a very full-featured open source mailing list manager, comes preinstalled and ready for action.

The GUI for the mail server is remarkably similar to 10.2. E-mail for a user is still set up in the user’s record in Workgroup Manager. Notable changes for the server are the ability to select an SSL certificate and the option of using more than one RBL. There is no GUI support for complex spam and anti-virus setups or virtual domains, although all of this, and more, is possible on top of the basic setup from Apple, so look for a lot of future articles on this.

Under the covers, Postfix and Cyrus provide a world class e-mail system that should be more than capable of supporting most setups. Apple has made very few changes to the standard installation of these applications, so admins who’ve used these servers in the past should feel right at home. However, do be prepared for giving up on the GUI if you want to make changes by hand.

Apple has made extensive use of include directives for the UNIX config files. This way the Apple admin tools won’t overwrite your own changes. Postfix, however, doesn’t have this ability, so we’re back to the old way of doing things: either lock the config files, or just don’t touch the mail settings in Workgroup Manager.

SquirrelMail is still included as the webmail system that ships with Mac OS X Server. It’s still configured using the Perl script supplied with the distribution, so no changes there.

As I mentioned, Mailman is installed and Apple has done a good job of providing a GUI for it in Server Admin. Not that Mailman’s normal Web interface isn’t good, but it is nice to have all of your configuration options under one roof.

Overall I am very happy with the new mail system. Of course, with the all-star cast that Apple has put together for this it would be hard not to be impressed. I’ve put a fair amount of mail through the system and have been happy with the results. It would be nice to have a GUI for setting up virtual domains and the access control lists on mailboxes that Cyrus supports, but compared to what we had before this is more than enough to keep me happy for a while.

Web

Apple continues to ship Apache 1.3.x as the standard web server with Apache 2 as an optional service. The interface has been enhanced to allow you to add and remove modules from the GUI. Also, aliases and redirects can be done from within Server Admin. Apple has added the ability to hand-craft your own log format. All in all, you shouldn’t have to edit the config files by hand much any more. With an application like Apache, that’s a huge statement to make and a bold testament to how much Apple has changed the interface.

If you still feel the need to do hand edits, Apple has added an include directive to /etc/httpd/httpd.conf. They seem to be trying to do this with as many config files as possible. As long as you put all of your directives in the specified “user” config file, Apple won’t stomp on them. Plus they should be read before the Apple config files are, allowing you to override the GUI created settings.

I also found it pleasantly surprising that the standard install of PHP comes precompiled with a number of options, including LDAP. However, they’ve left a few out, like IMAP, so you might have to recompile PHP for additional features. At least adding and removing the PHP module should be easier.

JBoss comes as the preinstalled J2EE application server. It works with Tomcat to provide web services. These are pretty vanilla installs for which the GUI offers limited configuration. Anyone using these would probably be happier doing the config on their own anyway, so no big deal there.

Web services in 10.3 are an absolute joy to work with. Most anything that you would want to work with is right there in the GUI for you.

File Services

With the exception of Windows services, the other file services have remained much the same.

The AppleShare server still uses version 3.1 of the protocol. However, Sherlock will no longer report files that the user doing the search doesn’t have access to. Organizations with older clients should keep in mind that AppleTalk is officially removed as a connection option. The server will still be browsable over AppleTalk, but all connections need to be IP-based. Also, clear-text authentication has been shut off. All clients have to encrypt the password in some way to connect. This rules out connecting from Mac OS 7, but anything after that should work.

The biggest change to the AppleShare GUI is the inclusion of a checkbox to allow admin users to masquerade as other users. In previous versions you were able to use any user name and an admin password to log in as that user. This made it very easy to check on the permissions you had set up for a user. Since that behavior took some admins by surprise, especially the ones that had a blank password, this is now an option.

NFS configuration is mostly the same, although the NFS structure has been greatly updated. File locking and much faster speeds are some of the bigger changes. This should come as very good news for those sites using NFS, as prior versions of NFS in Mac OS X were woefully far behind.

Windows services are now based on Samba 3.0. This should make Mac OS X Server play much nicer on a late-model Windows network. I’ve already mentioned the PDC features, so no need to cover that again. As far as the GUI goes, things haven’t changed too much there, either.

FTP is also much the same.

Nothing too big here, but that’s fine. If it isn’t broke...

Print Services

At first I was quite depressed about the Print Server in Panther. My reading of the documentation suggested that not much had changed. Take heart though, gentle reader, my single biggest issue with the Print Server has been remedied!

The Print Server is now able to share a non-PostScript printer over AppleTalk, LPR and SMB. This means you can use Panther Server to share a $100 ink jet printer with all of your Mac OS 9 clients over AppleTalk.

It gets a little interesting since the queue is presented as a PostScript queue to the client machines, so don’t expect the same options and color clarity as you would on a real PostScript printer. It’s still a $100 printer after all, but it does work and it’s very easy to set up.

I’m still hoping for Apple to allow us to use all of the chewy goodness of CUPS, the Common UNIX Printing System, that drives printing on Mac OS X. It has support for encryption and user authentication that we can’t do through the GUI yet. But, hey, they have to have something to do for 10.4!

DNS

10.3 brings BIND up to version 9 and a GUI to configure the zone and config files. Don’t get too excited about that last bit though until you’ve seen it.

While an admin can add, remove, and edit zone files from Server Admin, it’s hardly more than a GUI to vi. There is only basic automation to the process. For example, Apple thankfully added the ability to auto-generate a reverse record from a forward record that you are entering, but there is no option to take a host name prefix and fill out an entire range with records, which you could then go in and change to something more specific for your servers.

The real shame of all of this is that Mac OS X Server really, really wants to have a proper DNS environment. You need forward and reverse records for your server, and hopefully your clients, for things to go smoothly. This is especially necessary when you are working with Kerberos and other directory services. Casual, or first-time, admins on Mac OS X Server are going to be lost in this GUI and will end up going to a third party utility for help.

Again, look for more info, and an updated version of Bindery, my DNS management app, to help you out with this.

Maybe I’ll use the GUI to make quick changes if I don’t want to get an ssh connection up and running, but other than that I think I’ll stick to my current method of either using my own application or doing it from the command line.

VPN

While you could set up a PPTP VPN in 10.2, you were taking your setup into your own hands. 10.3 comes with a very nice GUI to set up either a PPTP or an L2TP-over-IPSec VPN. You can authenticate the remote users through the OD auth server, in addition to setting up DNS and default routes for the clients through the GUI.

This is slick and provides a simple way for secure remote connections from pretty much any platform.

I’d like a full-blown GUI to just the IPSec bits without having to use them with an L2TP connection, but hopefully that will come in time. With that in place things like opportunistic encryption become much easier. Plus Mac OS X would be easily compatible with a number of firewalls that include IPSec VPNs.

NAT

Finally! You don’t have to write your own NAT (Network Address Translation) scripts anymore. A very simple interface in Server Admin allows you to share a network connection with your other interfaces.

Nothing fancy here, but nice to have in the GUI.

Firewall

Apple has also made some real strides in the firewall configuration settings. Gone is the “My First Firewall” approach. Instead we have a simple interface, but with good functionality, for those who aren’t familiar with ipfw, and then a more advanced interface that easily allows you to craft any ipfw statement you can think of.

No longer will you be pulling your hair out if you try to integrate an ipfw script with Apple’s GUI tools. While I can’t say that it’s easier to do your ipfw rules this way, it probably isn’t any harder than doing it by hand, plus you can easily remotely administer them. As such, if you buy into using the Apple tools, you’ll be better off in the long run.

NetBoot/NetInstall

This is another area where Apple has really made major improvements. The underlying technology hasn’t been changed too much, but the tools to configure it have.

A rewritten Network Image Utility is the heart of the changes. You can now easily create customized NetBoot or NetInstall images from installation CDs or from installed systems. It’s also quite easy to add your own packages on top of the image. This allows you to quickly integrate upgrades and other changes into an existing image.

The images can now be shared out over NFS or HTTP, and the bulk of the image can even come from a remote machine other than the NetBoot server. Another killer feature of the 10.3 server is the ability to easily create “diskless” NetBoot images that don’t require a local drive on the client machine. Now you can easily make a repair NetBoot image that allows you to use DiskWarrior, or any of the other disk tools, on your internal drive.

The server will support both Mac OS X and Mac OS 9 images, just like 10.2. However, do pay attention to the documentation when it states that only dynamic clients are supported. This rules out the tray-loading iMacs and the Blue and White G3s. However, “man bootpd” claims that the daemon itself will still support static clients if you want to take matters into your own hands.

Overall the changes to NetBoot are huge. I found the Network Image Utility to be fairly easy to use, although it did help to read the documentation on this one. Plus you’ll find some hidden gems, like how the utility has a built-in sftp client to allow you to transfer the image from one server to the other. My only gripe is that by allowing you to save the image anywhere it implies that you can serve the image from anywhere. However, only the images in /Library/NetBoot are usable.

DHCP

In 10.2 DHCP was pretty much intertwined with NetBoot. Panther eliminates that dependency, at least in the admin tools. Other than that the GUI offers few changes. While the system can still handle DHCP reservations there is no place to configure it in the admin tools.

Apple also has added the ability to give out WINS information to your Windows clients.

A quick look at the man page for bootpd, the daemon that services DHCP requests, will show you a wealth of changes not present in the GUI. For example, you can now set up your server to be a DHCP helper and forward on requests to another DHCP server in another subnet by editing the DHCP configuration in your server’s local NetInfo database.

Client Management

This is an area that Apple has polished up a bit, but made no major changes.

You can now control the startup and shutdown schedule for your managed machines. While small, this alone might be worth the upgrade for some organizations.

Also, you can create either a list of allowed applications, denying all others, or, new in Panther, a list of excluded applications, allowing all others.

Login options have also been expanded. For example you can now prevent a user from using “>console” at the login window to get to a UNIX shell. Also, drum roll please, we can now auto-logout a user after a specified period of inactivity. Again, a seemingly small option but one that could be killer for some situations.

Another option that will certainly bear some experimentation is the mobile account option. This allows a user to have a local home directory, but still keeps the user in the parent LDAP database on the server. Users can now log in from network machines and get a network home directory, or choose to be a “mobile user” and get a local home folder on the machine that they are working on. The local machine will now cache the network user’s login information. This allows a laptop user to authenticate against the server when on the local network, but still be able to log in at home without a network connection.

This is a great start, but you need to be careful with this option. While at first this may seem like roaming profiles on the Windows side, the local home folder is never synchronized with the network home folder. Instead the user now has at least two, if not more, home folders scattered across the network.

Since we can now sync our iDisks with our local machine I hope that technology gets integrated into the mobile accounts. This also should be an area where you can roll your own solution. A logout hook that runs psync to the network home folder would get you part of the way, but with Apple getting us so close to mobile user Nirvana here, they should be able to take us the rest of the way soon.

All in all, Apple has done well with client management. Combine Mac OS X Server 10.3 with Apple Remote Desktop and you have a very easy-to-use, robust management system.

QuickTime Streaming Server

QTSS has been updated to version 5. The primary change is that you no longer have to use the Web interface. Instead all of the general QTSS administration can be done through Server Admin, and all of your media can be managed through a new application called QTSS Publisher.

Publisher is very nice. It allows you to manage playlists on remote machines in a very simple manner. However, its real value is that it will automatically hint your streaming video files for you! You don’t need to buy QuickTime Pro to do this anymore.

Awards

On the whole I have found 10.3 to be a very worthy upgrade. Sure, I have a few nits to pick, but Apple needs to leave something for 10.4. The new features and simplicity of the system, combined with the insanely great hardware that Apple has been producing lately, will definitely score Apple more than a few converts.

I’m sure that Mac OS X version 10.3 Server will win a number of awards in the coming months. However, since none have been announced yet, I’d like to be the first to lavish a few on the system.

Best Ensemble: The Panther Server engineering team. No doubt about this one. The elves at Apple have seriously overhauled their flagship server operating system in just a year’s time. Sure this wreaks havoc on training schedules, purchasing cycles and upgrade paths, but after all the complaining is done we’re all tingly over the new features.

Before continuing I’d like to suggest a moment of silence for all of the family members and other loved ones of the engineering team who have been neglected over the last year. Your suffering has not been in vain!

Lifetime Achievement Award: NetInfo. Almost two decades old and still going strong! Sure it isn’t handling network directory services anymore, but NetInfo still shines as a local directory service. I look forward to a long future with NetInfo now that I have had some time over the last few years to get to know it.

Most Improved: LDAP. While LDAP was bolted onto 10.2, it was never really implemented the way it should have been. 10.3 has corrected that mistake and boldly paves a way into the future of open standard networking.

Rookie of the Year: Kerberos. Sure it’s been around for years, but it’s pretty new to us! Kerberos is quickly becoming the rising star of network authentication for much more than just higher education environments, and I’m very happy with how Apple has seamlessly integrated it into 10.3. The autoconfiguration mechanisms are works of beautiful simplicity and should keep 10.3 server at the forefront of network authentication for some time to come.

E for Effort: DNS. More specifically the DNS GUI. Don’t get me wrong, BIND 9 is great and the GUI that we have, for what it does, is usable. However, for Mac OS X Server to really take a lead we need more than that. The DNS GUI should set up basic records for a server and its clients with just a few clicks. Having to manually enter every host record is no picnic and is better done from the CLI.