AFP548 Changing the world one server at a time.
Wednesday, December 16 2009 @ 11:28 pm CST
   

Tiger Server Overview

Today's the day! Mac OS X Server 10.4 hits the street and we can finally let the cat out of the bag, so to speak, on all the juicy tidbits we have been dying to tell you about.

It took a lot of time and overcoming work schedules, illness, and international travel, but this article is our Tiger Server overview. Think of it as being your roadmap to many of the new features of the OS. Don't expect to find detailed walkthroughs in here but rest assured that we have articles in the works for everything you can think of.

Read on for the overview...

General Stuff

Overall, Tiger Server picks up all of the other niceties of the 10.4 series: Dashboard, Spotlight, and all that jazz. Of much more interest to us server folks are the new 64-bit libraries that Apple is using. These should knock down some of the remaining RAM limitations that applications have under 10.3. Combine this with the new 16GB RAM option in the Xserve G5s and you can build some pretty mean database servers.

Incidentally the 64 bit libraries allow the Unix-y stuff to handle up to 4 TB of RAM. Let me know before you buy 4 TB of RAM from Apple though, I might want to buy some stock first.

Another welcome feature is a new API that lets traditional UNIX tools such as cp, mv, tar, and rsync work with forked files. This should open up a much easier world of scripting for Mac OS X.

Our old friends Server Admin and Workgroup Manager come back with a nice round of improvements. Performance and stability seem to be a bit better with the server admin apps, even when dealing with 10.3 and 10.2 servers. Both apps have picked up some nice interface tweaks, but nothing too drastic, just a bit of cleaning up. The changes mainly reflect the new services and features that have been added in 10.4.

One new feature of Server Admin that does stand out is the Gateway Setup Assistant. You can use this to automate the setup of a NAT gateway and VPN server for your network.

Odd man out, Server Monitor, is pretty much the same however.

The Network Image Utility is 90% new, and allows much greater control over image creation. You can now restrict images by hardware type and have a few easy post-install options for tasks such as naming Macs after you do a Network Install on them. Check the Netboot section of the overview for more info.

A new administration application, Xgrid Admin, allows you to monitor your processing grids, manage Xgrid agents, and manage your processing jobs. The general setup for Xgrid is done in Server Admin on the Xgrid controller and Xgrid agents have their settings enabled in the Sharing Preferences on the client.

Apple is approaching the HPC arena very aggressively and has had some great successes. I would expect Apple to continue to gain ground in the HPC arena with Xgrid's tight integration into the client and server versions of Tiger.

An odd tweak to the setup process is that you can no longer specify your host name; it only allows automatic naming now. Just remember that when you set it to the final name you will need to use the changeip tool, just like on 10.3 before.

Another change is that Mac OS X Server now checks for duplicate serial numbers at boot time. This is handy as it eliminates the very common error of people trying to set up an OD master and replica with the same serial number. We hope that site-licensed serial numbers will be an option for 10.4 under the new serial scheme.

Closing out the general info section on a replication note, you cannot mix 10.3 and 10.4 servers in your OD system. You can bind a 10.3 client to a 10.4 server and vice versa, but you cannot replicate between disparate systems. If you attempt to do so, Server Admin will complain about it and not let you get yourself into trouble.

OK, enough of that. On to the specifics...

Open Directory

Open Directory has picked up a bevy of new options and features in Tiger. None of the good stuff is gone, but there is a lot of extra goodness now.

On the server side the OpenLDAP and Berkeley DB were updated to versions 2.2.19 and 4.2.53 respectively. Also, Apple now supports LDAP schema replication, which makes the next feature possible. OD now supports a GAL-like list of user info. There is now an "Info" tab for the user records that you can populate with info such as names, addresses, chat addresses, phones, and more. All you need to do is point the Address Book at your OD server and you can look up any user you like. You could make the modifications to the LDAP DB in 10.3, but without schema replication you would need to manually update all of your replicas.

(FWIW, the 10.3.9 server update installed all the 10.4 schema on your servers, so you should be able to use a copy of 10.4 WGM against a 10.3 server and still get all of this address fun. The lack of schema replication in 10.3 is why the 10.3.9 Server update must be applied to replicas first.)

Another terrific feature is the ability to easily dump your entire OD system out to an archive and restore it later. This feature backs up everything, and I mean everything, related to your OD setup onto an encrypted sparse image. At any time in the future you can select a backup image and restore your OD system to that point in time. Nice. Good backups of your OD system are more critical than ever now with the introduction of the GUIDs for users and groups. The backups are all done through the Server Admin GUI and can also be done from the serveradmin command to allow for easy scripting of this feature.

Security of LDAP binding is up significantly in 10.4 with the introduction of trusted binding. Trusted binding creates a computer record on the server and a server record on the client. This way there is a two-way verification, or trust, set up between the managed Mac OS X client and the server. Much like in an Active Directory domain, you will be asked for a directory administrator's name and password to bind and initiate the trust.

In order to secure that LDAP connection your server will create a self-signed SSL certificate when you promote it to an Open Directory master. It's then just a simple matter of telling it to use the certificate for all your SSL needs. Additionally you can disallow clear text passwords, force SSL, digitally sign all of your LDAP packets, and block any packets that don't match those signatures in order to prevent man-in-the-middle attacks. The best thing about all of these options is that they can significantly increase the security of your server with just a few clicks in Server Admin. Keep in mind that the packet signing options require Kerberos.

Speaking of Kerberos, Apple has made it easier to join your Tiger Server to a 3rd party Kerberos realm hosted on other platforms now. More services join the Kerberos party in 10.4 with the additions of Xgrid, ipp, http, XMPP (Jabber), and vpn. Note that while these services are in the keytab of the server, not all the services are yet Kerberized. So take that for what you will.

Password Server security has gone up as well with simple check boxes to enable and disable password types. If your users don't need APOP or WebDAV-Digest style passwords then you will probably want to turn them off since they are recoverable. An important note on this though is that you will need to reset the passwords of any existing users if you decide to re-enable a password style at a later time.

Other under the hood changes in Tiger include the addition of memberd, the group membership resolution daemon. This daemon is responsible for the new inherited groups feature that allows you to nest groups of users and for users to belong to more than 16 groups. While this is a nice feature to gain for pure Mac environments, it is a wonderment for people who deal with Active Directory, and should make that task a lot easier now.

On the Active Directory front, the AD Plugin has gained a few features as well. All of the existing dsconfigad options are now in the GUI, and they have added additional mappings for primary group ID and group ID. Also new is the -enablesso flag for dsconfigad that will enable SSO via Kerberos for all services.

Another really nice addition to the CLI family in 10.4 is dsconfigldap, which allows you to manipulate your LDAP client configuration in Directory Access from the CLI. Another item of note is that dscl can now be used to manipulate your authentication and search paths from the command line.

Another very welcome feature is that Server Admin will prompt you to create a new domain admin when promoting a server to a master role. This will help prevent the ever present namespace collisions that seem to plague many Open Directory systems.

And lastly, you'll be very pleased to know that Workgroup Manager finally has a create new folder button in it when you are setting share points! As an added bonus there is a second button to allow you to easily set up NFS reshares.

Overall the additions to Open Directory in Tiger serve to strengthen an already sound foundation. If we had to pick any area that is still lacking it would be in replication control and efficiency.

Client Management and Mobile Homes

After all these years of using mcx there have always been a few features offered by Macintosh Manager that we did not have for Mac OS X workstations. Two of them get taken care of today.

First up is managed preferences. With the new preference system in 10.4 you can push preferences down to most any application. There are a few ways to do this. If the developer has kept their application current for 10.4 then it should contain what is called a preference manifest. This file is essentially a human readable form of preference file and it should contain clear descriptions of all the settings for that app. You can simply select the application you want to manage in Workgroup Manager and edit away. You can still edit the old style .plist preference files and push them with Workgroup Manager, but they tend to be more cryptic as to how they work. It will really be up to you to test each change to see what effect it has on the client side.

Secondly, we have synchronized mobile homes now! Macintosh Manager had a "Check Out" feature that would sync your data down to a workstation and then sync it back when you checked it back in. Tiger brings a new feature called Portable Home Directories that allows us several ways to synchronize the mobile home to the network one. You can define how the sync takes place in Workgroup Manager's Mobility preferences. The Portable Home Directory is synchronized on its first login after creation and is then kept synchronized in several ways. You can define a periodic background sync, or a login or logout sync. Also the user can select Sync Home Now from the menu bar at any time. You can also specify rules to determine what gets synced; for example, you might not want to sync the Safari cache folder.

The addition of Portable Home Folders is a very nice one, and it eliminates one of the most common complaints about the mobile user accounts in 10.3.

Access Control Lists

New in Tiger are access control lists, and they are everywhere! In a nutshell ACLs allow you to set much more granular access rights to the file system and services of Mac OS X Server. By section of application they break down something like this:

File Services:
When you need more control than read, write, and execute provide in your file system you can turn to ACLs for more flexibility.

Apple's ACL provides for 13 additional permissions in three categories:

Administration:
  • Change Permissions
  • Take Ownership

Read:
  • Read Attributes
  • Read Extended Attributes
  • List Folder Contents
  • Traverse Folder
  • Read Permissions

Write:
  • Write Attributes
  • Write Extended Attributes
  • Create Files
  • Create Folders
  • Delete
  • Delete Subfolder and Files

You can use four different methods of inheritance to propagate these permissions:
  • Apply to this folder
  • Apply to child folders
  • Apply to child files
  • Apply to all descendants

The ACLs are set at the folder level and are applied to files as a result of the inheritance method, or methods, you use. To set up ACLs you can use Workgroup Manager on Mac OS X Server, or chmod on any flavor of Tiger. File system ACLs only work on HFS+ volumes and they only apply to SMB and AFP network connections.

When you set up an ACL you are actually creating an Access Control Entry, or ACE. ACEs are the building blocks of an ACL and consist of the user/group, permission type, permissions, and inheritance information. You can combine multiple ACEs in each ACL, and because each ACE is assigned to a user or group (via its Mac OS X GUID and Windows SID) your ACLs can be very flexible indeed.

Furthermore you can mix ACLs and the traditional POSIX permissions (just read, write, and execute). If there are ACEs defined for a file or folder they take precedence over the POSIX permissions.

Service Access Control Lists, or SACLs, allow you to restrict access to services by user and group. So you could create an FTP group and then only allow members of that group, or of an inherited group, access to the FTP service.

Directory Access Controls, or DACs, allow you to control access to the schema of your Open Directory servers. This will allow much more granular control of who can edit what in the user database than we have ever had before.
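To make the file-system ACL rules above concrete, here is an added model (not Apple's code) of how an ordered list of ACEs, nested group membership, and the POSIX fallback combine into effective access, and of how a Workgroup Manager style ACE maps onto the argument Tiger's chmod +a takes. It assumes a simplified evaluation rule (first matching ACE per permission wins, anything unmentioned falls back to mode bits) and a constructed "Projects" share with constructed user and group names.

```python
"""Model of Tiger file-system ACL evaluation (added example, not Apple's code).

Assumptions, stated because the page describes ACLs only at a high level: an
ACL is an ordered list of ACEs; the first ACE that matches the requester and
mentions a permission decides it; permissions no ACE mentions fall back to
POSIX mode bits (a simplified approximation); group membership is resolved
through nested groups, the job memberd does in 10.4.
"""
from dataclasses import dataclass

# The 13 Workgroup Manager permission names and the chmod(1) keyword for each.
WGM_TO_CHMOD = {
    "Change Permissions": "writesecurity", "Take Ownership": "chown",
    "Read Attributes": "readattr", "Read Extended Attributes": "readextattr",
    "List Folder Contents": "list", "Traverse Folder": "search",
    "Read Permissions": "readsecurity",
    "Write Attributes": "writeattr", "Write Extended Attributes": "writeextattr",
    "Create Files": "add_file", "Create Folders": "add_subdirectory",
    "Delete": "delete", "Delete Subfolder and Files": "delete_child",
}
READ_PERMS = {"Read Attributes", "Read Extended Attributes",
              "List Folder Contents", "Read Permissions"}
WRITE_PERMS = {"Write Attributes", "Write Extended Attributes", "Create Files",
               "Create Folders", "Delete", "Delete Subfolder and Files"}
ALL_INHERIT = frozenset({"this folder", "child folders", "child files",
                         "all descendants"})


@dataclass(frozen=True)
class ACE:
    who: str                  # user or group name (stands in for its GUID/SID)
    allow: bool               # True = allow, False = deny
    perms: frozenset          # subset of WGM_TO_CHMOD keys
    inherit: frozenset = frozenset({"this folder"})  # WGM inheritance checkboxes


def chmod_spec(ace):
    """Render an ACE as the argument Tiger's `chmod +a` expects."""
    words = [kw for name, kw in WGM_TO_CHMOD.items() if name in ace.perms]
    if "child files" in ace.inherit:
        words.append("file_inherit")
    if "child folders" in ace.inherit:
        words.append("directory_inherit")
    if ace.inherit & {"child files", "child folders"} and "all descendants" not in ace.inherit:
        words.append("limit_inherit")    # stop propagation after direct children
    if "this folder" not in ace.inherit:
        words.append("only_inherit")     # not consulted for the folder itself
    return f"{ace.who} {'allow' if ace.allow else 'deny'} {','.join(words)}"


def expand_groups(group_members, principal):
    """Groups `principal` belongs to, directly or through nested groups."""
    found, stack = set(), [principal]
    while stack:
        p = stack.pop()
        for group, members in group_members.items():
            if p in members and group not in found:
                found.add(group)
                stack.append(group)
    return found


def effective_access(acl, user, group_members, posix):
    """Return {permission: (granted, source)} for all 13 permissions."""
    identities = {user} | expand_groups(group_members, user)
    result = {}
    for ace in acl:                       # ACE order matters: first match wins
        if "this folder" not in ace.inherit or ace.who not in identities:
            continue
        for perm in ace.perms:
            result.setdefault(perm, (ace.allow, f"ACE for {ace.who}"))
    owner, group, mode = posix            # mode bits decide whatever is left
    if user == owner:
        bits, cls = (mode >> 6) & 7, "owner"
    elif group in identities:
        bits, cls = (mode >> 3) & 7, "group"
    else:
        bits, cls = mode & 7, "other"
    for perm in WGM_TO_CHMOD:
        if perm in result:
            continue
        if perm in READ_PERMS:
            granted = bool(bits & 4)
        elif perm in WRITE_PERMS:
            granted = bool(bits & 2)
        elif perm == "Traverse Folder":
            granted = bool(bits & 1)
        else:                             # Change Permissions / Take Ownership
            granted = user == owner
        result[perm] = (granted, f"POSIX {cls} bits")
    return result


# Constructed sample: a "Projects" share, nested groups, and an explicit deny
# placed first so contractors inherit engineering's rights minus deletion.
GROUPS = {"engineering": {"alice", "contractors"}, "contractors": {"bob"}}
PROJECTS_ACL = [
    ACE("contractors", False, frozenset({"Delete", "Delete Subfolder and Files"}), ALL_INHERIT),
    ACE("engineering", True, frozenset(READ_PERMS | WRITE_PERMS), ALL_INHERIT),
]
PROJECTS_POSIX = ("root", "wheel", 0o755)
```

Reversing PROJECTS_ACL lets bob delete again, which is why the order of entries in Workgroup Manager is as important as the entries themselves.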

AppleRAID 2

While technically not just a server tool, Apple's RAID software has received a lot of attention in Tiger. Some highlights include:

The ability to set the block size of the RAID. By using this feature you can tune your RAID set for the best performance. You can also now use any volume on a disk to create a RAID, not just the devices themselves.

Mirroring has received the most updates; you can now tell a mirror to auto-rebuild itself in the event of a failure. Making this feature even stronger is the ability to designate spare drives for the mirror sets. Another key mirror update is the ability to easily split a mirror for an instant backup of your file system. This has been a general practice in data centers around the world for years and now we can use the same strategy.

A new "RAID" type in Tiger is a concatenated set. This pseudo RAID level allows you to combine drives into one larger volume. Like a mirror, you can start the concatenated set non-destructively, but you will lose the data on each drive you add to the set. To be honest, this option puzzles us a bit. It has all the fragility of a stripe, with none of the speed gains. I think that Mac OS X would be better served with full support for union mounts instead, but that's for another day.

Another new feature is the ability to nest RAID sets. This allows for mixes such as 0+1 and 1+0, and you can use concatenated disk sets inside your RAID arrays.

All in all, AppleRAID is a much stronger part of the OS now, and one that all sysadmins should take a hard look at. In particular, the ability to split off a mirror set drive is going to open up a whole set of backup strategy changes.

ASR

Again, ASR isn't specific to the server OS, but that is where most of our readers will see it. ASR in Tiger gains one, gigantic, sexy feature in the form of a multicast image server. Any Mac with Tiger on it can invoke asr with the -server flag and a correctly built image and plist to enable the image server. Other workstations can then run asr with an asr:// URL as the source and restore off the network.

This is a big, huge addition to the asr system and it is so high on our in-depth article hit list it has a nose bleed.

Web Log Server

New in Tiger Server is a Web Log Server. While this is probably not the 'killer feature' that will juggernaut Apple into most enterprise environments, it has its place in today's society. Keeping with recent traditions at Apple, when searching for their Blog Server, they immediately turned to the Open Source community and came up with Blojsom, which is a Java version of Rael Dornfest's Blosxom.

Apple's Blog Server has a very polished and elegant look and feel to it, with four professional themes to choose from. Users will find that the interface is quite simple and provides an all-in-one window design, allowing them to quickly and easily create categories and entries and adjust settings for their personal blogs. User defined settings can include the name of the blog, a general description, owner name, owner email, the theme to use, and even a list of authorized readers of the blog. Administrators will love that Blog Server not only works with local user accounts, but is fully integrated into Open Directory, as well as third party directory services such as Active Directory. Included in your completed blog entries are Atom, RSS 2.0 and RSS 1.0 feeds, taking advantage of the new features in Safari RSS, which also ships with Tiger.

DHCP

Not too much has changed in the DHCP server of Mac OS X Server. bootpd still provides the service, but Apple has made a few nice changes in Server Admin for DHCP. Apart from the typical 10.4 Server Admin refinements there is now a tab for setting static DHCP assignments. Not much else to see here. Move along.

Software Update Server

A common question that everyone asks when looking at OS X Server is 'how do you deploy updates to your users?' Apple has Remote Desktop, which is quite handy at pushing out packages, but that comes at an extra cost. Most folks don't want to have a whole group of OS X machines individually downloading the same packages from the internet and causing all sorts of traffic.

Included in Tiger Server is a new software update mechanism, built into the plethora of new features that ship with the server platform. Software Update does exactly as its name indicates; it updates software, but it does have some nice features to help you keep your Macs up to date.

First and foremost, Software Update will allow you to mirror all the updates that Apple offers. I use the word 'all' because Software Update will mirror every current update available from Apple, including applications that you do not have installed on the host machine. You can disable this feature and do this manually, or you can let Apple tell your server what updates to mirror and even automatically enable them for local distribution. You are able to disable any mirrored updates that Apple sends your way, and the GUI also provides the update notes for each package. There's also the ability to limit bandwidth usage and change the port on which to provide your updates.

The SUS will not allow you to push out updates to 3rd party applications, however. You can only do Apple updates, so you still have reason to keep radmind or Apple Remote Desktop around.

A final note on Software Update is that it requires that you be running Open Directory on your network. Out of the box, Software Update is distributed to your clients as a managed preference in Workgroup Manager. WGM requires minimal configuration to accomplish this, simply asking where the server is that you want your clients to update from.

iChat Service

Based on Jabber, Apple's iChat service allows you to set up internal messaging servers for your organization. If you have an all-Mac workgroup contained in one subnet, you can still just use Bonjour (previously known as Rendezvous) messaging, but with the Jabber server you can do much more. For one, Jabber is cross platform and there are clients for every platform under the sun. Also, if you use the iChat Service you will not be restricted to one subnet and, like nearly everything else in Tiger Server, SSL is only a checkbox away.

Apple provides a typically minimalist interface in Server Admin, but you can modify the splendidly well commented config file at /etc/jabber/jabber.xml for more functionality, such as registering your server with the internet Jabber directories. This brings up another nice point of Tiger Server: not only are more of the services controlled by standard config files, but the documentation actually points out where they are located!

My biggest beef with the Jabber server is the lack of integrated logging. This is almost a black-box internal messaging solution for Enterprise environments. However, have no fear, gentle admin, Jabber can be made to log, but the process isn't necessarily the easiest. More on this later.

The Jabber server really shines with the new version of iChat. Your users, if they have their contacts path set to search your OD LDAP domain, will be able to live search LDAP for Jabber and other IM names, all from the add buddy window in iChat. Additionally, the Jabber server and the new iChat fully allow audio and video conferences to be set up.

NAT

The NAT server interface in Server Admin has picked up two little niceties. One is just a clarification of which interface to select, as it now clearly says "External network interface:"; the other is the ability to just turn on IP Forwarding without NAT to create a gateway. Remember that you still need to turn on the Firewall service to use NAT.

Following the trend for Tiger, the docs are a bit nicer now and they contain the methods and syntax for configuring port forwarding in your NAT. In general the NAT documentation grew from 3 pages to 10, a nice gain.

NetBoot and NetInstall

We've all been there before. You finally convince your boss that a new fleet of Apple brand computers is simply 'the way' to go. You're excited. You're pumped. You're going to take so many pictures for the fan sites that you're sure to finally get little Suzy's phone number at the company party. Then, reality sets in. How are you going to get all of those brand new brushed aluminum and shiny white beauties out to your users before rumors of the next update hit the web?

Enter NetBoot and NetInstall.

NetBoot and NetInstall do as their names would indicate. These services give you the ability to remotely install systems or completely boot your systems off a network stored image, even without an internal hard drive. Some of the features that you'll quickly notice include block copy network install images, remote storage of your images, and Directory Service configuration. What's that mean? That means that you can transfer your images faster, make better use of your network storage, and set up all of your Directory Services without visiting each machine. You're even able to synchronize your previously created images with an updated source, giving your images more longevity.

For most of us, being able to set up Directory Services remotely is a real timesaver. True, there are very nice login hooks available out there for things like binding to Active Directory, but wouldn't it be easier to simply specify a configuration and give your installation server a list of hostnames to use?

For those of you who want to actually boot your systems with this service, you'll be happy to know that there are features for you folks as well. You're able to copy your NetBoot image to multiple drives and increase your performance. Also, you are able to balance your NetBoot clients across multiple servers, allowing you to balance your load more efficiently as well.

Mail

This is an area where a nice amount of progress has been made. Apple has really listened to its users and bundled some very popular third party features into Mail. In fact I'd even go as far as to say that the mail module in Server Admin is the singularly most updated module in 10.4.

First and foremost is integrated virus scanning, provided by ClamAV. This is a feature that will be very popular with the OS X Server crowd, as it is a component that was almost a must have for all admins out there in charge of an OS X Mail Server. By default, your server will update its virus definition database once a day (FreshClam). You'll be best served to increase the number of daily updates, as the freshclam folks suggest that your target be 8+ updates daily. Infected messages can be deleted, quarantined or bounced, depending on the policy you set in Server Admin. You are also able to receive alerts on receipt of infected messages on your server and notify your users as well.

Another component of Mail that should seem very familiar to the OS X Server vets out there is junk mail screening, which is provided by the built in SpamAssassin project. Built right into Server Admin, you now have the ability to control the fate of your junk mail. You are able to define the threshold of what you consider junk mail by assigning it a score in hits (1-40), define languages that you will accept messages in, define how junk mail messages should be handled (delivered, deleted, bounced or redirected), and you can even attach a string to the subject tag of the message to alert your users that your server believed the message was junk.

There are also a few more added features that you'll find helpful in using Tiger. Users of Mac OS X Server versions 10.1 and 10.2 will be glad to see that Apple included a migration tool, allowing you to specify the location of your previous database and either migrate all the listed entries, or migrate your users on a per-user basis. Also included is Virtual Hosting, which allows you to host multiple domain names on a single server, using the same IP. You'll also be happy to find more robust quota handling and maintenance tools. You can run the cyrus reconstruct command and you can monitor and maintain your Postfix queues right from Server Admin.

Firewall

The first thing you notice about the Firewall Service is that its interface in Server Admin has been cleaned up a great deal. It's now much easier to figure out what your rules are doing and how to set them up. If you dive under the hood though you will find a tasty nugget in the fact that ipfw now includes dummynet as well. Dummynet has long been a part of ipfw on other BSD based platforms, but has long been missing from Mac OS X. Now that we have it you can use your Mac OS X Server for doing things like traffic shaping and bandwidth management. "Where the heck is dummynet?" is a very common question from people moving to Mac OS X and now it has an easy answer.

Web

Web is an area that was fairly mature in Panther, using Apache, and not much has changed in the leap to Tiger. You'll find that Apache version 1.3 is the heart of the Web service and Apple still includes version 2 in /opt for evaluation purposes (it's not supported in the GUI tools).

Along with the Weblog features (see the Weblog section for more information about this service), you'll also find a more streamlined interface to SSL and certificate management, a new WebObjects service, which has been included as its own service, and the ability to checkbox your way to Server Side Includes. Also changed is the GUI for Aliases of your site. You are now able to set up a virtual host, as well as URL aliases and redirects, from the Server Admin GUI, in two specific lists. Web admins will also find that you can now restrict access to your proxy server as well, with a simple checkbox interface.

A really nice feature is one-click set up of Kerberos authentication to web realms. With Safari being kerberized this means that your users will be able to navigate to web realms without having to re-enter their passwords. Very cool indeed.

DNS

This is the one part of Server Admin that I think might have regressed slightly. Apple tweaked the GUI a bit to make it easier to manipulate the DNS zones, especially for those admins that are new to BIND. I think the changes that they made were rather decent and effective. The first time out it is a bit weird but you quickly get to know where all the checkboxes are.

But, and there is a big but in this one, you've lost the ability to edit your reverse zones through the GUI. I imagine this is a function of "protecting" the admin from having to understand what a reverse record is, but it can get really ugly quickly. For example, if you create two forward records for an IP address, perhaps in different domains even, the system will create two reverse records for the same IP address. Now there isn't anything technically wrong with this, except that you'll randomly get one or the other when you do a reverse look up. This is probably not what you were expecting.

So, if you're serious about your DNS zones, you're probably still doing this by hand like you were before.
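The duplicate-PTR problem described above is easy to catch before it surprises anyone. The following is an added example (not Apple's or BIND's tooling): it takes a constructed set of A records in a simple "zone host type value" line format standing in for what Server Admin writes, generates the PTR each one would produce, flags addresses that would end up with more than one, and picks a single canonical PTR per address for the hand-maintained reverse zone.

```python
"""Flag PTR collisions caused by several forward records per IP address.

Added example, not Apple's DNS tooling. The record format is constructed for
this example and stands in for the A records Server Admin writes into BIND.
"""
import ipaddress
from collections import OrderedDict

# Constructed sample: two zones whose A records share IP addresses.
SAMPLE_RECORDS = """\
example.com  www       A  192.0.2.10
example.com  mail      A  192.0.2.20
example.org  intranet  A  192.0.2.10
example.com  files     A  192.0.2.30
example.org  backup    A  192.0.2.30
"""


def parse_records(text):
    """Return [(fqdn, ip)] for every A record in `text`; other types are ignored."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "A":
            continue
        zone, host, _, ip = parts
        records.append((f"{host}.{zone}.", ip))
    return records


def reverse_name(ip):
    """The in-addr.arpa owner name a PTR for `ip` would have."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def generated_ptrs(records):
    """Every PTR the GUI would generate, grouped by reverse name, in order seen."""
    ptrs = OrderedDict()
    for fqdn, ip in records:
        ptrs.setdefault(reverse_name(ip), []).append(fqdn)
    return ptrs


def ptr_collisions(records):
    """Reverse names that would get more than one PTR, so lookups vary."""
    return {name: targets for name, targets in generated_ptrs(records).items()
            if len(targets) > 1}


def canonical_ptrs(records, preferred_zone=None):
    """One PTR per address: a name in `preferred_zone` if present, else the first seen."""
    chosen = {}
    for name, targets in generated_ptrs(records).items():
        preferred = [t for t in targets
                     if preferred_zone and t.endswith(f".{preferred_zone}.")]
        chosen[name] = (preferred or targets)[0]
    return chosen


def render_reverse_zone(ptrs):
    """Zone-file lines for the chosen PTRs, ready for a hand-edited reverse zone."""
    return [f"{name} IN PTR {target}" for name, target in sorted(ptrs.items())]
```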

VPN

This is relatively unchanged, but with 2 rather big improvements. First of all you get the ability to have Kerberos authentication for the L2TP/IPSec VPN connections. This won't do a whole lot for your remote users, since they'd have to get the TGT first before using the VPN, which is a bit of a chicken and egg scenario. Your LAN users, however, can now go down remote VPN links without having to authenticate there, or more importantly, change the password in their keychain when their system password changes.

Secondly, the IPSec VPN gets the ability to use certificates instead of passwords for the shared secret. This is a bit more secure way of doing things. Since this functionality also appears in the VPN client, OS X potentially gains an easy GUI to access a lot more VPNs in this world.

Speaking of the VPN in OS X client, you can now set VPN domains, which will cause the VPN to automatically start whenever you access a server within that DNS domain. That's pretty cool. Especially when coupled with the Kerberos authentication.

Another little hidden gem is the s2svpnadmin setup, which is a rather nice CLI wrapper around racoon. It easily allows you to set up a plain IPSec VPN without getting your hands dirty with knowing anything about racoon. This is billed as allowing you to set up VPN tunnels between two OS X servers, but you should be able to do a lot more with it.

Managed Network Views

As part of the new features in user management, Apple has included the ability for you to manage how your users view (or browse) the network that they are on. While this may seem like a modest feature, those of us who have the pleasure of working in larger environments know how slow and jumbled the Network view in the Finder can get. Even for those of us in smaller environments, it still can be advantageous to help make your end users' day a little less confusing.

There are three types of Managed Network Views in Tiger Server. First is the Named view. This view allows you to specify a list of computers to which you can publish a view, so that you could differentiate views between one department's Macs and another. Second, there is the Default view, which is only visible on computers that have the directory in which you stored the view in their search path. This view will not be seen if the computer already has a Named view assigned to it. Finally, there's the Public view. Think of this as the 'last resort' view. If a computer on your network is not set up with a managed view already, this type of view will provide its browsing information. This view is accessible by any of your Mac OS X clients that are configured to access the directory in which it is stored. The difference between Public and Named, as pertaining to Directory Services, is that Public view clients do not need to have the directory in their search path.

Now that you know what types of views there are, you'll want to know the types of information with which you can fill these views. Apple, again, has provided three choices for you here. First is a dynamic list, which will dynamically update its list of network resources. You might specify different SMB domains, AD domains, SLP or Bonjour as your services here to browse. Second is the ability to create a network neighborhood, which will allow you to create a collection of resources on your network. Think of these as network OUs, which can be filled with dynamic lists, other neighborhoods, computers and additional resources. Third is computer, which allows you to add computers to your defined network views, or add them to the neighborhoods that are assigned to your network views.

Can we all see that Apple is really into granular control these days?!

    Windows Services

    If your OS X Server needs to support the 95% of the world that uses Windows, you're in luck! Apple has added some new features for you, including tools that will allow you to reduce that number by one more user.

    In Panther, you could use Active Directory's Kerberos and logins, but your server was still a standalone server while doing this. In Tiger, Apple has upped the ante and will now allow your OS X Server to be a member of the Active Directory domain, even through the GUI. Also, if you are not using Kerberos, Apple has included NTLMv2 authentication for your Windows clients and has given us the option of selectively disabling older authentication protocols such as NTLMv1 (which has documented weaknesses).
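    The Windows service on Tiger Server is Samba 3, and Samba's smb.conf parameters "lanman auth" and "ntlm auth" are what decide whether the server still answers LAN Manager and NTLMv1 challenges (setting "ntlm auth = no" leaves NTLMv2 only). As an added example that is not from the article or from Apple's tooling, the script below audits an smb.conf for those two legacy protocols and flags any that are still on. Whether Server Admin writes exactly these keys when you untick the older protocols is an assumption made here; the two configuration files are constructed for the example, and absent keys are treated as enabled, which is Samba 3's default for both.

```shell
#!/bin/sh
# Added example, not from the AFP548 article or from Apple: audit a Samba
# smb.conf for legacy Windows authentication protocols (LAN Manager, NTLMv1).
# The file contents below are CONSTRUCTED for this example. That Server Admin
# maps its checkboxes onto these Samba keys is an assumption.

WEAK_SMB_CONF='[global]
    workgroup = EXAMPLE
    security = user
    ; legacy protocols still enabled
    lanman auth = yes
    ntlm auth = yes
'

HARDENED_SMB_CONF='[global]
    workgroup = EXAMPLE
    security = user
    # LM and NTLMv1 responses refused; clients must use NTLMv2 (or Kerberos)
    lanman auth = no
    ntlm auth = no
'

# smb_param <conf-text> <name>: print the [global] value of a parameter in
# lower case, skipping comment lines and trimming whitespace. Prints nothing
# when the parameter is not set.
smb_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                          # ; or # comment line
        /^[ \t]*\[/   { section = tolower($0); next }   # [section] header
        index(section, "[global]") && index($0, "=") {
            split($0, kv, "=")
            k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) print tolower(v)
        }'
}

# smb_audit <conf-text>: print one WEAK line per legacy protocol that is still
# enabled and return 1 if any is, so it can be used as a check in a script.
# An unset key counts as enabled (Samba 3 defaults both parameters to yes).
smb_audit() {
    rc=0
    for key in "lanman auth" "ntlm auth"; do
        val=$(smb_param "$1" "$key")
        case "${val:-yes}" in
            no|false|0) ;;
            *)
                printf 'WEAK: "%s" is enabled (value: %s)\n' \
                    "$key" "${val:-unset, Samba 3 default is yes}"
                rc=1
                ;;
        esac
    done
    return "$rc"
}

# Usage: audit the two constructed files. To audit a live server you would
# pass the contents of its smb.conf, e.g. smb_audit "$(cat /etc/smb.conf)".
echo "--- weak configuration ---"
smb_audit "$WEAK_SMB_CONF" || echo "legacy protocols still enabled"
echo "--- hardened configuration ---"
smb_audit "$HARDENED_SMB_CONF" && echo "only NTLMv2 (and Kerberos) accepted"
```

    The check deliberately treats a missing key as weak: a configuration that never mentions "ntlm auth" has not turned NTLMv1 off, it has inherited the default.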

    In Panther, you were able to set up your OS X Server to be a Primary Domain Controller. That feature is still in Tiger, but now Apple has included the ability for an OS X Server to be a backup domain controller (BDC) as well. This opens up more uses for OS X Server in Windows environments. Of course, you can also bid your NT domain adieu and use the new Apple supplied NT Migration Tool and migrate all of your vital user data over to your Tiger Server.

    For your users, you'll be happy to know that the ACLs (see the ACL section for more info on this) provided in Tiger are compatible with those in Windows. If you're in a situation where you have shares that need to be shared over AFP and SMB, Tiger has unified file locking. This will ease your mind, knowing that your data is safe from corruption, by properly locking files across transfer protocols. Previously, if you were sharing the same files over AFP and SMB, you had to be sure to check the box to "Enable strict locking" in Workgroup Manager.

    High Availability

    How often do you want to see your server offline? Apple didn't think it was that often, so Tiger has included some extra features to keep you up and running, even if you hit a bump in the road.

    A big feature that's commonly asked about is link aggregation. The Xserve hardware ships with dual gigabit ethernet ports. If your switch supports it, you are now able to combine the two ports to provide better performance, and fault tolerance if link is lost on one of the two ports. The GUI provides monitoring of the link aggregate in System Preferences. Also, ifconfig -a will display your link aggregate interface name, as well as the interfaces that are part of the bond.
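    Since the article points at ifconfig -a as the command-line view of the bond, here is an added example (not from the article) of turning that output into a check a monitoring script can run: it finds each bond interface, lists its member ports, and reports any member whose status is not "active", which is exactly the "link lost on one port" case the aggregate is meant to survive. The ifconfig text is constructed for the example, and the assumption that Mac OS X prints the members on a "bond interfaces:" line is mine, not something the article states.

```shell
#!/bin/sh
# Added example, not from the AFP548 article: report a Tiger Server link
# aggregate's member ports and flag members that have lost link.
# SAMPLE_IFCONFIG is CONSTRUCTED; the "bond interfaces:" line layout is an
# assumption about Mac OS X's ifconfig output.

SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:0d:93:aa:bb:01
	media: autoselect (1000baseT <full-duplex>)
	status: active
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:0d:93:aa:bb:02
	media: autoselect (none)
	status: inactive
bond0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	ether 00:0d:93:aa:bb:01
	media: autoselect (1000baseT <full-duplex>)
	status: active
	bond interfaces: en0 en1'

# bond_members <ifconfig-text>: print "<bond> <member> [<member>...]" for
# every interface that carries a "bond interfaces:" line.
bond_members() {
    printf '%s\n' "$1" | awk '
        /^[a-z0-9]+:/      { iface = $1; sub(":", "", iface) }  # new interface block
        /bond interfaces:/ { sub(/.*bond interfaces: */, ""); print iface, $0 }'
}

# iface_status <ifconfig-text> <iface>: print the "status:" value of one
# interface (active, inactive, ...), or nothing if it reports none.
iface_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[a-z0-9]+:/ { iface = $1; sub(":", "", iface) }
        iface == want && /status:/ { print $2 }'
}

# bond_report <ifconfig-text>: print "<bond> <member> <status>" for each bond
# member that is not active and return 1 if there is any, so the function can
# be the condition of a monitoring check. Returns 0 when every member is up.
bond_report() {
    down=$(bond_members "$1" | while read -r bond members; do
        for m in $members; do
            st=$(iface_status "$1" "$m")
            [ "$st" = "active" ] || printf '%s %s %s\n' "$bond" "$m" "${st:-unknown}"
        done
    done)
    [ -z "$down" ] && return 0
    printf '%s\n' "$down"
    return 1
}

# Usage on the constructed sample; on a real server replace the variable with
# "$(ifconfig -a)". Here en1 has lost link, so one line is reported.
if bond_report "$SAMPLE_IFCONFIG"; then
    echo "all bond members active"
else
    echo "degraded: a bond member is down"
fi
```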

    Apple has also included launchd. This not only provides faster startup, but also ensures that all of your processes are running as they should. Tiger Server users will enjoy the capabilities of launchd, as it has absorbed the roles of inetd, init, mach_init, SystemStarter and other services of this nature. On the rare occasion that your server becomes completely disabled, you also have the ability to set up your servers in master and backup roles, allowing IP failover to provide your redundancy, using heartbeatd and failoverd.

    Print Services

    Let's be brutally honest for a moment. Up until now, the print server in Mac OS X Server has been pretty bad. Apple used CUPS to send the jobs to the printers, but the spooling and queues were controlled by an odd bit of Apple software. All of that has changed now and the entire system is run by CUPS.

    The new print services allow us to create IPP print queues, select cover pages for queues, and even set up authenticated printing with a quick trip to the cups.conf file. Ditching the Apple software for a pure CUPS environment was a common hack done by admins everywhere. Now it's that way, and supported, out of the box.

    Wrapping up

    Apple has said that they are going to slow down the pace of major OS updates with 10.4. With all of the new features that Tiger brings, this is a pretty good idea, as the additions of GUIDs and ACLs alone will take some time to really get the hang of.

    We are also happy to see Apple further embracing the Open Source community. A great example of this is the print service. If you had asked any Mac OS X Server admin what the weakest service was they would probably answer, "Why, the print services of course!". It seems no small coincidence that the print services were one of the last remaining Apple proprietary services on Mac OS X Server. Another example of this was when Apple needed a messaging server, they didn't try to re-invent the wheel, they just made a nice implementation of Jabber. It seems that the software has caught up to the marketing speak, "Open source made easy".

    Look for many focus articles from us in the coming days, weeks, and months as we cover all of the nifty new features of Mac OS X Server 10.4!



    Tiger Server Overview | 47 comments
    Tiger Server Overview
    Authored by: Shadomaker on Friday, April 29 2005 @ 10:15 pm CDT
    Great Overview! I agree with DNS - What the heck happened here!?! I installed Tiger on a blank Hard Drive and started to play around with it, but DNS had me down at step one. How the heck do you set up domain forwarding? Also, I disagree w/ DHCP - support for Static IP Mapping (DHCP Reservations) is GREATLY APPRECIATED! I run an XServe in an educational environment, and this feature is HUGE! Finally, is Link Aggregation still available? I talked with an Apple Specialist about a month ago, and they said there was still some speculation as to whether it would be enabled in the Gold Master release, or if it would be activated in a 10.4.1 update.
    Tiger Server Overview
    Authored by: Anonymous on Saturday, April 30 2005 @ 08:03 pm CDT
    Is there an idiots guide to setting up Portable Home Directories anywhere ?

    Obviously I'm missing something, as I haven't managed to get it to work yet.

    It seems that the home directory is failing to mount on login, the user authenticates successfully, but then errors with a message along the lines of "home is on a SMB or AFP share contact administrator"

    When creating the account on the server do I need to use a network home dir? i.e. afp://192.168.100.250/Volumes/raid/Users or should it just be /Volumes/raid/Users (the UI seems to mandate the former)?

    There seem to be two accounts with the same name (mine), one in Local directory the other in LDAP, expected? Same information different home directories (the Local one was in /Users, the LDAP in afp://..../raid/Users)

    Impressed so far, I've been running a minimal Panther server for a while now, this is even more polished.

    richard.
    • THE ANSWER - Authored by: Anonymous on Wednesday, September 21 2005 @ 07:41 pm CDT
    Tiger Server Overview
    Authored by: beathyate on Sunday, May 01 2005 @ 10:17 pm CDT
    Great overview, but I gotta say I was expecting it, for weeks! I knew this was going to be the first review I read. OK, now a couple of questions:

    Since it is LDAP, is it easy to create OUs and have different client address books synchronize with them?
    What I mean is, would this make it easier to have each user synchronize personal contacts to the server?
    Will you include a squid article in the future?
    If I add a forwarders section in named.conf, can I use the DNS GUI after that?

    Well that's a lot, I just haven't gotten my NFR yet and am anxious to try it. Thanks a lot. Great overview.
    Portable home directory on TiBook/667
    Authored by: ScottEllsworth on Tuesday, May 03 2005 @ 03:15 pm CDT
    I am planning on putting Tiger Server on my TiBook/667. The six users with six AlBooks and a single fast G5 will have their user accounts on a Buffalo TeraStation RAID-5, hooked up to the TiBook via gigabit. I plan on using mobile/portable home directories, with sync every five minutes. As I understand it, using mobile homes will mean the slow speed of the RAID and the TiBook should not really matter. Users should be running locally, and if the TiBook takes a while to sync up, well, it will not use a lot of CPU on the part of the clients.

    The TiBook has 1G of RAM, and is on gigabit.

    My one concern - the Terastation only vends as SMB, not AFP. Will this cause problems? Also, it only reads at 12MB/s, writes at 8MB/s, which makes it no speed demon. I would not use it to host a network home directory, but since it is only synchronizing, and that every few minutes, I do not expect big problems.

    Does anyone see any problems with this setup? (I have not done a lot with Server previously, so I may well have missed something big.)

    Scott
    --
    scott@alodar.nospam.com
    Java, Cocoa, and Database consulting for the life sciences
    rsync and forked files
    Authored by: Anonymous on Tuesday, May 03 2005 @ 05:18 pm CDT
    "Another welcome feature is a new API that lets traditional UNIX tools such a cp, mv, tar, and rsync work with forked files. This should open up a much easier world of scripting for Mac OS X."

    rsync does not support forked files. This is from the High_Availability_Admin_v10.4.pdf

    "rsync. Use this command to keep a backup copy of your data in sync with the original. rsync only copies the files that have changed and doesn’t copy resource forks. "

    The version of rsync that ships with Tiger is 2.6.3
    iChat Services?
    Authored by: Anonymous on Thursday, May 05 2005 @ 10:32 am CDT
    Since this is a Jabber server, do you have the ability to install transports to enable cross-network support (MSN, Y!, etc)?
    Tiger Server Overview
    Authored by: Anonymous on Wednesday, May 11 2005 @ 06:59 am CDT
    Still no groupware... why not? what do Apple use? I have webdav setup and working in iCal, but it's far from 'elegant' ... Apple bung in some chat software 'woo-hoo' great.. but where is the proper groupware? I want proper sharing of calendars and contacts that can be updated and written to by multiple users... you know.. like you can with <cough> exchange...

    Thanks for the write up though, really good.. everything else seems good, looking forward to getting mine asap.


    WebDAV!
    Authored by: Anonymous on Thursday, May 12 2005 @ 10:41 am CDT
    When oh WHEN will there be Quota-enabled WebDAV support? I understand the apache limitations, but I think this could be a killer feature for many.
    See: Xythos.

    Tiger Server Overview
    Authored by: Anonymous on Friday, May 13 2005 @ 09:17 am CDT
    For those using Tiger for webserving, what search engine do you use? Does spotlight have hooks that allow it to serve as a search engine, or are there any 3rd party options available?
    Tiger Server Overview
    Authored by: andyinindy on Thursday, May 19 2005 @ 04:21 pm CDT
    > Another item of note is that dscl can now be used to manipulate your
    > authentication and search paths from the command line.

    Any idea of how one would actually accomplish this? Something like:

    dscl . -create "/Active Directory/All Domains"

    ???

    I am trying to write a script that binds my Tiger machines to AD, but my "Authentication" and "Contacts" search paths are not being added by dsconfigad (thus I am unable to use AD to login). Being able to add them using dscl would ROCK!

    Please help!

    --Andy

    acunninghamATmacDOTcom
    Tiger Server and Active Directory
    Authored by: gudin on Friday, June 17 2005 @ 10:21 am CDT
    For a small company (35 people, seven servers) that is entirely Windows 2000/Active Directory based, is Tiger Server a viable option to replace an Exchange Server?

    The company is basically annoyed with Microsoft licensing, and is currently especially annoyed with Exchange Server, but is not in a position to replace all seven servers. They are considering getting rid of the Exchange Server box, and replace it with an Apple XServe running Tiger Server.

    This machine would not need to be a domain controller, but would have to integrate into Active Directory (for one thing, the server needs to be a full-fledged member of the domain, and there should be no need for multiple logins). They are hoping that this will be a first step to a transition to all XServes within a year or two.

    Can Tiger Server do this?

    Does anyone have suggestions for replacing Exchange Server? (currently it's used for mail, group scheduling, shared public folders in Outlook, and syncing with PocketPC devices).

    Note: many of these things seem to be doable based on the marketing info, and various reviews, but I am hoping some people with actual experience in doing some of these things may chime in as well.

    Thanks.

    gudin