Jorge Herskovic, a member of our community, wrote up a detailed account of his own experience working with OS X Lion Server for the benefit of our Mac forum readers. We asked Herskovic to expand on his thoughts a bit and share them with the rest of us; he graciously agreed. Here's one computer geek's experience with trying to govern his home Apple gadgets with Lion Server.

You can reach Jorge by going to his Twitter feed or his home page.

First, two confessions: I am a huge Apple fan. I am typing this on my 27” iMac, which sits under a painting of the old rainbow Apple logo in my home office. I own six Macs (four at home, two at work), my wife and I have iPhones, I have an old iPod I use as a car jukebox, and I have an iPad, an Airport Extreme, an Apple TV, and an Apple TV 2. I’ve been to the Apple campus in Cupertino more than once—and I live in Texas. Heck, I’m wearing an Apple T-shirt as I write this. I’m a drooling Apple fanboi.

I'm also a UNIX-loving geek. My first Linux install was Slackware from a stack of floppy disks, in 1993. I’m competent enough not to shoot myself in the foot too badly. I have owned and managed Linux machines before, still keep a Linux VM on my Macs, and have root to several Important Linux Servers at work. I’ve run mission-critical systems on Linux for more than one company.

My current home network, though, is all Apple, all the time. Until a few days ago, I was content enough to manage each machine individually. I used a few well-known tweaks to enable some server behavior; for example, I used the format a sparsebundle trick to let my wife’s Macbook Pro backup to a drive on my main machine. I also used this guide to enable the VPN server that ships with OS X; I use the VPN to provide a secure connection for notebooks and iPhones on untrusted networks.

A few days ago, my wife’s backups stopped working (again) and my kludgy VPN failed (again). Both were regular occurrences. Faced with the prospect of fixing hacky backups that were never a good idea in the first place, some free time for the holidays, and the desire to tinker with more technology, I gave Apple $49.99+tax and downloaded Lion Server. My main interests were the VPN and network backups, but I also found centralizing the management of all my Apple junk attractive. At its lowest price ever, Lion Server is priced attractively for a home user with a small network. Apple is clearly aware of this, as the Lion Server page on apple.com proclaims that Lion is “The Server for Everyone”.

So follow along as I bumble my way through setting up Lion Server. I’ll try to test Apple’s claim: is Lion Server really a good product for everyone?

The purchase and installation process

Like Lion Client, you purchase Lion Server from the Mac App Store. I purchased mine from a mid-2010 27” iMac running 10.7.2. The download was only 15 MB, but that is deceptive. What you get is an installer that downloads and installs more software. After approximately half an hour, the installer declared victory and I was greeted by my new friend, the Server app (new in OS X Lion Server).

Initial configuration

The first thing that Lion Server really, really wants you to do is set a hostname for your machine and get an SSL certificate. While iMac.local had served me well, this wouldn’t do for a server. I therefore created a subdomain of my main domain as a CNAME record and pointed it to a dynamic DNS hostname I use to actually reach my home network. I then created a legitimate SSL certificate using startcom’s awesome free SSL certificate service. This was as straightforward as creating an SSL certificate gets (not very, but doable). With my shiny certificate installed, I set forth to explore my new server.

My first obvious question was: what has changed? Judging by the lack of a reboot, not a whole lot. I clearly didn’t get the super-sekrit server kernel. Did I earn, at least, a “server” badge somewhere for my $50? “About this Mac” doesn’t look promising:

The “more info” box yielded an upgraded string. Woohoo! I have a Server!

After this Very Important Verification, I turned to the most important task at hand: FIX THE WIFE’S BACKUPS. My wife runs a successful Spanish-language cooking blog out of her Macbook Pro. Her backups are mission-critical, and the key to peace in our household. Flick the switch on the Time Machine panel, select the backup drive (Lion Server complains when using a USB drive, but will let you do it), and done:

My wife could see the new backup drive on her machine’s Time Machine Preference Pane. She clicked on it, entered her username and password for the now-server, and her backup started immediately.

So far, so good. This is what an Apple product is supposed to be. Easy, and it Just Works™.

For the sake of completeness, I tried pointing Time Machine Server to an NFS share and a CIFS share. Just like Lion Client, it wouldn’t let me use network volumes as a backup destination. And just like Lion Client,

defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1

will make those drives visible to Time Machine Server. Obviously, I do not recommend using unsupported backup volumes. Backup is a great place to be boring and conservative. But if you want to do it, you can.

Now on to fix the VPN. I deleted my old handmade configuration file and went to the VPN control panel. It’s tremendously simple; although I can promise that I have a Shared Secret, however, Lion Server refuses to acknowledge that. Devices still need it to connect, so it’s there. It just doesn’t want to be seen. No, clicking “Show shared secret” doesn’t bring it back.

I had problems with DHCP allocations on my network before (my AT&T modem/router is the designated DHCP server and tends to forget its assigned range), and I wanted to fix them. I decided to use my new OS X server to provide DHCP services to the rest of my little network. But I couldn’t find the DHCP server configuration anywhere.

But wait! There’s more installation!

Here’s where Anandtech’s gigantic OS X Lion Server review and this handy We Got Served guide to OS X Lion in the home come in. As it turns out, Server.app is not the whole story; it only allows you to configure some services. For the rest, you need the Server Admin Tools from Apple’s website. Why aren’t these part of the standard Lion Server install? Perhaps Apple considers them too advanced for the average Lion Server user; I don’t know. I downloaded and installed them, but they were outdated; I was greeted by an update prompt immediately. Another 200MB later, I had the latest and greatest version of Server Admin Tools.

In fact, unless your needs are trivially simple, managing your OS X Lion Server will require the Holy Triumvirate of Workgroup Admin, Server Admin, and Server.

Get used to the three icons clogging your Dock, because you’ll need all three to perform some tasks. Worse, their functionality overlaps partially; you can perform some tasks, or part of a task in either program (I’m looking at you, Users pane in Server.app) but to complete it you’ll need to move back and forth.

In general, the split is this: you can access a basic configuration for most, but not all, services from Server.app. More in-depth settings, or settings for less frequently used services, are available in Server Admin. Some user settings are available from Server.app, but to get down to the nitty-gritty of Open Directory you need Workgroup Admin.

Open Directory

Open Directory is Apple’s version of LDAP, and its answer to Microsoft’s Active Directory. I don’t really need Open Directory but centralizing user account management would certainly be nice. Apple’s Server.app can create accounts on Open Directory, but you need to start it using Server Admin first. I couldn’t find this anywhere in Apple’s documentation, which is (sadly) a theme we’ll revisit frequently.

Further, to connect Server.app to the Open Directory server, you need to figure out that the menu option for Importing network user accounts is actually where you specify the connection.

Open Directory runs under its own username (diradmin, by default) as a security measure. Workgroup admin requires diradmin privileges to make any meaningful changes to the Directory, as it should. The Workgroup Manager application itself is, sadly, confusing and buggy. For example, I tried to create a computer account. I changed my mind and deleted it only to have Workgroup Manager get stuck on a zombie delete prompt after the account was gone.

If there’s a way to migrate existing local accounts on the server to Open Directory, I haven’t found it either. Apple’s documentation was no help, but I suspect that there isn’t a way. I wanted to set up network home directories tied to Open Directory accounts for everyone, but it’s clearly not going to happen any time soon.