TITLE
    Mac OS X Server: Inside NetBooting
Article ID: 31061
Created: 7/26/99
Modified: 7/27/99

TOPIC

    This article gives an overview of NetBooting.


DISCUSSION

    About NetBoot Software

    NetBoot is a suite of software that supports these features:
    • Single point of administration--As all computers that start up from a NetBoot server use the same client Mac OS image, you need only to manage this single image.
    • Personal desktop--Users can log in to any computer connected to a NetBoot server and obtain their personalized Macintosh user experience.
    • User authentication--Authentication provides a way to control who can log in to the computers connected to your server.
    • Access control--You can decide which network resources (such as printers and applications) and which features of the Mac OS your users can access. Access control helps you to maintain desktop and network security.

    The Three Types of Software in NetBoot
    Your NetBoot network needs three types of software to make it work properly--administration applications, server programs, and the client operating system.

    You use administration applications to set up and manage your NetBoot server. Some of these administrative applications run on the server, and others are used from a network-connected client.

    Server programs run on the server under the Mac OS X Server operating system. Some of these programs don't have a user interface. Although you won't "see" server programs, you need to know what they are and how they work to understand how your NetBoot environment operates. (You can use Process Viewer to check the status of a server program.)

    The Mac OS used by your client computers is downloaded from the server when a client computer starts up. The client Mac OS is stored as a single image on the server. Every client computer uses the same Mac OS image. You need only to manage this image to administer all NetBoot clients.

    Administration Applications
    • NetBoot Server Setup Assistant--The assistant guides you through the setup process step-by-step.
    • Macintosh Manager--You use this application to manage information about users, user preferences, documents, client computers, and network resources.
    • NetBoot Desktop Admin--This application unlocks the client Mac OS so you can install applications and customize the Mac OS for your users.

    Server Programs
    • BootP server--This server program assigns an IP address, subnet mask, router address, and domain name to a computer when the computer starts up. It also supplies the client computer with a string path to the client Mac OS image stored on the server. This Mac OS image is downloaded to the client using the Trivial File Transfer Protocol (TFTP).
    • AppleFileServer--This server program implements the AppleTalk Filing Protocol (AFP), which allows users to access files on a server as if they were on the client computer's hard disk. (AppleFileServer is also the server program that AppleShare uses to allow users access to files and applications on an AppleShare server.)
    • Macintosh Management server--This server program stores and looks up information about user accounts and workgroups, provides authentication services, and can assign a default location on the server for users to store documents. The Macintosh Management server can be used to administer client computers that start up from a local hard drive.

    Note: You are not required to use Macintosh Manager server software on NetBoot Macintosh computers, although it is installed by default. It is possible for computers to start up from a NetBoot server without using Macintosh Manager software. See the section "Starting up a NetBoot Client Computer Without Using Macintosh Manager" for more information. It is also possible to manage Macintosh computers that start up from a local hard drive with Macintosh Manager. See the section "Using Macintosh Manager to Manage Computers that Start Up from a Local Hard Drive" for more information.

    Client Mac OS
    • Your Mac OS X Server stores a single Mac OS image which is downloaded to all the client computers that start up using BootP. This allows changes that are made to that single image to be reflected in all Macintosh computers that start up from the server.

    How a Computer Starts Up From a Server
    This section describes the underlying processes that take place during startup and login. The information may be useful if you need to troubleshoot a problem in the future or if you're just curious about how this new type of networked Macintosh works.

    Which Macintosh Computers Can Start Up From a NetBoot Server?
    Macintosh G3 machines manufactured after January, 1999 can be NetBoot clients. All iMacs, regardless of date of manufacture, can be NetBoot clients.

    Ensure that the NetBoot clients' firmware has been updated. The latest firmware updates can be found on the World Wide Web at: http://www.apple.com/support .

    Setting Up a NetBoot Client
    There are two ways to start up a computer from a NetBoot server:
    • Press and hold the N key as you start up the computer.
    • Open the Startup control panel and choose NetBoot HD.

    Note: If NetBoot HD does not appear in the Startup control panel, press and hold the N key as you start up the computer. NetBoot HD should then appear in the Startup control panel.

    Where the System Folder and Applications Folder for NetBoot Client Computers Are Stored
    When NetBoot software is installed on the server, images of the Mac OS and the Applications folder are copied onto the server's hard disk. The Mac OS image contains the Mac OS system software that each of your NetBoot clients needs to start up. The Applications image contains application software for your users. These appear as two separate hard disks on the desktop after the computer has started up.

    Establishing a Network Connection
    When a user turns on a NetBoot client computer, the computer broadcasts a message to find the startup server program. The startup server program responds by sending information (such as an IP address) the client computer needs to establish a connection to the NetBoot server.

    IP addresses used by NetBoot client computers are retrieved from the list of numbers you entered when you used the NetBoot Server Setup Assistant.

    The first time a NetBoot client computer starts up from a BootP server, the server stores the client computer's Ethernet hardware address in a table along with an IP address it will use for that client. Each time the client computer starts up, the IP address stored in the table is used. Once assigned, a client computer will always use the same IP address, and it cannot be reused for another client computer. Therefore, it is important that you provide one IP address for every client computer you plan to connect to the NetBoot server.

    You can view the table of Ethernet hardware and IP addresses by logging in to Mac OS X Server and using NetInfo Manager.
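
    The address binding described above, as an added example that is not Apple's code: a minimal BootP responder that binds each Ethernet hardware address to one pool address on first startup and reuses it afterwards. It assumes the standard RFC 951 message layout; the class names, the addresses, the hardware addresses and the boot file path are constructed placeholders, and NetBoot's vendor-specific data is not modeled.

```python
import ipaddress
import struct

# RFC 951 fixed BOOTP layout (300 bytes): op, htype, hlen, hops, xid, secs,
# unused, ciaddr, yiaddr, siaddr, giaddr, chaddr[16], sname[64], file[128], vend[64]
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s64s")
BOOTREQUEST, BOOTREPLY, ETHERNET = 1, 2, 1
ZERO_IP = bytes(4)


class PoolExhausted(Exception):
    """A first-time client arrived and no unassigned address is left."""


class BootpServer:
    def __init__(self, server_ip, pool, boot_file):
        self.server_ip = ipaddress.IPv4Address(server_ip)
        self.free = [ipaddress.IPv4Address(a) for a in pool]
        self.boot_file = boot_file.encode("ascii")
        self.table = {}  # Ethernet hardware address -> IP, never released

    def handle(self, packet):
        if len(packet) != BOOTP.size:
            raise ValueError("BOOTP message must be %d bytes" % BOOTP.size)
        f = BOOTP.unpack(packet)
        op, htype, hlen, xid, giaddr, chaddr = f[0], f[1], f[2], f[4], f[10], f[11]
        if op != BOOTREQUEST or htype != ETHERNET or hlen != 6:
            raise ValueError("not an Ethernet BOOTREQUEST")
        mac = chaddr[:6]
        if mac not in self.table:          # first startup: bind permanently
            if not self.free:
                raise PoolExhausted(mac.hex(":"))
            self.table[mac] = self.free.pop(0)
        # Reply carries the bound address (yiaddr), the server address (siaddr)
        # and the path string of the boot file; struct pads fields with NULs.
        return BOOTP.pack(BOOTREPLY, htype, hlen, 0, xid, 0, 0, ZERO_IP,
                          self.table[mac].packed, self.server_ip.packed,
                          giaddr, chaddr, b"", self.boot_file, b"")


def make_request(mac, xid):
    """Client side: broadcast BOOTREQUEST carrying only the hardware address."""
    return BOOTP.pack(BOOTREQUEST, ETHERNET, 6, 0, xid, 0, 0, ZERO_IP, ZERO_IP,
                      ZERO_IP, ZERO_IP, bytes.fromhex(mac.replace(":", "")),
                      b"", b"", b"")


def parse_reply(packet):
    f = BOOTP.unpack(packet)
    return {"xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "siaddr": str(ipaddress.IPv4Address(f[9])),
            "file": f[13].rstrip(b"\0").decode("ascii")}


def demo():
    # Constructed values: documentation-range addresses, locally administered
    # hardware addresses, placeholder image path.
    server = BootpServer("192.0.2.1", ["192.0.2.10", "192.0.2.11"],
                         "/placeholder/client-mac-os-image")
    mac_a, mac_b, mac_c = ("02:00:00:00:00:0a", "02:00:00:00:00:0b",
                           "02:00:00:00:00:0c")
    first_a = parse_reply(server.handle(make_request(mac_a, 0x1001)))
    first_b = parse_reply(server.handle(make_request(mac_b, 0x1002)))
    again_a = parse_reply(server.handle(make_request(mac_a, 0x1003)))
    try:  # a third client with a two-address pool cannot be served
        server.handle(make_request(mac_c, 0x1004))
        exhausted = False
    except PoolExhausted:
        exhausted = True
    return {"first_a": first_a, "first_b": first_b, "again_a": again_a,
            "exhausted": exhausted, "bindings": len(server.table)}


if __name__ == "__main__":
    print(demo())
```

    The third client fails because both pool addresses are already bound and bindings are never released, which is why the article asks for one IP address per client computer.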

    Copying the Mac OS to a NetBoot Client Computer
    Once a connection is established between a client computer and the server, portions of the Mac OS ROM image are copied from the server to the random access memory (RAM) in the client computer. This is done using Trivial File Transfer Protocol (TFTP).

    Note: The /private/tftpboot directory on Mac OS X Server contains a link that points to the Mac OS ROM file, located at the root level of the HFS volume you selected in the NetBoot Installer. Be sure not to move or delete the file. If you should add newer machines to your network over time, this file may need to be updated with a new ROM file to support your new hardware.

    Next, the Mac OS ROM image that has been copied to the client computer's RAM mounts the image of the Mac OS and opens the System file. This is done using AFP protocols, and is the reason the AppleFileServer program must be running on your server to use the NetBoot feature. You see an icon on the screen that indicates the Mac OS is starting up.

    Logging In
    Before allowing Mac OS client computers to connect to your server, you must set up options using the Macintosh Manager administration application. For more information see the installation manual that came with your software.

    The first time a computer starts up, a dialog box opens. Users see the dialog box as soon as Macintosh Manager and other extensions load. The user must choose a Macintosh Manager server from those listed in the dialog box.

    The user enters his or her Macintosh Manager user name and password into the log in window. If the name and password are valid, Macintosh Manager copies the Preferences file for that user to the client computer. At that point, the user sees the Mac OS environment and can begin using the computer. The environment the user sees--Panels, Restricted Finder, or Finder--depends on how options are set in Macintosh Manager.

    In the Finder environment, the Mac OS image and the applications image appear as mounted volumes on the desktop. The user has access to any application in the Applications image.

    How User Preferences Are Handled
    A user's environment is defined by settings, such as a desktop picture, that personalize the desktop for that user. On a stand-alone Macintosh, when a user changes a setting, the setting is saved in the Preferences folder located in the System Folder. Computers that start up from a NetBoot server all start with the same client Mac OS image, so a user's preferences can't be saved in the usual manner.

    For NetBoot client computers, you use Macintosh Manager to set options that define which preferences and settings can be saved. When user preferences are changed, the changes are stored in a location on the server that's referred to as a "shadow volume." The shadow volume contains the differences between the Mac OS image and what the user has changed. For example, if the user changes the desktop pattern to show Bubble Poppy instead of the Mac OS default, the changes to the Mac OS image to store this user preference are written to the shadow volume instead.

    The server uses a special disk driver called a "block driver" to deflect what is written to the shared Mac OS image into the shadow volume, and to determine when to read from the shadow volume instead of the shared Mac OS image when retrieving data.

    When the user logs out, changes to preferences that are being saved are stored in a file in the Macintosh Manager Items folder located in the Macintosh Manager sharepoint.

    The next time the user logs in, his or her saved preferences are retrieved from the Macintosh Manager Items folder. Using the desktop pattern example discussed previously, information about the user's desktop pattern is saved when the user logs out and restored when the user logs in. The shared Mac OS image will not be modified. The shadow volume will contain all of the changes made during this procedure. The environment the user sees is a combination of the shared Mac OS image and the changes to it that are stored in the shadow volume.

    Each preference or setting you allow users to save must be copied from the Macintosh Manager Items folder to the user's computer when the user logs in and from the user's computer to the Macintosh Manager Items folder when the user logs out. If the computer shuts down unexpectedly during a session, changes made during that session are lost.

    The changes to the shared Mac OS image are maintained in the shadow volume until the client machine is restarted or shut down. At this point all changes to the Mac OS image that were not saved by the Macintosh Manager are lost. A restart or shutdown is the equivalent of re-installing the system.
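
    The block driver and shadow volume behavior described in this section, as an added example that is not Apple's code: writes are deflected into a shadow store, reads prefer the shadow, and a restart discards it, so the shared image itself is never modified. The 512-byte block size, the class names, the in-memory shadow store and the use of one shadow per client session are assumptions made for illustration.

```python
import hashlib

BLOCK_SIZE = 512  # assumed block size for this model


class SharedImage:
    """The single client Mac OS image; this model exposes no write path."""

    def __init__(self, data):
        if not data or len(data) % BLOCK_SIZE:
            raise ValueError("image must be a whole number of blocks")
        self._data = bytes(data)
        self.block_count = len(self._data) // BLOCK_SIZE

    def read_block(self, n):
        return self._data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]

    def digest(self):
        return hashlib.sha256(self._data).hexdigest()


class ShadowedDisk:
    """What one client sees: the shared image overlaid with its shadow volume."""

    def __init__(self, image):
        self.image = image
        self.shadow = {}  # block number -> block contents written this session

    def _check(self, n):
        if not 0 <= n < self.image.block_count:
            raise IndexError("block %d is outside the image" % n)

    def write_block(self, n, data):
        self._check(n)
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes must be exactly one block")
        self.shadow[n] = bytes(data)       # deflected: the image is untouched

    def read_block(self, n):
        self._check(n)
        if n in self.shadow:               # block changed during this session
            return self.shadow[n]
        return self.image.read_block(n)    # unchanged block: shared image

    def restart(self):
        self.shadow.clear()                # unsaved changes are lost


def demo():
    # Constructed four-block image; block i is filled with the byte value i.
    image = SharedImage(b"".join(bytes([i]) * BLOCK_SIZE for i in range(4)))
    before = image.digest()
    client_a, client_b = ShadowedDisk(image), ShadowedDisk(image)

    pattern = b"Bubble Poppy".ljust(BLOCK_SIZE, b"\0")
    client_a.write_block(2, pattern)       # user changes the desktop pattern

    result = {
        "a_sees_change": client_a.read_block(2) == pattern,
        "a_unchanged_block_from_image": client_a.read_block(0) == image.read_block(0),
        "b_sees_original": client_b.read_block(2) == image.read_block(2),
        "shadow_blocks": sorted(client_a.shadow),
    }
    client_a.restart()
    result["a_original_after_restart"] = client_a.read_block(2) == image.read_block(2)
    result["image_unchanged"] = image.digest() == before
    return result


if __name__ == "__main__":
    print(demo())
```

    Comparing a digest of the shared image before and after a session, as the last check does, is a simple way to confirm that client activity has not altered the image every other client starts up from.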

    How User Files Are Handled From a NetBoot Client Computer
    If the user has permission to save files and folders, the items are saved to the disk images on the server, in a location you set up in Macintosh Manager. Users may also save items to a local hard drive or other storage device if you set up permission in Macintosh Manager.

    Starting up a NetBoot Client Computer Without Using Macintosh Manager
    Macintosh Manager client software is installed into the Mac OS image as part of the NetBoot server software installation. It is possible to use NetBoot server software without using Macintosh Manager software. Without Macintosh Manager you won't be able to preserve users' desktop environment, turn on security features, or authenticate users through the log-in process. To disable Macintosh Manager you must remove Macintosh Manager client software from the client Mac OS image using NetBoot Desktop Admin software. If you remove the client software you can also remove the Macintosh Manager server program from the server.

    Using Macintosh Manager to Manage Computers That Start Up From a Local Hard Drive
    You can use the Macintosh Manager Installer to install client software or Macintosh Manager administration software on a Macintosh computer that starts up locally. The computer must meet these minimum system requirements:
    • Mac OS computer 68040 processor or later
    • Mac OS version 8.1 or later
    • 8 MB RAM (physically installed, not virtual memory)
    • 2 MB hard disk space
    • Appearance control panel 1.0.1 or later
    • Ethernet networking set up

    Instructions for installing Macintosh Manager client software are in the About Macintosh Manager Read Me file.

    Shadow Volumes and Computers That Start Up From a Local Hard Drive
    Shadow volumes are only used by computers that start up from a NetBoot server. Macintosh Manager clients that started up from a local hard drive do not use shadow volumes. Local-startup computers still store preference information on the Macintosh Management server.

    Where NetBoot Server Software Is Installed
    One of the hard drives in your server has at least two partitions. One partition is formatted for Mac OS X Server, using User File System (UFS) format. The other partition is formatted using Mac OS Extended format. The NetBoot installer puts some components in the UFS partition and others in a Mac OS Extended partition.

    Components Installed on the UFS Partition:
    • Startup server (BootP) program (located in the /usr/libexec directory)
    • Macintosh Management server program (located in the /usr/sbin directory)
    • NetBoot Server Setup Assistant (located in the /System/Library/Assistants directory)
    • AppleFileServer program (this program can only share items on HFS and Mac OS Extended Partitions, and is located in /usr/sbin directory)
    • Mac OS ROM image (a link located in the /private/tftpboot directory points to the ROM image, which is located at the root of the HFS volume you selected in the NetBoot Installer)

    Components Installed on the Mac OS Extended Format Partition:
    • Mac OS system image--This image is mounted on a NetBoot client computer when it starts up. It contains the system software used by the client.
    • Application image--This image is mounted on a NetBoot client computer when it starts up. It contains the applications that came with your NetBoot Server Software. The applications are available for your users.
    • Administration folder--This contains Macintosh Manager software and Macintosh Manager Help. You use these applications from a client computer connected to the server when you need to set up or change your Macintosh Manager configuration.

    Where Administrative Applications Are Located
    Some administration applications are used from the Mac OS X Server computer, and some are used from a client computer. You access administration applications stored on Mac OS X Server by choosing Server Administration from the Apple menu. You may need to provide an administrator or root-level password to use administration programs. See the onscreen help provided with Mac OS X Server for more information about network administration.

    Administration programs such as Network Manager let you see information in the users and groups databases. Utilities such as ProcessViewer let you check whether or not a server program is running. It's best to use these programs and utilities to view, but not to change, information. You should use the appropriate setup assistant to make changes to the Mac OS X Server configuration or to the NetBoot server. To access the Setup Assistant, open the Apple menu, choose Server Administration, then choose Assistant.

    To access administration programs that are used from a client computer, you must log in to a client computer as an administrator or other user with system access, and you must choose System Access as your workgroup. Then you must use the Chooser to mount the NetBoot server volume. From the client computer, you use Macintosh Manager to set up and maintain the Macintosh Manager configuration. You use NetBoot Desktop Admin to make changes (such as installing applications or changing the system configuration) to the client Mac OS image.

    You use Web-based tools to set up and manage the AppleFileServices program. You can use WebAdmin from any connected client computer, provided you logged in to the client computer as an administrator or as a user who has system access.

    Examples of NetBoot Networks
    You can use a NetBoot server and network-startup computers in a variety of computing environments. The simplest environment is a single lab that has one NetBoot server supporting network-startup computers. A more complex environment is an existing network of computers that spans buildings and crosses routers and that has a NetBoot server and network-startup computers integrated into it.

    Each of the following sections describes a typical computing environment from simple to complex and shows how a NetBoot server can be used to support the technology objectives of each.

    Setting Up a Lab That Contains Only NetBoot Client Computers
    An elementary school equips a new computer lab.



    Technology Objectives:
    • Support educational goals in various areas of instruction, such as reading and math.
    • Ensure that each computer has the same software.
    • Promote desktop security by protecting the computer and network resources from tampering.
    • Set up a network that's easy to maintain.

    Network Strategy:
    • Use only network-startup computers.
    • Use one server with both the startup server software and the Macintosh Manager server software installed. The server will store users' documents and applications.
    • Use Macintosh Manager to set options that promote desktop security.
    • Set up workgroup administrator accounts for teachers, then show them how to use Macintosh Manager to manage user accounts and workgroups.

    Summary
    Network-startup computers use system software supplied by the NetBoot server to ensure that each computer has the same version of software and access to the same applications. Regardless of what a user changes during a session, network-startup computers return to the same system configuration after a user logs out.

    Using Macintosh Manager Administration to control which network resources students can access can ensure desktop security. You can protect the System Folder and Applications folder. You can set options that promote password security, startup security, and security when using applications.

    This network is easy to maintain because the user applications need to be installed only on the startup server. The teacher can manage user accounts and workgroups from any computer connected to the server. Once the network is set up, there is very little daily management. Teachers can distribute and collect assignments through the network. A teacher can also make available network resources, applications, and CDs that promote teaching objectives for the class.

    Integrating Local-Startup Computers With NetBoot Client Computers in a Single Lab
    A large high school has an existing general-access computer lab with a mixture of Macintosh computers. They've received funding to replace some of the older computers with state-of-the-art equipment.




    Technology Objectives:
    • Support educational goals in various areas of instruction by providing students access to course content, research tools, and teachers.
    • Ensure computer literacy by requiring computer use throughout the educational experience.
    • Provide students with a state-of-the-art computing experience.
    • Ensure that only authorized users log in to computers in the lab.
    • Promote desktop security by protecting the computer and network resources from tampering.
    • Set up a network that's easy to maintain. All computers, whether new or old, need to be managed with the same network administration tools.
    • Leverage the use of existing hardware and software. The school needs to get the most out of the past investments it made for client computers, servers, and software licenses.

    Network strategy:
    • Integrate network-startup computers into a lab that already has local-startup computers.
    • Install Macintosh Manager client software on local-startup computers to allow easy management of existing computers along with the newer, network-startup computers.
    • Use existing servers along with a NetBoot server to provide resources to the entire network. With several servers, it's possible to dedicate one computer as a startup server, one computer to manage Macintosh Manager user account information and user preferences, and another computer to store users' documents and site-licensed applications.
    • Set password options in Macintosh Manager to promote log-in security and to be sure only authorized users can log in.
    • Use Macintosh Manager Administration to set options that promote desktop security.
    • Set up workgroup administrator accounts for teachers, then show them how to use Macintosh Manager Administration to manage user accounts and workgroups.

    Summary
    A NetBoot server and network-startup computers can be integrated into an existing network so you don't need to abandon older technology. When a computing environment supports a large number of users, it's best to install several servers to distribute the load for network resources such as document storage and access to applications. It's possible to install the server programs that come with NetBoot on different servers. For example, you can install just the startup server software on one server, and the Macintosh Manager server software and user documents on one or more additional servers.

    Integrating NetBoot Client Computers and Local-Startup Computers in Multiple Labs
    A college has a classroom and two general-access computer labs located in different buildings. Students, faculty, and staff may log in to any computer on the campus to access their documents.



    Technology objectives:
    • Enhance the college's position as a world-class institution by providing general-access computing facilities to support instructional and research goals.
    • Provide students, faculty, and staff access to the Internet as well as the most recent and most appropriate software applications across a number of academic disciplines.
    • Provide students with a state-of-the-art computing experience.
    • Ensure that only authorized users log in to computers in the lab.
    • Promote desktop security by protecting the computer and network resources from tampering.
    • Set up a network that's easy to maintain. All computers, whether new or old, need to be managed with the same network administration tools.
    • Leverage the use of existing hardware and software. The school needs to get the most out of the past investments it made for client computers, servers, and software licenses.

    Network strategy:
    • Integrate network-startup computers into a lab that already has local-startup computers.
    • Install Macintosh Manager client software on local-startup computers to allow easy management of existing computers along with the newer, network-startup computers.
    • Use existing servers (such as an AppleShare server) along with NetBoot servers to provide resources to the entire network. With several servers, it's possible to dedicate one computer to act as the startup server and others as the Macintosh Manager server and to store users' documents and site-licensed applications.
    • Use routers to allow networking between the two computer labs and the classroom.
    • Set password options in Macintosh Manager to promote login security and to be sure only authorized users can log in.
    • Use Macintosh Manager Administration to set options that promote desktop security.
    • Set up student workers as workgroup administrators to help with the daily management of user accounts and workgroups. You can give some students system access so they can help install and upgrade site-licensed application software that's used in the labs.

    Summary
    This is an example where NetBoot computers are integrated into an existing network. When setting up a network that encompasses two or more subnets, a router to connect the subnets is necessary. BootP startup packets cannot cross a router, so you need to have one BootP startup server for each lab or classroom that you plan to connect to network-startup computers.

    Macintosh Manager can cross subnet boundaries, so it is possible to have one Macintosh Manager server for the entire college. (One Macintosh Manager server can handle up to 8000 user accounts.) A single Macintosh Manager server allows students to maintain their personal preferences, desktop, and access to server based documents on any NetBoot Macintosh on the network, regardless of location.

    When a computing environment supports a large number of users, it's best to install several servers to distribute the load for network resources such as document storage and access to applications.

    Macintosh Manager Administration software can be used by users with limited authority (workgroup administrators). If you hire students to help manage the labs, you can easily set up workgroup administrator accounts that let them manage some network resources but not change global options for your network.

Document Information
Product Area: Mac OS System Software
Category: Mac OS X Server
Sub Category: NetBoot

Copyright © 2000 Apple Computer, Inc. All rights reserved.