After you install and configure the AppleTalk protocol, you're ready to install and configure the Macintosh services themselves. Even though FSM and PSM are two separate packages, they are grouped together in this section because their respective installation processes are very similar. You can install the components in any order.
Before installing the Macintosh service components, you must meet a few prerequisites. First, if you're going to install FSM you must have at least one NTFS partition on your server. This is because you can create MAVs only on NTFS or CD-ROM File System (CDFS) partitions—and even if you want to create MAVs only on CDFS partitions, you need an NTFS partition or FSM won't install.
Second, you should already have installed and configured the network adapters you plan to connect to your AppleTalk networks and verified that they work. Finally, you should have installed and configured AppleTalk and tested your installation to make sure that your existing network clients can see your new server as an AppleTalk node. You might need a tool like EtherPeek or Dartmouth's InterNetMapper to do this.
If you want your Macintosh users to have access to files that are on ordinary shares (not MAVs), you can either upgrade them to Mac OS X 10.1 or later, or use a third-party utility like Thursby Software's (http://www.thursby.com) Dave, which allows Macintosh computers to log on to Windows NT or Windows 2000 domains and use shared files and printers using Microsoft's native network protocols.
Although installing and managing FSM is pretty straightforward, there are some magic numbers that you need to be aware of. These numbers (or, more accurately, limits) curb some of the things you can do with FSM:
FSM and PSM get account information from Microsoft Windows 2000 Active Directory service. This means that Macintosh clients can't log on to your FSM or PSM servers unless they have a valid account in your directory or unless you allow guest access to your servers. Be careful with guest access: once it's on, anyone who can reach the server over AppleTalk can connect, with no credentials at all, to any MAV that grants permissions to Guest or Everyone. It's a good idea to set up the accounts you'll need for your Macintosh users as part of installing and configuring Macintosh support on your server; that way, as soon as you get the MAVs and shared printers created, your users can start connecting to the server.
Mac OS users can supply a domain name along with their user name when they log on. Suppose that you have accounts in two domains: Engineering\Paulr and Ra\Paul. To log on to an FSM server that's part of the Engineering domain as Engineering\Paulr, you can leave off the domain name; to use your master account (Ra\Paul) instead, you can, but you must type it in the DOMAIN\user form.
PSM must be supplied with a set of user account credentials so that it can submit print jobs to the standard Microsoft Windows 2000 print spooler. It uses the local System account by default, but for security purposes it's a better idea to create a separate account used only by PSM and give it nothing beyond what it needs: the right to log on as a service and permission to print to the queues you share. If PSM is ever compromised, the attacker then gets that account's limited rights rather than full System rights on the server.
To install both PSM and FSM, you use the Windows Components Wizard. The actual process is very simple:
Figure 23-9. The Other Network File And Print Services dialog box.
After you've installed the FSM and PSM components, you must configure them before they'll do anything useful. The only MAV that a newly installed FSM server offers to clients is the one containing Microsoft's plug-in authentication module.
When a Mac OS client connects to a Windows 2000 FSM server using Apple's standard authentication, it sends its user name and password as clear (plain) text with no encryption. This is insecure: an attacker with a network analyzer on the same AppleTalk segment can capture the credentials, and because they are domain credentials, use them to log on to the Windows 2000 server directly, over any protocol the server speaks, not just AppleTalk.
Mac OS supports encrypted authentication when talking to AppleShare servers, but to get that same protection on Mac OS-FSM connections you must choose one of two options. One is to configure your server to accept Apple's encrypted (random number exchange) authentication, and the other is to install an additional user authentication module (UAM) on the Macintosh side. The Microsoft UAM lets the Mac OS client prove its password with the same challenge-response scheme that Windows clients use when talking to a Windows 2000 Server, so the password itself never crosses the wire. It also offers two other useful benefits: it allows you to use longer passwords (14 characters instead of the 8-character limit imposed by AppleShare), and it lets your clients know when their Windows 2000 password has expired. Two caveats apply to either option: they protect only the logon, since the file data that follows still travels unencrypted over AppleTalk, and the server keeps accepting clear-text logons from clients that ask for them until you restrict the accepted authentication types on the Configuration tab described later in this section.
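To make concrete what a sniffer on the AppleTalk segment actually sees, here is an added example (not code from the book or from Microsoft) in Python: a small parser for the AFP FPLogin command block that a Mac OS client sends when it logs on. It reports which UAM the client asked for and, for Apple's "Cleartxt Passwrd" UAM, recovers the user name and password from the bytes on the wire. The UAM identifier strings are Apple's documented ones; the Microsoft UAM's own identifier is not modeled and shows up as "unknown". The even-boundary pad byte before the clear-text password is an assumption about the AFP layout and is applied consistently by both the builder and the parser. The sample logons are constructed here, not captured; the account name follows the book's Engineering\Paulr example and the password is made up.

```python
"""Classify the authentication method a Macintosh client chose in an AFP
FPLogin request.  Added example: it parses the AFP command block (with the
ASP/DSI transport framing already stripped) and, for the 'Cleartxt Passwrd'
UAM, recovers the credentials exactly as a passive network analyzer can."""
from dataclasses import dataclass
from typing import Optional

FP_LOGIN = 0x12          # AFP command code for FPLogin
CLEARTEXT_PW_LEN = 8     # Apple's clear-text and Randnum UAMs carry 8-byte passwords

# Well-known Apple UAM identifier strings and what each exposes on the wire.
UAM_RISK = {
    "No User Authent": "anonymous guest logon, no credentials sent",
    "Cleartxt Passwrd": "CLEARTEXT: user name and password readable by any sniffer",
    "Randnum exchange": "challenge-response (DES, 8-character password limit)",
    "2-Way Randnum exchange": "mutual challenge-response (DES, 8-character password limit)",
    "DHCAST128": "Diffie-Hellman key agreement, password never sent",
}


@dataclass
class LoginInfo:
    afp_version: str
    uam: str
    user: Optional[str]
    password: Optional[str]   # only recoverable for the clear-text UAM
    risk: str


def _pstring(buf: bytes, off: int):
    """Read an AFP Pascal string (1-byte length prefix, Mac Roman text) at off."""
    end = off + 1 + buf[off]
    if end > len(buf):
        raise ValueError("truncated Pascal string")
    return buf[off + 1:end].decode("mac_roman"), end


def _pack(s: str) -> bytes:
    """Encode s as an AFP Pascal string."""
    data = s.encode("mac_roman")
    if len(data) > 255:
        raise ValueError("Pascal string too long")
    return bytes([len(data)]) + data


def build_fplogin(version: str, uam: str, user: Optional[str] = None,
                  password: Optional[str] = None) -> bytes:
    """Build the FPLogin command block a client sends; used here to construct
    sample traffic.  Only the fields needed for the UAMs above are emitted."""
    block = bytes([FP_LOGIN]) + _pack(version) + _pack(uam)
    if uam != "No User Authent":
        block += _pack(user or "")
    if uam == "Cleartxt Passwrd":
        pw = (password or "").encode("mac_roman")
        if len(pw) > CLEARTEXT_PW_LEN:
            raise ValueError("Apple clear-text UAM passwords are at most 8 bytes")
        if len(block) % 2:          # assumption: pad to an even boundary before the password
            block += b"\0"
        block += pw.ljust(CLEARTEXT_PW_LEN, b"\0")
    return block


def parse_fplogin(block: bytes) -> LoginInfo:
    """Decode an FPLogin block and describe what it leaks."""
    if not block or block[0] != FP_LOGIN:
        raise ValueError("not an FPLogin command block")
    version, off = _pstring(block, 1)
    uam, off = _pstring(block, off)
    user = password = None
    if uam != "No User Authent":
        user, off = _pstring(block, off)
    if uam == "Cleartxt Passwrd":
        if off % 2:                  # same pad rule as build_fplogin
            off += 1
        pw = block[off:off + CLEARTEXT_PW_LEN]
        if len(pw) < CLEARTEXT_PW_LEN:
            raise ValueError("truncated password field")
        password = pw.rstrip(b"\0").decode("mac_roman")
    risk = UAM_RISK.get(uam, "unknown UAM (vendor-specific such as Microsoft's, or a newer Apple one)")
    return LoginInfo(version, uam, user, password, risk)


def is_sniffable(block: bytes) -> bool:
    """True when this logon hands a passive sniffer a directly usable password."""
    return parse_fplogin(block).uam == "Cleartxt Passwrd"


# Constructed sample logons (not captured traffic).  The account name follows the
# book's Engineering\Paulr example; the password is invented for the demo.
SAMPLES = [
    build_fplogin("AFP2.2", "Cleartxt Passwrd", "paulr", "s3cret"),
    build_fplogin("AFP2.2", "Randnum exchange", "paulr"),
    build_fplogin("AFPVersion 2.1", "No User Authent"),
]

if __name__ == "__main__":
    for blk in SAMPLES:
        info = parse_fplogin(blk)
        print(f"{info.uam:24} user={info.user!r:10} password={info.password!r:10} {info.risk}")
```

Run it and the first line shows the user name and password in the clear, which is the whole argument for restricting FSM to Apple encrypted or Microsoft authentication; the other two logons yield no password, only a user name. Pointing `is_sniffable` at real FPLogin blocks pulled from a capture is a quick way to audit which Macintosh clients are still logging on in clear text before you turn that option off on the server.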
Mac OS X 10.1 and newer versions include a native SMB client, so they can authenticate to Windows file servers with Windows' own challenge-response scheme and don't need FSM at all. This is good, because Microsoft hasn't written a native Mac OS X UAM.
The Microsoft UAM is stored in a special MAV called Microsoft UAM Volume. This MAV is always available to Macintosh clients on an FSM server; there's no way to remove or rename it, and it's available as soon as the FSM service is started. The UAM volume contains four items: a text file (Readme.uam) explaining what the UAM does and how to install it, an application that automatically installs the appropriate UAM for a given Mac OS configuration, and versions of the UAM for AppleShare versions 3.8 (present on Mac OS 7.5 and later) and 3.6 (for earlier Mac OS versions). The following steps illustrate how to install the Microsoft UAM on a classic Mac OS client:
Figure 23-10. The Chooser with the FSM server and its zone selected.
If you want to install the UAM on multiple machines, it might be easier to copy the appropriate UAM to the destination machines instead of logging on from every workstation. This process is a little different from the one just outlined:
After you've installed the Microsoft UAM, the logon process for Mac OS clients is a bit different from what they're accustomed to. The ordinary process works like this: the user picks a zone and server in the Chooser, clicks OK, and fills in the AppleShare logon dialog box. When multiple UAMs are installed—as will be the case after you complete the preceding steps—clicking OK in the Chooser produces a dialog box listing the available UAMs. You'll need to train your users to use the Microsoft Authentication 5.0 UAM. After choosing that UAM, they'll see the logon dialog box shown in Figure 23-11.
Figure 23-11. The Microsoft UAM logon dialog box.
Apart from its obvious uses, the Shared Folders snap-in also allows you to configure some helpful FSM parameters, including the message that users see when they log on, the kinds of authentication your server accepts, and the number of users that can connect at once.
To get to these options, open the Shared Folders snap-in, right-click Shared Folders, and choose Configure File Server For Macintosh from the shortcut menu. You see the Configuration tab of the File Server For Macintosh Properties dialog box, shown in Figure 23-12. You can perform four useful tasks with this tab:
The contents of the Limited To box are stored in the REG_DWORD value HKLM\SYSTEM\CurrentControlSet\Services\MacFile\Parameters\MaxSessions. A value of 0xFFFFFFFF means "unlimited"; any other value is the maximum number of simultaneous Macintosh sessions FSM will accept.
Figure 23-12. The File Server For Macintosh Properties dialog box.
The File Association and Sessions tabs of the File Server For Macintosh Properties dialog box are covered in the sections Managing Type and Creator Codes and Sending Messages to Users, respectively, later in this chapter.