Love the forum name. Let's see if I can give some guidance to help you craft your deployment. You are looking for:
• Access to the server securely from outside our network at anytime
• Manage time machine back-ups
• Manage user access to files and folders stored on the server
The access side really needs to be some form of VPN. At this point avoid PPTP. Based on the services you are looking to deploy (time machine server, file services) you really want to protect those services as much as possible. Exposing File Services is just asking for trouble.
• Naming scheme, if I start OS X Server fresh and name it spacerangerserver.local and want to point a FQD domain over is there an issue there?
I firmly believe that all servers should be named with the expectation that they will one day need to route publicly. Using .local (Bonjour conflict) or other private TLDs (non-routing) is just painting yourself into a future corner. Even in your post you talk about Time Machine and file sharing (both can be done without DNS and on a private, non-routing domain). But in a few bullet points you talk about Profile Manager and managing the devices. This means fully qualified hostnames, real domains, and a valid certificate. An alternative thought later.
• IP address - do I need a static IP at the modem level or can I set the IP of the iMac to a static address and then use Port Mapping on the AirPort to map connections back through to the Server?
Static addresses are preferred, but you can use a dynamic DNS service to overcome your limitation. Think it through. If your ISP is giving you a dynamic IP address, you have no idea when it will change. So you may take your current address, 17.18.19.20, and set it as the IP address of your host, server.spaceranger.com. But this will become invalid once the ISP refreshes your lease. Again, the way to overcome this is to sign up with a dynamic DNS host. Then an agent inside your network will constantly keep your DNS updated with the changing IP address. Otherwise you are always aiming at a moving target, and you cannot predict where it will appear next.
• Certificates.... do I need to go through a certificate authority to get one or can a locally signed one suffice? What will I need a certificate for?
My general advice is if you are going to host any public-facing services such as mail, web, calendar, contacts, or Profile Manager, you should use an SSL certificate. These services should send all communication over an encrypted channel, and SSL is our best method at this time. But you are a home deploy, not a business. Since you will clearly touch and config all the devices, you can likely tolerate a self-signed cert warning.
• VPN secure access outside our network, what is required of this?
If you are using the server as the VPN server, you will need to port forward the appropriate ports. If you are using a firewall, then you don't need to forward the ports, as the firewall is running the VPN ports. Once again, you will want to be able to always access the VPN, so this should be done by a fully qualified host name that is routable (vpn.spaceranger.com). And once again, if you are on a DHCP service, use a dynamic DNS service to keep the name in line with your changing IP.
• User access - I want a user to be able to access anything on the server I set permissions for, are these local accounts or is it best to create Open Directory accounts?
Once again I favor Open Directory. It is designed to be a shared directory domain and many of Apple's services will work better with OD accounts. The local domain is for the local admin only (with a few exceptions).
• Pointing a domain to the server to access via an FQD.... let's say I have my domain SPACERANGER.COM, do I create a subdomain such as SERVER.SPACERANGER.COM and create an A record to point to my IP address?
You can create a sub-domain, but commonly you just create a host name. In the example above, SERVER.SPACERANGER.COM is a host name (server), domain (spaceranger), and TLD (com). spaceranger.com is your domain. To this you can create an infinite number of host names: abc.spaceranger.com, def.spaceranger.com, ghi.spaceranger.com, bob.spaceranger.com, mary.spaceranger.com, manny.spaceranger.com, moe.spaceranger.com, jack.spaceranger.com, mail.spaceranger.com, ftp.spaceranger.com, etc. To each of these you can point an IP address. Or you can define one as the A record and the others as CNAMEs (aliases).
• To be able to manage OS X updates across all devices on the network, perhaps even manage a few of the iPads and other Macs (Apple TVs?), i.e. remote support, etc.
This is Profile Manager. If you want, you can even extend your reach to devices when they leave the house. After all, what happens when that iPad is left on a bus? You can use Profile Manager to brick the device (assuming it joins a network).
But I say why? Take a look at Bushel. This may be right up your alley for device management and requires no networking knowledge, no port forwarding, no service management, etc. Now, not to discourage the use and exploration of Server, but you might be going down a road that can be avoided.
I encourage you to build and explore with OS X Server. Use good passwords. Make sure you are planning a complete backup solution. Remember, Time Machine just means you made a copy of data under the same roof. If the roof collapses, there is a good chance the original and backup data just got smashed together. Only open what you need to. Only grant rights to the users that should have them (SACLs). Test. And then test again.
Reid
Apple Consultants Network
Author "El Capitan Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
Author "El Capitan Server – Control & Collaboration" :: Exclusively available in Apple's iBooks Store
Author of Yosemite Server and Mavericks Server books
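The naming, dynamic DNS and A-record-versus-CNAME advice in the reply above, worked through as an added example (this is not code from the original post, and it models a zone in memory rather than talking to a real DNS provider). The zone origin spaceranger.com, the host names server/vpn/mail/files/profiles and the addresses 17.18.19.20 and 17.18.19.21 are constructed for illustration; ddns_tick stands in for whatever update agent a dynamic DNS host actually ships. The point it demonstrates: with one A record and CNAME aliases, a lease change means one update and every service name follows, while names under .local or another non-routing TLD are rejected before they ever reach a public zone.

```python
"""Toy DNS zone model for the naming and dynamic-DNS advice in the post.

Added example, not code from the original post. The origin spaceranger.com,
the host names and the IP addresses are constructed for illustration
(17.18.19.20 is the address the post itself uses).
"""
import ipaddress


class ZoneError(ValueError):
    """Raised for records that would not work on the public Internet."""


class Zone:
    """Minimal in-memory zone holding A records and CNAME aliases."""

    # TLDs that never route publicly; .local also collides with Bonjour/mDNS.
    NON_ROUTABLE_TLDS = ("local", "lan", "home", "internal")

    def __init__(self, origin):
        self.origin = origin.rstrip(".").lower()
        self.a = {}       # fqdn -> IPv4 address string
        self.cname = {}   # alias fqdn -> canonical fqdn

    def fqdn(self, host):
        """Qualify a bare label against the origin and reject non-routing TLDs."""
        host = host.rstrip(".").lower()
        name = host if "." in host else f"{host}.{self.origin}"
        tld = name.rsplit(".", 1)[-1]
        if tld in self.NON_ROUTABLE_TLDS:
            raise ZoneError(f"{name}: .{tld} does not route publicly")
        return name

    def add_a(self, host, ip):
        name = self.fqdn(host)
        ipaddress.IPv4Address(ip)  # reject malformed addresses early
        if name in self.cname:
            raise ZoneError(f"{name}: a name cannot carry both an A and a CNAME")
        self.a[name] = ip

    def add_cname(self, alias, target):
        name = self.fqdn(alias)
        if name in self.a:
            raise ZoneError(f"{name}: a name cannot carry both an A and a CNAME")
        self.cname[name] = self.fqdn(target)

    def resolve(self, host, max_hops=8):
        """Follow CNAMEs to an A record; refuse loops and over-long chains."""
        name = self.fqdn(host)
        hops = 0
        while name in self.cname:
            hops += 1
            if hops > max_hops:
                raise ZoneError(f"{host}: CNAME chain loops or exceeds {max_hops} hops")
            name = self.cname[name]
        if name not in self.a:
            raise ZoneError(f"{name}: no A record (NXDOMAIN)")
        return self.a[name]


def ddns_tick(zone, host, observed_ip):
    """One pass of a (hypothetical) dynamic-DNS agent: compare the address the
    ISP currently hands us with what DNS says and rewrite the A record only
    when they differ. Returns True when an update was pushed."""
    name = zone.fqdn(host)
    if name not in zone.a:
        raise ZoneError(f"{name}: agent can only update an existing A record")
    if zone.a[name] == observed_ip:
        return False
    zone.add_a(name, observed_ip)
    return True


def build_example_zone():
    """One A record for the server; every service name is a CNAME to it."""
    zone = Zone("spaceranger.com")
    zone.add_a("server", "17.18.19.20")
    for alias in ("vpn", "mail", "files", "profiles"):
        zone.add_cname(alias, "server")
    return zone


if __name__ == "__main__":
    zone = build_example_zone()
    print("before lease change, vpn ->", zone.resolve("vpn"))
    # The ISP renews the lease with a new address; the agent notices and
    # rewrites the single A record. Every CNAME follows with no further edits.
    changed = ddns_tick(zone, "server", "17.18.19.21")
    print("update pushed:", changed, "| vpn ->", zone.resolve("vpn"))
    try:
        zone.add_a("server.spaceranger.local", "10.0.0.5")
    except ZoneError as exc:
        print("rejected:", exc)
```

Had each service name been given its own A record instead, the agent would need one update per name on every lease change, and any name it missed would keep pointing at the previous subscriber on that address.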