Mac Thread, AD-OD Client Management in Technical; I'm currently working in an AD environment with an existing OD server that is not bound to AD (standalone). The ...
31st December 2008, 09:59 PM #1
- Rep Power
AD-OD Client Management
I'm currently working in an AD environment with an existing OD server that is not bound to AD (standalone). The 10.4 clients & users are managed completely via OD.
I wish to use AD auth and still have the OD management (I've read the afp548 sandbox whitepaper) so setup a second OD server, bound it to AD, set the search order, etc and all appears to be working well at the server side.
I've bound a client to AD and can login just fine (even without running an OD server) so my question is: how do I specify on the client how to use the OD server for management & how can I slowly migrate users/computers from the old OD server to the new OD server which is bound to AD). In other words, how do the clients know where to get their configuration from -- is it managed completely by the OD server via mac address in the computer group section of WGM?
I have apx 350 clients to convert at this early phase.
1st January 2009, 12:51 PM #2
OK. I think i understand what you want to do. You could make the new OD server a replicating server of the old OD server. Once all information has been replicated promote the replication server to an OD master. This will transfer the information. I have not done this myself so you may want to test it first before destroying the data on the old server.
You should then have your new OD server complete with data and connected to the AD. What you need to do now is bind the clients to both the AD AND the OD. You will need the AD above the OD in the authentication list in the directory utility on the clients. This will make the clients check the AD for user authentication first.
IMO though you may be better off upgrading the server AND the clients to 10.5.x first though as leopard does seem to work better in this configuration and is somewhat a little more forgiving when problems arise.
You can use ARD if you have access to it to send a script out to your 350 clients to bind them to the AD and OD. If you do upgrade to Leopard then you will have to tweak the script a little since it doesn't work quite the same as it did under Tiger.
You can find the script here:
You will need to remove the local KDC realm on Leopard as well.
The Tiger script to bind can be found here:
Hope this helps a little.
2nd January 2009, 10:44 PM #3
User Accounts need to exist in the AD node
What Mark has suggested is very good and might work? DNS has to be configured correctly - as always on the AD. There are other variables that need to be taken into account. Namely SMB Digital Signing is not supported. NTP is another critical area to look at.
However I'm not sure if you can have a Replica when the Master is not the KDC? Personally I think Replication may fail as slapcat and kerberosautoconfig won't be able to do their thing. SSH needs to be on as well and I think this too will be affected if the OD Master is not the Key Distribution Centre. I suppose the only real way to find out is to try it?
There may well be further problems with this? For example how are these users going to be able to authenticate when the AD KDC knows nothing of them? Don't forget they only exist in the LDAP node regardless of whether replication works or not. At some point these users would have to be imported into AD. What about home folders? You'd have to let the AD know the UNC path. That's a lot of typing for 350 users.
Antonio Rocco (ACSA)
By ClaireL in forum Windows
Last Post: 19th May 2008, 02:38 PM
By mark.hopgood in forum *nix
Last Post: 11th July 2007, 03:32 PM
By monkeyx in forum Network and Classroom Management
Last Post: 23rd March 2007, 03:24 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Tags for this Thread