Mac Thread: AD-OD Client Management (forum: Technical)
  1. #1
    AD-OD Client Management

    I'm currently working in an AD environment with an existing OD server that is not bound to AD (standalone). The 10.4 clients & users are managed completely via OD.

    I wish to use AD auth and still have the OD management (I've read the afp548 sandbox whitepaper), so I set up a second OD server, bound it to AD, set the search order, etc., and all appears to be working well on the server side.

    I've bound a client to AD and can log in just fine (even without running an OD server), so my question is: how do I specify on the client how to use the OD server for management, and how can I slowly migrate users/computers from the old OD server to the new OD server (which is bound to AD)? In other words, how do the clients know where to get their configuration from -- is it managed completely by the OD server via MAC address in the computer group section of WGM?

    I have approx. 350 clients to convert at this early phase.

    thanks!
    Eric

  2. #2
    OK. I think I understand what you want to do. You could make the new OD server a replica of the old OD server. Once all information has been replicated, promote the replica to an OD master. This will transfer the information. I have not done this myself, so you may want to test it first before destroying the data on the old server.

    You should then have your new OD server complete with data and connected to the AD. What you need to do now is bind the clients to both the AD AND the OD. You will need the AD above the OD in the authentication list in Directory Utility on the clients. This will make the clients check the AD for user authentication first.

    IMO though, you may be better off upgrading the server AND the clients to 10.5.x first, as Leopard does seem to work better in this configuration and is somewhat more forgiving when problems arise.

    You can use ARD, if you have access to it, to send a script out to your 350 clients to bind them to the AD and OD. If you do upgrade to Leopard then you will have to tweak the script a little, since it doesn't work quite the same as it did under Tiger.

    You can find the script here:
    http://www.bombich.com/mactips/files...gin-leopard.sh

    You will need to remove the local KDC realm on Leopard as well.

    The Tiger script to bind can be found here:
    http://www.bombich.com/mactips/files...login-Tiger.sh

    Hope this helps a little.
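The client-side part of the reply above (AD above OD in the search path, pushed out by script) as an added example; this is not code from the thread and not the bombich scripts it links. It assumes the Tiger/Leopard-era `dscl /Search` invocations and node names shown, and uses a constructed host name od.example.com; with DRY_RUN=1 (the default) it only prints the commands, and the order check runs against captured `dscl` output so it can be exercised anywhere:

```shell
#!/bin/sh
# Added example; not code from the thread or from the bombich scripts it links.
# Emits (and optionally runs) the dscl commands that put the AD node above the
# OD LDAP node in a Tiger/Leopard client's custom search path, then checks the
# resulting order from the output of "dscl /Search -read / CSPSearchPath".
# Assumptions: the dscl invocations and node names below, and the constructed
# host name od.example.com. DRY_RUN=1 (the default) prints instead of executing.

DRY_RUN="${DRY_RUN:-1}"
# Tiger names the AD node "/Active Directory/All Domains"; Leopard inserts the
# domain ("/Active Directory/<DOMAIN>/All Domains"), so both are parameters.
AD_NODE="${AD_NODE:-/Active Directory/All Domains}"
OD_NODE="${OD_NODE:-/LDAPv3/od.example.com}"

# Print the command sequence: switch to a custom search path, remove any
# existing entries for both nodes (so re-running does not append duplicates),
# then append AD first and OD second. Authentication is tried top-down, so AD
# answers logins while the OD node still supplies the managed preferences.
search_path_commands() {
    adn="$1"; odn="$2"
    printf '%s\n' \
      "dscl /Search -create / SearchPolicy CSPSearchPath" \
      "dscl /Search -delete / CSPSearchPath \"$adn\"" \
      "dscl /Search -delete / CSPSearchPath \"$odn\"" \
      "dscl /Search -append / CSPSearchPath \"$adn\"" \
      "dscl /Search -append / CSPSearchPath \"$odn\""
}

# Run (or, in dry-run mode, print) each command. A failed delete of an entry
# that was never there is harmless, so failures are reported, not fatal.
apply_search_path() {
    search_path_commands "$1" "$2" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            sh -c "$cmd" || echo "warning: command failed: $cmd" >&2
        fi
    done
}

# Given the text of "dscl /Search -read / CSPSearchPath" (one node per line,
# indented by a space), return 0 only if both nodes are present and the AD
# node is listed above the OD node.
search_order_ok() {
    listing="$1"; adn="$2"; odn="$3"
    ad_line=$(printf '%s\n' "$listing" | sed 's/^[[:space:]]*//' \
              | grep -n -F -x -- "$adn" | head -n 1 | cut -d: -f1)
    od_line=$(printf '%s\n' "$listing" | sed 's/^[[:space:]]*//' \
              | grep -n -F -x -- "$odn" | head -n 1 | cut -d: -f1)
    [ -n "$ad_line" ] && [ -n "$od_line" ] && [ "$ad_line" -lt "$od_line" ]
}

# Verify the live client; only meaningful on a Mac where dscl exists.
verify_client() {
    listing=$(dscl /Search -read / CSPSearchPath 2>/dev/null) || return 2
    search_order_ok "$listing" "$AD_NODE" "$OD_NODE"
}

apply_search_path "$AD_NODE" "$OD_NODE"
```

Run it after the AD and OD bind steps (the dsconfigad/dsconfigldap part of the linked scripts), with DRY_RUN=0 to apply, and call `verify_client` before moving a machine's computer record to the new OD server's computer list in WGM, so a client is never switched while its search path still lists the OD node first. The account used for the AD bind should be one delegated only the right to join computers, and it belongs in the ARD task's credentials rather than hard-coded in the pushed script.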

  3. #3
    User Accounts need to exist in the AD node

    Hello

    What Mark has suggested is very good and might work? DNS has to be configured correctly - as always on the AD. There are other variables that need to be taken into account. Namely SMB Digital Signing is not supported. NTP is another critical area to look at.

    However I'm not sure if you can have a Replica when the Master is not the KDC? Personally I think Replication may fail as slapcat and kerberosautoconfig won't be able to do their thing. SSH needs to be on as well and I think this too will be affected if the OD Master is not the Key Distribution Centre. I suppose the only real way to find out is to try it?

    There may well be further problems with this? For example how are these users going to be able to authenticate when the AD KDC knows nothing of them? Don't forget they only exist in the LDAP node regardless of whether replication works or not. At some point these users would have to be imported into AD. What about home folders? You'd have to let the AD know the UNC path. That's a lot of typing for 350 users.

    Antonio Rocco (ACSA)
