Moving Macs to new domain

#1 reggiep

    Over the summer our network was moved from CC3 to server 2008.
    As a consequence we have a new domain.
    I now need to let my macs know this!
    I have tried updating them with Directory Utility, but it seems to be really slow to do anything, and even after I change the domain I can't log on as a domain user.
    Do I need to change more than just the settings in Directory Server?

    Thanks

#2 AntonioRocco
    Hi

    When you say you've changed the domain do you mean you've changed the zone name itself or are you just using the word metaphorically because you've gone from CC3 (a good decision) to Win2008?

    If you've changed anything to do with the DNS service, this can and does affect the Macs in a major way. This is especially true if you have a Mac Server in the mix.

    On the mac server launch terminal and issue this command:

    sudo changeip -checkhostname

    Post the result.

    For the Mac clients it should not really matter. Simply 'unbind' from AD and 'unjoin' OD, then bind back again. Generally this would be AD first, followed by OD. If they are being assigned IP addresses along with the relevant DNS server addresses and domain name, then they should be OK.

    Don't forget to configure Mac clients and server to the appropriate network time server. Clearly, if you've changed the environment, possibly with different IP addresses, then this aspect of Single Sign-On can cause problems, even a failure to log in.

    Another area of focus is to make sure your reverse DNS zone is set to scavenge stale records every day or so. If you leave it at its default (7 days), this can show itself on the Macs as poor performance, especially when trying to find home profiles. On the Mac platform, home folder discovery is performed on the reverse pointer. Clearly, if there are stale records for IP addresses previously handed out to PCs, then when an address is re-assigned to a Mac client the Mac can become confused, as it will be trying to resolve its IP address to a hostname that is not its own.

    Do you understand this distinction?

    On a client what you can do is to disconnect the network cable, log in as the local admin and launch Terminal. Issue these commands:

    sudo rm -R -v -i /Library/Preferences/DirectoryService

    At the prompts key in 'y' until you get back to the bash prompt. Now issue:

    sudo rm -R -v -i /Library/Preferences/edu.mit.Kerberos

    Again at the prompts key in 'y' until you get back to the bash prompt. Finally issue:

    sudo reboot now

    The Mac will then restart itself. Whilst it's doing this, reconnect the network cable. Log in again as the local admin and launch Directory Utility. Click on the lock and authenticate. Select Show Advanced Settings. Click on Services. Select the Active Directory plug-in. Click the 'show advanced options' disclosure triangle. Deselect 'force home folder creation on startup drive', enter the domain name and click Bind. You should know the rest from there?

    Antonio Rocco (ACSA)

    Thanks to AntonioRocco from: reggiep (7th September 2009)
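The checks in the post above, as an added example that is not part of the thread: a bash script for an OS X client or server that (1) parses the output of `sudo changeip -checkhostname` and reports whether the two names agree, (2) checks that the Mac's forward (A) and reverse (PTR) records agree, which is what a stale PTR left by a PC that previously held the lease breaks, and (3) checks that the clock is within the Kerberos tolerance of the domain controller. The function names are my own; the `--live` path assumes `dig` and `hostname -f` are available and that the resolvers handed out by DHCP are the AD DNS servers, as the post recommends. The `changeip` sample in `demo()` is the output reggiep posts later in the thread; the other hostnames, addresses and timestamps are constructed.

```shell
#!/bin/bash
# Added example, not from the thread. Pre-bind sanity checks for a Mac joining
# a Windows 2008 AD domain, following the checks AntonioRocco lists above:
#   1. the two names reported by `changeip -checkhostname` agree,
#   2. the Mac's forward (A) and reverse (PTR) records agree, because a stale
#      PTR left behind by a PC that held the lease earlier breaks home-folder
#      discovery,
#   3. the clock is within the Kerberos tolerance of the domain controller.
# The changeip text in demo() is the output posted in the thread; the other
# hosts, addresses and timestamps are constructed for illustration.

KRB_MAX_SKEW=300   # Kerberos default clockskew, in seconds

# Normalise a DNS name for comparison: lower-case, no trailing blanks or dot.
norm_name() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's/[[:space:]]*$//' -e 's/\.$//'
}

# Read `sudo changeip -checkhostname` output on stdin.
# Returns 0 when "Current Hostname" and "DNS Hostname" agree, 1 when they
# differ, 2 when either line is missing (for example, when run on a client).
check_changeip_output() {
  local out cur dns
  out=$(cat)
  cur=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Current Hostname[[:space:]]*=[[:space:]]*//p' | head -n 1)
  dns=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*DNS Hostname[[:space:]]*=[[:space:]]*//p' | head -n 1)
  if [ -z "$cur" ] || [ -z "$dns" ]; then
    echo "could not find both hostname lines in changeip output" >&2
    return 2
  fi
  [ "$(norm_name "$cur")" = "$(norm_name "$dns")" ]
}

# Forward/reverse agreement. Arguments: the Mac's FQDN, the address its A
# record resolves to, and the name the PTR record for that address gives.
# Succeeds only when the PTR points straight back at the Mac.
check_ptr_consistency() {
  local fqdn=$1 ip=$2 ptr=$3
  if [ -z "$ptr" ]; then
    echo "no PTR record for $ip ($fqdn): check the reverse zone" >&2
    return 1
  fi
  if [ "$(norm_name "$fqdn")" != "$(norm_name "$ptr")" ]; then
    echo "stale PTR: $ip reverses to $ptr, not $fqdn" >&2
    return 1
  fi
  return 0
}

# Kerberos rejects tickets when the client and KDC clocks differ by more than
# the clockskew. Arguments: local and domain-controller Unix epoch timestamps.
check_clock_skew() {
  local diff=$(( $1 - $2 ))
  diff=${diff#-}                 # absolute value
  [ "$diff" -le "$KRB_MAX_SKEW" ]
}

# Live run on the Mac itself (assumes dig and hostname -f, as shipped with
# OS X, and that the configured resolvers are the AD DNS servers).
live_dns_check() {
  local fqdn ip ptr
  fqdn=$(hostname -f)
  ip=$(dig +short "$fqdn" A | head -n 1)
  if [ -z "$ip" ]; then
    echo "no A record for $fqdn" >&2
    return 1
  fi
  ptr=$(dig +short -x "$ip" | head -n 1)
  check_ptr_consistency "$fqdn" "$ip" "$ptr"
}

# Print PASS/FAIL for a check; stdin (the heredoc below) is passed through.
report() {
  local label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

demo() {
  # Output as posted in the thread: the names agree, nothing to change.
  report "changeip names agree" check_changeip_output <<'EOF'
Primary IP = 10.60.28.53

Current Hostname = prentonhigh.internal
DNS Hostname = prentonhigh.internal

The names match there is nothing to change.
EOF
  # Constructed: a Mac whose lease was previously held by a PC whose PTR was
  # never scavenged, so the address still reverses to the PC's name.
  report "PTR matches (clean)"              check_ptr_consistency mac01.prentonhigh.internal 10.60.28.120 MAC01.prentonhigh.internal.
  report "PTR matches (stale, expect FAIL)" check_ptr_consistency mac01.prentonhigh.internal 10.60.28.120 lab-pc07.prentonhigh.internal
  # Constructed: 2 minutes of drift passes, 10 minutes fails.
  report "clock within skew (120 s)"             check_clock_skew 1252350000 1252350120
  report "clock within skew (600 s, expect FAIL)" check_clock_skew 1252350000 1252349400
}

if [ "${1:-}" = "--live" ]; then live_dns_check; else demo; fi
```

Run it with no arguments to see the constructed cases, or with `--live` on the Mac after it has picked up its DHCP lease; pipe `sudo changeip -checkhostname | bash -c '. ./check.sh; check_changeip_output'` style into `check_changeip_output` on a server. The PTR check is the one worth scripting into a login-time or imaging check, since a mismatch there is exactly the stale-record symptom described above.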

#3
    I did this over the summer actually: an old CSE-centric network needed updating, so I bought two new HP servers and we migrated the network users and data over to a new domain, and then did a domain rename on the Windows server to re-use our old suffix (there are easier ways, but we HAD to do it this way). Worked fine. I then cleared out the Apple Server settings etc. and re-bound the server to the new domain, making sure that the time etc. also reflected the new domain controller.

    After checking that this worked, I simply rebound the existing Macs (by first unbinding them from the old domain, rebooting, and then re-binding as Tony suggested in his reply).

    All is well. Macs and OS X Server happy and talking to each other and MCX settings coming out nicely.

    Interesting to read of the stale record scavenging and home directories though; hadn't heard that one before, so I will be looking at this tomorrow!!

    Paul

#4 reggiep

    Quote Originally Posted by AntonioRocco:
        sudo changeip -checkhostname

        Post the result.
    I get the following...
    Primary IP = 10.60.28.53

    Current Hostname = prentonhigh.internal
    DNS Hostname = prentonhigh.internal

    The names match there is nothing to change.

    The problem I can see here is that this is the old domain name, and the new one is prentonhigh.local.

    Do I need to update my DNS for this??
    Last edited by reggiep; 7th September 2009 at 06:31 PM.

#5
    Don't use .local!

    It might cause you more problems than you hoped for with Apple integration

    Paul

#6 reggiep
    Shoot,
    Don't tell me that!

    A bit late as the domain went live during the summer hols.

#7 reggiep
    Would it be best if I removed DNS completely from my mac server and then start again?

#8 AntonioRocco
    Hi

    If I understand you correctly, DNS should not even be configured on the Mac Server. Leastways, not if you want a 'classic' AD-OD integration? You should be using the existing (and hopefully correctly configured) DNS service in the AD environment.

    Of all the gazillions of TLDs that could have been used you got the one that is going to cause problems! In hindsight configuring the AD Domain to not use .local would have been preferable. It is possible to use .local although it can be hard work and ultimately will cause problems. DNS has to be even more 'perfect' than normal for it to work effectively.

    Why even go there in the first place?

    You do have other possibilities?

    If your network topology allows, you could 'ring-fence' your Macs (including the server) on a completely different subnet/VLAN (it can also be done without going that far). You only need to provide access to the internet. That way you avoid rebuilding your AD. You would of course have to configure the Mac Server to provide an OD environment. This would include configuring DNS and (if you wanted it) DHCP, if on a separate LAN.

    Opting for a separate LAN would mean you won't have access to the AD. You would have to key in (or import from AD using Passenger or something similar) all users and groups again, as well as arranging for enough storage for student/teacher profiles, not forgetting backup.

    In effect a separate environment that would need all the resources that an AD environment would need. I know of some locations that have opted for this 'solution'.

    You might be looking at making a tough decision?

    How long is it going to take, and how expensive is it going to be, to do this as opposed to reconfiguring DNS correctly for your AD domain? Or you could simply ignore the whole thing and put up with it. Who knows, it might not be too bad? Since 10.5.4, OS X is unicast-first rather than multicast. It can also deal with domains based around .local much better than before.

    Antonio Rocco (ACSA)
    Last edited by AntonioRocco; 8th September 2009 at 07:13 PM.

#9 eean
    This Apple white paper, 'Best Practices: Integrating Mac OS X with Active Directory', is quite useful.

    According to this, the .local problem no longer exists after 10.5.4:

    .local domains
    Since Mac OS X uses the .local domain for Bonjour (link-local addressing), it will conflict with any .local AD domain. To get around this, add .local to the search domain settings in the Network preference pane. All .local DNS queries will be unicast to the DNS servers before being multicast to the network.

    Beginning with Mac OS X v10.5.4, the Mac OS X client recognizes .local domains, and the addition of .local into the search domain settings is not necessary.

    Thanks to eean from: reggiep (9th September 2009)

#10 reggiep

    Quote Originally Posted by AntonioRocco:
        If I understand you correctly, DNS should not even be configured on the Mac Server. Leastways, not if you want a 'classic' AD-OD integration? You should be using the existing (and hopefully correctly configured) DNS service in the AD environment.

        Of all the gazillions of TLDs that could have been used you got the one that is going to cause problems! In hindsight configuring the AD Domain to not use .local would have been preferable. It is possible to use .local although it can be hard work and ultimately will cause problems. DNS has to be even more 'perfect' than normal for it to work effectively.

        Why even go there in the first place?

        You do have other possibilities?

        If your network topology allows, you could 'ring-fence' your Macs (including the server) on a completely different subnet/VLAN (it can also be done without going that far). You only need to provide access to the internet. That way you avoid rebuilding your AD. You would of course have to configure the Mac Server to provide an OD environment. This would include configuring DNS and (if you wanted it) DHCP, if on a separate LAN.

        Opting for a separate LAN would mean you won't have access to the AD. You would have to key in (or import from AD using Passenger or something similar) all users and groups again, as well as arranging for enough storage for student/teacher profiles, not forgetting backup.

        In effect a separate environment that would need all the resources that an AD environment would need. I know of some locations that have opted for this 'solution'.

        You might be looking at making a tough decision?

        How long is it going to take, and how expensive is it going to be, to do this as opposed to reconfiguring DNS correctly for your AD domain? Or you could simply ignore the whole thing and put up with it. Who knows, it might not be too bad? Since 10.5.4, OS X is unicast-first rather than multicast. It can also deal with domains based around .local much better than before.

        Antonio Rocco (ACSA)
    OK, I'll explain how it was set up (by a third party) before the new domain was installed.

    The clients were connected to Open Directory for locking down their shortcuts to apps and mapping their home drives etc. They were also connected to my domain. Both were done with Directory Services.
    The DNS service is installed on the Mac server, and when I look at zones it has prentonhigh.internal as a primary zone, which I have changed (correctly or incorrectly) to prentonhigh.local, and two reverse zones.

    Do I not need this then? Could DNS be set from the windows domain somewhere?

    I need the active directory integration as the school is now used to that and will not want to go backwards!
