#1 (Rydra)

    Creating Mac Domain + joining to AD

    Ok ladies and gents, I've spent now the best part of 3 hours reading just about everything I can stand by Apple and multiple other forums about how to set up what I want, and the majority is either out of date, unhelpful, or just so full of waffle that it was of no use.

    I'm hoping someone here can assist, in which case I'll help in writing up a new guide on what to do/how to do it in one place without, as one place put:
    "If you don't know what this is, then you're probably out of your depth anyway."
    (yeah, a guide actually told me that.....)

    Systems:
    -Windows 2003 domain (1x 2k3 server + 1x 2k8r2), both running in 2003 mode, forest domain = 2003 mode.
    -NAS RAID box (Buffalo TeraStation) connected via iSCSI to the 2k3 box, hosting all shares including user and data shares.
    -Cisco networking gear: Cisco switches and wireless controller (VLANs for server, curriculum PCs, and wireless. Also an admin VLAN, hoping to decom that soon)
    -Windows workstations (mixes of XP, Vista and Windows 7. Considering/hoping to roll up to Windows 7 on all machines within the next 18 months.)
    -Brand new Mac Mini server running Lion OS X + Server App
    -16x MacBook Pros running Lion OS X
    -20 iPad 2s running iOS 5
    -30+ iPad 1s running iOS 5

    What I want:

    -For users of the Windows domain to be able to log on to any machine, Windows or Mac alike.
    -File shares on the NAS to be accessible by both Macs and Windows machines alike.
    -Network-based user home directories/profiles.
    -Shared printing (might have some compatibility issues with the large network copier/printer monstrosity and the Apple gear, don't know yet)
    -Management of Mac images + iPad layouts and apps for both devices centrally from the Mac server.
    -(optional) considering using the Mac server for handling a new email, calendar and ideally collaboration/web file access system, but not sure how the hell it works, never used it before, no idea what it does frankly. This would need to be completely open to multiple platforms and devices.

    Ramblings:


    My initial thought was to run the Apples in their own domain, and simply set up a trust between them for sharing logins/printing/file shares. This isn't as straightforward as I had hoped, as there seem to be 8,000 different ways of connecting Open Directory to AD and the configuration of user profiles to go with it.
    From what I can tell, this is basically the magic triangle layout, which I have no idea if it's still valid; everything I can find on this setup seems to refer to OS X 10.4/10.5/10.6, and I have not yet found anything that actually says how to do it in 10.7, or if 10.6 works the same way, what the differences are etc etc.
    I've also read about issues with the '.local' domain extension, which I've currently got set up on my Windows domain.

    I'm pretty good with the MS side of things, I know my way around AD pretty well (I've done the MCTS on it, and found it a little boring for the most part having done a lot of it just from working with AD for 6+ years). I can even get around Linux if I keep a guide handy on a few of the commands (too many years of using DOS commands, I get mixed up).
    But I'm afraid I'm a complete novice at Apple, no idea really what it or I can and cannot do at the server/config side, though I have used Macs as an end abuser a few times.

    If you have some guides that would help here, please link them.

    So far I've found these that help to varying degrees:
    http://manuals.info.apple.com/en_US/...dmin_v10.6.pdf (ok but waffles a lot, it's more like a thesis on server admin than a guide on how to use it.)
    http://manuals.info.apple.com/en_US/...dmin_v10.6.pdf (similar to above, a bit waffly, but some good info here if you are technical enough. You pretty much have to read it all, you can't really skip to later points as I kept being referenced to earlier bits)
    http://help.apple.com/advancedserveradmin/mac/10.7/# (similar to the above stuff, but less waffly, still not quite a guide, but shows examples and takes you through the layouts and the different services clearly)
    Apple Magic Triangle Setup with Windows File Server backed Portable Home Directories. | Copious Communications (magic triangle setup. Assumes higher than normal technical knowledge, and frankly unhelpful on a few places where it skips over stages that can cause confusion)
    http://manuals.info.apple.com/en_US/...mage_v10.6.pdf (not read this through yet, but suspect it’s similar to above with a lot of waffle to tell not a lot)

    If you can assist with any of this, tips, tricks, suggestions etc please do.

    I am heavily documenting everything I do here, so will write up anything I do and hopefully produce a proper guide at the end.
    Last edited by Rydra; 13th March 2012 at 12:15 PM.

#2 (HodgeHi)
    As far as I'm aware OS X still hasn't brought iSCSI support to the table, so unfortunately you will be out of luck unless you can find a third-party alternative. I know that Drobo provide an iSCSI application to allow Macs to support their own devices. Whether this can be gotten from elsewhere and whether it supports other devices I don't know.

    As far as I'm aware the process is pretty similar in Lion to the other versions. Saying that though, I haven't done it yet myself. Guides for this sort of stuff more than likely won't have been written yet since most places running AD-OD integration wouldn't have upgraded to Lion yet, as it's very limited compared to 10.6's offering in services.

    I have a Lion server currently sitting on my desk. I would be more than happy to go through the process and document how I do it along the way. I need to look at it myself anyway for the near future.

    But I would also address the first issue I pointed out if this is a problem.

#3 (Rydra)
    I've succeeded in connecting to AD now, though it took a LOT of fighting.

    I had to do it several times with a lot of trial and error to make it work, but I got there.

    I used a mix of here: https://help.apple.com/advancedserveradmin/mac/10.7/#

    Which I found somehow, but it is quite well buried and hard to find this page.

    And here:
    Apple Magic Triangle Setup with Windows File Server backed Portable Home Directories. | Copious Communications

    Which is slightly out of date, but if you combine that with the above advanced guide you should get it done.

    I'll try and write it up in a proper guide soon, but at this point I had to do it about 12 times with slightly different methods before I found the right one, so I forget what some of the windows/processes to follow are, simply because I tried so many.

#4 (Rydra)
    Quoting HodgeHi's post #2 above.

    I'm happy enough with the iSCSI drive going via the Windows server, though it would have been nice to have direct access.

    The client side magic triangle setup seems a little different too, but as above can probably be pieced together. My argument would be that if you release something, you have to provide the documentation on how to operate it, not just throw it out the door and expect it all to work.
    I mean they've had 9 months since business release and nearly 6 months since full public release. I can understand the public not doing it fully yet, but Apple should be publishing official manuals by now on it.

    The next stage for me is to get a machine set up and working, but I'm currently investigating how Apple image creation and deployment works before I set about changing or installing anything, in case I end up having to do it all again.

    Also got a large amount of iPads due to arrive, and I'm eyeing up the Apple Configurator and how the hell that thing works, so I can start building iPad images and profiles.

#5 (HodgeHi)
    As long as you can work around the lack of iSCSI support is the main thing. I have done a quick search online and there do seem to be a few mentions of some companies having iSCSI initiators for the Mac platform.

    The main thing to do is to place the AD above the OD in the authentication list found in the Directory Utility. This is due to the Mac client looking at the AD first for authenticating the username/password combo and then dropping down to the OD for client management prefs (MCX records). If done the other way around, OD first, this would suggest that the client would look to the OD for username/password authentication instead, resulting in a login failure. This was the done thing in Tiger and I have done it ever since. Whether it has changed I don't know, but I would still do it now and plan to if/when we upgrade our clients.

    Hope this helps a little.

    I have also re-installed my Lion server and am about to write a little guide as best I can anyway. From the looks of my posts I may waffle on too much as well.

    Oh, and Apple's documentation is poooooooor. Always out of date and never of any use really. Lacks most of the detail and also contradicts other sources sometimes. E.g. using Time Machine to back up a server. Yeah fine, but Time Machine doesn't support the ability to stop services to get a consistent snapshot of the password/slapd database.

    Anyway, I'm ranting now a bit.....

    Glad you're moving in the right direction.
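The search-order point in HodgeHi's post above is easy to check from a terminal rather than by eyeballing Directory Utility. The script below is an added example, not code from the thread or from Apple: it reads the client's directory search policy (on a real Lion client the text comes from `dscl /Search -read / CSPSearchPath`, which is reproduced here as constructed sample output) and reports whether the Active Directory node is listed before the Open Directory (LDAPv3) node. The node names `EXAMPLE` and `odserver.example.local` are placeholders, and the `dscl` fix-up commands in the comments assume those placeholder node names.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the Active Directory node
# sits above the Open Directory (LDAPv3) node in a Mac client's search policy.
#
# On a Lion client the live policy is read with:
#   dscl /Search -read / CSPSearchPath
# and, assuming placeholder node names, reordered with:
#   dscl /Search -create / SearchPolicy CSPSearchPath
#   dscl /Search -append / CSPSearchPath "/Active Directory/EXAMPLE/All Domains"
#   dscl /Search -append / CSPSearchPath "/LDAPv3/odserver.example.local"

# ad_before_od POLICY_TEXT
#   Prints "ok" when the AD node is listed before the LDAPv3 (OD) node,
#   "wrong-order" when OD comes first (the login-failure case described
#   in the post), and "missing" when either node is absent from the policy.
ad_before_od() {
    # Line number of the first AD node and the first LDAPv3 node.
    ad_line=$(printf '%s\n' "$1" | grep -n '/Active Directory/' | head -n 1 | cut -d: -f1)
    od_line=$(printf '%s\n' "$1" | grep -n '/LDAPv3/' | head -n 1 | cut -d: -f1)
    if [ -z "$ad_line" ] || [ -z "$od_line" ]; then
        echo "missing"
    elif [ "$ad_line" -lt "$od_line" ]; then
        echo "ok"
    else
        echo "wrong-order"
    fi
}

# Constructed sample output in the shape dscl prints (one node per line).
GOOD_POLICY='CSPSearchPath:
 /Local/Default
 /Active Directory/EXAMPLE/All Domains
 /LDAPv3/odserver.example.local'

BAD_POLICY='CSPSearchPath:
 /Local/Default
 /LDAPv3/odserver.example.local
 /Active Directory/EXAMPLE/All Domains'

AD_ONLY_POLICY='CSPSearchPath:
 /Local/Default
 /Active Directory/EXAMPLE/All Domains'

# Stand-alone run: shows all three verdicts.
echo "good:    $(ad_before_od "$GOOD_POLICY")"
echo "bad:     $(ad_before_od "$BAD_POLICY")"
echo "ad-only: $(ad_before_od "$AD_ONLY_POLICY")"
```

To check a real client, replace the constructed samples with `ad_before_od "$(dscl /Search -read / CSPSearchPath)"`; a "wrong-order" result is the configuration the post says produces failed logins.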


#6 (Rydra)
    Quoting HodgeHi's post #5 above.

    Thanks for that, I hadn't noticed but it had set OD as the primary authentication source.... You've already provided more help than the approximately 800 pages of Apple documentation I've read in the last 3-4 days.

#7 (HodgeHi)
    It's what we're all here for.

    All of the information I have obtained either came from Bombich and his AD-OD integration PDF or the guide attached at the top of the Mac forum, and AFP548 - Changing the world one server at a time.

    The site linked is a good resource, but not updated regularly. They know their stuff though and do have a decent discussion board. One guy from there was working with me to get Outlook working with our IMAP service via email over the course of a few days. Turned out Outlook 2003 didn't support Kerberos authentication.

    Also keep an eye on the Lion Server discussions board at http://discussions.apple.com. I have started to post a bit over there again, and already read some useful info, such as WGM doesn't add any newly created users made through WGM into the correct groups, resulting in failed logins. Apparently you need to create users using the new Server.app to have them created properly. That's not the first time I've heard to avoid using the WGM though. I think Lion Server is still in the process of being migrated over to the one application, and that more changes are to come with each 10.7.x release.

    Also on the imaging/deployment front, I was going through it with someone on Lion Server 10.7.3 and he was having some issues with booting clients. It turned out that you will need to download the nightly build for 10.7.3 support.

#8 (Rydra)
    Quoting HodgeHi's post #7 above.

    We've bought into a day's support from a guy who's coming in next week to take a look and book in a day to do it all properly.
    I plan on making me look good in having half of it running by then, then pointing out the fail of Apple when things don't work as they should.

    I had a look at that AFP site originally, but found it hard to navigate or find anything and gave up.
    Last edited by Rydra; 15th March 2012 at 12:45 PM.

#9 (HodgeHi)
    Quoting Rydra's post #8 above.

    Bear in mind that Apple's latest OS version always takes a few .x increments before it becomes relatively stable. 10.6 only became usable around 10.6.5. It's their way of releasing service packs.

    As for your issue with the screensaver. Do you have it asking for a password on resume? I have only ever seen an issue with the login after screensaver once elsewhere. This was due to locations being used. The location which the machine was in was still logged in but the client had been moved. You cannot change the location once a user is logged in and a password is set, causing the issue where the user cannot authenticate against the server which it was talking to previously. I hope that makes some sort of sense.

    Anyway, if you have any questions feel free to ask. I'll do my best to answer them.

    And yes, the AFP site is difficult to navigate but there are some nuggets in there. I used it to provide cross-realm authentication, which provides the ability of having an AD infrastructure and OD infrastructure and the users being able to authenticate against both Kerberos realms. Interesting stuff if you can get your users to work it. It was just a case of switching the domain in the log on box under Windows to use the OD services and shares. Too much for a primary school though. This was before augmented records arrived.
