    #376523
    jasonthat
    Participant

    To all. I am sure questions about Mac integration into an AD domain might have been asked a million times here, but since this is my first and I am fairly new to Macs, I just need to get the right “Mac” answers and am trying to understand the differences between the options available to go ahead with this project ([b]If someone could confirm my statements that end with a question mark, much appreciated[/b]).

    As far as I have read, these are the options I understand are available for adding Macs to a Windows domain:

    – To use the built-in active directory that comes with Mac OS X ([b]I do not need to setup an OD server, correct? The mac clients are only joined to the domain and the purpose is served?[/b] )

    – To use the method commonly known as the “Golden Triangle” – [b]I am guessing this method is used if we need to manage policies on our Macs, same as using Group Policy for windows?[/b] ([b]And for this, I need to setup an OD server, correct?[/b])
    [i]*If we were planning on setting up an Apple Update Server for all the macs, we would still need to have the ability to manage policies on Macs?[/i]

    – I have been reading suggestions by others to use third-party tools such as Likewise Open. – [b]Could someone tell me why exactly would we need to use such a tool?[/b] I figured from their website such a tool can be used for centralized management of policies & others such as from an AD MMC. [b]But my confusion is do I “really” need to use such a third-party tool?[/b]

    Thanks in advance!

    #376528
    jasonthat
    Participant

    [QUOTE][u]Quote by: MacTroll[/u][p]
    3. A couple of reasons why you might want to use a third party plugin. The plugins can sometimes handle more exotic AD configurations much better than the built-in plugin, cross forest trusts are a good example of this. Also some of the plugins allow you to manage the Macs with Windows-based tools. Although I think the vast majority of installations are using the built-in plugin.[/p][/QUOTE]

    I am quite sure that might be true about the majority because of the cost factor. I myself am leaning towards the golden triangle for now. Let's see how that works out first and later on, if the environment calls for advanced management abilities, I might look into the paid options. Anyway, thanks MacTroll.

    #376537
    jasonthat
    Participant

    OK, I went ahead with testing out the Golden Triangle. A few questions along the way. [u]Steps I have tried so far:[/u]

    *a running windows 2003 AD server, standalone 10.5 Leopard server and clients all at 10.5*

    1) Made sure the OS X server is stand-alone
    2) Went into Directory Utility and joined the server to the AD domain
    3) Went into Open Directory settings in Server admin and changed the role to OD Master
    4) Then made sure the Authentication tab of search policy had the AD entry first and then the OD LDAP entry
    5) Confirmed that the Kerberos was stopped in the Overview section of Open Directory settings in Server admin and saw the LDAP search base pointing to the OD (did not show the Kerberos realm, guessing it does not show in Leopard)
    6) Verified the binding OD to domain worked properly (opened up WGM and saw the AD users listed in there)

    [u]Clients:[/u] [b]Should I be “binding” the Mac clients to both the AD (first) and to OD as well? Or do I only bind to AD and then only make a connection to the OD (without binding)?[/b]
    Another thing I noticed here is that I am pretty sure that on my first test client, while binding to the AD, I only had to follow the steps for binding it to the AD through Directory Utility and didn't have to do anything else for the connection to OD. After a logout and checking back in Directory Utility, I found that the OD server, along with the AD server, was automatically listed in the available “Directory Servers”, and the LDAP entry as well in the Authentication tab of the search policy (although the LDAP entry was found to be above the AD domain in order).
    Now this automatic showing up of the OD server in Directory Utility did not happen for the rest of the test clients. The only thing I remember changing is removing the LDAP entry in the Contacts tab of the search policy of the OD server.
    However, to mention, the AD account logins to the bound clients work perfectly well (although I have not tested the managed settings through WGM) and I am able to see all their home folders and working mobile accounts, but for all this to work, [b]I have to manually add the LDAP entry in Directory Utility on the clients. Is this usually manual or are there any changes I need to make to have this automatic?[/b]

    Sorry about the length, but if someone would care to confirm that I have followed the right procedure here in the AD-OD integration and client bindings, much appreciated. Thanks.

    #376540
    jasonthat
    Participant

    While waiting for some replies on my previous post in this thread, I am just going to drop in a few more questions hoping someone would take the time to reply:

    1) At the time of joining OD into AD, do I need to hit the Join Kerberos button before turning the server into an OD Master?
    2) On the OD Master, does the LDAP entry have to be before the AD in order (in search policy – authentication) ?
    On the Mac client, does it have to be the other way around? Search Policy order – AD first & OD second?
    3) The “Enable authentication to directory binding” option in Open Directory – Server Admin – does this have to be enabled or does it matter?
    4) I was looking at WGM after a test client was bound to AD first and OD second. My confusion is, once the client is bound to an OD, wouldn't that computer record show up in the list of “Computers” in WGM (not the AD records)?

    These are the main ones for now, but if any of you know the answers to these questions or could explain, please do fill in. Thanks!

    #376685
    Patrick Gallagher
    Participant

    [QUOTE][u]Quote by: jasonthat[/u][p]While waiting for some replies on my previous post in this thread, I am just going to drop in a few more questions hoping someone would take the time to reply:

    1) At the time of joining OD into AD, do I need to hit the Join Kerberos button before turning the server into an OD Master?
    2) On the OD Master, does the LDAP entry have to be before the AD in order (in search policy – authentication) ?
    On the Mac client, does it have to be the other way around? Search Policy order – AD first & OD second?
    3) The “Enable authentication to directory binding” option in Open Directory – Server Admin – does this have to be enabled or does it matter?
    4) I was looking at WGM after a test client was bound to AD first and OD second. My confusion is, once the client is bound to an OD, wouldn't that computer record show up in the list of “Computers” in WGM (not the AD records)?

    These are the main ones for now, but if any of you know the answers to these questions or could explain, please do fill in. Thanks![/p][/QUOTE]

    1. No. This would be used by a member server to kerberize services. If your Mac server is going to provide other services that should be kerberized, run “sudo dsconfigad --enableSSO”
    2. I don’t know if there is a definitive answer to that. The AD-OD guide on this site (written for Tiger) says AD first, then OD. The paper by John DeTroye (written for Leopard) says OD first, then AD. I have not seen a difference.
    3. You don’t want to do an authenticated binding to OD because that would mess up kerberos on the clients so I would just disable that so your techs are tempted to enter their credentials when joining machines to OD.
    4. The machine only shows up in WGM with a secure bind (authenticated) which we can’t do with a triangle config because kerberos would get messed up. You will either need to add each machine manually into WGM or script the OD joining so that it also adds the computer account to OD.
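A small check for the search-policy question in item 2 above. This is an added example, not a script from the thread or from either poster. It reads the text that `dscl /Search -read / CSPSearchPath` prints on a client and reports whether the Active Directory node precedes the LDAPv3 (OD) node, which is the client order jasonthat used, and whether the LDAPv3 node is present at all (the “had to add the LDAP entry manually” case). The sample output embedded below is constructed to match the multi-value layout dscl uses (attribute name on one line, one node per indented line); the server name od.example.com is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: verify a Mac client's directory search
# policy order. On a real client run:
#   dscl /Search -read / CSPSearchPath > /tmp/csp.txt
#   check_search_policy "$(cat /tmp/csp.txt)"

# Constructed sample of what dscl prints for a client bound AD first, OD second.
SAMPLE_CSP='CSPSearchPath:
 /Local/Default
 /BSD/Local
 /Active Directory/All Domains
 /LDAPv3/od.example.com'

# Print the 1-based position of the first search-path node that starts with
# the given prefix, or 0 if no node matches.
#   $1 = dscl output, $2 = node prefix (e.g. "/Active Directory")
node_position() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^CSPSearchPath:/ { sub(/^CSPSearchPath:[ \t]*/, ""); if ($0 == "") next }
        /^[ \t]*$/        { next }
        {
            sub(/^[ \t]+/, "")           # strip the indent dscl adds
            n++
            if (!found && index($0, want) == 1) found = n
        }
        END { print found + 0 }'
}

# Exit status: 0 when AD precedes the OD LDAPv3 node, 1 when the LDAPv3 node
# is missing, 2 when OD is listed before AD, 3 when there is no AD node.
check_search_policy() {
    ad=$(node_position "$1" "/Active Directory")
    od=$(node_position "$1" "/LDAPv3/")
    if [ "$ad" -eq 0 ]; then
        echo "no Active Directory node in the search path"
        return 3
    fi
    if [ "$od" -eq 0 ]; then
        echo "no LDAPv3 (OD) node: add the LDAP entry in Directory Utility"
        return 1
    fi
    if [ "$od" -lt "$ad" ]; then
        echo "OD node (position $od) is listed before the AD node (position $ad)"
        return 2
    fi
    echo "search policy OK: AD at position $ad, OD at position $od"
    return 0
}

check_search_policy "$SAMPLE_CSP"
```

The script only reports the order; as Patrick notes, the documents disagree on which order is required, so treat a non-zero status as something to look at rather than a definite misconfiguration.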

    #376689
    jasonthat
    Participant

    Thanks Patrick

    1. Yes I found that out later on.

    2. I myself could not find any definitive answer to that, so I went ahead and kept it as “OD first & AD second” on the OD server and vice versa on the clients. Hasn't given me any problems so far.

    3 & 4. Well, I actually did do authenticated binding for all the clients. I really am not sure what kind of problems are going to occur, but then again there haven't been any problems so far. One of the reasons for doing this is the pain of manually adding machines, and even if I used scripts, I was kind of confused about the part where I have to put in the MAC addresses of the clients while adding to WGM. [b]I don't think I can add both wired and wireless MAC addresses of the client for a single computer account, correct?[/b] If so, that would be a problem since it is an inconsistent process.
    And I was wondering exactly what sort of issues you have seen on a client when it is bound authenticated, I mean, login issues or policies?

    I have read elsewhere that from ‘Leopard’ onwards we do not have to worry about Kerberos getting messed up, since, as soon as the OD becomes a secondary member server of the “triangle” and after getting connected to AD (which gets labelled as the primary directory server), Leopard indefinitely kills the Kerberos on itself. Not sure how far it is true, but it does make sense. What do you think?

    #376701
    Patrick Gallagher
    Participant

    Only en0 needs to be added which is built-in ethernet on everything except the MB Air.

    Kerberos gets killed on the server, yes. That doesn’t affect what the clients try to do.
