OS X Server best practices
This topic has 4 replies, 2 voices, and was last updated 18 years, 1 month ago by mgnicks.
March 8, 2007 at 3:33 pm #368503
mgnicks (Participant)
Hello All,
I am new to the OS X Server side and to Macs generally (I have used the clients for about a year but not the technical side). I have used and supported Windows Server and clients for about a year and am now beginning to get to grips with the whole aspect of managing the network through Microsoft servers.
What I would like to know is probably pretty basic stuff, but I feel I need to understand this to get a good foundation to build my OS X installation on.
The overall outcome will be an integration of OS X into a predominantly Windows 2003 domain. The clients will be Intel iMacs dual-booting XP and OS X 10.4.8; since we are an educational facility we need XP to support the non-Apple applications that were purchased in the past. Currently XP is running on the iMacs until we can manage the OS X client side on the network. XP has been joined to the AD and is running fine.
The installation of OS X Server 10.4.8 has been started, but that's as far as it has got. This is where I could do with a little help to understand the process…
Under Server 2003, when creating an Active Directory you run dcpromo and it then asks you for the FQDN; since the machine name was given prior to the promotion to domain controller, it uses this to finish the FQDN. For example, server1 becomes server1.example.com.
Is this the same process when configuring the FQDN of the Open Directory server?
I have been doing it this way: Computer name = server1, Hostname = server1, and when promoting to Open Directory Master I use example.com. If the OD is hosting its own DNS then I enter example.com as the domain name with the computer record of server1. This obviously then resolves to server1.example.com. But you can also set the computer name as the fully qualified domain name during the server setup, i.e. Computer name = server1.example.com, and then set the hostname as just server. Is this wrong?
When the Active Directory is hosting the DNS records I create the forward lookup as server1 (which creates the pointer automatically) and then DNS finishes the FQDN. This is the method I have followed, since it will be integrating into the AD. Is this right?
When I come to set the machine as Open Directory Master it asks for the Kerberos realm name. What should this be set to? For instance, is it correct to leave it as the default (SERVER1.EXAMPLE.COM) or is it set to the domain name (EXAMPLE.COM)? I think this is the area where I am having problems when joining the AD, since I cannot get a ticket from the AD domain. Is this the right process?
I am currently reading through the OD services manual, the AD-OD integration and the "Leveraging the OD server"(?) docs, but I cannot see where the basic information is found. It may sound silly, but I like to know the basics so I know that these are correct and are not the reasons behind future problems.
I have installed and bound my OS X Server to AD and have continued to kerberise the services, but it fails when used from the OS X clients as per the AD-OD integration paper. I checked the edu.mit file and the smb.conf, but to be honest I don't know what I'm looking for when I'm in there, since I don't know what the realm is supposed to be set to on installation. Should it be the Kerberos realm of the AD, e.g. EXAMPLE.COM, or the realm of the OS X Server, SERVER1.EXAMPLE.COM/EXAMPLE.COM? The latter is obviously the same, so how can the servers tell that the realms are different?
I have checked the Kerberos tickets on the AD domain and each domain controller has a ticket (the OS X Server is not listed), but Kerberos.app shows on the OS X Server that it does not have any. Is this correct? I have run klist -ke and see a lot of Kerberos entries, but they point to [email protected]. Is this again correct? One thing to mention, though, is that the SMB service is NOT listed. Is this supposed to be listed? I assume it is.
Sorry for all of the questions, but it would put my mind to rest and then allow me to get on with the rest of my duties. Thanks in advance for any help or light that anyone can shed on my woes.
Once these are resolved I can then get around to asking even more questions. Lol
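Added example, not code from the thread or from Apple: a small POSIX shell check that does mechanically what the poster did by eye with `klist -ke` and the Kerberos configuration file. It reads `default_realm` out of an edu.mit.Kerberos-style config, then confirms that every principal in the keytab listing belongs to that realm (a leftover principal from a second realm is exactly the "which realm is this" confusion described above) and that a principal for a named service exists; the SMB service the poster finds missing is the `cifs/` service in Kerberos terms. Both inputs are constructed sample text in the shape of that config file and of `klist -ke` output, using the poster's placeholder names (server1.example.com, EXAMPLE.COM, MACREALM.EXAMPLE.COM); the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a Kerberos keytab listing
# against the realm the server is configured for. Both inputs are CONSTRUCTED
# sample text in the shape of /Library/Preferences/edu.mit.Kerberos and of
# `klist -ke` output, using the poster's placeholder names.

SAMPLE_KRB_CONF='[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }'

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server1.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   3 host/server1.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 afpserver/server1.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   3 ftp/server1.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   2 host/server1.example.com@MACREALM.EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)'

# default_realm from a krb5-style config (first match wins).
config_default_realm() {
    printf '%s\n' "$1" | awk -F= '/^[ \t]*default_realm[ \t]*=/ {
        gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Distinct realms (text after "@") named by principals in a klist -ke listing.
# Header lines have no "@" in their second field and are skipped.
keytab_realms() {
    printf '%s\n' "$1" | awk '$2 ~ /@/ { split($2, p, "@"); print p[2] }' | sort -u
}

# Distinct service names (text before "/") in the listing.
keytab_services() {
    printf '%s\n' "$1" | awk '$2 ~ /@/ { split($2, p, "/"); print p[1] }' | sort -u
}

# Return 0 when every principal in listing $2 belongs to the realm configured
# in $1 and a principal for service $3 exists; otherwise report each problem.
check_keytab() {
    conf=$1; listing=$2; want_svc=$3
    want_realm=$(config_default_realm "$conf")
    status=0
    [ -n "$want_realm" ] || { echo "no default_realm in config"; return 1; }
    for r in $(keytab_realms "$listing"); do
        if [ "$r" != "$want_realm" ]; then
            echo "principal(s) in realm $r, but default_realm is $want_realm"
            status=1
        fi
    done
    if ! keytab_services "$listing" | grep -qx "$want_svc"; then
        echo "no $want_svc/ principal in keytab: that service is not kerberized"
        status=1
    fi
    return $status
}

# Live use on the server would be:
#   check_keytab "$(cat /Library/Preferences/edu.mit.Kerberos)" "$(sudo klist -ke)" cifs
if check_keytab "$SAMPLE_KRB_CONF" "$SAMPLE_KEYTAB" cifs; then
    echo "keytab consistent with configured realm"
else
    echo "keytab needs attention"
fi
```

Run against the sample it reports two problems: a principal left over in MACREALM.EXAMPLE.COM while `default_realm` is EXAMPLE.COM, and no `cifs/` principal, so SMB would not be able to accept Kerberos tickets whichever realm the client got them from. A listing where all principals sit in the configured realm and a `cifs/` entry is present passes.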
March 9, 2007 at 10:40 am #368512
mgnicks (Participant)
If anyone could point me in the right direction with the FQDN questions, that would be a great help, as it would allow me to proceed on the right foot throughout the rest of the procedure.
One thing I have thought about is this…
If I have joined the Boot Camped XP side to the AD and then need to bind the computer to the AD through OS X to have that working, what about the computer accounts in the AD? If I, for example, name the XP computer1 and then bind using computer1, the account will already exist. What effect will this have on the computer account in the AD for the XP side if I choose to replace it?
I will check this out as soon as I finish the install of OS X Server.
March 12, 2007 at 7:10 pm #368531
mgnicks (Participant)
I found most of my answers to the first post by reading the Leveraging OD to use the AD document properly. It states that the realms can be set to whatever you like, really, but for the main realm use the org name.
This is what the realm is set to on the AD, and I set the realm on the Mac side to macrealm.orgname.
I promoted the 10.4.8 to OD Master and then proceeded to bind it to the AD. I followed the instructions to remove the OD realm macrealm.org so as not to confuse the clients.
I continued to WGM and set up some groups on the OD and moved the AD groups into these OD groups to manage them.
I moved on to the clients to configure them to connect to the AD via the plugin and the OD. I moved the AD above the OD in the authentication list.
I proceeded to restart the machine to test the login of a user.
Once at the login window I cycled through the information and found a yellow ball stating "some accounts available". I have tried all I can think of but cannot resolve this issue.
What have i missed?
March 12, 2007 at 10:00 pm #368534
mgnicks (Participant)
Sorry, forgot the main point.
The login worked-ish. I was able to log in, except that the managed preference (the dock was managed to the right as per the Leveraging doc) did not apply. This suggests to me that the accounts that are not available are the OD managed group accounts, but as I am relatively new to this, and all seems to be correct with the configuration, it is proving difficult to find the problem. Where would be the best place to track down issues, i.e. which log would be the best one to browse for answers? I have looked through each log on the OD but nothing seems obvious. I checked the Kerberos app when logged in as an AD user and can see that it has picked up the Kerberos ticket for the right domain.
If you need any more information or can point me in the right direction to help with this problem it would be most appreciated.
Many thanks for your time.