Simple Golden Triangle (OD/AD) How To?

[dusty28]

Hello,

I know that there are a Bazzilion posts out there all asking about setting up a golden triangle (I think I have read them all!) The problem I am having is that they all seem inconsistant, and none of them have successfully guided me to a working setup (I realize that the single point of failure in this scenario is me)

So could anyone point me to a definitive guide for setting up a golden triangle? Here are my vitals:

OS X Server running 10.4.11 (This would be the OD Master… I think)
Windows Server 2003 Domain (3 servers, One File server hosting User accounts, One server hosting Exchange, One hosting DHCP,DNS, and other Misc apps)

I run a small/medium sized windows network with about 90 users,

We have about 10 Macs doing Video/Graphics applications.

I would like to get the Macs integrated into the AD so that the mac users can log onto either a windows machine or a mac and have access to their files.

I would like the mac home directories to be stores on the windows file server so that they are part of the normal backup routine.

I would also like to be able to give certain Windows users login access to the Mac machines and limit thier application access.

What I really need is a good step by step from a brand new 10.4 installation. I have rebuilt the OS X server 4 times now, and I am willing to do it again.

Any direction or assistance would be appreciated.

Thanks!

[dusty28]

So I thought it might be usefull to go through exactly what I am doing, and maybe someone could explain where I am going wrong:

I have been ising the [quote]AD/OD Integration[/quote] guide found here [url]https://www.afp548.com/filemgmt_data/files/AD-OD-2.1.pdf[/url]

The steps outlined by this guides Methodolog are:

[b]Configure the DirHost system:[/b]

The guide assumes that you will be using an OS X server to host the networked home directories of your users. Since I will be using the pre-existing network user directories that are on my Windows File server for my Home Direcories, I assume I can skip this step

[b]Create Home Sharepoint:[/b]

Again, I assume I can skip since these folders are already created on a SMB server that is joined to the AD Domain

[b]Configure AD Users:[/b]

All of my users already exist in the AD database. I would to do authentication against AD, and then have users account settings pulled from OD when the log into a Mac workstation. Since the guide really only explains how to map an AD user account the a Home Directory stored on a Mac Sharepoint, I assume that I can mostly skip this step.

[b]Configure Open Directory:[/b]

This is the start of where I run onto problems. I am starting with a fresh install of 10.4.3 server. I then immediatly run updates to 10.4.11.

When I am installing OS X I choose the “Standalone server” setting with all services turned off. After running updates, I use the server admin tool to turn on Open Directory services by Promoting the server to an OD Master.

I then use the Directory Access tool to join that server to my AD Domain. After I bind to the AD Domain, an information window pops up informing me that if I want to bind Kerberos to the AD domain (which I belive I do!) I have to: use Server Admin tool and select open directory, then select the settings pane, go to the General tab and click the [quote]Join Kerberos[/quote] button… the only problem is that button is missing. The only button that is availible to me is the [quote]Add Kerberos Record[/quote] So I am not sure what is going on here.

So ignoring that problem and moving on. I can know see my AD users in Workgroup Manager. I created a new group under /LDAPv3/127.0.0.1 and added AD users as members, however I can’t seem to manage individual users MCX settings, nor are they able to login on the Mac Workstations.

I have bound the Workstations to Active Directory and LDAP and moved AD to the top of the search path list for authentication and contacts.

[b]Kerberos Hamstring[/b]

I have also followed the instructions found here [url]http://support.apple.com/kb/TS2250?viewlocale=en_US[/url] to modify the OS X server’s Kerberos settings to use the AD Kerberos. Dont think it helped anything.

UUUGGGHHHH!

[CostasPPC1]

You are using a .local namespace?

[dusty28]

[QUOTE][u]Quote by: CostasPPC1[/u][p]You are using a .local namespace?[/p][/QUOTE]

Hi CostasPPC,

I have not configured anything to explicitly use the .local namespace. Some services seem to automagically configure themselves to use .local.

Are you aware of any issues that may be due to improper use of the .local domain.

All domain machines will have a DNS record (served by my Win 2003 server) As far as I can tell, all hostnames are resolving properly…. but there could be a problem I am unaware of.

[dagothere]

I have also come into this problem. I need to set this up soon and it has been very frustrating. It seems every manual I look at is a little different and none of them has helped me set it up all the way.

It also seems that if you try this too many times on the Mac server, it will start to act funny and possibly needs to be reinstalled.

Any help from anyone?

[r00tb00t]

I know this probally isn’t going to seem helpfull but the guide on bombich.com (http://www.bombich.com/mactips/activedir.html) was my saviour.

I just downloaded and printed it off, took it home Friday, read the whole thing, came to work on Monday, formatted my xServe and just started from fresh and sorted it out with that document.

Read the bombich guide and read the one on afp549 over the weekend and I reckon you will have it all straight in your head, then come in monday, blitz the server and go for it.

Worked a treat for me 😉

[samsungcon]

http://www.bombich.com/mactips/activedir.html
I did exactly mentioned in it and it worked for me.i dont know before getiing this document [URL=http://www.chacha.com/topic/how-many]How Many[/URL] times i formatted but all gone in vain.So all users who are facing difficulty in setting up this take a look at this website and all your problems will be solved.

Regards
jame
[URL=http://www.webtrends.com/Products/Optimize.aspx]Landing Page Optimization[/URL]

[lschafroth]

Since his site is dead does anyone have a good complete guide?

I have Open Directory runing on Snow Leopard. I have some software that ONLY works on AD so I need the OD accounts synced into AD. We dont use the AD server for anything else. It is a web server and SQL server and the AD is no longer in use but still running in AD mode.

Lannie

[Dave_H]

You need to bind the Server to the AD domain first – Then set up your server as an OD master

This way you will be able to log on to your mac clients with AD as it will use the AD domain as the Kerberos realm.

[lschafroth]

[QUOTE][u]Quote by: Dave_H[/u][p]You need to bind the Server to the AD domain first – Then set up your server as an OD master

This way you will be able to log on to your mac clients with AD as it will use the AD domain as the Kerberos realm. [/p][/QUOTE]

It sounds like the AD would always have to be the keeper of all the accounts. We dont want this at all, we just want it to sync the accounts from the OD master which is the server that keeps all accounts.

Lannie

[Author]

Posts