jasonthat
Participant
Thanks Patrick
1. Yes I found that out later on.
2. I myself could not find any definitive answer to that, so I went ahead and kept it as “OD first & AD second” on the OD server and vice-versa on the clients. Hasn’t given me any problems so far.
3 & 4. Well, I actually did do authenticated binding for all the clients – I really am not sure what kind of problems are going to occur. But then again there hasn’t been any problems so far. One of the reasons for doing this is the pain of manually adding machines, and even if I used scripts, I was kind of confused about the part where I have to put in the MAC addresses of the clients while adding to WGM. [b]I don’t think I can add both wired & wireless MAC addresses of the client for a single computer account, correct?[/b] If so, that would be a problem since it is an inconsistent process.
And I was wondering exactly what sort of issues have you seen on a client when it is bound authenticated, I mean, login issues or policies? I have read elsewhere that since ‘Leopard’ onwards we do not have to worry about Kerberos getting messed up, since, as soon as the OD becomes a secondary member server of the “triangle” and after getting connected to AD (gets labelled as the primary directory server), Leopard indefinitely kills the Kerberos on itself. Not sure how far it is true, but it does make sense. What do you think?
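The post above settles on "AD first, OD (LDAPv3) second" for the client search policy. The following shell check is an added example, not code from the thread or from any of its posters: it parses the multi-line listing that `dscl /Search -read / CSPSearchPath` prints and confirms that the Active Directory node comes before the LDAPv3 node. The `SAMPLE_OUTPUT` and `REVERSED_OUTPUT` strings are constructed here so the check runs offline; the OD server name `od.example.com` in them is a placeholder, and the assumption that dscl prints one indented value per line is noted in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): verify a client's authentication
# search policy lists the AD node ahead of the OD LDAPv3 node.
# On a real Mac the input would be:  dscl /Search -read / CSPSearchPath
# Assumed output shape: a "CSPSearchPath:" header, then one node per line,
# each indented by a single space. Both samples below are constructed.

SAMPLE_OUTPUT='CSPSearchPath:
 /Active Directory/All Domains
 /LDAPv3/od.example.com'

REVERSED_OUTPUT='CSPSearchPath:
 /LDAPv3/od.example.com
 /Active Directory/All Domains'

# node_position PREFIX  (dscl listing on stdin)
# Prints the 1-based position of the first node starting with PREFIX, or 0.
node_position() {
    awk -v prefix="$1" '
        /^ / {
            n++
            if (!found && index($0, " " prefix) == 1) { found = n }
        }
        END { print found + 0 }'
}

# check_search_order LISTING
# Succeeds (exit 0) only when both nodes are present and AD precedes LDAPv3.
check_search_order() {
    ad=$(printf '%s\n' "$1" | node_position "/Active Directory/")
    od=$(printf '%s\n' "$1" | node_position "/LDAPv3/")
    [ "$ad" -gt 0 ] && [ "$od" -gt 0 ] && [ "$ad" -lt "$od" ]
}

# report_order LISTING: human-readable verdict for a quick client audit.
report_order() {
    if check_search_order "$1"; then
        echo "OK: AD node precedes OD LDAPv3 node"
        return 0
    fi
    echo "WARNING: search policy is not 'AD first, OD second' (or a node is missing)"
    return 1
}

report_order "$SAMPLE_OUTPUT"
report_order "$REVERSED_OUTPUT" || true
```

On a client the same functions can be fed live data with `check_search_order "$(dscl /Search -read / CSPSearchPath)"`; a non-zero exit is the signal that the search policy was edited by hand (or never set) and needs the `dscl /Search -append` / `-create` steps from the script earlier in the thread.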
jasonthat
Participant
Thanks Patrick. Got it fixed 🙂 It might have been because I did not add “sudo” to the dscl commands (that’s strange even though we run the script as root) and also corrections to the writing of the SearchNodeConfig.plist files – we do not need to add LDAP search paths in there. These are the changes that had to be made to the whole script (if it helps anyone):

# Add LDAPv3 node for the OD server (node path used in the search policy below)
odcsp="/LDAPv3/$odserver"

# Bind to OD
sleep 10
dsconfigldap -v -f -a "$odserver" -n "$odserver" -c "OD_$computerid" -u "$odudn" -p "$odpassword"
sleep 20

# Touch the AD node so it is loaded, then set the search policy:
# AD path ($csp) first, OD path ($odcsp) second, for both auth and contacts
sudo dscl "/Active Directory/All Domains" -list /Computers > /dev/null
sleep 10
sudo dscl /Search -append / CSPSearchPath "$csp"
sudo dscl /Search -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
sudo dscl /Search/Contacts -append / CSPSearchPath "$csp"
sudo dscl /Search/Contacts -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
sudo dscl /Search -append / CSPSearchPath "$odcsp"
sudo dscl /Search/Contacts -append / CSPSearchPath "$odcsp"

# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall DirectoryService

Thanks again for the reply!
jasonthat
Participant
While waiting for some replies on my previous post in this thread, I am just going to drop in a few more questions hoping someone would take the time to reply:
1) At the time of joining OD into AD, do I need to hit the Join Kerberos button before turning the server into an OD Master?
2) On the OD Master, does the LDAP entry have to be before the AD in order (in search policy – authentication)?
On the Mac client, does it have to be the other way around? Search Policy order – AD first & OD second?
3) The “Enable authentication to directory binding” option in Open Directory – Server Admin – does this have to be enabled or does it matter?
4) I was looking at WGM, after a test client was bound to AD first and OD second – my confusion is, once the client is bound to an OD, wouldn’t that computer record show up in the list of “Computers” in WGM (not the AD records)?
These are the main ones for now but… If any of you know the answers to these questions or could explain, please do fill in. Thanks!
jasonthat
Participant
Ok, I went ahead with testing out the Golden Triangle. A few questions along the way. [u]Steps I have tried so far:[/u]
*a running Windows 2003 AD server, standalone 10.5 Leopard server and clients all at 10.5*
1) Made sure the OS X server is stand-alone
2) Went into Directory Utility and joined the server to the AD domain
3) Went into Open Directory settings in Server Admin and changed the role to OD Master
4) Then made sure the Authentication tab of search policy had the AD entry first and then the OD LDAP entry
5) Confirmed that the Kerberos was stopped in the Overview section of Open Directory settings in Server Admin and saw the LDAP search base pointing to the OD (did not show the Kerberos realm, guessing it does not show in Leopard)
6) Verified the binding OD to domain worked properly (opened up WGM and saw the AD users listed in there)
[u]Clients:[/u] [b]Should I be “binding” the Mac clients to both the AD (first) and to OD as well, OR do I only bind it to AD and then only a connection to the OD (without binding)?[/b]
Another thing I noticed here is that I am pretty sure that on my first test client, while binding to the AD, I only had to follow the steps for binding it to the AD through Directory Utility and didn’t have to do anything else for connection to OD. After a logout and checking back in Directory Utility, I found that the OD server, along with the AD server, was automatically listed in the available “Directory Servers” and the LDAP entry as well in the Authentication tab of the search policy (although the LDAP entry was found to be above the AD domain in order).
Now this automatic showing up of the OD server in Directory Utility did not happen for the rest of the test clients. The only thing I remember changing is removing the LDAP entry in the Contacts tab of search policy of the OD server.
However, to mention, the AD account logins to the bound clients work perfectly well (although I have not tested the managed settings through WGM) and I am able to see all their home folders & working mobile accounts, but for all this to work, [b]I have to manually add the LDAP entry in Directory Utility on the clients. Is this usually manual or are there any changes I need to make to have this automatic?[/b]
Sorry about the length, but if someone would care to confirm that I have followed the right procedure here in the AD-OD integration and client bindings, much appreciated. Thanks.
jasonthat
Participant
Hey userosx,
could you tell me if you were using launchd to do the renaming & binding after the machines had been imaged? Sorry, I am not familiar with launchd, but would it be possible to use launchd for this purpose if my 500+ machines were already imaged? If so, what other ways are there to do this for all these machines over the network? Thanks.
jasonthat
Participant
[QUOTE][u]Quote by: MacTroll[/u][p]
3. A couple of reasons why you might want to use a third party plugin. The plugins can sometimes handle more exotic AD configurations much better than the built-in plugin, cross forest trusts are a good example of this. Also some of the plugins allow you to manage the Macs with Windows-based tools. Although I think the vast majority of installations are using the built-in plugin.[/p][/QUOTE]
I am quite sure that might be true about the majority because of the cost factor. I myself am leaning towards the Golden Triangle for now. Let’s see how that works out first and later on, if the environment calls for advanced management abilities, I might look into the paid options. Anyway, thanks MacTroll….