Forum Replies Created
r00tb00t
Participant
This is something that confused me for a while and I think the secret is all about what order you do things in:
1. Format the Apple server (obviously this might not be an option; if not, demote it from an OD master to a stand alone “nothing” server, although I can not say that will 100% be enough, I was lucky enough to just format mine)
2. Bind the server to AD with the directory util
3. Promote the Apple server to an OD Master (now when you promote it, it will realise that it is already bound to AD and sort of “slave” to AD)
4. Then turn on Single Sign On and go from there

I hope this helps 😉
r00tb00t
Participant
I know this probably isn’t going to seem helpful but the guide on bombich.com (http://www.bombich.com/mactips/activedir.html) was my saviour.
I just downloaded and printed it off, took it home Friday, read the whole thing, came to work on Monday, formatted my xServe and just started from fresh and sorted it out with that document.
Read the bombich guide and read the one on afp549 over the weekend and I reckon you will have it all straight in your head, then come in Monday, blitz the server and go for it.
Worked a treat for me 😉
r00tb00t
Participant
A cheeky side note:
Hey guys, this is a fascinating topic as I have an all-Windows network with a handful of Mac users and I would like to extend the AD Schema to support those Macs (they only need simple management, nothing too special) but I can’t find any good resources about how to actually extend the schema to do this. How did u guys get the info from Apple? Where can I get it? Does anyone recommend any tutorials or documents, as I have no experience with working the AD Schema in any fashion?
Sorry for hijacking…
Jamse 😉
r00tb00t
Participant
I have users in groups in AD (they are in both the “Domain Users” group and in their individual groups for each set of users) and I have nested the user groups in AD.
Example:
AD > Users OU > 2008 Students OU > (all the students who start in 2008 are in here)
In the 2008 Students organisational unit is a user group called “2008”. Users in the 2008 Students OU are members of both “Domain Users” and “2008”, then in OD I have nested “2008” in a group called “2008nest” (for example) and applied my settings to “2008nest”.
Just my two pence 😉
r00tb00t
Participant
What about if I also configure my kerberos.edu.mit file and anything else that requires it? Basically, users in domain1 in forest1 want to mount shares from xServes in domain2 (which is a magic triangles set up) in forest2. We are having to set up a cross-forest trust anyway because they want to mount some of the shares on the Windows file servers, which we know works already.
Is there any way anyone knows of that cross-forest trusts can be used? I don’t believe OS X doesn’t have the capability, I would have thought that as long as all Kerberos ticket requests the xServes get are then passed to the AD Domain Controller (which is also DNS) it would take care of validating the ticket (which it would because they would be for our cross-forest trust?)
r00tb00t
Participant
Thanks for your reply Zanzan, this seems strange though seeing as I can bind my server (or a workstation) to the Apple Open Directory Master as a client (and log onto a network account) so why can’t I make a Replica/BDC?
Stupid Windows!
[quote]DNS SRV records are not a Microsoft specific animal.[/quote]
I didn’t think they were, as I have seen them on various different DNS servers across different platforms (mostly Debian), however I can’t see why this is such an issue. Seems like another cheap Micro$oft trick so I “have” to put Windows in charge and Apple as the slave and not the other way around? I can’t manually add the record entries either because the OS X DNS Server doesn’t structure its entries in the same way.
Surely this must be possible, do you think it would work if I were to use a separate Windows DNS Server? Remove the Apple PDC, set it to use my standalone DNS server, then re-create the PDC? If OS X doesn’t auto-create the required DNS entries for me (like a Windows PDC does upon creation) then at least I might be able to put them in manually?
Any help is greatly appreciated.
Regards,
r00tb00t 😉