Recently I was hired to give my opinion about merging an existing Macintosh Open Directory(OD) network into a Windows Active Directory(AD) network. This was being done because Company A merged with Company B, and Company B being more powerful and larger wanted to stay with their AD infrastructure. My opinion was to move to a “Magic Triangle” setup where an OD server is bound to an AD Domain Controller(DC). The users and groups are managed by Active Directory, however the Mac clients are bound to both AD and OD for the purpose of being able to hand out MCX records to users, groups, and computers. I wrote this how to because no matter how much documentation I read I have not been able to find some of the key pieces of information I needed to accomplish this goal. On a side note, I would like to give a big hello to Alper Bac, current Systems Administrator of Cohos Evamy for his invaluable help in solving some of the AD configuration issues we were having.
On the Mac Server 10.6
Step 1: Check the Active Directory configuration.
Make sure your Active Directory server and its DNS service is properly configured and running.
Step 2: Turn on Open Directory service.
Use Server Admin to turn the Open Directory service on. After the service is turned on you can configure Open Directory service settings.
Step 3: Ensure the computer is a standalone directory service.
Step 4: Connect to Active Directory.
- Go to Server Admin, Open Directory.
- Click Settings button at top, then the General tab. The window should report that its role is “Standalone Directory.” If this is correct you can now click change, otherwise go to Step 3.
- In the pop-up dialogue choose “Connect to another Directory”
- Then Continue, and click “Open Directory Utility”
- The Directory Utility application will appear. If it is locked please unlock it.
- Ensure that active directory is uncheck
- Double click “Active Directory”
- Type in your domain and expand the arrow beside “Show Advanced Options”
- Ensure that “Create mobile account at login” and “Force Local home directory on startup disk” is uncheck. Then click OK
- Quit Directory Utility
- Back in the Open Directory Wizard box click Done
- Open System Preferences and go to Accounts
- Click on Login Options and Click “Join”
- Type the name of Active Directory Domain Controller (DC) in where it says “Server:” as well as the AD Admin user/password credentials in the appropriate boxes. Also give the computer an record name. This name will be the record that is created in Active Directory.
- Once joined the Mac will ask about Kerberos. Just ignore this for now.
Step 5: Set up an Open Directory master.
- Go to Server Admin, Open Directory
- Click Settings button at top, then the General tab. The window should report that its role is “Connected to another directory” If this is correct you can now click change, otherwise go to Step 4.
- Choose the first option “Remain connected and set up an Open Directory Master”
- If it complains about Kerberos just ignore this again.
- Setup the diradmin account. Give it a secure password as this is our Directory Administrator account.
- Now type in a relevant LDAP Search Base. If you don’t know what should go here just click continue. However if you don’t know what goes here yet you’re trying to integrate a Mac into AD I must say that you may be in over your head.
- Confirm your settings and click continue.
- Now in Server Admin we want to set a policy under Open Directory. So click on Policies tab and then Bindings subtab and enable the “Require authenticated binding….” check box.
Step 6: Disable Kerberos on Open Directory master.
Disable Kerberos on your Open Directory Master server to avoid conflicts with your Active Directory Kerberos realm. In a terminal type: (use the diradmin credentials)
sudo sso_util remove -k -a username -p password -r NAME. OF.KERBEROSREALM
Step 7: Kerberize services.
Kerberize your Open Directory server services with the Kerberos realm of your Active Directory server, in a terminal type:
sudo dsconfigad -enablesso
On the Windows Server 2003
What we need to do is assign a home folder to an existing user account. So let’s grab the user account “Test” and map a home folder to it.
- Go to Start, Administrative Tool, Active Directory Users and Computers
- Right click domain name and search for users
- Open Properties and then profile tab
- Click the “home folder” radio button and select an unused drive letter. For our example it will be “Z:” and then enter beside it the Windows File server fqdn in this format. \\fqdn\share\username
- Once you accept Windows will go and create this folder and assign all the appropriate ACLs
On the Mac Client 10.5
What we need to do on the Mac client is bind it to both AD and OD.
- Login as a the local admin user
- Open Applications/Utilities/Directory Utility.app
- Click on “Services” and then double click “Active Directory”
- Expand the Show Advanced Options arrow and disable “Force local home directory on startup disk”
- Now click on “Directory Servers” and click on “+”
- From the drop down select “Active Directory” and type the name of the DC
- Enter the computer ID and AD username/password and click join.
- If this fails then try clicking on Services and double click on Active Directory
- Type in the domain and client ID here and click “Bind”
- Open Applications/Utilities/Directory Utility.app
- Click “+” and select “Open Directory” from the drop down menu
- Type in the name of the ODM
- The computer should ask you for the OD diradmin password and client ID. Type in the same ID as you did for the Windows box (for consistency’s sake)
Now you should have two directory servers listed in the Directory Utility both with green lights.
You should now have a working Magic Triangle. The user and group accounts come from Active Directory and their home folders come from a Windows back File Server. We can now use WGM to introduce things like Portable Home Directories and MCX records. Yay!
Portable Home Directories
- Open WGM (WorkGroup Manager) and authenticate as diradmin
- Create a new group called “Mobility” we’re going to use this group to designate PHD users.
- Under the members tab click on the Plus sign, a side bar should appear.
- At the top of the side bar will be a text string like “Directory: /LDAPv3/127.0.0.1” click on this and change it to “/Active Directory/All Domains”
- Wait up to a couple minutes and you will start to see users from Active Directory appears. You can drag these users into the members pane of WGM. AFAIK you can also embed AD groups although I’ve never tried this.
- Now we have an OD group with an AD user member as well as a computer record from the mac client.
- Let’s click on Preferences for the mobility group and then click on “Mobility” under Overview tab.
- Under account creation tab click on “Always” and check “Create mobile account when user logs into network account” a
- Then click on rules tab and select always for all three subtabs yet leave their default values. Except for checking on “Show status in menu bar” under “options” sub tab
- Now try logging in with your AD account again and watch as the mac creates you a PHD and enables the HomeSync menu.
If you have problems with this process then feel free to leave a comment with some contact info and I’ll try to get back to you and help. I’ll have another post coming up for you Windows Sysadmins on how to easily managed your mac clients with Group Policy. If you would like me to help you directly then please refer to my company website and use our contact form.
Update: Please check out next post regarding the deployment of this solution: http://jordaneunson.com/2010/10/apple-magic-triangle-deployment-results/
Update #2:I had a reader have trouble with this above procedure, we communicated for a while about his setup here: http://www.edugeek.net/forums/mac/72958-magic-triangle-permissions.htmlTweet