Mac OS X Servers in Windows AD forest

[Tamino]

Okay, Here we go. I have the following network setup.

Windows AD forest:mydomain.com
1 Primay domain controller adpdc.mydomain.com

3 Macintosh servers data1, data2, MACPDC
2 servers have 3 400GB drives and are to be used as data servers
1 server is configured with 2 80GB drives as a mirrored Array.

What I need to do is bind ALL three servers to the AD domain.
I need to be able to use AD user group and account permissions from the AD domain on the data servers.

Ultimately I want a single point of user accounts (Active Directory)
I want a user to be able to log in to a PC or a Mac and be able to access his/her documents from either. The data storage is located on the Mac servers.
My Mac clients have already been successfuly bound via AD.

All OS's are 10.4.5 with the latest updates installed.

I eventually want to be able to manage users and workgroups via workgroup manager on the mac side but that may not be possible. I may need to use GPO's or ACL's via AD.

Any idea on how to get this to work?
I can see the Active directory accounts in workgroup manager on the data servers and I can assign permissions to the shares. I can access these shares via a PC, however I can't see the shares on the Mac side.
Also I need to make sure the permissions are correct. I think I may have to modify the schema due to the UniqueID issue.

Anyone have any experience with Mac OS X Server Tiger and Active Directory (Windows Server 2003)

Thanks!

[Go3iverson]

You may want to consider a consultant to come in and configure all of this for you.

If not, if you are trying to publish managed client settings to the Mac OS X clients, you'll need to do one of two things. One, you could create an Open Directory Master, populate OD Groups with AD users and add in a second authentication node to your OS X clients. The alternative is to extend the schema of the AD to include the Mac OS X specific attributes. If you want to go that route, let me know off the site and I can give you the details about that implementation.

How are you searching for the shares on the Mac side? What file sharing services do you have enabled?

Michael

[sourcehound]

Going the Schema extension route is not a good idea at this point in time. Once, it was really the only option if you wanted to have managed users while authenticating from AD. With Tiger server, it is possible to map a attribute or two or leverage an unused schema attribute within AD or replicate what you need into OD via a script. If you need more information, feel free to visit the links in my signature below or sign up for our Advanced Server Training which goes over Active Directory Integration. BTW: in a properly setup AD/OD integration, management of user accounts is done via the Active Directory Users and Computers Application on the AD Server and the Workgroup Management in WGM is done on Groups or Computer Accounts.

You may want to consider a consultant to come in and configure all of this for you.

If not, if you are trying to publish managed client settings to the Mac OS X clients, you'll need to do one of two things. One, you could create an Open Directory Master, populate OD Groups with AD users and add in a second authentication node to your OS X clients. The alternative is to extend the schema of the AD to include the Mac OS X specific attributes. If you want to go that route, let me know off the site and I can give you the details about that implementation.

How are you searching for the shares on the Mac side? What file sharing services do you have enabled?

Michael

[Go3iverson]

Sure, there are alternatives, such as the OD Master supplementing the AD, which tends to be my favorite deployment, but AD schema extension is still exceptionally viable in many cases. Barring specifics in implementation architectures, some folks simply want a single point of administration and want it on AD. They also want to be able to manage individual users, in an AD, but with MCX data as well.

[Tamino]

The good thing is that I have a completely new AD domain and a completely new OD domain to work with. Once I figure out how we are going to do this, we'll do it over the summer and re-create all the student and faculty accounts in the AD domain. I've always planned to do the usermanagement from the AD domain. Only problem is that we have 5 elementary schools that are still on OS9 with Mac Manager on an OS X server. If I can get Mac Manager to see the accounts in AD that will be the goose and the golden egg. But for now I'd just like to get the OS X systems taken care of. Worse comes to worse I'll just let the OS 9 users log on locally.

[Tamino]

Oh! I would love to take the advanced course, however I'm working on my BSIT at The University of Phoenix online and I'm a bit strapped for $$$ right now.

[Go3iverson]

Tiger is not a big platform for MM use

Besides budget, is there anything stopping you from migrating them to OS X?

If you already have the hardware and licensing, no reason not to do the magic triangle then, with your OD supplementing the MCX to the AD to the client for you.

Michael

[Tamino]

We are going with the magic triangle approach.
Now here is the kicker. I have 8 replica servers that do basic DHCP, authentication and AFP. I have four other servers that are for home directories in addtion to the replicas being home directories. I've just removed 6 Dual XServe G4 boxes from a school. They were netboot servers.
What I want to do is the following:

In addtion to the 6 netboot servers I have 2 more Dual G4 XServes. I plan to bump the memory up to 4GB and put dual 400GB drives (mirrored with an XServe RAID CARD). I plan to create an OS X (tiger) server for each of the schools. The server will do the following:
1. DHCP
2. AD/OD Replication & Authentication
3. Print spooling
4. User Home Directories. (Home directories lie on an XRAID)

Now I want to connect the 8 servers via a fiber channel switch to an XRAID box maxed out with 500GB drives in each bay. I also will have a back up server connected by fiber channel to backup the XRAID.

Does this sound feasable? I need to keep the AFP/SMB connections per server around 100 (per Apple). We have about 85 - 110 average simultainious connections on each of our servers that host home directories.

Of course the OD Master will be bound to a Active Directory Master and we will use kerberos for the authentication. This way all the servers will be bound to the AD/OD/MCX magic triangle.

If I'm ok with my thinking, and not a candidate for a straight jacket, I'd like to make different partitions on the XRAID. One for each School's faculty and one for all the students sectioned off in shares by Year of Graduation. Or could I just split the XRAID box and put faculty on one side and students on the other and just make sharepoints for each school faculty group and student YOG group?

By the way this is all being done in a sandbox environment. Not production mind you.