authenticating NT domain users, help!

poisonpill · #1 November 30th, 2006, 09:53 PM

I'm running server 10.4.8, how do I authenticate NT domain users on this? I tried to set the server to be a Backup Domain Controller, but then it wants Open Directory to be in replica mode. The problem there is that it needs an Open Directory server to replicate.

Any tips, suggestions? Thanks!

Go3iverson · #2 November 30th, 2006, 11:47 PM

You need to create a PDC installation in Mac OS X to begin this process. The PDC requires an Open Directory Master on the same box to operate. You can create BDCs only on Open Directory Replicas and if you have a Mac OS X PDC installation as well.

Michael

poisonpill · #3 December 1st, 2006, 08:34 AM

Thanks Mike.

I have created the PDC, but how do I then switch the Open Directory to replica? It keeps asking what I want to replicate and prompting for an ip, root pw, etc.

Is there any way I can do this with a single Mac OSX instance? Or would I need a separate PDC?

Again, I appreciate your help.

Smuth · #4 December 4th, 2006, 12:46 PM

Lets assume 2 things, you already have an Active Directory running on PC hardware,You have bound the server to AD using Directory Access.
You can set Open Directory to be 'Connected to a Directory System". You will also probably need to disable Kerbros on the server because 2 instances running, 1 between the server and AD, the other running between the server and client will cause problems. Then point the client to your Mac server using Directory Access for LDAP and it will Authenticate the users to AD through the Mac. You MUST have reverse DNS for the MAC to function properly within AD.

Hopefully I have given you some ideas, I am working on a White Paper for AD-OD intergration in my spare time.

Go3iverson · #5 December 5th, 2006, 11:22 PM

There are some pretty good whitepapers on AD-OD out there that may be able to help you. Remember, though, PDC/BDC is a very different bird than AD.

What are you trying to change to an OD Replica? The PDC? Can't do it. The PDC *must* be on a Master. The BDC *must* be on an OD Replica.

So, to wrap - you can have an OD Master + PDC on one box. You can have an OD Replica + BDC on a different box. You cannot have an OD Master + BDC on one box. Make sense?

In PDC/BDC (NT) terms, there was a, well Primary Domain Controller and then Backup Domain Controllers. This was absolved in AD, as that implemented a multi-master scheme, so there was not one specific primary.

Ideally, you'll have two servers, if this is for mission critical services, such as OD and PDC authentication. One will have both of your "Master" role services (OD Master + PDC) and one will have your "Secondary" role services (OD Replica + BDC), so if you were to lose one, you would still have the service available to your network.

Hope this helps!

Michael

Smuth · #6 December 6th, 2006, 09:46 AM

I didn't notice the NT, that is so old I assumed everyone was up to AD after 2002-2003 when NT support was dropped by Microsoft. Seriously consider upgrading, it is so much easier in AD and the plugins are already there in OS X. Going from PDC/BDC to just DCs makes life alot easier.

Go3iverson · #7 December 6th, 2006, 10:26 AM

All depends on their needs. NT --> AD upgrades aren't exactly free!

Michael