Mac OS X Servers in Windows AD forest

Tamino

Okay, here we go. I have the following network setup.

Windows AD forest: mydomain.com
1 primary domain controller adpdc.mydomain.com

3 Macintosh servers data1, data2, MACPDC
2 servers have 3 400GB drives and are to be used as data servers
1 server is configured with 2 80GB drives as a mirrored array.

What I need to do is bind ALL three servers to the AD domain.
I need to be able to use AD user group and account permissions from the AD domain on the data servers.

Ultimately I want a single point of user accounts (Active Directory)
I want a user to be able to log in to a PC or a Mac and be able to access his/her documents from either. The data storage is located on the Mac servers.
My Mac clients have already been successfully bound via AD.

All OS's are 10.4.5 with the latest updates installed.

I eventually want to be able to manage users and workgroups via Workgroup Manager on the Mac side, but that may not be possible. I may need to use GPOs or ACLs via AD.

Any idea on how to get this to work?
I can see the Active Directory accounts in Workgroup Manager on the data servers and I can assign permissions to the shares. I can access these shares via a PC; however, I can't see the shares on the Mac side.
Also I need to make sure the permissions are correct. I think I may have to modify the schema due to the UniqueID issue.

Anyone have any experience with Mac OS X Server Tiger and Active Directory (Windows Server 2003)?

Thanks!
 
You may want to consider a consultant to come in and configure all of this for you.

If not, if you are trying to publish managed client settings to the Mac OS X clients, you'll need to do one of two things. One, you could create an Open Directory Master, populate OD Groups with AD users and add in a second authentication node to your OS X clients. The alternative is to extend the schema of the AD to include the Mac OS X specific attributes. If you want to go that route, let me know off the site and I can give you the details about that implementation.

How are you searching for the shares on the Mac side? What file sharing services do you have enabled?

Michael
 
Going the schema extension route is not a good idea at this point in time. Once, it was really the only option if you wanted to have managed users while authenticating from AD. With Tiger Server, it is possible to map an attribute or two, leverage an unused schema attribute within AD, or replicate what you need into OD via a script. If you need more information, feel free to visit the links in my signature below or sign up for our Advanced Server Training, which goes over Active Directory integration. BTW: in a properly set up AD/OD integration, management of user accounts is done via the Active Directory Users and Computers application on the AD server, and the workgroup management in WGM is done on groups or computer accounts.



Go3iverson said:
You may want to consider a consultant to come in and configure all of this for you.

If not, if you are trying to publish managed client settings to the Mac OS X clients, you'll need to do one of two things. One, you could create an Open Directory Master, populate OD Groups with AD users and add in a second authentication node to your OS X clients. The alternative is to extend the schema of the AD to include the Mac OS X specific attributes. If you want to go that route, let me know off the site and I can give you the details about that implementation.

How are you searching for the shares on the Mac side? What file sharing services do you have enabled?

Michael
 
Sure, there are alternatives, such as the OD Master supplementing the AD, which tends to be my favorite deployment, but AD schema extension is still exceptionally viable in many cases. Barring specifics in implementation architectures, some folks simply want a single point of administration and want it on AD. They also want to be able to manage individual users, in an AD, but with MCX data as well.
 
The good thing is that I have a completely new AD domain and a completely new OD domain to work with. Once I figure out how we are going to do this, we'll do it over the summer and re-create all the student and faculty accounts in the AD domain. I've always planned to do the user management from the AD domain. The only problem is that we have 5 elementary schools that are still on OS 9 with Mac Manager on an OS X server. If I can get Mac Manager to see the accounts in AD, that will be the goose and the golden egg. But for now I'd just like to get the OS X systems taken care of. Worst comes to worst, I'll just let the OS 9 users log on locally.
 
Oh! I would love to take the advanced course, however I'm working on my BSIT at The University of Phoenix online and I'm a bit strapped for $$$ right now.
 
Tiger is not a big platform for MM use :)

Besides budget, is there anything stopping you from migrating them to OS X?

If you already have the hardware and licensing, no reason not to do the magic triangle then, with your OD supplementing the MCX to the AD to the client for you.

Michael
 
We are going with the magic triangle approach.
Now here is the kicker. I have 8 replica servers that do basic DHCP, authentication and AFP. I have four other servers that are for home directories, in addition to the replicas being home directories. I've just removed 6 Dual Xserve G4 boxes from a school. They were NetBoot servers.
What I want to do is the following:

In addition to the 6 NetBoot servers I have 2 more Dual G4 Xserves. I plan to bump the memory up to 4GB and put in dual 400GB drives (mirrored with an Xserve RAID card). I plan to create an OS X (Tiger) server for each of the schools. The server will do the following:
1. DHCP
2. AD/OD Replication & Authentication
3. Print spooling
4. User Home Directories. (Home directories lie on an XRAID)

Now I want to connect the 8 servers via a fiber channel switch to an XRAID box maxed out with 500GB drives in each bay. I also will have a back up server connected by fiber channel to backup the XRAID.

Does this sound feasible? I need to keep the AFP/SMB connections per server around 100 (per Apple). We have about 85 - 110 average simultaneous connections on each of our servers that host home directories.

Of course the OD master will be bound to an Active Directory master and we will use Kerberos for the authentication. This way all the servers will be bound to the AD/OD/MCX magic triangle.

If I'm OK with my thinking, and not a candidate for a straitjacket, I'd like to make different partitions on the XRAID: one for each school's faculty and one for all the students, sectioned off in shares by year of graduation. Or could I just split the XRAID box and put faculty on one side and students on the other and just make sharepoints for each school faculty group and student YOG group?

By the way this is all being done in a sandbox environment. Not production mind you.
 
Ok, sorry, I've lost you with what server is going where and how many of which server was on a train headed for Atlanta at 75MPH while another server was headed towards Miami at 90MPH... :)

Can you clarify that a bit for me?

Things to keep in mind, though:

With the addition of an FC switch, you can really connect as many hosts as you want to an XSR unit. I'm not a huge fan of partitioning XSR units. You could create 2 x 3-drive RAID 5 LUNs and then edit the fstab file to prevent multiple hosts from grabbing the same LUN.

Alternatively, you could consider Xsan for this task (test this heavily!) and create multiple volumes, so that each machine only has access to specific volumes. You could still grow the volumes in this scenario, but Xsan for home directories is a mixed bag, this second.

Your OD replicas will only be replicating the data directly in the OD, not the AD as well. What I mean is, the OD won't be able to go live as a replacement for your AD, if the AD was lost. Alternatively, I have migrated folks from AD installations to OD installations in the past, so if for some reason you decided you wanted that, it is possible.

What are you planning to use for backup of this solution?

Michael
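An added example (not code from the thread or from Apple) of the fstab hygiene Michael mentions: on Mac OS X, a line of the form `UUID=<volume uuid> none hfs rw,noauto` in `/etc/fstab` stops the host from auto-mounting that volume. The script below parses a host's fstab and reports every shared LUN owned by another host that this host would still mount on its own, and emits the lines it is missing. The host names, LUN ownership table and fstab contents are constructed for the example.

```python
"""Check an Xserve host's /etc/fstab for shared Fibre Channel LUNs it would
auto-mount.

Added example, not from the thread. Two hosts mounting the same HFS+ LUN
read-write will corrupt it, so every LUN on the shared FC switch that this
host does NOT own needs a 'UUID=<uuid> none hfs rw,noauto' entry. All UUIDs,
host names and fstab contents below are constructed."""

import re
from typing import Dict, List

# Constructed: every LUN visible on the FC switch and the host that owns it.
SHARED_LUNS: Dict[str, str] = {
    "11111111-1111-1111-1111-111111111111": "wilsonserv",
    "22222222-2222-2222-2222-222222222222": "wilsonserv",
    "33333333-3333-3333-3333-333333333333": "eastserv",
    "44444444-4444-4444-4444-444444444444": "eastserv",
}

# Constructed /etc/fstab as it might look on wilsonserv; one LUN is missing.
WILSONSERV_FSTAB = """\
# Volumes owned by other hosts on the FC switch: never auto-mount.
UUID=33333333-3333-3333-3333-333333333333 none hfs rw,noauto
LABEL=Scratch none hfs rw,noauto
"""

# fs_spec fs_file fs_vfstype fs_mntops (the four fields Mac OS X uses)
_FSTAB_LINE = re.compile(
    r"^(?P<spec>\S+)\s+(?P<file>\S+)\s+(?P<type>\S+)\s+(?P<opts>\S+)"
)


def parse_fstab(text: str) -> Dict[str, List[str]]:
    """Map each UUID= entry to its mount options.

    Comments, blank lines and LABEL= entries are skipped: a label is not
    unique across LUNs, so it cannot safely pin down a volume on a shared
    switch."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _FSTAB_LINE.match(line)
        if not m:
            continue
        spec = m.group("spec")
        if spec.upper().startswith("UUID="):
            entries[spec[5:].lower()] = m.group("opts").split(",")
    return entries


def unprotected_luns(host: str, fstab_text: str, luns: Dict[str, str]) -> List[str]:
    """Return UUIDs of LUNs owned by another host that this host would still
    auto-mount: no fstab entry at all, or an entry without 'noauto'."""
    entries = parse_fstab(fstab_text)
    bad: List[str] = []
    for uuid, owner in sorted(luns.items()):
        if owner == host:
            continue
        opts = entries.get(uuid.lower())
        if opts is None or "noauto" not in opts:
            bad.append(uuid)
    return bad


def fstab_entries_for(host: str, luns: Dict[str, str]) -> str:
    """Emit the noauto lines this host needs for every LUN it does not own
    (to be added to /etc/fstab with 'sudo vifs')."""
    return "".join(
        f"UUID={uuid} none hfs rw,noauto\n"
        for uuid, owner in sorted(luns.items())
        if owner != host
    )


if __name__ == "__main__":
    missing = unprotected_luns("wilsonserv", WILSONSERV_FSTAB, SHARED_LUNS)
    print("LUNs wilsonserv would still auto-mount:", missing)
    print(fstab_entries_for("wilsonserv", SHARED_LUNS), end="")
```

A `noauto` entry only stops the automatic mount at boot or on device arrival; anyone who can open Disk Utility on that host can still mount the volume by hand, so treat this as host-side hygiene and pair it with zoning or LUN masking on the switch or RAID where the hardware offers it.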
 
We want to have all the student group shares (home directories) on the XRAID: Class_of_2009, Class_of_2010, etc. Each school will need to access these directories, since we want to create a user home directory and leave the user's data in it as they go through grade by grade.

The faculty would need to be put on another sharepoint on the other side of the XRAID that would need to be seen by all the servers.

i.e. student Mike Lamb's home directory would be
NFS "/Network/Servers/Wilsonserv.nps/Volumes/StudentSharepoints/Class_of_2009/mlamb"
AFP "afp://wilsonserv.nps/StudentSharepoints/mlamb"

So each school (8) would have one server connected via fiber to the XRAID via a FC switch.
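The two home-directory forms in the post are the two attributes an Open Directory user record carries for a network home: `HomeDirectory` (an XML fragment with the AFP URL of the sharepoint and the path inside it) and `NFSHomeDirectory` (the automount path under `/Network/Servers/`). The following is an added example, not code from the thread or from Apple, that builds both from a server, sharepoint, class folder and short name, checks that an existing record's two attributes point at the same folder, and refuses short names or class folders that would place a home outside the sharepoint. It assumes the AFP path carries the same Class_of_2009 component as the NFS path so both resolve to one folder; server, share and user names are constructed.

```python
"""Build and cross-check the HomeDirectory and NFSHomeDirectory attributes of
a Mac OS X (Tiger) Open Directory user record for a network home on an AFP
sharepoint.

Added example, not from the thread. Assumptions: the AFP url+path in
HomeDirectory and the NFSHomeDirectory automount path must name the same
folder, and the short name and class folder come from an import file, so they
are validated before being spliced into a path. Names are constructed."""

import re
import xml.etree.ElementTree as ET
from typing import Dict

# One path component: letters, digits, dot, underscore, dash; never "." or ".."
_COMPONENT = re.compile(r"^(?!\.\.?$)[A-Za-z0-9._-]{1,255}$")


class BadName(ValueError):
    """A value that would escape the sharepoint or break the AFP URL/XML."""


def is_safe_component(value: str) -> bool:
    """True if value cannot escape its folder (no '/', no '..', not empty)
    and cannot confuse the AFP URL or XML (no whitespace, '<', '&', ':')."""
    return bool(_COMPONENT.match(value))


def check_component(value: str, what: str) -> str:
    if not is_safe_component(value):
        raise BadName(f"{what} {value!r} is not a safe path component")
    return value


def home_attributes(server: str, share: str, group: str, short_name: str) -> Dict[str, str]:
    """Return the OD attributes for a network home at <share>/<group>/<short_name>."""
    for value, what in ((server, "server"), (share, "sharepoint"),
                        (group, "group"), (short_name, "short name")):
        check_component(value, what)
    rel = f"{group}/{short_name}"
    home_dir = ET.Element("home_dir")
    ET.SubElement(home_dir, "url").text = f"afp://{server}/{share}"
    ET.SubElement(home_dir, "path").text = rel
    return {
        "HomeDirectory": ET.tostring(home_dir, encoding="unicode"),
        "NFSHomeDirectory": f"/Network/Servers/{server}/Volumes/{share}/{rel}",
    }


def attributes_consistent(attrs: Dict[str, str]) -> bool:
    """Audit an existing record: the folder named by AFP url+path must be the
    one the NFSHomeDirectory automount path points at. A mismatch means the
    Mac login lands in a different folder than the one the user sees as
    their share, which is how data quietly ends up in the wrong place."""
    root = ET.fromstring(attrs["HomeDirectory"])
    url = root.findtext("url") or ""
    path = (root.findtext("path") or "").strip("/")
    m = re.match(r"^afp://([^/]+)/([^/]+)/?$", url)
    if not m:
        return False
    server, share = m.groups()
    expected = f"/Network/Servers/{server}/Volumes/{share}/{path}".rstrip("/")
    return attrs["NFSHomeDirectory"].rstrip("/") == expected


if __name__ == "__main__":
    attrs = home_attributes("wilsonserv.nps", "StudentSharepoints", "Class_of_2009", "mlamb")
    for name, value in attrs.items():
        print(f"{name}: {value}")
    print("consistent:", attributes_consistent(attrs))
    try:
        home_attributes("wilsonserv.nps", "StudentSharepoints", "Class_of_2009", "../../Faculty")
    except BadName as err:
        print("rejected:", err)
```

The component check matters most in the bulk import the poster plans for the summer: a short name or class folder taken from a spreadsheet and containing `/` or `..` would otherwise produce a home directory that resolves outside the student sharepoint, under whatever ACLs happen to apply there.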
 