View Full Version : OD/AD Help Needed
Jun 17, 2011, 04:47 PM
I am new to the server game and have no experience in IT. I work for a Communications department and since we do all of our video/audio/photo editing on Macs, we realized our workflow would be greatly enhanced by purchasing a Mac Pro Server. I am attempting to implement the Golden Triangle in an Active Directory environment but am running into a few problems.
I did a fresh install of Snow Leopard Server and did not autoconfigure any services. I gave the server a static IP address and named the server 'department.school.edu' (just an example). I then enabled DNS and Open Directory. I set the domain name to 'department.school.edu' and the Nameserver Hostname to 'department.school.edu'. I then bound the server to our Active Directory through the Open Directory admin panel. When I did so, it notified me that it could not connect to the Active Directory Kerberos Realm or that the DNS wasnt configured properly. I went ahead and got the server bound to Active Directory and then configured the server as an Open Directory Master.
I am able to connect to my Active Directory and create Augmented User Records, however the only thing I am able to augment is the picture! Also, if I create a normal Open Directory User Record, I cant connect to it from a client Mac, even though I have successfully bound that client to the Open Directory. Also, when I create a group in Open Directory, it does not let me select the Augmented User record as a potential member of that group.
Thoughts? Anyone have any suggestions for a complete newbie?
Jun 17, 2011, 05:25 PM
If you are trying to setup a golden triangle, you surely already have DNS being managed by a Windows Server?
If so, you needn't have OS X running DNS. Check the DNS resolves perfectly for the server using the nslookup command via Terminal:
Make sure they both resolve nicely.
Are you using WGM to actually manage Active Directory users or do you just want to manage machine preferences and such?
Jun 18, 2011, 03:16 PM
"If you are trying to setup a golden triangle, you surely already have DNS being managed by a Windows Server?"
I am certain you are correct, but for some reason I was thinking I had to have DNS configured on the Mac Server. I will try the nslookup command you recommend. How will I know if it doesnt resolve properly/how do I make it resolve properly?
"Are you using WGM to actually manage Active Directory users or do you just want to manage machine preferences and such?"
I am hoping to use WGM to configure Augmented User records, create groups, and manage computers. I dont want to touch the Active Directory records if at all possible.
Jun 18, 2011, 04:29 PM
To check that DNS is resolving correctly, the nslookup commands will not error. So for example, looking up the FQDN of the OD server should resolve in the IP address of the server. And looking up the IP address of the OD server will result in the FQDN of the OD server.
If you have a problem here then you need to go to DNS on your Windows server and check that you have both Forward and Reverse entries for the OD server.
Personally I stay away from Augmenting AD records. You can nest AD users in to OD groups within WGM to manage aspects such as preferences, share points, etc. But for User Account management I stick to using AD.
Take a look at some of the very interesting videos here (http://www.apple.com/education/resources/information-technology.html#dual-directory-architecture). Especially "Dual Directory Architecture" and "Joining Multiple Directories".
I hope this helps.
Jun 22, 2011, 09:33 AM
Thanks for your help on this. I have reinstalled my SL Server software and only enabled Open Directory as a service. I have used the nslookup command and the DNS settings are configured properly. On the Overview pane of the Open Directory tab in Server Admin, it reads that LDAP Server is running, Password Server is running, but Kerberos is stopped. My IT department tells me that the Active Directory provides Kerberos, so is it one of those things like the DNS where I dont have to worry about it running on my Mac server? Or is there a way to configure OSX Server to pull Kerberos from the Active Directory and apply it to the Open Directory groups?
P.S. Good call on pulling Active Directory records into Open Directory groups. I am planning on doing that once I resolve this issue of Kerberos.
Jun 22, 2011, 12:35 PM
Kerberos should indeed be stopped on the OD. There shouldn't be anything else to configure, but to check, run Terminal:
sudo klist -‐kt
The results should indicate that AD is being used for Kerberos.
Did you bind your Apple server to the AD? Can you see the AD users in WGM?
Make sure you use the same time server as your AD servers. Kerberos relies heavily on time.
Jun 22, 2011, 03:14 PM
I ran the sudo command and received this output:
klist: illegal option-- -
Usage: klist [-e] [[-c] [-A] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
Is that normal? It didnt seem like that should be the output, but then I didnt know what to expect.
"Did you bind your Apple server to the AD? Can you see the AD users in WGM?"
The Active Directory is currently bound and I am able to authenticate and see the entire Active Directory in the Workgroup Manager.
"Make sure you use the same time server as your AD servers. Kerberos relies heavily on time."
I have read that Kerberos is time sensitive, but how do I make sure it is connected to our time server?
Jun 23, 2011, 03:33 AM
No that is not the correct output. My mistake. One dash...
sudo klist -kt
Regarding time. You can either find out the time server your main FRDC is using and type in the same in System Preferences > Date & Time > Set date and Time automatically. Or if one of your servers is set as the internal time clock, type the IP address of that server in the same place as above in System Preferences.
Jun 23, 2011, 12:45 PM
Okay, when entering the sudo command I get a ton of results whose Principle begins with things like:
Is there one in particular I am looking for or am I just looking for the array to show? I am assuming that this is correct.
And thanks for pointing me in the direction of the time server. I will make certain it is configured to sync rather than the manual entered time I currently have it at.
Thanks again for helping me resolve this! If there is anything else you can think of, please let me know.
Jun 23, 2011, 02:05 PM
You should have three entries for each one. As long as you promoted to a Open Directory Master after you had bound to AD everything should be working dandy as it detects Kerberos settings automatically.
All that's left is to test your setup with clients and see that everything is working fine ;)
Let me know if you need any other advice. Good luck.
Jun 27, 2011, 05:13 PM
Okay I am now running into some difficulty on the client side. I created a computer account in WGM for the Mac Mini I am testing all of this out on, entering the ethernet ID and IP address. I then went to the Directory Utility on the client computer and successfully bound the Active Directory but cannot get it to connect to my LDAP Open Directory. I could only get it find the server when I unchecked the "connect using SSL" box. Once it is connected, under the Search and Mappings tab, it defaults the "Access this LDAPv3 server using" setting to "From Server." I assume that setting should be on "Open Directory Server," but when I switch that setting to "Open Directory Server" it gives me the message "The status of this server is unknown. This server is not in your authentication search policy."
I dont know enough to know which issues are connected and which are independent of one another. It may be that I have three separate problems with three separate answers and you need more specific information about each before you can help out. Just let me know what info you need and I will do my best to supply it. Thanks again!
Jun 28, 2011, 01:14 PM
Iceman, you don't need to add the computer to WGM manually by Ethernet. Delete all traces of your test Mac Mini from WGM. Unbind you Mac Mini and reboot.
Login to the Mac Mini and bind to AD. Then bind to OD. It should bind to OD ok now, as there is not a manually created record in there. After binding, the Mac Mini should then appear in WGM as a computer. From here you can either manage the preferences of the computer, or add it to a computer group to make management of multiple machines easier.