OD binded to AD or just AD?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by tahoskier, Mar 2, 2012.

  1. tahoskier macrumors newbie

    Jun 19, 2008
    I'm new to networking MACs so I apologize for the noobie questions. We have an existing AD network. Until recently we had two MACs binded to AD. We recently added 10 more. I have 8 macs that will be used for iOS development. We purchased a MAC mini server running Lion Server. I would like to set up a common storage repository for coding. While I'm at it I would like to create a Time Machine backup for all the MACs. We have set up our Open Directory environment, and if I were to create a user in OD, I can log a client in as that user. If I import AD users into OD, I cannot log in to a client with any of the imported AD users. Also, the OD user that was set up cannot log in to the client unless it is on the network. It doesn't create a local profile on the client.

    So questions that I have are:

    Is this the right setup, OD binded to AD on the server, and client binded to OD? If so, how do I set up a local profile for the user on the client?

    How can I log in to the client as an AD member?

    If I binded the client to AD then I can log in as an AD user. There is also a setting to create an offline profile for the AD user.

    I would really like to use some of the management that OD has to offer but I do need to log in as an AD user.
  2. MisterMe macrumors G4


    Jul 17, 2002
    It's Mac, not MAC. Mac is short for Macintosh, Apple's current line of laptop and desktop computers. MAC is an acronym for Media Access Control, the hardware address of network devices. There is a huge difference between the two. The two terms are sometimes used in the same sentence. For example: Every Mac has a MAC address.
  3. tahoskier thread starter macrumors newbie

    Jun 19, 2008
  4. rwwest7 macrumors regular

    Sep 24, 2011
    I was never able to get that working. We just bind the clients to AD, works much better than the golden triangle of death. Look into the Casper suite if you want to manage your MACs (:rolleyes:) over the network. It works great. Only having 8 MACs (:rolleyes:), you can easily create local accounts for the 8 users on the Mini Server to access shares.
  5. mrbrown macrumors 6502a

    Mar 27, 2004
    Ozark, Missouri
    That really doesn't help anyone nor does it provide anything substantive towards answering the poster's question.
  6. cbott macrumors newbie

    Jan 26, 2012
    We bind our Lion Server and the Mac workstations to AD. This lets us log in as AD users and create a local user. Binding the Lion Server also lets us assign permissions to AFP shares as well as our Time Machine server to certain AD users.

    We don't have anyone too versed in OD so this seemed like the best option for now. My suggestion in your situation would be to just use AD and assign permissions through the Server App.

    Hope this helps a little.
  7. Yebubbleman macrumors 68030


    May 20, 2010
    Los Angeles, CA
    While this is true, it's still a good distinction to make that may help the poster avoid further unintended confusion.
  8. Mattie Num Nums macrumors 68030

    Mattie Num Nums

    Mar 5, 2009
    You may be over complicating things by doing an AD/OD replication. What does your environment look like in general? How many PCs, what Exchange version, etc.? Exchange and AD can do almost everything you need without the headaches of managing an AD/OD situation.
  9. it365 macrumors newbie

    Aug 13, 2012
    Hello there, could I kindly ask something?
    Do your Macs connect to the Lion Server (via network account server settings) and are then able to access home folders of Windows users, which appear, say, in Workgroup Manager as it's binded to Active Directory?
  10. cbott macrumors newbie

    Jan 26, 2012
    We aren't using network home folders for Windows or Macs. We can log in as a network user on any of our Macs but it creates a local home folder. We then use Time Machine Server to back up the Macs (and therefore the home folders).

    All of our users have an SMB share on the network (and our Macs can access those) as well as an AFP share on the Lion Server for a select group of people to access.
  11. devorebo macrumors newbie

    Jul 26, 2012
    I am responsible for thousands of computers for a school district. I am luckily in a position to also be responsible for Active Directory. I modified the Active Directory schema to support Mac computers 3 years ago, and it is awesome. It took several weeks of testing, but I eventually put it into my production AD.

    I used to run Open Directory from 10.2 up to 10.5, and it is very unstable. My OD database would get corrupt several times a semester and I would have to rebuild it completely. If there is anything of major dependence on a directory system, do NOT use OD.

    I've modified the schema on a 2003 server, and when I upgraded my AD to 2008 R2 it migrated without any issues. Very reliable.

    Apple has released a white paper here.
  12. Truffy macrumors 6502a


    May 9, 2005
    somewhere outside your window...
    The past participle of bind is bound, not binded.
  13. marc7654 macrumors newbie

    Jul 2, 2007
    'cbott' and 'devorebo' have two answers you should seriously consider. For your environment I'd recommend the simpler solution of setting your Lion Server up as just a Mac file server for your Time Machine etc. No need to run OD on your server.

    First create the machine account in AD for your server, then also set up forward and reverse DNS for the server's static IP. Lion doesn't do DDNS right in many AD environments and your Mac probably turned on its own DNS server because of that. DNS is critical and should be run outside your Mac unless you want your Mac to run all your DNS, but that's getting complicated.

    Now rebuild the server. Because you have OD running and possibly some other things like DNS, you want to just start clean; it's faster. Don't let it do any kind of auto setup of OD or binding to AD; just enter the proper IP and DNS name.

    Now get updates etc. Then bind your server to OD. Use the Server App, not Directory Access. Look under the Manage menu for the option to join a domain. I forget exactly what it says. This assistant will walk you through the binding process and get your server connected to your AD so that users can use their AD credentials to connect to the server. No need to import users from the AD.

    Now you can set up share points and add users from your OD to those shares. If you also bind your Macs to AD you can get single sign-on because everything is now using Kerberos for authentication.

    You can even turn on the Profile Manager and use it as a Mobile Device Management system for your iOS devices. It will let your users use AD credentials to log in to the service and manage their devices, or your admins can do it.
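    The forward/reverse DNS step above is the one that silently breaks AD binding and Kerberos SSO, so here is a pre-bind sanity check as an added example (not from the thread or from Apple; the hostname and addresses in the test are constructed). It assumes `dig` is available and that the server's FQDN and static IP are passed on the command line.

```shell
#!/bin/sh
# Pre-bind DNS sanity check for a Mac server about to join AD (added example).
# Kerberos, and so the AD bind and single sign-on, need the server's FQDN to
# resolve to its static IP and that IP to resolve back to the same FQDN.

# Lowercase a DNS name and drop the trailing dot that dig prints for absolute names.
normalize_name() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Pure comparison: expected FQDN and IP, plus the answers the forward (A) and
# reverse (PTR) lookups returned. Prints OK or the reason; returns 0 on success.
dns_pair_consistent() {
    fqdn=$(normalize_name "$1"); ip=$2
    fwd=$3; rev=$(normalize_name "$4")
    if [ -z "$fwd" ]; then echo "FAIL: no A record for $fqdn"; return 1; fi
    if [ "$fwd" != "$ip" ]; then echo "FAIL: $fqdn -> $fwd, expected $ip"; return 1; fi
    if [ -z "$rev" ]; then echo "FAIL: no PTR record for $ip"; return 1; fi
    if [ "$rev" != "$fqdn" ]; then echo "FAIL: $ip -> $rev, expected $fqdn"; return 1; fi
    echo "OK: $fqdn <-> $ip"; return 0
}

# Live check against the configured resolver; an unreachable resolver fails closed.
check_live() {
    fqdn=$1; ip=$2
    fwd=$(dig +short A "$fqdn" 2>/dev/null | head -n1)
    rev=$(dig +short -x "$ip" 2>/dev/null | head -n1)
    dns_pair_consistent "$fqdn" "$ip" "$fwd" "$rev"
}

# The thread's other DNS pitfall: the Mac answering its own queries instead of
# the AD DNS. Pass the nameserver from `scutil --dns`; loopback means trouble.
resolver_is_self() {
    case "$1" in 127.*|::1) return 0 ;; *) return 1 ;; esac
}

if [ "${1:-}" = "--check" ]; then
    check_live "${2:?fqdn}" "${3:?static ip}"
fi
```

    Run it as `sh check_dns.sh --check server.corp.example.com 10.0.0.5` before starting the join-a-domain assistant; fix DNS until it prints OK.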
  14. Les Kern macrumors 68040

    Les Kern

    Apr 26, 2002
    Every Mac has a MAC address. should be in quotes sayeth the grammar police police.


    Most people I know say boundeded, binderlated, bindederated or bow-wow-eye-en-ded.
