Integrating / binding Mac OS X to Active Directory 2003 domain

ssiruuk2 · 24 Jan 2008 at 20:55

At work we are being forced down the road of buying in a load of Apple notebooks.. which I can see that we are going to have to integrate onto the domain somehow so users can use their normal Windows usernames / passwords and connect to their usual network home directory etc.

Anyone have any experience of this and do you know of any good resources on the internet that covers it? Any pointers ?

What do you do about policies/locking them down and rolling out settings such as internet connection details etc? Sorry Apple OS X client or server is totally new to me.

Thanks

WotDa · 24 Jan 2008 at 21:08

http://www.macwindows.com/ADinstruct.html#2

Should detail the instructions, it seems to deal with policies too, but I just had a quick brose.

Caged · 24 Jan 2008 at 21:36

Don't expect an easy ride

ssiruuk2 · 25 Jan 2008 at 09:55

Thanks very much thats just what I was after!

Caged - I wouldn't expect anything less!!

Oh well here goes..

Thanks again,

WotDa · 25 Jan 2008 at 10:21

Have fun.

epswat · 26 Jan 2008 at 22:12

Check out Centrify (http://www.centrify.com/products/overview.asp), as this will allow GP for Mac clients.
AD integration of Macs is easy, using only AD, as a Mac client will natively bind into AD without needing OD. Do not go down the route of OD/AD integration, as you will spend more money on a OD server + Backup OD server, and will spend most of your time propping up the OD system. OD is the most fragile directory service I have ever seen, whereas AD is rock solid.
What Centrify allows is GP for Mac clients where the GP objects are specific to Macs, and it does not make ANY schema changes to AD at all.

Sorry if this sounds like a sales pitch for Centrify, I do not work for them, but I do work for a Systems Integrator that specialises in Windows/Mac integration.
Hope this helps. If you want more help, e-mail me on [email protected]

Elliott

Whiskas · 27 Jan 2008 at 12:34

I've found that Leopards AD binding is horribly broken and buggy (if you search www.macwindows.com you will find various reports of this, with varying degrees of success and failure).
You should have more success if you can use Tiger, or you have a fairly simple AD setup at your workplace (i.e 1 DC, no Exchange, 1 DNS domain).

epswat · 27 Jan 2008 at 14:12

Agreeded with Leopard, but then no one in their right mind would be using 10.5 in a business enviro.

However I have integrated Macs into quite complex enviro's (corporate AD with multiple domains/forests) with no problem.
Also Entourage will work with Exchange (although no kerborised connections).

Entourage 2008 fixes this with a kerborised connection to Exchange, although as far as I can tell, still no native Exchange connector (still using IMAP).

Whiskas · 27 Jan 2008 at 14:49

Tiger's binding functionality is great, I can't fault it but there are issues (both w.r.t. licencing and hardware compatibility) of installing Tiger on new Macs that have shipped with Leopard. Plus users dont seem too keen on us taking their shiny new Leopard box and installing Tiger on it

Until this binding issue is fixed satisfactorily by Apple deploying Leopard is going to be a no-go here which is a shame as it's this problem that's put our whole deployment project on hold :mad:

It's a shame as Leopard offers some Kerberos functionality that was missing from Tiger which would make life a lot easier (e.g. Kerberized CUPS print queues)

epswat · 27 Jan 2008 at 15:15

Plus, Leopard supports WINS as well.

If you ask me, 10.5 is a step backwards for corp users.

JonB · 27 Jan 2008 at 16:00

epswat said:
Plus, Leopard supports WINS as well.

If you ask me, 10.5 is a step backwards for corp users.

It'll get there, just give them time!

ssiruuk2 · 28 Jan 2008 at 09:46

Thanks for your pointer Epswat; thats really helpful - thank you.

It sounds ideal so far, I was looking at the link further up the post but that requires a dedicated Mac OS server which we dont currently have I really don't fancy implementing on just to act as a bridge between the macs and AD.

Most of our Apple machines are Tiger but these 15 new notebooks are going to be running leopard so I might have a test with this on our G5 and see what this software is like.

Thanks again Epswat :cool:

epswat · 28 Jan 2008 at 11:02

Be aware that 10.5 does not work well with Centrify. There should be a new V4 plugin for mac due soon that fully supports 10.5

For the time being, I would stick with a 10.4 machine for testing purposes.

Glad to help.

Elliott

ssiruuk2 · 29 Jan 2008 at 09:47

Spoken to Centrify sales and got an evaluation download; however they say that they now won't have a market ready version 4 plugin for Mac OS X due till March / April due to Apple's own teething problems with the Leopard OS.

So my next question is... does anyone know if I can get a 10.4x version of the Apple OS and wipe / install it onto the new Mac computers / notebooks that have just been purchased that are running 10.5x?

Sorry but Apple OS is totally new to me.

Thanks

WotDa · 29 Jan 2008 at 10:49

ssiruuk2 said:
So my next question is... does anyone know if I can get a 10.4x version of the Apple OS and wipe / install it onto the new Mac computers / notebooks that have just been purchased that are running 10.5x?

You can do that, yup.

Just pop the disk in, wait for the window to pop up and install away. You'll need to look for the advanced options and do a zero and install if the users haven't yet used them, or an archive and install if they have.

epswat · 29 Jan 2008 at 11:11

You might have a few problems getting boxed copies of 10.4 now. Apple only sell 10.5

Ebay might be your best option, assuming you want to be legal in terms of licensing.

I do not believe owning a licensed copy of 10.5 entitles you to install 10.4 without owning it.

Elliott