Solved

OD Replicating to AD.  OSX Server 10.6 and Server 2008

Posted on 2011-03-07
Last Modified: 2012-05-11
So I have a unique and PITA situation here.
I have a school that is running Snow Leopard Server and Windows Server 2008.  They are 99% Mac-based in their workstations, but have a couple of PCs.  They have file shares on both servers.  They are adamant about not removing the Windows server from the network.
What they want to do is have the OSX Server be the master and replicate the user info (just Login Name, User Name, and Password) to AD so that file sharing and such won't be a problem regardless of the platform they are using.
My issue is getting the two servers to talk to each other.  I have replicated a similar network in my office where I have a Snow Leo Server and Windows Server 2k8 running on the same test network.  The win2k8 server is set up on domain dns.lan; the OSX server is set up on dns.lan as well.
The OSX server is called "server.dns.lan"
The Win2k8 server is called "winsrv.dns.lan"
When I go into Directory Utility and enable Active Directory, then go into the settings to bind it, I leave the Active Directory Forest set at " - Automatic - ".
Active Directory Domain I input "dns.lan"
Computer ID I leave with the default which is "server"
I then click Bind and it brings up the Network Administrator Required field.
I put in the username and password for the Windows server and click OK, and I get the attached error (Bind Error).
So I turn to the experts that have been oh so helpful in the past.
They are also wanting this live in 2 weeks, even though I was originally told it wasn't happening until May.  -.-

Thanks in advance for any help!
Question by:dnetsol

Expert Comment

by:gmbaxter
ID: 35062630
I think you'll struggle here. You can't replicate between OSX and Windows AD. OS X runs an outdated version of Samba 3, which itself is based around NT4.

Your mac server isn't running a PDC role is it?

To bind it in, check that your Mac server can resolve the name of the Windows server (set the Mac server's DNS server to the AD one), then bind it in via Directory Utility > Active Directory.

Still don't see how this is going to assist you as previously stated. How about running AD/DNS/DHCP on the windows server, and using the OS X server bound to the domain as a member server as a file server?

You can then add another small windows box to the mix to add some redundancy.

Author Comment

by:dnetsol
ID: 35062736
Hi gmbaxter - Basically what they are trying to accomplish is having the same user accounts on either box w/o having to manually enter them twice.
To be honest I don't care which box they enter them on, but if (for example) they enter it on the Windows Server at least the name, shortname (login name) and password needs to be replicated over to the Mac Server so that they can then use the Mac administration stuff for privilege restrictions and such on the Macs in the environment.

I don't know what their Mac server is running (in regards to PDC); the one I started I did from scratch and have just set it up as an Open Directory master, but I can switch that.  The issue though is going to be that I am pretty sure the majority of their user accounts are on their Mac server currently.


Hopefully this didn't muddy the waters more...

Author Comment

by:dnetsol
ID: 35128608
So I have set the test bed up where OD is pulling its data from AD, OD is not a PDC, and AD is doing the DNS, DHCP etc.
My biggest issue for what the client needs is that now I cannot administer any of the preferences in Workgroup Manager for the people using Macs.
This functionality of being able to administer the settings for Mac users, groups and workstations via Workgroup Manager is crucial.

Does anyone know how to make this work while still replicating the AD and OD to each other?

Expert Comment

by:gmbaxter
ID: 35130325
This is usually achieved by making the OD server a member of the domain and nesting AD groups into OD groups, which you can then apply managed preferences to.

Author Comment

by:dnetsol
ID: 35131148
Can I get some help on how to do that then?
I'll try to figure it out but I am not 100% sure on how to make it happen.

Accepted Solution

by:gmbaxter (earned 2000 total points)
ID: 35132535
Set up your domain controller to host AD and DNS.
Your OD server should be in standalone mode - not an open directory master, with AD as its DNS server.
Check DNS has A and PTR records for the OD server
Check OD server can resolve AD and vice-versa
Join the OD server into the AD domain using the AD plugin in directory utility in the /System/Library/Core Services
Open Terminal and type: sudo dsconfigad -enableSSO (this will join the OD server into AD's Kerberos realm)
Reboot the OD server
Open Server Admin, and add open directory as a service in server admin
Select change role
Select remain connected and setup open directory master
Ignore error about kerberos being unavailable - you are using AD for kerberos
Reboot server
Open Server Admin, select Open Directory > Overview
You should have:

Open Directory is: Open Directory Master

LDAP Server is: Running
Password Server is: Running
Kerberos is: Stopped

Kerberos Realm: YOUR.AD.DOMAIN

Now create an AD group with some users in, eg Finance Users
Open Workgroup Manager and authenticate as the directory administrator
Create a similar group in OD, eg Finance User Management Group
Select the group
Select "Members"
Select +
In the slide out pane where it says "Directory:", click the drop down arrow and select Active Directory.
Add your AD group.

You now have a magic/golden triangle AD-OD setup.

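A pre-bind check for the DNS and bind prerequisites in the steps above, added here as an example and not part of gmbaxter's answer. It assumes the names from the question (OD server server.dns.lan, DC winsrv.dns.lan, domain dns.lan), is meant to be run on the OD server as `sh prebind.sh run`, and the `dsconfigad -show` text it parses is a constructed sample.

```shell
#!/bin/sh
# Golden-triangle pre-bind check (added example). Verifies the things that
# usually cause the "Bind Error" in Directory Utility: the Mac's hostname is
# an FQDN in the AD domain, A and PTR records agree for both servers, the DC
# answers on the ports the AD plugin needs, and the bind actually took.
set -eu

OD_HOST=${OD_HOST:-server.dns.lan}   # assumed name of the OD server
AD_DC=${AD_DC:-winsrv.dns.lan}       # assumed name of the domain controller
AD_DOMAIN=${AD_DOMAIN:-dns.lan}      # assumed AD domain

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# 0 when HOST is a fully qualified name inside DOMAIN (case-insensitive).
fqdn_in_domain() {
    case "$(lower "$1")" in *."$(lower "$2")") return 0 ;; *) return 1 ;; esac
}

# 0 when a PTR answer (as printed by host, trailing dot allowed) names the
# same FQDN the A record belonged to; a mismatch is the usual bind failure.
ptr_matches() {
    rev=$(lower "${2%.}")
    [ "$rev" = "$(lower "$1")" ]
}

# Print the "Active Directory Domain" value from `dsconfigad -show` text on
# stdin; empty output means the Mac is not bound.
bound_domain() {
    awk -F'=' '/Active Directory Domain/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }'
}

# Live checks run only when invoked as: sh prebind.sh run (needs host, nc, dsconfigad)
if [ "${1-}" = run ]; then
    fqdn_in_domain "$OD_HOST" "$AD_DOMAIN" || { echo "hostname not in $AD_DOMAIN"; exit 1; }
    for h in "$OD_HOST" "$AD_DC"; do
        ip=$(host -t A "$h" | awk '/has address/ { print $NF; exit }')
        [ -n "$ip" ] || { echo "no A record for $h"; exit 1; }
        rev=$(host "$ip" | awk '/domain name pointer/ { print $NF; exit }')
        ptr_matches "$h" "$rev" || { echo "PTR for $ip is '$rev', not $h"; exit 1; }
    done
    for p in 53 88 389 445; do   # DNS, Kerberos, LDAP, SMB
        nc -z -w 3 "$AD_DC" "$p" || { echo "$AD_DC:$p not reachable"; exit 1; }
    done
    d=$(dsconfigad -show | bound_domain)
    [ "$(lower "$d")" = "$(lower "$AD_DOMAIN")" ] || { echo "not bound to $AD_DOMAIN (bound: '${d:-none}')"; exit 1; }
    echo "DNS and bind look right; next: sudo dsconfigad -enableSSO, then reboot"
fi
```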