
adam9c1

macrumors 68000
Original poster
May 2, 2012
1,889
315
Chicagoland
Our Mavericks OD server died and we had no backup.

Base Yosemite and Server App installed.
Static IP set.

We created OD master.
When we try to connect a client to it we receive:
Invalid credentials supplied
Please enter valid credentials that allow access to the directory specified.
using default diradmin account

-------------------------
We tried it with the Mac bound to AD first and without.
Any ideas?
During OD creation there were no options for how to set anything up. Simply click to create.

When we have the server bound to AD and we look at the LDAP Log we see lots of
Could not locate user record from cn=youname it dc=younameit dc=youname it
 

DJLC

macrumors 6502a
Jul 17, 2005
959
404
North Carolina
Not sure if this'll help at all...

I set up our Xserve this summer with a fresh install of Mavs Server and decided to finally attempt the "Magic Triangle" in our environment. It was easier than I expected! As I recall, I bound the Xserve to AD before creating the OD Master. I'm not sure exactly how this works in Mavs and on, and I wasn't able to find any documentation at the time.

In my environment, all users are now on the AD server. OD pulls them for authentication to Profile Manager and AFP / SMB. I don't have any other services enabled at the moment.
 

adam9c1

I got this to work.
Ran scutil, then I made the OD user password much longer.


I have made an enrollment profile and am testing profiles pushed to computer groups.
Some stuff works and others do not.

One thing I may have as a bug is about printer sharing.
Do I need to install the printer manually on the client?
On the server I have Printer Sharing checked, and installed one printer. I see that square but no way to checkmark it.
 

DJLC

Profile Manager is very touchy for us. Certain settings within a profile are just "broken," and setting them causes the profile to fail when it gets pushed to devices.

The Printing section of profiles, however, has worked for me. Printer installed on Xserve, shared in System Prefs, then added to the profile and pushed out.

Generally, if you set something and the profile starts failing, delete the setting and try again. For example, when I set Dashboard restrictions, I have to enable the restriction, save, push, then specify which widgets to allow, save, push again. If I enable and specify in one step, it fails.
 

adam9c1

I've installed two printers (one directly to IP, one via OD object).
I can push the printers via Profile Manager.

However, when I (attempt to) print I see a message that the printer is locked and need to log in with admin credentials.

I spoke with our network admin, who built the last server, and he said he did not have to set up any Kerberos between AD-OD.
 

DJLC

> I've installed two printers (one directly to IP, one via OD object).
> I can push the printers via Profile Manager.
>
> However, when I (attempt to) print I see a message that the printer is locked and need to log in with admin credentials.
>
> I spoke with our network admin, who built the last server, and he said he did not have to set up any Kerberos between AD-OD.

This might be the same as an issue we see: by default an OS X non-admin user is not a member of the PrintAdministrators group. Thus they are unable to pause / resume a printer or delete jobs. I created a small shell script that I push out via ARD to add the current logged-in user to the PrintAdministrators group.
 

adam9c1

Our Sr. Network Admin has things so locked down ARD does not work correctly.

I can remote into a machine but even running a (partial) system report fails (times out / never runs).
 

chrfr

macrumors G5
Jul 11, 2009
13,709
7,280
> Our Sr. Network Admin has things so locked down ARD does not work correctly.
>
> I can remote into a machine but even running a (partial) system report fails (times out / never runs).

I'm not sure that's a network configuration issue rather than bugs in ARD. The chances I can get a successful system report off a client on an unrestricted network are pretty low.
 

DJLC

Indeed; ARD is a mess. The most recent update has made things a little better, but still...

An alternative I have for that is I also wrapped my printing permissions shell script in a .app bundle. Students / users can run that app to give themselves permission.

I'll see if I can dig that up if you're interested? Friend of mine at Apple helped me make it work. :)
 

adam9c1

I have a clean install of 10.10 + Server
I have a clean install of 10.10 Client
No extra apps.

Added the one machine to ARD group.
I can remote view screen but not run a report.

I do not think it's an ARD bug.
 

chrfr

> I have a clean install of 10.10 + Server
> I have a clean install of 10.10 Client
> No extra apps.
>
> Added the one machine to ARD group.
> I can remote view screen but not run a report.
>
> I do not think it's an ARD bug.

Start with Remote Desktop 3.8, if you're using an older version. You'll only see this update if you have a machine with ARD installed that is running 10.10.2. Once you have the update, you'll be able to install it on 10.9 or later.
Again, it might be an ARD problem.
ARD just needs ports 3283, 5900, and perhaps 5988. If 3283 isn't open you won't be able to get reports or do much other than view clients.
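
An added example, not part of any post in this thread: a small probe for the three ports named above that separates a port whose traffic is silently dropped on the network from one that is reachable but has no listener, which is the "network lockdown or ARD" question being argued here. Probing over TCP, the function names and the state labels are assumptions of this example; run it from the ARD admin machine against a client you manage.

```python
import errno
import socket
import sys

# Ports named in the post above. Probing them over TCP is an assumption:
# the post does not say which transport each port uses.
ARD_PORTS = (3283, 5900, 5988)
UNREACHABLE = (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT)


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'error'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered"      # no reply at all: packets dropped on the path
    except socket.error as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "refused"   # host replied, but nothing is listening
        if exc.errno in UNREACHABLE:
            return "filtered"  # a router or firewall rejected the route
        return "error"         # e.g. name resolution failed
    sock.close()
    return "open"


def survey(host, ports=ARD_PORTS, timeout=2.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def diagnose(results):
    """Read {port: state} as network filtering, missing service, or neither."""
    def ports_in(state):
        return ", ".join(str(p) for p in sorted(results) if results[p] == state)
    if ports_in("error"):
        return "probe failed on: " + ports_in("error")
    if ports_in("filtered"):
        return "network is dropping traffic to: " + ports_in("filtered")
    if ports_in("refused"):
        return "host reachable but no listener on: " + ports_in("refused")
    return "all probed ports accept connections"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = survey(target)
    for port in sorted(found):
        print("{0}:{1} {2}".format(target, port, found[port]))
    print(diagnose(found))
```

A "filtered" result for 3283 alongside "open" for 5900 matches the symptom in this thread: screen viewing works while reports never complete.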
 

adam9c1

Thanks for the ports.
I'll give them to our other network admin.

OS 10.10.2 (14C109)
ARD 3.8 (380A95)
 