
Spyrule

macrumors newbie
Original poster
Apr 12, 2017
Ottawa, Canada
Hello guys,

Long-time AD admin who is now in charge of a small business with 8 Macs, most running El Capitan.

We don't have a huge infrastructure: NAS (Synology), LB4M Gig Switch, Firewall, ESXi 5.5. <~~ currently the ONLY VM running on here is our current Windows 2008 AD Server. I have some plans to move AD to a physical box, if it's worth keeping AD.

I'm totally comfortable with the Windows AD environment however, I seem to be having issues with maintaining support within OSX.

We don't explicitly NEED Windows AD, but I thought this would be the best method to maintain access permissions between each OSX user and our NAS's folder structure. Turns out, it's not quite working the way I envisioned.

So, I'm picking brains here on what might be a less risky, or a best practices way of maintaining access for OSX machines.

Some of the problems that I've repeatedly had:
- Users suddenly losing read/write access to their own desktop, documents, applications randomly.
- Some macs completely lose internet access until a reboot is performed.
- Sudden loss of permissions to print to a networked printer (Xerox)

If there is a better way, or if there is an easy way to get away from AD, or a best practices for AD > OSX connectivity, I'm all ears. I like suggestions.

Thanks in advance,

Spyrule
 

When we had a Server 2008s2 in our office we had to put in a Time Server in the Server and then point the Time Settings to the server IP in the OS X machines! That fixed our problem right away with Mac OS X 9.5.x machines staying on while sleeping, then waking up and staying connected to the Domain, so YMMV!
 
Do you mean an NTP server?
If this was a network time issue, logins would fail; you wouldn't see permissions issues.
If your users are using the same computer all the time, trying to make network homes or portable home directories work is probably not worth the trouble. If you're using the latter, that functionality is dead in Sierra, so you'll need to make the change away from those sooner rather than later.
AD is perfectly appropriate for managing accounts on the server and permissions for files there as well.
This is a bit dated but may still be helpful for you: http://training.apple.com/pdf/Best_Practices_for_Integrating_OS_X_with_Active_Directory.pdf

The inability to access the internet or a network printer sounds like you have network issues that have nothing to do with AD. DNS issues, perhaps? If your domain is a .local domain, you have a mess on your hands.
 

Luckily, no, my domain is a .net domain, so I've avoided that whole mess. I don't suspect it was a time sync issue, as yes, as you mention, I'd be having a lot of other problems. I'm trying to troubleshoot the machine that keeps dropping its internet as a localized problem; however, the desktop permissions issues have occurred now on 3 separate machines over several months, so I'm a bit stumped. I'm not even sure where to start looking for the cause of that. I'm tempted to write a cron job that runs every hour that checks and resets the permissions... but that's sort of a fishing-with-a-battleship approach.

I'll read through that article and see if I can glean any useful tidbits.

Thanks in advance
 
How do you have the home folders set up? Are the users using network homes, where their home folder lives purely on the server?
 
No. Since we are pretty small, for now, each user's folder resides on their local workstation. I literally use AD to authenticate logins and validate folder permission access on our NAS, that's pretty much it.
 
Ok, that's a pretty standard setup and you shouldn't be having the home folder permissions issues. I use exactly this configuration with a set of about 800 users. Apple's terminology for this is a "mobile account", which may help your research. Apple rolls AD fixes into OS updates pretty regularly and it seems like 10.12.4 is pretty solid on the network. You might want to try an upgrade in a test environment. I don't have time at the moment to offer more in-depth troubleshooting but will check back on the thread later.
 
Yes, that is Network Time Protocol! It has to do with time drift and Microsoft Kerberos between older Microsoft to Unix NTP protocol setups! Setting up an active Time server in Server 2008s2 would fix the Domain problems Mac OS X had with older Microsoft Servers!
Again, if time were a problem then logins would be failing. This isn't the fix here.
 

It helps when the Mac is sleeping for the evening, then a worker comes back in to log back into his Mac so the domain account will be verified from the 2008s2 server. Like I said before, the NTP server is not activated in Server 2008s2 by default and has to be started! Since the OS X machine is using an open standard, looking for an NTP server and then dirt in Kerberos in the 2008s2 server. This way the Mac will stay in Kerberos if the Server 2008s2 server has the NTP server running (hint: it is not on by default and many IT so-called experts miss that fact)!
 
Great but how does this affect file permissions or Internet access?

Also, why do you call it 2008s2?
 
So just to throw a different option in, Apple's macOS Server (was OS X Server) includes Open Directory. Would your NAS authenticate with that as an LDAP server rather than AD? It would also mean you don't need that Windows Server hanging around. Or, does your NAS have an LDAP server package so it could be your authentication server?

Also, with regard to NTP, I'd point the Windows server to Apple's time server rather than all your clients to your Windows server.
 
My inquiry would be why AD at all? Do you have a lot of windows devices too or is it purely for account management on the Mac segment?

There is the option of macOS Server, which, to be quite honest, may not be the best set-up, but you can just use Open Directory and manage network accounts there and have their profiles stored on a server.

Or utilize MDM, if you're not going to store account profiles anywhere (data, etc) you can utilize something like Jamf Now for a marginal price and let that handle your password policies, the accounts would be local but that wouldn't really matter it seems like in your environment.

Just some suggestions.
 
Just to clarify here, when you activate an AD server, Windows automatically activates the Windows NTP server; the only thing that most admins change is the NTP source from Microsoft's time server to pool.ntp.org servers (I always do this, and have done this in 10+ different corporate networks and it's never been a problem). However, if NTP wasn't running at all, NO account authentication would work, since the time desync would be so far off that it wouldn't validate against itself.

For a Windows AD, you cannot point the primary Windows AD server away from itself for time sync; you CAN set the NTP server running on the same box to sync against the OSX Server.

As for OSX Server itself, all of my OSX boxes are running as workstations, and I really don't want a network central device to be reliant on a workstation/OSX Server for authentication/access. Sure, I could hackintosh the current Windows server, but then I'm doing something illegal, vs doing something that has been done a million times (I know my setup isn't something radically different than quite a lot of setups). Plus, OSX Server's user profile manager is absolutely terrible. I had it set up first, and it was nothing but problems (I couldn't get a lot of permissions to sync correctly between my NAS and the workstations against OSX Server's user profile).
 
The 2008 Server took time but didn't activate the NTP server! So with 2008 Microsoft Server you have to manually turn it on! Then on the OS X machine, point the Date & Time NTP setting at the server IP address! This way, when a user logs out on an OS X Mac, another Domain user can use their Domain account and still log in after waking that Mac from sleep.

If the NTP server on 2008 is not activated, the OS X Mac will lose connection almost every time the Mac sleeps!
 
If you are just talking about a regular installation of 2008R2, yes, the NTP server is not installed/activated by default. If you're installing AD and that server is the authoritative AD server for the domain, then the NTP server is AUTOMATICALLY installed and activated, since AD uses it to synchronize its own communication between AD and DNS record scrubbing. Again, the only thing that typically needs to be done is to change the time SOURCE for the NTP server.

But I'll digress on this entire point, since it's highly unlikely that NTP is my problem. My machines aren't losing sync, they are losing permissions on their OWN OSX accounts that ARE NOT stored on the NAS, but locally. Only the username/password is authenticated against the AD server (and the user IS able to log in with NO errors); only after a period of time, the user suddenly loses access to their own desktop, documents and even application folder. I have to manually re-assign permissions to those folders, and suddenly everything keeps working again (and continues to do so for months, even after repeated reboots and sleep cycles.... so, really, NTP is a HIGHLY unlikely culprit).
 
plus OSX Server user profile manager is absolutely terrible.

Not sure which issues you were having, but we have Profile Manager set up on a fairly significant number of Mac mini servers running macOS Server at different locations and have never had any issues with it.
 
I have seen similar issues before when DNS and DHCP aren't set up properly on the Windows box (if DHCP isn't running on your Windows box, then that is half your problem). In DHCP on the server, make sure the DNS section only has the IP of the server in there (lots of people like to put things like Google's DNS as a backup DNS in here; never do that, as it will cause problems with computers connecting to the domain).
Then go to DNS Manager and make sure you have some forwarders entered in there (Google's 8.8.8.8 is fine):
Once you have done that, go round all the computers and make sure they are all set to automatically obtain DHCP IP in network settings.
 
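A quick way to verify the point made in the post above from the Mac side: the client's resolvers should be the domain controller only, with public DNS configured as a forwarder on the server rather than handed out to clients. The script below is an added example, not from this thread; it parses the output of macOS's `scutil --dns` (the sample output, the domain corp.example.net and the DC address 192.168.1.10 are constructed) and flags any resolver that is not a domain controller.

```python
"""Flag Mac clients whose DNS resolvers are not all domain controllers.

Added example for this thread. Parses `scutil --dns` output, which lists
each resolver's nameservers on lines such as "  nameserver[0] : 192.168.1.10".
Run on a bound Mac with: scutil --dns | python3 check_dns.py
"""
import re
import sys

# Constructed sample of `scutil --dns` output showing the misconfiguration
# from the post: Google's resolver was handed out by DHCP alongside the DC.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : corp.example.net
  nameserver[0] : 192.168.1.10
  nameserver[1] : 8.8.8.8
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
"""

# Constructed: the AD domain controller(s), the only DNS servers clients should use.
DOMAIN_CONTROLLERS = {"192.168.1.10"}

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_nameservers(scutil_output):
    """Return all nameserver addresses from scutil --dns output, in listed order."""
    return [m.group(1) for line in scutil_output.splitlines()
            if (m := NAMESERVER_RE.match(line))]


def check_client_dns(scutil_output, domain_controllers):
    """Return a list of findings; an empty list means the client matches the advice above."""
    servers = parse_nameservers(scutil_output)
    findings = []
    if not servers:
        findings.append("no nameserver configured; check DHCP option 6 on the server")
    # Any non-DC resolver may be asked for the domain's SRV/A records and will
    # answer NXDOMAIN, which shows up as intermittent AD/NAS access problems.
    findings.extend(f"nameserver {ns} is not a domain controller; move it to the "
                    f"DC's DNS forwarders instead" for ns in servers
                    if ns not in domain_controllers)
    return findings


if __name__ == "__main__":
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCUTIL_DNS
    for finding in check_client_dns(output, DOMAIN_CONTROLLERS) or ["client DNS looks correct"]:
        print(finding)
```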