OD binded to AD or just AD?

[tahoskier]

I'm new to networking MACs so I apologize for the noobie questions. We have an existing AD network. Until recently we had two MACs binded to AD. We recently added 10 more. I have 8 macs that will be used for iOS development. We purchased a MAC mini server running Lion Server. I would like to setup a common storage repository for coding. While I'm at it I would like to create a Time Machine backup for all the MACs. We have setup our Open Directory environment and if I were to create a user in OD, I can log a client in as that user. If I import AD users in OD, I cannot login to a client with any of the imported AD users. Also the OD user that was setup cannot login to the client unless it is on the network. It doesn't create a local profile on the client.

So questions that I have are:

Is this the right setup, OD binded to AD on the server? And client binded to OD? If so, how do I setup a local profile for the user on the client.

How can I log into the client as an AD member.

If I binded the client to AD then I can log in as an AD user. There is also a setting to create an offline profile for the AD user.

I would really like to use some of the management that OD has to offer but I do need to log in as an AD user.

 

[MisterMe]

It's Mac, not MAC. Mac is short for Macintosh, Apple's current line of laptop and desktop computers. MAC is an acronym for Media Access Control, the hardware address of network devices. There is a huge difference between the two. The two terms are sometimes used in the same sentence. For example: Every Mac has a MAC address.

 

[tahoskier]

It's Mac, not MAC. Mac is short for Macintosh, Apple's current line of laptop and desktop computers. MAC is an acronym for Media Access Control, the hardware address of network devices. There is a huge difference between the two. The two terms are sometimes used in the same sentence. For example: Every Mac has a MAC address.

Sorry.

 

[rwwest7]

I'm new to networking MACs so I apologize for the noobie questions. We have an existing AD network. Until recently we had two MACs binded to AD. We recently added 10 more. I have 8 macs that will be used for iOS development. We purchased a MAC mini server running Lion Server. I would like to setup a common storage repository for coding. While I'm at it I would like to create a Time Machine backup for all the MACs. We have setup our Open Directory environment and if I were to create a user in OD, I can log a client in as that user. If I import AD users in OD, I cannot login to a client with any of the imported AD users. Also the OD user that was setup cannot login to the client unless it is on the network. It doesn't create a local profile on the client.

So questions that I have are:

Is this the right setup, OD binded to AD on the server? And client binded to OD? If so, how do I setup a local profile for the user on the client.

How can I log into the client as an AD member.

If I binded the client to AD then I can log in as an AD user. There is also a setting to create an offline profile for the AD user.

I would really like to use some of the management that OD has to offer but I do need to log in as an AD user.

I was never able to get that working. We just bind the clients to AD, works much better than the golden triangle of death. Look into the Casper suite if you want to manage your MACs rolleyes: ) over the network. It works great. Only having 8 MACs rolleyes: ) you can easily create local accounts for the 8 users on the Mini Server to access shares.

 

[mrbrown]

It's Mac, not MAC. Mac is short for Macintosh, Apple's current line of laptop and desktop computers. MAC is an acronym for Media Access Control, the hardware address of network devices. There is a huge difference between the two. The two terms are sometimes used in the same sentence. For example: Every Mac has a MAC address.

That really doesn't help anyone nor does it provide anything substantive towards answering the poster's question.

 

[cbott]

We bind our Lion Server and the Mac workstations to AD. This lets us log in as AD users and create a local user. Binding the Lion Server also lets us assign permissions to AFP shares as well as our Time Machine server to certain AD users.

We don't have anyone too versed in OD so this seemed like the best option for now. My suggestion in your situation would be to just use AD and assign permissions through the Server App.

Hope this helps a little.

 

[Yebubbleman]

That really doesn't help anyone nor does it provide anything substantive towards answering the poster's question.

While this is true, it's still a good distinction to make that may help the poster avoid further unintended confusion.

 

[Mattie Num Nums]

I'm new to networking MACs so I apologize for the noobie questions. We have an existing AD network. Until recently we had two MACs binded to AD. We recently added 10 more. I have 8 macs that will be used for iOS development. We purchased a MAC mini server running Lion Server. I would like to setup a common storage repository for coding. While I'm at it I would like to create a Time Machine backup for all the MACs. We have setup our Open Directory environment and if I were to create a user in OD, I can log a client in as that user. If I import AD users in OD, I cannot login to a client with any of the imported AD users. Also the OD user that was setup cannot login to the client unless it is on the network. It doesn't create a local profile on the client.

So questions that I have are:

Is this the right setup, OD binded to AD on the server? And client binded to OD? If so, how do I setup a local profile for the user on the client.

How can I log into the client as an AD member.

If I binded the client to AD then I can log in as an AD user. There is also a setting to create an offline profile for the AD user.

I would really like to use some of the management that OD has to offer but I do need to log in as an AD user.

You may be over complicating things by doing an AD/OD replication. What does your environment look like in general? How many PC's, what Exchange version, etc. Exchange and AD can do almost everything you need without the headaches of managing an AD/OD situation.

 

[it365]

We bind our Lion Server and the Mac workstations to AD. This lets us log in as AD users and create a local user. Binding the Lion Server also lets us assign permissions to AFP shares as well as our Time Machine server to certain AD users.

We don't have anyone too versed in OD so this seemed like the best option for now. My suggestion in your situation would be to just use AD and assign permissions through the Server App.

Hope this helps a little.

Hello there,could I kindly ask something?
Do your macs connect to the lion server (via network account server settings) and then able to access home folders of windows users, that appear say in workgroup manager as it's binded to active directory?

 

[cbott]

Hello there,could I kindly ask something?
Do your macs connect to the lion server (via network account server settings) and then able to access home folders of windows users, that appear say in workgroup manager as it's binded to active directory?

We aren't using network home folders for Windows or Macs. We can log in as a network user on any of our Macs but it creates a local home folder. We then use Time Machine Server to back up the Macs (and therefore the home folders).

All of our users have a SMB share on the network (and our Macs can access those) as well as an AFP share on the Lion Server for a select group of people to access.

 

[devorebo]

I am responsible for thousands of computers for a school district. I am luckily in a position to also be responsible for Active Directory. I modified the Active Directory schema to support mac computers 3 years ago, and it is awesome. It took several weeks of testing, but I eventually put it into my production AD.

I used to run Open Directory from 10.2 up to 10.5, and it is very unstable. My OD database would get corrupt several times a semester and would have to completely rebuild it. If there is anything of major dependance on a directory system, do NOT use OD.

I've modified the schema on a 2003 server, and when I upgraded my AD 2008 r2 it migrated without any issues. Very reliable.

Apple has released a white paper here.
http://www.seminars.apple.com/contactme/pdf/L407117A_ADSchema_wp_FF.pdf

 

[Truffy]

The past particple of bind is bound, not binded.

 

[marc7654]

'cbot' and 'devorebo' have two answers you should seriously consider. For your environment I'd recommend the simpler solution of setting your Lion Server up as just a Mac file server for your Time Machine etc. No need to run an OD on your server.

First create the machine account in AD for your server then also setup forward and reverse DNS for the servers static IP. Lion doesn't do DDNS right in many AD environments and your Mac probably turned on it's own DNS server because of that. DNS is critical and should be run outside your Mac unless you want your Mac to run all your DNS but that's getting complicated.

Now rebuild the server. Because you have OD running and possibly some other things like DNS you want to just start clean, it's faster. Don't let it do any kind of auto setup of OD or binding to AD just enter the proper IP and DNS name.

Now get updates etc. Then bind your server to OD. Use the Server App not Directory Access. Look under the Manage menu for the option to join a domain. I forget exactly what it says. This assistant will walk you through the binding process and get your server connected to your AD so that users can user their AD credentials to connect to the server. No need to import users form the AD.

Now you can set setup share points and add users from your OD to those shares. If you also bind your Macs to AD you can get single sing on because everything is now using Kerberos for authentication.

You can even turn on the Profile Manager and use it as a Mobile Device Management system for your iOS devices. It will let you use users use AD credentials to login to the service and manager their devices or your Admins can do it.

 

[Les Kern]

It's Mac, not MAC. Mac is short for Macintosh, Apple's current line of laptop and desktop computers. MAC is an acronym for Media Access Control, the hardware address of network devices. There is a huge difference between the two. The two terms are sometimes used in the same sentence. For example: Every Mac has a MAC address.

Every Mac has a MAC address. should be in quotes sayeth the grammar police police.

----------

The past particple of bind is bound, not binded.

Most people I know say boundeded, binderlated, bindederated or bow-wow-eye-en-ded.