Kr15

Original poster
Ladies and gents,

I would appreciate some input or thoughts on this topic.

So... Quick brief.
We had an Open Directory running on 10.6 Servers which was (still is) utterly rubbish.
Also because it's impossible to upgrade 10.6 OD to something more reliable and up to date we have made a decision to rethink all the process in total.

Decision was made to go with Active Directory instead (also because we are moving to Office 365 at some point).

So now I'm preparing a new environment but have some tricky oddities.

Setup:
I've installed 2008R2 Windows server (I know it's quite old but we had a licence for 2008R2 + I'm not keen on seeing 2012 MS Server (aka Windows 8 Server) as our main AD server, it's not stable enough yet)

Latest Xserve running Yosemite + Server app 4.1 (I know, it's old... But this is the last machine made by Apple which I'm ready to call a Server + I need FC HBA to get our storage attached)

And Xserve is bound to AD.

Issues:
Groups. When a group is used in file sharing - all fine, AD group members are able to connect to the shares etc. But for example I've set up a protected website to be accessed by a particular group and guess what - it doesn't work. Tried different sites, no success. Tried reinstalling OS X Server - same. Tried a spare Mini Server - nope.
Also, sometimes when I open a group the members section is empty but users can still connect to the shares from within the group.

Is it an AD issue? A Yosemite bug? Or should I do the good old "golden triangle" setup (I would prefer not to, I'm just not looking forward to managing 2x directory services...)?

Thanks.


Regards,
Kr15
 

satcomer

I gave up relying on directories when sharing files! In work we went to a NAS system setup with VLAN users folders on the NAS instead. For home use I suggest getting a smart NAS like a Synology NAS.

sonamo

Not sure, but you would probably benefit from doing a clean install of both Windows Server 2008 R2 and OS X 10.10 on independent machines that aren't in production. That will give you the definite answer to your question.

I agree with the previous post. We switched to a Synology for about 50 users last year and haven't had any problems with it. I had one at home before we got one here and that one works great too. I am Apple Certified for OS X Server 10.8 to 10.10 and think it makes a pretty lousy file server.

Cybrex

You will need to use the Golden Triangle, but it won't be as terrible as you fear...

All of the authentication for OS X Server services (such as the Websites service, Profile Manager (aka, another website), file sharing, mail, etc.) is processed by Open Directory or the local user directory. But you need to use Open Directory in order to relay requests to/authenticate against AD.

You should not need to replicate your Active Directory users and groups inside Open Directory. Simply set up your Xserve as an OD master, and then bind the Xserve to your AD domain. Your Xserve should then be able to process login requests for AD users, even if the AD user object does not exist inside OD.

When configuring permissions to OS X Server services, you should be able to see AD users and groups in the permissions sheets in the GUI.
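Added example, not part of the original thread: a shell check to run on the bound server that compares the members listed in a group's GroupMembership attribute with what the system actually resolves for a user, which is the mismatch described in the opening post. The user and group names, the sample dscl output and the function names are constructed for illustration; it assumes short names without spaces and that `dseditgroup -o checkmember` exits 0 for a member.

```shell
#!/bin/sh
# Constructed sample of: dscl /Search -read /Groups/webteam GroupMembership
# ("webteam", "adavis", "bkhan" and "jsmith" are hypothetical names)
SAMPLE_DSCL='GroupMembership: adavis bkhan'

# listed_member USER DSCL_OUTPUT -> prints yes/no
# Is USER named in the stored GroupMembership attribute? Whole names only.
listed_member() {
    user=$1
    for m in $(printf '%s\n' "$2" | sed -n 's/^GroupMembership://p'); do
        if [ "$m" = "$user" ]; then
            echo yes
            return 0
        fi
    done
    echo no
}

# classify LISTED RESOLVED -> one-word diagnosis
classify() {
    case "$1/$2" in
        yes/yes) echo consistent ;;
        # Not in the attribute, yet the system resolves membership:
        # the "members list empty, share access still works" symptom.
        no/yes)  echo resolved-only ;;
        yes/no)  echo stale-listing ;;
        *)       echo not-member ;;
    esac
}

# check_live USER GROUP: query the directory search path on the server itself
check_live() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found (not an OS X host)"
        return 2
    fi
    out=$(dscl /Search -read "/Groups/$2" GroupMembership 2>/dev/null)
    if dseditgroup -o checkmember -m "$1" "$2" >/dev/null 2>&1; then
        resolved=yes
    else
        resolved=no
    fi
    classify "$(listed_member "$1" "$out")" "$resolved"
}

# Usage on the server: sh script.sh jsmith webteam
if [ $# -eq 2 ]; then
    check_live "$1" "$2"
fi
```

A `resolved-only` result for a user who can reach the share but not the protected website points at how the service evaluates the group, not at the AD bind itself.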

hobowankenobi

Been doing this with 10.9, and 10.10, with no issues.