
Lion server bind to Windows AD server...

12865 Views 42 Replies Latest reply: Jul 23, 2012 5:49 AM by Alfista_SK RSS
  • Sinerg1
    Jun 22, 2012 1:16 AM (in response to furby)

    Brilliant furby!


    The server was initially set up for a previous colleague who has left, and it has never been touched since. It was set up to use LDAP at first and still currently is. The only service running was Software Update, but since I've had a play around I've configured Profile Manager; for some reason, though, I couldn't pull users out of LDAP.


    However, we do have AD also and would ideally prefer to be bound to this; it just seems very strange that it doesn't want to bind.


    On Server Admin:

    Available Servers (1)

    > server.local

    • DNS is activated
    • Netboot is disabled
    • Open Directory Is activated
    • Software update is activated


    I tried changing the Role on Open Directory as you previously mentioned but this never worked either.



  • furby
    Jun 22, 2012 5:09 AM (in response to Sinerg1)

    Just want to say I feel both your pain, this stuff still drives me to despair.


    Could you be a bit more specific about what you mean by:

    Sinerg1 wrote: "I couldn't pull users out of LDAP."




    If you've got Profile Manager set up this should be easy, and Alfista_SK, if you don't, the link I put before was pretty good and is what I used.




    1. On the machine you want to bind, log in and go to the Devices page.




    2. Go to the Profiles tab and install the Trust Profile for your domain.

    3. Then click on Devices tab and click on Enroll.

    Screen Shot 2012-06-22 at 10.15.35.png

    4. Install the profile.

    If this works you should see it listed under Devices in your Profile Manager (http://servername.domain.whatever/profilemanager).


    5. Click on the device and then go to Edit.

    Screen Shot 2012-06-22 at 10.14.06.png

    6. Go to the Mac OS X payload section and then Directory.

    7. Fill in the info with whatever details are right for you.

    Screen Shot 2012-06-22 at 10.13.51.png

    8. Click Ok and then Save...


    The settings should push out; you will see the progress in Active Tasks. If not, on the profile page there is an option to Download.


    Restart the machine and see if it's bound.


    I'm sort of glossing over the root of these problems, but if either of you want to give this a try as a workaround then we could get to tackling them.
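The Directory payload created in step 6 is what actually carries the AD bind settings (and the bind account's credentials) to the client. As an added example that is not furby's or Apple's code, this Python script audits such a .mobileconfig before deployment; the `com.apple.DirectoryService.managed` payload type and the `ADPacketSign`/`ADPacketEncrypt` keys are the ones documented in Apple's Configuration Profile Reference, while the hostnames, identifiers and account names are constructed placeholders.

```python
"""Audit the Active Directory binding payload pushed by Profile Manager.

Constructed example: a minimal .mobileconfig (XML plist) with one
com.apple.DirectoryService.managed payload, and a checker that flags the
settings a defender would want tightened before the profile is deployed.
"""
import plistlib

# Constructed sample profile; host, identifiers and account are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.ad-bind</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.DirectoryService.managed</string>
    <key>PayloadIdentifier</key><string>example.ad-bind.directory</string>
    <key>HostName</key><string>ad.example.test</string>
    <key>UserName</key><string>svc-macbind</string>
    <key>Password</key><string>PLACEHOLDER_BIND_PASSWORD</string>
    <key>ADPacketSign</key><string>allow</string>
    <key>ADPacketEncrypt</key><string>allow</string>
  </dict></array>
</dict></plist>"""


def audit_directory_payloads(profile_bytes):
    """Return a list of (payload_id, finding) for every AD binding payload.

    Findings: the bind password is embedded in the profile (so the profile
    must be protected and the bind account kept least-privileged), and
    LDAP packet signing / encryption are not set to 'require'.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.DirectoryService.managed":
            continue
        pid = payload.get("PayloadIdentifier", "<no id>")
        if "Password" in payload:
            findings.append((pid, "bind password embedded in profile; "
                                  "use a least-privileged bind account"))
        for key in ("ADPacketSign", "ADPacketEncrypt"):
            value = payload.get(key, "unset")
            if value != "require":
                findings.append((pid, f"{key} is {value!r}, not 'require'"))
    return findings


if __name__ == "__main__":
    for payload_id, finding in audit_directory_payloads(SAMPLE_PROFILE):
        print(f"{payload_id}: {finding}")
```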

  • Sinerg1 Level 1 (0 points)
    Jun 22, 2012 9:21 PM (in response to furby)



    I'll be without internet for a week, so I'll post once I return, as I think I'm a step before Profile Manager. Although I configured it and I can enroll devices, it's more the user authentication I wish to acquire.



  • furby Level 1 (25 points)
    Jun 25, 2012 1:48 AM (in response to Sinerg1)

    I'll be curious how you get on, will be interesting if it works.


    I found doing it the other way around, AD first and then OD, worked, but there are multiple ways to get to that stage, so you're not really a step before. Yes, I also use my AD for authentication (and it is in fact the only part that seems to be reliable); that's where I'm hopefully guiding you toward.


    I put the whole process down, albeit a bit succinct, but go from step 5 and create that directory payload.


    I should really write/video this all down at some point.

  • Sinerg1 Level 1 (0 points)
    Jul 4, 2012 4:57 AM (in response to Alfista_SK)

    Hi Furby,


    So I installed the certificate on the iPad and then tried to enroll the device. It asked to install the Device Enrollment cert; clicking on Install, a pop-up appears saying "Unverified Profile. The authenticity of 'Device Enrollment'... etc. INSTALL NOW."


    After clicking on INSTALL NOW it twirls for a bit and then I get a message saying "A network error has occurred. Could not connect to the server."


    Any idea what this is?

  • furby Level 1 (25 points)
    Jul 5, 2012 2:11 AM (in response to Alfista_SK)

    Now you're really asking. Though that's more my level of expertise, I don't think this is the forum for that discussion. There are plenty of great guides to installing Windows Server out there, which I'm sure you can find.


    @Sinerg1 I thought you were trying to enroll your server? Are you using the local network (Wi-Fi)? Can you check your DNS server for the IP of the Lion server; does it have the correct entry (or possibly multiple entries)? On the Lion server, does the Windows DNS server show up in the Network preferences?


    You could always do it manually with the iPhone configuration utility.

    In Profile Manager, click on the little PLUS symbol on the bottom left to create a new enrolment profile and then download it.

  • furby Level 1 (25 points)
    Jul 11, 2012 2:13 AM (in response to Alfista_SK)

    Glad you got it figured out. If you do need more help with Windows, I'm sure we could sort something out.

    No idea why Directory Utility didn't work, it's all a bit of a dark art getting this to work.


    Now, I'll confess right off that I've never really got the user account stuff to work properly so maybe I'm not the best person to answer this. But,


    The "Show All Records" tab is greyed out for me also, but I'm not sure that you need it anyway, so I say don't worry about that. You also don't actually need an augmented record to be able to log in.


    When you say you can't log in, what actually happens? Does one of the boxes turn blue? Does it go to log in and just flash grey/white?


    When you startup the client machine do you get the Network Account message?

    Screen Shot 2012-07-11 at 10.10.45.png


    I suspect it's just a permissions issue on the Windows side. Give an account Full permissions on the Windows Profile folder and give it a try.

  • furby Level 1 (25 points)
    Jul 11, 2012 4:31 AM (in response to Alfista_SK)

    The permissions on the user's Home Folder. I don't have it set for this user, but for that folder. Make sure the account has the correct share and security permissions.





    That's OK with the green dot. You don't see it at the login screen; the red dot just disappears when the machine is ready to be logged in (it can take a few minutes, so be patient). You should be able to log in with the Mac client. When you restart the machine, do you get the red dot?


    You don't need to do the "Integrating Mac OS X Lion Server Profile Manager with..." steps. Just use the server admin account when accessing the My Devices page. I currently just manage the Devices from Profile Manager rather than users/groups because, well, I have no idea how to make it work for AD groups.

  • furby Level 1 (25 points)
    Jul 11, 2012 5:12 AM (in response to Alfista_SK)

    Strange. As long as you're logging into the AD it shouldn't make a difference whether they are augmented or not.

    Go to the Local Directory, then View > Show System Records.



    I don't know if you need to give users permission to access the profile manager as well.

    Screen Shot 2012-07-11 at 12.39.17 copy.png

