
Possible AD/OD integration

Is it possible to bind Open Directory to Active Directory and have Windows user accounts in AD and Mac user Accounts in OD?

Mac OS X (10.5)

Posted on Oct 4, 2009 6:21 PM

7 replies

Oct 4, 2009 6:34 PM in response to pknz4

Hi PKNZ, you can quite easily bind OS X Server to an Active Directory Domain and share resources and users, but I'm not sure why you would want to segregate the users. Doesn't that defeat the purpose?
Maybe if you describe what you want to achieve you may get further.

I have seen dual directory systems set up and users exist in one or both directories, but usually it is not pretty either to set up or to admin.

BTW Welcome to discussions.

Cheers

Oct 4, 2009 6:58 PM in response to Andbrowny

Thanks for the welcome.


All users exist in Open Directory, the Windows users in Open Directory are duplicated into Active Directory so they can access Windows servers on AD and Mac servers on OD. (AD and OD are not bound).

I would like to bind Open Directory to Active Directory so that the Windows users only exist in Active Directory (no duplication) and can access the Mac servers on Open Directory.

Message was edited by: PKNZ

Oct 4, 2009 7:09 PM in response to pknz4

Hmm, seems more like you're looking at a cross realm trust setup rather than binding the domains.
Last line of this article says "Clients should choose the Open Directory realm at the Windows login screen, and log in with their Open Directory password. The tgt from the Open Directory Realm will allow them to access resources in the Active Directory domain." Is that what you're looking at?

Then again I could have missed the boat completely....

Cheers

Oct 5, 2009 1:21 PM in response to don montalvo

Hi Don, the Magic Triangle (dual directory) setup you are referring to is usually used to manage OSX machines and groups through the OD and have all the user info from AD, except augmented records. If I'm not mistaken, the OP is wanting OD/OSX users and Windows/AD users stored in the respective directories/domains without having the Windows users in OD.

Cheers

Oct 5, 2009 1:21 PM in response to don montalvo

I read through Apple's "Best Practices: Integrating Mac OS X with Active Directory".

The 'magic triangle' they suggest mentions that

"Another solution is to configure a secondary LDAP directory using Mac OS X Server and Apple’s Open Directory. In this scenario, clients still use AD for user authentication, while Open Directory supplies managed preferences only."

I would like for the Mac users to only exist in Open Directory and the Windows users to only exist in Active Directory, but as they are bound, the Windows users in Active Directory filter down into the bound Open Directory.
