Modifying Active Directory Schema

Hi Gordon,
that's also what I first thought - but when I watched the presentation from Timothy Perfitt at http://seminars.apple.com/seminarsonline/modifying/apple/index.html?s=301 I noticed his + (add users/groups) got active after providing the admin credentials (see presentation movie @16:50 timecode).

Would be very nice if it is possible - otherwise we probably have to live with that 😉

Hi, I was wondering if there is somewhere I can find the apple schema other than on a 10.6 server? I currently don't have access to a 10.6 server. I would like to extend my schema and manage my small group of macs (5) with the rest of my active directory structure (400+ PCs). Also currently my Domain Controllers are Windows Server 2003 R1, if i bring a Windows Server 2008 R2 domain controller online will that resolve the needed Domain controller level?

Thanks,
Chris

@cabrower: I don't know anyplace other than an OS X Server to get the Apple schema in a form that AD Schema Analyzer can work with them, but 10.5 should be sufficient if you can find someone with a leftover license (there's not much difference between 10.5 and 10.6)...

As for the Windows Server version, as I understand it the important thing is the AD schema changes Microsoft made between 2003 R1 and R2. I'm not sure, but I suspect you'd need to update all of your domain controllers to R2 and then raise the domain functional level -- definitely the sort of thing you'd want to confirm in a test environment before inflicting it on your production servers.

Hi Gordon thanks for the response. I was able to do enough searching of the internet and someone was kind enough/smart enough to post the already modified version of the schema. I am not sure why apple wouldn't do the same. Here is what i found. It is ready for a copy and paste:


http://serverfault.com/questions/114959/active-directory-and-apples-workgroup-ma nager

Message was edited by: cabrower

The LDIF in that serverfault entry has some kinda strange things in it. It has the apple-user-homeurl attribute listed, which (according to Apple's PDF) it shouldn't have. It also has the ipHostNumber and macAddress attributes, which should already be there (they were added in the R2 update to Windows Server 2003). And it has several possSuperiors's listed by OID rather than name (which I think I've seen cause problems). And it has apple-configuration set up as an auxiliaryClass of the AD Configuration class, which does not match the Apple PDF (and if I understand it, conflicts with the way apple-configuration is used).

So I wouldn't especially trust that serverfault entry...

Attribute apple-user-homeurl is bothering me. I can not make clear if this if why I'm not able to mount an AFP home folder.

The White Paper [Modifying the Active Directory Schema to Support Mac Systems|http://images.apple.com/business/solutions/it/docs/Modifying the_Active_DirectorySchema.pdf] does not mention this attribute. Knowledge base article [TA21377|http://support.apple.com/kb/TA21377] does mention apple-user-homeurl although this article could be outdated.

The attribute should contain the URL to the user's home folder. It seems that it's not required when only NFSHomeDirectory is set and you make use of NFS.

Any ideas?

Is it possible to create computer groups within WGM? I'm able to apply managed preferences to individual users and computers but cannot create computer groups within WGM. Reading through the logs I've found this:

2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Using existing connection for flaglerschools.com - flagler.flaglerschools.com. user bingc@FLAGLERSCHOOLS.COM cache MEMORY:YVKESUz
2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Attempting to Create Record Type dsRecTypeStandard:ComputerLists Name Untitled_1
2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Add record CN=Untitled_1,CN=Mac OS X,DC=flaglerschools,DC=com with FAILED - LDAP Error 19

2008 R2 with 10.6.4

Hi Mike, I have been trying to do the same thing. I can apply preferences to either a specific user/computer but not a user group or computer group which is rather ridiculous...

Gordon, what is the recommended way to obtain the schema if I don't have a OS X Server available? I already applied the schema I found at the servervault website :-/

Im hoping there isn't much damage done by that... I know you can't remove schema once it's in place...

The LDIF worked okay for me!