
Modifying Active Directory Schema

http://seminars.apple.com/seminarsonline/modifying/apple/index.html?s=301

I've watched the video a dozen or more times and have read through the PDF as well.

But I'm getting 41 attributes and 10 classes, not the 36 attributes and 10 classes they talk about in the video and PDF (I've tried this 3 times).

I have frozen the video a few times and the selections on that do not match the PDF?

Windows 2008 R2 AD, 10.6 OD.

I have used Windows XP Mode from Windows 7 to run the ADAM AD Schema Analyzer.

Can anyone fill me in on what I might be missing from the video or PDF? Are there some changes with 2008 R2 and 10.6?

Cheers

Jason

Mac Mini, Mac OS X (10.6.3)

Posted on Apr 22, 2010 6:48 AM

Question marked as Best reply

Posted on Apr 26, 2010 2:15 PM

Here are the 36 attributes I got when I tried it:


$ grep "^# Attribute: " Apple-Schema-Extensions.ldf
# Attribute: apple-category
# Attribute: apple-computeralias
# Attribute: apple-computer-list-groups
# Attribute: apple-computers
# Attribute: apple-data-stamp
# Attribute: apple-dns-domain
# Attribute: apple-dnsname
# Attribute: apple-dns-nameserver
# Attribute: apple-group-homeowner
# Attribute: apple-group-homeurl
# Attribute: apple-imhandle
# Attribute: apple-keyword
# Attribute: apple-mcxflags
# Attribute: apple-mcxsettings
# Attribute: apple-neighborhoodalias
# Attribute: apple-networkview
# Attribute: apple-nodepathxml
# Attribute: apple-service-location
# Attribute: apple-service-port
# Attribute: apple-service-type
# Attribute: apple-service-url
# Attribute: apple-user-authenticationhint
# Attribute: apple-user-class
# Attribute: apple-user-homequota
# Attribute: apple-user-homesoftquota
# Attribute: apple-user-mailattribute
# Attribute: apple-user-picture
# Attribute: apple-user-printattribute
# Attribute: apple-webloguri
# Attribute: apple-xmlplist
# Attribute: apple-mountDirectory
# Attribute: mountDumpFrequency
# Attribute: mountOption
# Attribute: mountPassNo
# Attribute: mountType
# Attribute: ttl

What did you get in addition to the above? Also, which ADAM tools were you using? When I did this, I didn't use XP mode (at least as far as I know - I'm not very Windows savvy). What I did was add the "Active Directory Lightweight Directory Services" role on the server, then run WindowsADAMADSchemaAnalyzer from the Command Prompt.

I dunno if they're relevant, but here are some potential gotchas I found:
• The settings for apple-computer-list at the top of page 7 are wrong (they list apple-computer-list-group twice), as is the following text (it lists apple-generateduid twice); you should follow the list at the bottom of page 7 instead.
• The UI in AD Schema Analyzer is very confusing. Each class has two boxes next to it: one to hide (minus sign) or show (plus sign) related attributes, and another to exclude (blank) or include (heavy plus) it in the export. Related attributes have one box, which can implicitly include (plus on gray background) or explicitly exclude (heavy X) it from the export. You have to click to select the classes to include, and then under each of those, click to exclude the attributes that you don't want. (Did you maybe get the attribute selection backward?)
• The white paper and videos are written for Mac OS X v10.5; I don't know what (if anything) should be changed for 10.6, but I expect they're close enough it'll work as is.
• If you cut-and-paste any of the LDIF from the white paper (e.g. the auxiliaryClass and possSuperiors stuff) from the PDF, you may wind up with spaces at the beginning and end of each pasted line; these must be removed, or you'll get import errors. Also, make sure the LDIF file has DOS-style line endings (CR+LF), not Unix style (LF only).
• The white paper describes changing the objectClassCategory of some of the objectClasses to 3; depending on which version of the ADAM tools generated the LDIF, you may also need to set the rest of them to 1 (for some reason, it can export them with an objectClassCategory of 0, which is invalid).
• The white paper doesn't detail indexing the macAddress attribute, which is a good idea to speed computer record lookups; the relevant LDIF snippet is:


# Index the macAddress attribute for faster searches
dn: CN=macAddress,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 1
-
25 replies
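A pre-flight check that mechanises the gotchas in the reply above, as an added example (not code from the thread, from Apple's white paper, or from the ADAM tools). It strips the stray leading/trailing blanks that cut-and-paste leaves (a leading space is an LDIF continuation marker, so ldifde mis-parses the record), writes CR+LF line endings, rewrites the invalid objectClassCategory 0 to 1, and lists the "# Attribute:" headers that go beyond the 36 expected ones, which is the comparison the original question (41 vs 36) calls for. The pasted-line heuristic, the function names and SAMPLE_LDIF are constructed for this example.

```python
"""Pre-flight check for an AD Schema Analyzer LDIF export before running ldifde.

Added example; not code from the thread, from Apple's white paper, or from the
ADAM tools. EXPECTED_ATTRIBUTES is the 36-name list from the reply above; the
pasted-line heuristic, the function names and SAMPLE_LDIF are constructed here.
"""
import re

# The 36 attributes listed in the reply above (grep "^# Attribute: " output).
EXPECTED_ATTRIBUTES = {
    "apple-category", "apple-computeralias", "apple-computer-list-groups",
    "apple-computers", "apple-data-stamp", "apple-dns-domain", "apple-dnsname",
    "apple-dns-nameserver", "apple-group-homeowner", "apple-group-homeurl",
    "apple-imhandle", "apple-keyword", "apple-mcxflags", "apple-mcxsettings",
    "apple-neighborhoodalias", "apple-networkview", "apple-nodepathxml",
    "apple-service-location", "apple-service-port", "apple-service-type",
    "apple-service-url", "apple-user-authenticationhint", "apple-user-class",
    "apple-user-homequota", "apple-user-homesoftquota", "apple-user-mailattribute",
    "apple-user-picture", "apple-user-printattribute", "apple-webloguri",
    "apple-xmlplist", "apple-mountDirectory", "mountDumpFrequency", "mountOption",
    "mountPassNo", "mountType", "ttl",
}

_ATTR_HEADER = re.compile(r"^# Attribute: (\S+)", re.MULTILINE)
# A line that, with its leading blanks removed, is a comment, the "-" separator,
# or "name: value" was pasted with indentation. A genuine LDIF continuation line
# (one leading space, then the tail of a long value) does not look like that.
# Heuristic constructed for this example, not part of the LDIF format.
_PASTED_LINE = re.compile(r"^\s+(?:#|-\s*$|[A-Za-z][A-Za-z0-9-]*:)")
_CATEGORY_ZERO = re.compile(r"^objectClassCategory:\s*0\s*$", re.IGNORECASE)


def attribute_names(text):
    """Names from the '# Attribute:' header lines, in file order."""
    return _ATTR_HEADER.findall(text)


def extra_attributes(text, expected=EXPECTED_ATTRIBUTES):
    """Attributes present in the export that are not in the expected set."""
    return set(attribute_names(text)) - set(expected)


def normalize_ldif(text):
    """Return (LDIF with CRLF endings and fixes applied, list of findings)."""
    findings, out = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line != raw:
            findings.append(f"line {n}: trailing whitespace removed")
        if _PASTED_LINE.match(line):
            findings.append(f"line {n}: leading whitespace removed "
                            "(ldifde would read it as a continuation line)")
            line = line.lstrip()
        if _CATEGORY_ZERO.match(line):
            # 0 is not a valid category; 1 = structural. Classes the white paper
            # says to make auxiliary still have to be set to 3 afterwards.
            findings.append(f"line {n}: objectClassCategory 0 changed to 1")
            line = "objectClassCategory: 1"
        out.append(line)
    return "\r\n".join(out) + "\r\n", findings


# Constructed sample: one attribute pasted with a leading space and trailing
# blanks, one attribute outside the expected list, one class exported with
# category 0, and one genuine continuation line that must survive untouched.
SAMPLE_LDIF = (
    "# Attribute: apple-category\n"
    "dn: CN=apple-category,CN=Schema,CN=Configuration,DC=X\n"
    "changetype: add\n"
    "objectClass: attributeSchema\n"
    " lDAPDisplayName: apple-category\n"
    "attributeSyntax: 2.5.5.12   \n"
    "\n"
    "# Attribute: apple-user-homeurl\n"
    "dn: CN=apple-user-homeurl,CN=Schema,CN=Configuration,DC=X\n"
    "changetype: add\n"
    "objectClass: attributeSchema\n"
    "\n"
    "dn: CN=apple-user,CN=Schema,CN=Configuration,DC=X\n"
    "changetype: add\n"
    "objectClass: classSchema\n"
    "objectClassCategory: 0\n"
    "adminDescription: a long description that the exporter\n"
    " wrapped onto a continuation line\n"
)

if __name__ == "__main__":
    fixed, findings = normalize_ldif(SAMPLE_LDIF)
    print("\n".join(findings))
    print("unexpected attributes:", sorted(extra_attributes(SAMPLE_LDIF)))
    # newline="" keeps the CR+LF endings exactly as written.
    with open("Apple-Schema-Extensions.fixed.ldf", "w", newline="") as fh:
        fh.write(fixed)
```

Run it against the real export instead of SAMPLE_LDIF and read the findings before importing; the DC=X placeholder in the snippets above is substituted at import time with ldifde's -c switch (ldifde -i -f file.ldf -c "DC=X" "DC=yourdomain,DC=com").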

Aug 24, 2010 9:40 AM in response to Gordon Davisson

Hi Gordon,
that's also what I first thought - but when I watched the presentation from Timothy Perfitt at http://seminars.apple.com/seminarsonline/modifying/apple/index.html?s=301 I noticed his + (add users/groups) got active after providing the admin credentials (see presentation movie @16:50 timecode).

Would be very nice if it is possible - otherwise we probably have to live with that 😉

Aug 27, 2010 3:20 PM in response to dalimsoftware

Hi, I was wondering if there is somewhere I can find the Apple schema other than on a 10.6 server? I currently don't have access to a 10.6 server. I would like to extend my schema and manage my small group of Macs (5) with the rest of my Active Directory structure (400+ PCs). Also, currently my domain controllers are Windows Server 2003 R1; if I bring a Windows Server 2008 R2 domain controller online, will that resolve the needed domain controller level?

Thanks,
Chris

Aug 30, 2010 2:40 PM in response to cabrower

@cabrower: I don't know anyplace other than an OS X Server to get the Apple schema in a form that AD Schema Analyzer can work with them, but 10.5 should be sufficient if you can find someone with a leftover license (there's not much difference between 10.5 and 10.6)...

As for the Windows Server version, as I understand it the important thing is the AD schema changes Microsoft made between 2003 R1 and R2. I'm not sure, but I suspect you'd need to update all of your domain controllers to R2 and then raise the domain functional level -- definitely the sort of thing you'd want to confirm in a test environment before inflicting it on your production servers.

Aug 30, 2010 3:51 PM in response to Jason Millen

Hi Gordon, thanks for the response. I was able to do enough searching of the internet, and someone was kind enough/smart enough to post the already modified version of the schema. I am not sure why Apple wouldn't do the same. Here is what I found. It is ready for a copy and paste:


http://serverfault.com/questions/114959/active-directory-and-apples-workgroup-manager

Message was edited by: cabrower

Sep 3, 2010 7:13 PM in response to cabrower

The LDIF in that serverfault entry has some kinda strange things in it. It has the apple-user-homeurl attribute listed, which (according to Apple's PDF) it shouldn't have. It also has the ipHostNumber and macAddress attributes, which should already be there (they were added in the R2 update to Windows Server 2003). And it has several possSuperiors entries listed by OID rather than name (which I think I've seen cause problems). And it has apple-configuration set up as an auxiliaryClass of the AD Configuration class, which does not match the Apple PDF (and if I understand it, conflicts with the way apple-configuration is used).

So I wouldn't especially trust that serverfault entry...

Oct 27, 2010 3:46 AM in response to Gordon Davisson

Attribute apple-user-homeurl is bothering me. I cannot make clear if this is why I'm not able to mount an AFP home folder.

The white paper [Modifying the Active Directory Schema to Support Mac Systems|http://images.apple.com/business/solutions/it/docs/Modifying_the_Active_Directory_Schema.pdf] does not mention this attribute. Knowledge base article [TA21377|http://support.apple.com/kb/TA21377] does mention apple-user-homeurl, although this article could be outdated.

The attribute should contain the URL to the user's home folder. It seems that it's not required when only NFSHomeDirectory is set and you make use of NFS.

Any ideas?

Nov 1, 2010 7:57 AM in response to Martin van Diemen

Is it possible to create computer groups within WGM? I'm able to apply managed preferences to individual users and computers but cannot create computer groups within WGM. Reading through the logs I've found this:

2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Using existing connection for flaglerschools.com - flagler.flaglerschools.com. user bingc@FLAGLERSCHOOLS.COM cache MEMORY:YVKESUz
2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Attempting to Create Record Type dsRecTypeStandard:ComputerLists Name Untitled_1
2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Add record CN=Untitled_1,CN=Mac OS X,DC=flaglerschools,DC=com with FAILED - LDAP Error 19

2008 R2 with 10.6.4
