
Does anyone have a good "Golden triangle" Setup guide???

I would love a good guide to help me through implementation of a "Golden Triangle" on our systems. I have a robust AD environment and can easily set up the servers and workstations to our AD, but fail when it comes to getting the OD set up correctly and all the systems talking. We are running Lion on our Xserve and all MBPs. I'm pretty much a Mac novice with a few training classes under my belt.


Any help would be great!


Thanks!


MP

Xserve, Mac OS X (10.7)

Posted on Aug 22, 2011 11:04 AM

8 replies

Aug 23, 2011 2:35 PM in response to ben@cogs.com

Basically I put it like this: the AD is the king, the OD is the queen and the Mac workstations are the princes.


The Mac server and the Mac workstations both authenticate to the AD. Then, once the king and queen are talking nicely, the Mac workstations need to bind to the OD also. Then they create a "triangle" which allows single sign-on and passed Kerberos. Kind of hard to explain without a whiteboard.


I have not been to that site. I'll check it out thanks!

Sep 20, 2011 2:12 PM in response to PlayNetwork

Hi,


Have you seen this link? This is a good start.


http://docs.info.apple.com/article.html?path=ServerAdmin/10.6/en/odfd7c23d9.html


I've been trying to make it run for a couple of days on 10.7.1, but I'm still running into issues. The Augmented Records in Workgroup Manager do not function as expected. Instead of using Augmented Records, I've managed to propagate Mac preferences by creating a Group in Workgroup Manager, then assigning my AD users to this group and setting preferences on this group.


This seems to work okay, but I haven't been able to set up home directories correctly. I keep getting an error that it can't be found, so I must force the AD connector to create a local directory (which is not what I want).


If someone could share instructions on managing the home directories correctly with the Magic Triangle, I would appreciate it!

Sep 30, 2011 5:56 AM in response to °Bernz°

We are experiencing the same issues with new Lion 10.7.1 clients. We have a triangular system with a Windows 2008 AD PDC and an Xserve running Server OS 10.6.8. All Leopard and Snow Leopard clients bind fine, with user authentication and home area paths coming from AD and machine preferences from Workgroup Manager. However, we have all sorts of problems with Lion clients. After extensive experimentation over the past few days we currently have Lion clients bound to AD on the Windows 2008 server and authenticating with network home directories as desired and dictated from the AD server. The stability of this setup is yet to be tested.


It seems the following steps solved our AD binding issues but this may be only for the quirks of our setup and not a generic solution.


i. Ensure clocks are synced between AD Server, OSX Server and Lion clients.

ii. Ensure the Workgroup in System Preferences/Network/Advanced/WINS is set to your AD domain.

iii. Ensure the IP address of the AD Server appears in the WINS Server box.

iv. Ensure both the DNS server and a FQDN appear in the System Preferences/Network/Advanced/DNS tab.

v. Connect to your AD in Directory Access with the fully qualified domain name, ensuring that 'Use UNC Path from AD to derive Network home location' is checked in the Advanced settings and 'Allow authentication from any domain' is checked in the Authentication tab. I also had to check 'Prefer this domain server' and add the FQDN of the PDC server itself.


However, despite our Xserve server being listed in Directory Access in the LDAP tab, the augmented records still do not function as expected and the Lion clients do not appear in the Open Directory computers list. As a result there is no management of preferences such as dock apps etc. on Lion clients. I shall try the suggestion above as a workaround but feel this is a laborious way to achieve a fairly fundamental requirement for enterprise networks. Any other ideas in creating a fully functioning magic triangle with Lion clients would be welcomed!

Jan 4, 2012 5:01 PM in response to PlayNetwork

This is how I did it recently:


  1. Change the Shared name
    1. >> System Preferences >> Sharing
    2. enter a name like: server-mac
  2. Give a Static Address

    >> System Preferences >> Network

  3. Download the Lion OS X Server app from the App Store
  4. Download Server Admin Tools for Lion (this can be found via Google and is usually installed on a client machine)
  5. Install both and run >> Software Update


Binding

>> System Preferences >> Users & Groups

  1. Unlock the padlock
  2. Click Login Options
  3. Click Join
  4. Click Directory Utility
    1. Double click Active Directory
    2. for domain, enter: DOMAIN.COM
    3. Click the triangle next to Show Advanced Options
      1. Click User Experience
        1. Check: Create mobile account at login
          1. Remove: require confirmation box
        2. Remove: Use UNC path box
        3. Check: Default user shell: /bin/bash
      2. Click Administrative
        1. Check: Prefer this domain server: servername.domain.com
        2. Check: Allow administration by (leave defaults)
        3. Remove: Allow authentication from any domain in the forest
      3. Click ok

Create Open Directory Master (Server Admin app)


Connect to server-mac.local (or enter the static address)

  1. Highlight the local server and click Settings
  2. Click Services
    1. Check: Open Directory
    2. Click Open Directory under server-mac.local (or static address)
    3. Click General
    4. Under Role, click Change
    5. Select Remain connected and setup as Open Directory Master
    6. Create user called: Diradmin

Changing Login Options

  1. >> System Preferences >> Users & Groups
  2. Click Login Options
  3. Under: Display login window as, select Name and password radio button
  4. Check: Allow network users to log in at login window
    1. Select: Options
    2. Select: Only these network users radio button
    3. Click +
    4. Under Network Users:

      select those who you want to be able to log into this server

Adjust the Date and Time

Click the time in the upper right corner

  1. Click Open Date & Time Preferences...
  2. Click Date & Time
  3. Check: Set date and time automatically: ntp.domain.com


Bind a client:

******** make sure you did this in that EXACT order or it will not work ********

>> System Preferences >> Users & Groups

  1. Unlock the padlock
  2. Click Login Options
  3. Click Join
    1. Enter in the Mac server name or ip address
    2. Don't enter any credentials if asked (bind anonymously)
    3. Press ok
  4. Click Join
    1. Double click Active Directory
    2. for domain, enter: DOMAIN.COM
    3. Click the triangle next to Show Advanced Options
      1. Click User Experience
        1. Check: Create mobile account at login
          1. Remove: require confirmation box
        2. Remove: Use UNC path box
        3. Check: Default user shell: /bin/bash
      2. Click Administrative
        1. Check: Prefer this domain server: servername.domain.com
        2. Check: Allow administration by (leave defaults)
        3. Remove: Allow authentication from any domain in the forest
      3. Click ok
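Added example (not code from any of the posters above): a shell script for checking, after the binding steps in the Sep 30, 2011 and Jan 4, 2012 posts, that a Lion client's AD connector actually ended up with the settings those posts call for, and that its clock is within the default Kerberos tolerance of five minutes (step i of the Sep 30 list). It reads `dsconfigad -show`, the command-line view of the Directory Utility Active Directory settings; the field labels in the embedded sample are assumed from memory of the Lion-era output and may differ on your build, as is the `ntpdate -q` line it parses for the clock offset. Both samples are constructed, not captured. The expected values follow the Jan 4 post (mobile accounts on, confirmation off, UNC path off, authentication from any domain off, preferred domain server set to a FQDN); the Sep 30 poster left 'Allow authentication from any domain' checked, so set WANT_ANY_DOMAIN to Enabled if you follow that post instead. The hostnames DOMAIN.COM, servername.domain.com and ntp.domain.com are the placeholders from the posts.

```shell
#!/bin/sh
# Post-bind check for the AD leg of the triangle. Added example for this thread,
# not code from any poster. Expected values follow the Jan 4, 2012 post; set
# WANT_ANY_DOMAIN to Enabled if you follow the Sep 30, 2011 post instead.
WANT_MOBILE="Enabled"       # Create mobile account at login (checked)
WANT_CONFIRM="Disabled"     # Require confirmation (unchecked)
WANT_UNC="Disabled"         # Use UNC path (unchecked)
WANT_SHELL="/bin/bash"      # Default user shell
WANT_ANY_DOMAIN="Disabled"  # Allow authentication from any domain in the forest
MAX_SKEW=300                # Kerberos default clock-skew tolerance, in seconds

# Constructed `dsconfigad -show` output, not captured from a real host; the field
# labels are assumed to match the Lion-era command. Any-domain authentication is
# deliberately Enabled so the check has something to flag.
SAMPLE_DSCONFIGAD='Active Directory Forest          = domain.com
Active Directory Domain          = domain.com
Computer Account                 = mac-client$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Use Windows UNC path for home  = Disabled
  Default user Shell             = /bin/bash

Advanced Options - Administrative
  Preferred Domain controller    = servername.domain.com
  Allowed admin groups           = DOMAIN\domain admins,DOMAIN\enterprise admins
  Authentication from any domain = Enabled'

# Constructed `ntpdate -q ntp.domain.com` output (format assumed), for step i.
SAMPLE_NTPDATE='server 192.0.2.10, stratum 2, offset -0.004213, delay 0.02846'

# ad_setting LABEL: read dsconfigad output on stdin, print the value of LABEL.
ad_setting() {
    awk -F' = ' -v key="$1" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { print $2; exit }'
}

# expect_setting LABEL WANT: compare one setting in $AD_OUT; report and count a mismatch.
expect_setting() {
    got=$(printf '%s\n' "$AD_OUT" | ad_setting "$1")
    if [ "$got" != "$2" ]; then
        printf 'MISMATCH: %s = %s (want %s)\n' "$1" "${got:-<missing>}" "$2"
        MISMATCHES=$((MISMATCHES + 1))
    fi
}

# check_ad_settings: read dsconfigad output on stdin, print one line per
# deviation, return the number of deviations (0 means the bind matches the post).
check_ad_settings() {
    AD_OUT=$(cat)
    MISMATCHES=0
    expect_setting "Create mobile account at login" "$WANT_MOBILE"
    expect_setting "Require confirmation" "$WANT_CONFIRM"
    expect_setting "Use Windows UNC path for home" "$WANT_UNC"
    expect_setting "Default user Shell" "$WANT_SHELL"
    expect_setting "Authentication from any domain" "$WANT_ANY_DOMAIN"
    dc=$(printf '%s\n' "$AD_OUT" | ad_setting "Preferred Domain controller")
    case "$dc" in
        ""|"not set") printf 'MISMATCH: Preferred Domain controller is not set\n'
                      MISMATCHES=$((MISMATCHES + 1)) ;;
        *.*) ;;   # has a dot: accepted as the FQDN both posts ask for
        *) printf 'MISMATCH: Preferred Domain controller "%s" is not a FQDN\n' "$dc"
           MISMATCHES=$((MISMATCHES + 1)) ;;
    esac
    return "$MISMATCHES"
}

# ntp_offset: read ntpdate -q output on stdin, print the offset in seconds.
ntp_offset() {
    sed -n 's/.*offset \(-\{0,1\}[0-9][0-9.]*\).*/\1/p' | head -n 1
}

# skew_ok OFFSET: succeed when |OFFSET| <= MAX_SKEW. Beyond that Kerberos rejects
# the exchange, which surfaces as a failed bind or login rather than a clock error.
skew_ok() {
    awk -v off="$1" -v max="$MAX_SKEW" 'BEGIN {
        if (off < 0) off = -off
        if (off <= max) exit 0
        exit 1 }'
}

# Driver: live dsconfigad on a bound client, the sample elsewhere. Pass an NTP
# server as $1 to check the real clock; otherwise the sample ntpdate line is used.
if command -v dsconfigad >/dev/null 2>&1; then AD_INPUT=$(dsconfigad -show)
else AD_INPUT=$SAMPLE_DSCONFIGAD; fi
if printf '%s\n' "$AD_INPUT" | check_ad_settings; then
    echo "AD connector settings match the expected values"
else
    echo "AD connector settings differ from the expected values (see MISMATCH lines)"
fi
if [ -n "$1" ] && command -v ntpdate >/dev/null 2>&1; then NTP_INPUT=$(ntpdate -q "$1")
else NTP_INPUT=$SAMPLE_NTPDATE; fi
off=$(printf '%s\n' "$NTP_INPUT" | ntp_offset)
if [ -n "$off" ] && skew_ok "$off"; then
    echo "clock offset ${off}s is within ${MAX_SKEW}s"
else
    echo "clock offset '${off}' is missing or beyond ${MAX_SKEW}s: fix NTP before binding"
fi
```

Run it as `sh check-triangle.sh ntp.domain.com` on a freshly bound client. Mismatches are reported by the same label Directory Utility shows, so each one maps straight back to a checkbox in the Jan 4 steps; on a machine without `dsconfigad` the embedded sample is used and the script shows what one mismatch report looks like. The clock check matters because the Sep 30 poster's step i is the one that has no visible symptom of its own: a skew beyond the tolerance shows up as a bind or login failure, not as a time error.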

