
how do i manage my mac clients with active directory on a lion osx server?

so i have the following:


Lion server running 10.7.2

Windows Server 2008r2 (managing DNS, DHCP, AD...)


i want to be able to use my Active Directory username/passwords for authentication on client computers. i also want to be able to restrict some features like Users & Groups and be able to host printers on this server.


how do i go about doing that?

Mac Pro, Mac OS X (10.7.2), Server

Posted on Dec 2, 2011 2:50 PM

Question marked as Best reply

Posted on Dec 3, 2011 5:42 PM

Bind your Mac systems to AD. That simple act will likely give you 90% of what you are looking for. You do this through System Preferences > Accounts > Login Options (or alternately through Directory Utility or dsconfigad).


Now this will give you authentication and authorization from the AD domain plus group memberships and single sign on to Kerberos services (file services, Exchange, etc). Binding to AD will not allow you to do group policy. If you are looking to do managed client, then you have a number of options.


They include AD Schema Mod (only do this if you absolutely must), 3rd party tools like Centrify (as they give you Windows tools to manage Macs), or OS X Server and the use of the "magic triangle."


The triangle is the binding of Mac workstations to both AD and OS X Server. All authentication and authorization comes from AD and then management comes from OD using native Apple tools. This way you don't annoy anyone in the AD team by asking them to modify the environment.


This is a wise choice to bind the systems. It makes Macs first class citizens (well, almost).

23 replies

Dec 6, 2011 1:47 PM in response to Strontium90

Okay, I am wanting to do the magic triangle and have bound the server to AD and have this server as an OD Master. But when I go into Workgroup Manager >> Authenticated to Active Directory/MYDOMAIN/All Domains >> Users >> (select a user) >> Preferences >> (make some change and click Apply Now)

I get the following error:

Error while saving record "testuser":

An invalid attribute type was provided.

(com.apple.OpenDirectory:4200)


Is this not because of my schema? And if not, what is wrong in OD?

Jul 18, 2012 7:36 AM in response to Beandip408

Oh no, what's that, how can I do that?


And tell me, I have made a magic triangle, and on my Lion server, when I am in the Server Admin application in the Open Directory section, it is very very very long.


I want to know whether I need to disable the DNS service on the Lion server, as I have DNS on the 2008 server?



Hi, do you maybe have an email address?


Thanks

Jul 18, 2012 7:40 AM in response to Malik-O

In order to store UNIX attributes in Active Directory, the schema must be extended. To extend the schema, first install Active Directory (add the Active Directory Domain Services role to an installed server, then use the Active Directory Installation Wizard to setup Active Directory) and then add the “Identity Management for UNIX” role service (this can be done in Server Manager).


if your Windows server is running the DNS, then disable it on your Lion Server.

Jul 18, 2012 8:02 AM in response to Malik-O

Here's what you need to do to set up a Lion server:


Setting up a new Lion OS X Server

  1. Change the Shared name
    1. apple >> System Preferences >> Sharing
    2. enter a name like: server-mac
  2. Give a Static Address

    apple >> System Preferences >> Network

  3. Download Lion OS X Server app from the app store (not through itunes)
  4. Download Server Admin Tools for Lion (this can be found via google)
  5. install both and run apple >> Software Update

Binding

apple >> System Preferences >> Users & Groups

  1. Unlock the padlock
  2. Click Open Login Options
  3. Click Join
  4. Click Directory Utility
    1. Double click Active Directory
    2. for domain, enter: DOMAIN.LOCAL
    3. Click the triangle next to Show Advanced Options
      1. Click User Experience
        1. Check: Create mobile account at login
          1. Remove: require confirmation box
        2. Remove: Use UNC path box
        3. Check: Default user shell: /bin/bash
      2. Click Administrative
        1. Check: Prefer this domain server: ADserver.domain.local
        2. Check: Allow administration by (leave defaults)
        3. Remove: Allow authentication from any domain in the forest
      3. Click ok

Create Open Directory Master

Open Server Admin

Connect to server-mac.local (or enter the static address)

  1. Highlight the local server and click Settings
  2. Click Services
    1. Check: Open Directory
    2. Click Open Directory under server-mac.local (or static address)
    3. Click General
    4. Under Role, click Change
    5. Select Remain connected and setup as Open Directory Master
    6. Create user called: Diradmin

Changing Login Options

  1. apple >> System Preferences >> Users & Groups
  2. Click Login Options
  3. Under: Display login window as, select Name and password radio button
  4. Check: Allow network users to log in at login window
    1. Select: Options
    2. Select: Only these network users radio button
    3. Click +
    4. Under Network Users:

      select those who you want to be able to log into this server

Adjust the Date and Time

Click the time in the upper right corner

  1. Click Open Date & Time Preferences...
  2. Click Date & Time tab
  3. Check: Set date and time automatically: ntpserver.domain.local





Add a Mac Client to the Open Directory


Go to System Preferences >> Users & Groups

  1. Unlock the padlock
  2. Click Login Options
  3. Click Join
    1. Type in the ip address of the mac server
    2. Press ok
    3. It will tell you "This server provides SSL certificates. Do you want to trust the certificates...." Choose Trust.
    4. It will tell you "Server does not provide a secure SSL connection. Do you want to continue?" Choose Continue.
  4. Should be done!! Woot!!

Decide who can get onto the box.

Go to System Preferences >> Users & Groups

  1. Unlock the padlock
  2. Click Login Options / Options / Choose "Only these network users:" Then choose the individuals from the open directory that you want to allow access to.




Binding a Client Mac to Active Directory and Open Directory

apple >> System Preferences >> Users & Groups

  1. Unlock the padlock
  2. Click Login Options
  3. Click Join
    1. Enter in the Mac server name or IP address
    2. Don't enter any credentials if asked (bind anonymously)
    3. Press ok
  4. Click Join
    1. Double click Active Directory
    2. For domain, enter: DOMAIN.LOCAL
    3. Click the triangle next to Show Advanced Options
      1. Click User Experience
        1. Check: Create mobile account at login
          1. Remove: require confirmation box
        2. Remove: Use UNC path box
        3. Check: Default user shell: /bin/bash
      2. Click Administrative
        1. Check: Prefer this domain server: adserver.domain.local
        2. Check: Allow administration by (leave defaults)
        3. Remove: Allow authentication from any domain in the forest
      3. Click ok
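The same Active Directory bind as a dsconfigad script, added here as an example and not part of the thread: it takes the domain, preferred server and NetBIOS name from the posts above, uses placeholders for the join account and OU, and adds LDAP signing/sealing options that the thread does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): the dsconfigad equivalent of the
# Directory Utility checklist above, so the bind is scriptable and repeatable.
# Domain and server names come from the post; the admin account and OU are
# placeholders. No -password flag: dsconfigad prompts for it, so the secret
# never lands in shell history or in `ps` output.

AD_DOMAIN="DOMAIN.LOCAL"                 # "for domain, enter: DOMAIN.LOCAL"
AD_PREFERRED="adserver.domain.local"     # "Prefer this domain server"
AD_NETBIOS="MYDOMAIN"                    # short name seen in Workgroup Manager
AD_ADMIN="ad-join-admin"                 # PLACEHOLDER: account allowed to join computers
AD_OU="CN=Computers,DC=domain,DC=local"  # PLACEHOLDER: container for the computer object

# Run CMD with the argument list that mirrors the GUI settings:
#   Create mobile account at login           -> -mobile enable
#   Remove "require confirmation"            -> -mobileconfirm disable
#   Remove "Use UNC path"                    -> -useuncpath disable
#   Default user shell: /bin/bash            -> -shell /bin/bash
#   Prefer this domain server                -> -preferred HOST
#   Remove "Allow auth from any domain"      -> -alldomains disable
# -packetsign/-packetencrypt require is hardening added here (LDAP signing
# and sealing), not a setting the post mentions.
with_bind_args() {
  cmd=$1; computer=$2   # computer = the "Shared name" from step 1, e.g. server-mac
  "$cmd" -add "$AD_DOMAIN" -computer "$computer" -username "$AD_ADMIN" \
    -ou "$AD_OU" -mobile enable -mobileconfirm disable -useuncpath disable \
    -shell /bin/bash -preferred "$AD_PREFERRED" -alldomains disable \
    -packetsign require -packetencrypt require -force
}

show_args() { printf '%s\n' "$@"; }

# Print the argument list, one per line (review it before binding).
ad_bind_args() { with_bind_args show_args "$1"; }

# Perform the bind (macOS only).
ad_bind() { with_bind_args dsconfigad "$1"; }

# Post-bind check: resolve an AD user through the same node path that
# Workgroup Manager shows ("/Active Directory/MYDOMAIN/All Domains").
# A failure here usually points at DNS or the preferred DC, not the schema.
ad_check_user() {
  dscl "/Active Directory/$AD_NETBIOS/All Domains" -read "/Users/$1" RecordName
}
```

Run `ad_bind_args server-mac` first to review the exact flags, then `ad_bind server-mac` on the machine being joined and `ad_check_user testuser` to confirm lookups work.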
