
Push settings to AD users does not work / OD users works well

Hi,

I still have problems pushing settings to users from Microsoft Active Directory with Profile Manager. I can't see an error message...

What I did so far:

- Domain name (I can't rename it): dudel.local
- Mac mini with Mavericks 10.9 and Server 3.0.1, IP 172.30.200.1/16, norad.dudel.local
- iMac with Mavericks 10.9, IP 172.30.220.19/16, a220019.dudel.local
- 2 Windows DNS servers on daedalus.dudel.local (172.30.200.9) and prometheus.dudel.local (172.30.200.15)
- 3 Windows domain controllers on daedalus.dudel.local (172.30.200.9), prometheus.dudel.local (172.30.200.15) and aurora.dudel.local (172.30.200.16)
- Windows domain controller daedalus.dudel.local (172.30.200.9) acts as NTP server
- Opened and forwarded ports tcp/2195, tcp/2196, tcp/5223 and tcp/1640 to 172.30.200.1 (norad.dudel.local). Since the web interface of Profile Manager is only accessible from inside, I do not forward tcp/80 and tcp/443 from outside.

Mac mini:

1. After a clean install of Mavericks and Server 3, I set LocalHostName, ComputerName and HostName:

   scutil --set HostName norad.dudel.local
   scutil --set ComputerName norad.dudel.local
   scutil --set LocalHostName norad

2. Set the date/time server in Preferences to 172.30.200.9 (daedalus.dudel.local)

3. With Server 3 I requested an APNS certificate

4. Checked DNS A and PTR with "changeip -checkhostname". changeip reports "success, there is nothing to change".

5. Activated/set up Open Directory with the standard self-signed certificate in Server 3

6. Activated Web Server in Server 3

7. Configured Profile Manager (http://krypted.com/iphone/setting-up-profile-manager-in-lion-server/)

8. Bound norad.dudel.local (172.30.200.1) to Active Directory:

   dsconfigad -add dudel.local -username administrator -password secret

9. Installed Workgroup Manager for Mavericks to set permissions for users from Active Directory (http://krypted.com/mac-security/integrating-mac-os-x-lion-servers-profile-manager-with-active-directory/). After adding AD user 'marcus' to group com.apple.access_devicemanagement, I can add settings to the user with Profile Manager on https://norad.dudel.local/profilemanager

For testing I set the magnifying effect for the Dock.

iMac:

1. After a clean install of Mavericks I set LocalHostName, ComputerName and HostName:

   scutil --set HostName norad.dudel.local
   scutil --set ComputerName norad.dudel.local
   scutil --set LocalHostName norad

2. Set the date/time server in Preferences to 172.30.200.9 (daedalus.dudel.local)

3. Bound to Open Directory norad.dudel.local

4. Bound norad.dudel.local (172.30.200.1) to Active Directory:

   dsconfigad -add dudel.local -username administrator -password secret

5. With the local user 'admin' I accessed https://norad.dudel.local/mydevices, installed the "Trust Profile for DUDEL" and then registered the device. In Profile Manager the device is there after clicking "Devices" in the left pane. The device is associated with user 'admin'. I changed that by clicking "Users/marcus" in Profile Manager and then adding the device with the plus sign in the right pane.

After logging in with user 'marcus' on the iMac, no setting is pushed to the user. The setting I made is still "pending". Logging off and logging in as user 'admin' makes it happen... the pending task is successful... But now the Dock setting is applied to user 'admin' and not to user 'marcus'.

This only happens to AD users. I tried an OD user. All settings are applied successfully to the specified OD user....

What am I doing wrong?

Kind regards,

Marcus

OS X Mavericks (10.9)

Posted on Dec 16, 2013 12:12 PM

6 replies

Dec 16, 2013 1:59 PM in response to ubojam

With that .local top-level domain usage, the DNS services here are misconfigured.


DNS is fundamental to network encryption, distributed authentication and digital certificates.


Do I know for certain if the faulty DNS here is causing this specific problem? No.


But I do know it causes all sorts of weird problems.


I'd fix DNS first, and by migrating Active Directory and the rest into a registered domain.
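As an added example (not code from the post or from Apple's tools), the Python below applies the forward/reverse consistency check that `changeip -checkhostname` performs to captured `dig +short` output, and flags a .local host name as MrHoffman's reply does. The dig outputs are constructed from the names and addresses in the post; norad.example.com is an assumed placeholder for a registered domain.

```python
import ipaddress

# Finding text for the TLD caveat; a constant so callers can match on it.
LOCAL_TLD_WARNING = ".local TLD is reserved for mDNS/Bonjour; unicast DNS lookups may be bypassed"


def parse_dig_short(text):
    """Turn `dig +short` output into a list of answers, dropping the trailing
    dot that dig prints on names so they compare equal to scutil's HostName."""
    return [line.strip().rstrip(".") for line in text.splitlines() if line.strip()]


def reverse_name(ip):
    """Name that a PTR lookup of `ip` queries, e.g. 1.200.30.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_host_dns(hostname, ip, forward_out, reverse_out):
    """Return a list of findings for one host (an empty list means consistent).

    hostname    - the value set with `scutil --set HostName`
    ip          - the address of the host's own interface
    forward_out - captured output of `dig +short A <hostname>`
    reverse_out - captured output of `dig +short -x <ip>`
    """
    findings = []
    forward = parse_dig_short(forward_out)
    reverse = [name.lower() for name in parse_dig_short(reverse_out)]
    if hostname.lower().endswith(".local"):
        findings.append(LOCAL_TLD_WARNING)
    if ip not in forward:
        findings.append(f"A record for {hostname} returns {forward or 'nothing'}, not {ip}")
    if hostname.lower() not in reverse:
        findings.append(f"PTR for {reverse_name(ip)} returns {reverse or 'nothing'}, not {hostname}")
    return findings


if __name__ == "__main__":
    # Constructed dig output (not real captures) built from the post's names and addresses:
    # 1) the server, consistent apart from the .local TLD;
    # 2) a host whose HostName is another machine's name, so A and PTR both disagree;
    # 3) the same server under an assumed registered domain, fully consistent.
    cases = [
        ("norad.dudel.local", "172.30.200.1", "172.30.200.1\n", "norad.dudel.local.\n"),
        ("norad.dudel.local", "172.30.220.19", "172.30.200.1\n", "a220019.dudel.local.\n"),
        ("norad.example.com", "172.30.200.1", "172.30.200.1\n", "norad.example.com.\n"),
    ]
    for host, addr, fwd, rev in cases:
        print(host, addr, check_host_dns(host, addr, fwd, rev) or ["ok"])
```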

Dec 17, 2013 1:01 AM in response to MrHoffman


Yes, DNS is fundamental for networks, even for Windows networks. The DNS is working well for the existing Windows network and there are no problems in distributing certificates etc.


There are more than 150 users and 180 devices on the network without DNS problems.


I don't know how to discover a DNS problem... Windows works well.


DNS resolves fine... dig does it for "a" records and "ptr" records. nslookup resolves, too.


When the problem is a faulty DNS, why does the usage of users/devices from OD work with Profile Manager?


Renaming and/or migrating the ActiveDirectory is not possible. First, I want to be sure that there is a faulty DNS.

The .local TLD is not optimal for Bonjour/mDNS, but I can't believe that there is no workaround.
