Can and how do I set up a golden triangle like this?

I work for a midsized church; we just decided to replace all of our old Windows XP machines with Macs. I am going to be integrating 12 machines in the next 3 weeks into the Windows domain we already have, since we still have 24 Windows 7 machines. We are running Windows 2008 R2 with the SBS snap-in. I need to integrate a Mac server so I can properly manage the Apple machines we will be putting on our network. I will need the OSX server’s Open Directory to get its info for user authentication and network user shares from the Active Directory in the Windows server. The Windows machine will function as a print server, file server and email/Exchange server for the next year or so till I phase out the rest of the Windows PCs. Right now I need the OSX server to manage the Apple machines and be able to push updates to the Mac computers so I don't have to individually update them every time the software needs to be updated. Does this make sense? Is this even possible? How can I go about doing it?

MacBook Air, OS X Mavericks (10.9)

Posted on Jan 6, 2014 5:54 PM


Jan 6, 2014 10:49 PM in response to jessatd75

First off - you bind Mac clients directly to Windows AD to get user authentication and network user shares. OS X server is not in the middle of those functions. It is not hierarchical.


Golden triangle is the practice of binding Mac clients simultaneously to BOTH a Mac OSX server and Windows AD. This is usually done to standardize various desktop settings/preferences on Macs. It is similar to the GPO mechanism on Windows. You may or may not want to do that for just 12-36 Macs. I would suggest holding off on it until late in your migration because setup of the OSX server is complex.


A Mac server can be very useful for building and deploying software "images" onto your client Macs. OSX server has a service called NetBoot that supports installation of images to client hardware over your LAN. There is also the Apple System Image Utility for making images. "Mac OS X Deployment" by Kevin White is a good reference on this topic.


Good luck with your migration!

Jan 7, 2014 4:46 PM in response to piperspace

The biggest thing management-wise that I was wanting the Mac server for was to hopefully be able to push updates to the machines. I do not want users to be able to install software on their own. To allow them to update their computers themselves I would have to make every user a network-wide admin, and that just isn't an option. I am part-time systems admin and also the productions manager (sound, lighting and video). I am also a full-time student. So going to all the machines periodically and running updates myself is also counterproductive and time prohibitive.

Jan 7, 2014 4:57 PM in response to jessatd75

Yeah - that's a problem.


We had a similar headache with Apple Update popping up while students were using Macs in school labs. Students are not permitted to run it - so it was an annoying distraction.


Our fix was to implement the Software Update Service on a Mac OSX server. We also implemented Golden Triangle so that we could set a preference pointing all our Mac clients at our local SUS. With local SUS you get to approve each update. We very rarely approve any so our students are no longer distracted (by Apple Update).

Jan 7, 2014 9:17 PM in response to piperspace

I know you said it's complicated, but can you describe how you went about doing this? It sounds like what you had set up is exactly what I'm looking for. Despite my lack of knowledge when it comes to setting up a golden triangle, I am actually pretty technologically astute. I am very familiar with Windows networks (I've taken 3 classes on Windows Server since I'm a CS major). I simply don't like Windows machines, nor does most of the current staff, especially taking Windows 8 into consideration, so we decided to go to Macs. So with some explanation it could save me an extended amount of time hunting and testing for all the right settings to make all this work the way I need it to.

Jan 8, 2014 9:36 AM in response to jessatd75

Setting up Apple Software Update Service (SUS) on Mac OS X Server is easy. Just use Server Manager and enable the service. It will download updates from Apple and store them locally.


Here is a reference that explains how to configure client Macs to use your local SUS.

http://support.apple.com/kb/ht4069


Note that you do not actually need Golden Triangle just to set this one preference. You can visit each Mac once to set it. Or you can use Apple Remote Desktop (ARD) to send the necessary commands to your Macs remotely. ARD is a good tool. Recommended.


The complicated thing about Golden Triangle is getting your Mac OS X Server to use the Windows Kerberos security service rather than its own Kerberos. That plus the fact that Mac OS X Server is apt to break if you change its IP address or if you re-organize your DNS. Oh and Golden Triangle requires that you run Apple's Open Directory service. OD has a tendency to corrupt itself - so be sure to back it up frequently. Finally, most references on this topic will mention WorkGroup Manager. That utility has been deprecated by Apple. The new utility is called Profile Manager. Below is the best published reference I know of on this topic. Sorry I cannot give you step by step instructions.


Apple Training Series: Mac OS X Directory Services v10.6: A Guide to Configuring Directory Services on Mac OS X and Mac OS X Server v10.6 Snow Leopard
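
As an added example (not part of the original thread): once clients have been pointed at a local SUS as the last reply describes, an administrator can audit each Mac to confirm it really uses the approved server. The sketch below assumes the `CatalogURL` key in `/Library/Preferences/com.apple.SoftwareUpdate`, as covered by the linked Apple article; the host `sus.example.org`, port `8088`, and the catalog file name are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit which Software Update catalog a Mac client points at.
# sus.example.org, port 8088 and index.sucatalog are constructed sample values.
PREF_DOMAIN=/Library/Preferences/com.apple.SoftwareUpdate

# read_catalog_url: print the CatalogURL preference, or nothing if it is unset
# (also prints nothing on systems without the OS X `defaults` tool).
read_catalog_url() {
    command -v defaults >/dev/null 2>&1 || return 0
    defaults read "$PREF_DOMAIN" CatalogURL 2>/dev/null || true
}

# classify_catalog_url EXPECTED_HOST URL
# Prints one verdict: apple-default, ok, wrong-host or malformed.
classify_catalog_url() {
    expected=$1
    url=$2
    # No preference set: the client fetches updates from Apple directly.
    if [ -z "$url" ]; then echo apple-default; return 0; fi
    case $url in
        http://*|https://*) ;;
        *) echo malformed; return 0 ;;
    esac
    rest=${url#*://}            # drop the scheme
    authority=${rest%%/*}       # host[:port]
    path=${rest#"$authority"}   # everything after the authority
    # A catalog URL carries no user@ part and names a .sucatalog file.
    case $authority in *@*) echo malformed; return 0 ;; esac
    case $path in
        /*.sucatalog) ;;
        *) echo malformed; return 0 ;;
    esac
    host=$(printf '%s' "${authority%%:*}" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$host" = "$want" ]; then echo ok; else echo wrong-host; fi
}

# Constructed sample values; on a real client use:
#   classify_catalog_url sus.example.org "$(read_catalog_url)"
for sample in "" \
    "http://sus.example.org:8088/index.sucatalog" \
    "http://sus.example.org.other.test:8088/index.sucatalog"; do
    printf '%-60s %s\n' "${sample:-<unset>}" "$(classify_catalog_url sus.example.org "$sample")"
done
```

A verdict of `apple-default` means the preference was never applied on that client, and `wrong-host` means it points somewhere other than the server you approve updates on.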
