
Clarification on Golden/Magic Triangle

Is there a difference between a "Golden Triangle" and a "Magic Triangle"?


If so, what is it?


My understanding is they are both the same, but some places on the interwebz seem to state they are different things.

Additionally, there seem to be no real articles on setting this up, or any recognition by Apple that these are an accepted configuration.


My understanding is simply that the triangle means you bind your clients to both OD and AD, and your OD server is also bound to AD.


This configuration seems to be used to authenticate with AD users, but get WGM/MCX policies delivered from OD.

With the advent of Profile Manager, I'm not sure I see the advantage of binding clients to OD as well.


Can someone explain what the modern/current generation benefits are to be had still setting up a "triangle" configuration?


Please feel free to direct me to other resources, there is so much "noise" when trying to search for real answers.


thank you.

Posted on Jul 11, 2014 2:28 PM

Question marked as Best reply

Posted on Jul 11, 2014 4:12 PM

No difference. Same thing.


Right. There is minimal explicit guidance from Apple. You may notice Apple is not an enterprise focussed vendor.


In fairness there is this reference:

http://training.apple.com/pdf/wp_integrating_active_directory_mav.pdf


We are still using WorkGroup Manager with Mavericks Server. It works as well as it ever did. Kind of flaky. Backup often. Teach yourself how to restore the LDAP database when it gets corrupted.


As far as I can tell - in terms of managing Macs - Profile Manager is just a replacement for WorkGroup Manager. At some point we may look at it for managing iPads. But for future student desktops ChromeBoxes are looking pretty nice.


Jul 12, 2014 4:31 AM in response to piperspace

Thanks Piper, much appreciated.


That document mentions nothing about binding to OD as well - which I assume it wouldn't since it is really talking about integrating Macs and not integrating "OS X Server."


To use WGM with Macs and OD, are you required to extend your AD schema for the MCX extensions, or does the binding of your clients to OD accomplish this?


Can I ask you what version of clients and OD you are using and if you followed any main previous documentation to get you most of the way?

Jul 12, 2014 7:26 AM in response to BJH75

It talks about policy management options starting on page 9. One option it mentions is to use OSX Server Profile Manager. Enrolling a Mac client with Profile Manager has the same effect as binding it and using Workgroup Manager. Managed preference settings flow to the client. A previous version of the same document mentioned Workgroup Manager and binding (which still works).


No AD schema changes. That's the primary advantage of golden (aka magic) triangle. Authentication comes from AD. Managed preferences come from OSX Server. The latter can be offline occasionally and users can still get things done.


Our OSX Server is at 10.9.3. Mac Clients are at 10.7.x going to Mavericks soon we hope.


It's been a while since we set this up, but as I recall I relied mostly on a tutorial found on the AFP458 site. Here is a link to a more recent tutorial with Profile Manager: http://krypted.com/tag/mountain-lion-server/page/2/


It's very important to get your OSX Server set up with DNS clean with static IP before configuring OD. Do not assume, like I did, that you can use a temporary computer name for the server and then change it after you activate OD. OD is easily confused. Also, it's important to bind OSX Server to AD before configuring OD. This should convince OSX Server to turn its own Kerberos service off and rely on AD.
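
The "DNS clean" precondition in the reply above can be checked before Open Directory is configured. The following is an added example, not part of the thread or any poster's setup: a preflight check that the server's permanent name resolves forward and that each address resolves back to the same name. The function name `check_server_dns` and its injectable `forward`/`reverse` lookups are assumptions made for this sketch.

```python
import socket
import sys


def _forward(name):
    """IPv4 addresses the system resolver returns for a host name."""
    return socket.gethostbyname_ex(name)[2]


def _reverse(ip):
    """Primary PTR name the system resolver returns for an address."""
    return socket.gethostbyaddr(ip)[0]


def check_server_dns(fqdn, forward=_forward, reverse=_reverse):
    """Return a list of problems; an empty list means forward and reverse agree."""
    want = fqdn.rstrip(".").lower()
    if "." not in want:
        return [f"{fqdn}: not a fully qualified name"]
    try:
        addresses = forward(want)
    except OSError as exc:  # socket.gaierror and socket.herror are OSError subclasses
        return [f"{want}: no forward (A) record: {exc}"]
    if not addresses:
        return [f"{want}: forward lookup returned no addresses"]
    problems = []
    for ip in addresses:
        try:
            got = reverse(ip).rstrip(".").lower()
        except OSError as exc:
            problems.append(f"{ip}: no reverse (PTR) record: {exc}")
            continue
        if got != want:
            # Typical result of building the server under a temporary name.
            problems.append(f"{ip}: PTR is {got}, expected {want}")
    return problems


if __name__ == "__main__":
    # Pass the server's permanent name; defaults to what this host reports.
    name = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    issues = check_server_dns(name)
    for issue in issues:
        print("FAIL", issue)
    sys.exit(1 if issues else 0)
```

Run it on the server with its permanent fully qualified name as the only argument; a non-zero exit status means the DNS records should be fixed before going further.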
