Dec 10, 2015 1:53 PM in response to BishBashB0sh by cdhw
Try the first link on the More Like This list below.
I try to stay away from the guts of AD but AFAIK you won't be able to transfer the passwords from AD to OD. The way I dealt with this was to set up a webpage hosted on the new server that authenticated users using AD and then allowed them to reset their OD password. The only trouble I had was from users with six-character passwords who found that devising one that had at least eight characters was a challenge.
C.
-
Dec 10, 2015 5:41 PM in response to BishBashB0sh by Strontium90
Level 5 (4,077 points), Servers Enterprise
I will chime in again (I am the original poster on the referenced link). Much like cdhw, I've been through this and it "can" be done. But I must challenge, "Why?"
Clearly I am a fan of OS X Server. I have strong beliefs in its abilities and know its strengths and weaknesses. If you are an all-Mac shop (except for existing Windows servers) I can understand the desire to move off AD and on to OD. It is cheaper (by a huge margin), generally easier to maintain, can scale using replicas and locales, and is not as prone to exploit. But if you have any Windows workstations on your network, you really better understand what you are getting into. Also, how are your ancillary services integrated? Mail? Web apps? The Apple side of the fence may have some areas that are inferior.
First, the cross-platform question. Hands down, there is nothing better than an OS X Server to manage an all-Apple-devices network. For $30 you can manage a fleet of Macs and iOS devices to great success. And if you outgrow the OS X Server there are the big boys like JAMF, which still require and can integrate into your OD. But the minute you start talking about Windows workstations, the utility of OS X Server falls apart. Without extensive 3rd-party hacking you cannot integrate or manage Windows workstations in an OD environment. And as much as I love OS X Server, I loathe OS X Server's mail implementation. So if you are thinking you are going to replace AD and Exchange with OS X Server, you are likely in for a long period of pain and suffering.
If you have already performed a service analysis and found OS X Server to be the best solution, I say go for it. If you have not, make a list of everything the Windows server is doing for you for all supported platforms. Then see if OS X Server can satisfy the needs of the fleet.
This is not to discourage you. I am all for more OS X Servers. But I don't want you painting yourself into a corner.
Reid
Apple Consultants Network
Author "El Capitan Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
Author "El Capitan Server – Control & Collaboration" :: Exclusively available in Apple's iBooks Store
Author of Yosemite Server and Mavericks Server books
-
Dec 17, 2015 2:42 PM in response to Strontium90 by Peter P. Felten
I appreciate what you are saying. I am a network admin and manage a 150-user Windows 2008 Active Directory network. I am just so frustrated with the never-ending strange AD bugs and general server security concerns. I am looking for a more secure and easy-to-manage system. Somewhat like BishBashB0sh, I would like to get rid of my 2 Windows Domain controllers and go to one Mac OS X server device if it's possible. We don't have a mail server in house anymore (we switched to Exchange online or Office 365 mail), but we do have a Microsoft SQL server onsite. I really don't care about most Active Directory features and benefits. I could care less if the server is doing anything but authenticating a log on to the network. So is it possible for me to dump the Windows domain controllers and migrate all my Windows users to an "OS X network"? Or am I just digging a grave for myself with such an idea?
-
Dec 18, 2015 9:08 AM in response to Peter P. Felten by Strontium90
Level 5 (4,077 points), Servers Enterprise
Sadly, you are digging a grave. Here is the general landscape:
Mac Domain Controller(s): OS X Server + Open Directory = OS X and iOS fully supported, all working in harmony including management via Profile Manager, single sign-on with Kerberos support. Windows workstations cannot participate in OD, not since 10.6.8 Server (and that was NT-style domains), and there is no way to do group policy outside of AD (more later).
Windows domain controller(s): Windows Server + Active Directory = OS X and Windows workstations, all mostly working in harmony - Macs can only get user/group/authentication and password policy. No Mac management unless you add a third-party MDM. Windows workstations receive policy via standard group policy. This is generally not a big deal as OS X can be managed through user template, ARD, or an MDM, and in most cases with AD (users are standard accounts) that management is really not needed beyond initial settings and global settings baked into the image.
As much as I want to be the promoter of OS X Server, it really falls flat once you want to integrate Windows devices. But that is not Apple's goal. Apple's goal is to make a server for all Mac shops. In that role, it can excel.
Ok, all that being said, there is a way. But it is a bit daunting for most. You can roll your own SAMBA installation and create an AD style DC. This will let you attach both Mac and Windows devices. This is a lot of work and you need a good skill set to pull this off. As much as Windows Server remains a brute, it is still easier to deploy and manage one because there is plenty of help available.
Also, if in the statement:
"I could care less if the server is doing anything but authenticating a log on to the network."
you mean that you want to embrace an environment without bound devices, then yes, OS X Server may be able to satisfy your needs. In this case, you create local accounts on the Windows workstations and then require a domain login for file sharing. Ah, but once again, you have no management of the Windows devices. This is more in line with a BYOD approach. You decide to thinly manage the workstations, effectively letting the user be the admin, and you focus on the core of the environment. OD will be the central repository of users/groups/passwords/password policy and all devices (or just the Windows devices) will be nodes that authenticate to services on demand.
Hope that helps.
Reid
Apple Consultants Network
"El Capitan Server – Foundation Services"
"El Capitan Server – Control & Collaboration"
"El Capitan Server – Advanced Services"
:: Exclusively available in Apple's iBooks Store
-
Dec 24, 2015 10:22 AM in response to Strontium90 by Peter P. Felten
Hi Reid,
Thanks for the detailed information and run-down. I really appreciate it. What I want to do is exactly what you said... "You mean that you want to embrace an environment without bound devices". All I really want is a simple network that has authentication, nothing else. I want to make sure users can access resources on network shares and that's pretty much it for the most part. The one thing I have no idea of how to do is how to migrate the users from my Windows server to the Mac OS X server. I don't want to recreate profiles on each local machine. Is there a way to do this? Thanks in advance.
-
Dec 28, 2015 3:38 PM in response to Strontium90 by FromOZ
"Upgrading Existing Server(s)"
"There is no action in IT filled with more terror than upgrading a stable and predictable production server."
Ha. Sprayed my coffee all over the screen laughing, enjoying your book.
-
Dec 30, 2015 7:37 AM in response to FromOZ by Peter P. Felten
"There is no action in IT filled with more terror than upgrading a stable and predictable production server."... Yeah, truth for sure!
-
May 26, 2016 1:23 PM in response to BishBashB0sh by Kirk Rheinlander
Univention Corporate Server is an Active Directory replacement product. The base system is free, even for commercial use. It includes an Active Directory takeover app that migrates everything out of a working AD environment into UCS. Shut down AD, and the users continue operating as if nothing has changed. There are sticky points on naming to get it kicked off, but the transition is smooth.
Another (paid) option is JumpCloud, the first DaaS (Directory as a Service) offering that is a complete replacement for AD, free for the first 10 users, and $6.87/user/month for the next 10, and each one thereafter. AFAIK, JumpCloud does NOT offer a migration tool, so that product remains elusive.
Move DNS and DHCP into your perimeter router where the firewall resides, move to one of the latest excellent NAS offerings and their awesome storage management software (FreeNAS, Synology, QNAP - QNAP probably the best for the Mac environment), and you have left MS Server on the obsolete shelf.