Win Server 2012 R2 in .local vs OSX server 10.11.5

Hello Again,


At the school I work with, we have a Windows Server 2012 R2 in its early stage of implementation, testing only a dozen accounts, with only the first 20 Win 7 computers linked to it so far.


It's summer, no one in the school but me.


There are 100 more school win 7 desktops and laptops to join to the Windows server this summer.


The server has been set up with a .local TLD (like "example.local") and resides on the 192.168.0.0/24 subnet. It does DNS but *not* DHCP, but that can be changed.


It will be used as an account, printer and file server mainly.


We have another subnet, 192.168.4.0/24, for the computer lab, and I think we might create a few more soon enough for cameras, although we are all in the same building, all behind the same firewall/content filter.


We do not intend to serve anything outside the school/community as we are way up north under limited satellite telecom for now. Forget wired Internet for another decade or so.


Now, I'd like to put an OS X 10.11.5 server tied to the Windows server.


1) Is it worth restarting the Windows server install from scratch with a TLD other than .local, because it might conflict with Bonjour, certificates (self-signed or not), etc.?


2) If so, what other naming strategy do you suggest?


FB

Mac mini, OS X Server, Yosemite Server, ACTC

Posted on Jul 1, 2016 5:56 AM

6 replies

Jul 1, 2016 11:05 AM in response to estrois.me.com

Hi again FB.


The first step that I would recommend is obviously the plan. By that I mean to plan iteratively as if your school will be on the Internet. As it will be behind a firewall, NAT etc., set it up as if somewhere in the not too distant future you will be making the decision, or the decision will be made for the school, to have Internet exposure. Thus, in the plan, have that feature, a 'Fully Qualified Domain Name', already there for your server. In that sense, I would build the whole network around that, and start to implement and deploy.


Keeping your plan up to date means that as changes occur that will or could have an implication, you document them in your plan and play out the scenarios, at least on your planning pad in whatever form that may be, electronic or pen and paper. I use an iPad and an app called Paper 53 which allows me to do just about anything. I make prints and keep them on file.


Have your network setup in such a way that you can have expansion, thus it must be dynamic with ample room for growth in capacity. But I presume that you have done that already.


As full access and bandwidth might be a problem, use the caching service from the very beginning to lessen the burden.


Of course, there's more to it. There are excellent resources available on the Web and on the iBookstore. The three books by Reid Bondonis on Server are very good.


But yes, as it turns out I would start the Windows Server from scratch.


HTH


Leo

Jul 1, 2016 11:05 AM in response to estrois.me.com

Work from a registered FQDN and make your AD domain a sub-domain of that. If example.edu is your registered domain, your AD would be something like ad.example.edu. This is recommended by Microsoft as well as many other top resources you'd find from searching the web. Ideally you will want an additional Domain Controller to provide backup too. Definitely do DNS on the domain controller(s) and, if you have two, then point the primary DNS for each controller to the other controller, with 127.0.0.1 as the secondary DNS on each controller. Set up the DHCP for HA as well using 2012 R2. It's a very robust solution now and the HA feature is simple and doesn't require complexities like clustering.


Long story short I'd nuke what you have done so far. Develop a plan and build it out accordingly. Consider your OUs and mimic the structure of your group policy and security policy more so than the physical structure of the building or the org chart. Some will overlap but not all and a plan will help you see that up front and guide you to a flexible configuration.
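Taking the two recommendations above together, here is an added PowerShell example (not from this thread or from any of its posters): one function checks a proposed AD domain name against that advice (rejecting .local, which RFC 6762 reserves for multicast DNS, and requiring the name to sit under the registered domain; it also flags single-label names, which goes beyond what the post says), and a second lays out the DNS client addresses for each domain controller so that each points at the other DC first and 127.0.0.1 second. It uses example.ca from this thread as the registered domain; the DC names and addresses are constructed placeholders. Set-DnsClientServerAddress is the real cmdlet for applying the result, but the script only prints the commands rather than running them.

```powershell
# Added example, not from the thread. Registered domain example.ca comes from the
# thread; DC names/addresses below are constructed placeholders.

function Test-AdDomainName {
    param(
        [Parameter(Mandatory)] [string] $ProposedDomain,
        [Parameter(Mandatory)] [string] $RegisteredDomain
    )
    $issues   = @()
    $proposed = $ProposedDomain.ToLower().TrimEnd('.')
    $labels   = $proposed.Split('.')

    # RFC 6762 reserves .local for multicast DNS (Bonjour); AD must not use it.
    if ($labels[-1] -eq 'local') {
        $issues += "'$ProposedDomain' ends in .local, which is reserved for mDNS (RFC 6762)"
    }
    # Single-label names (e.g. 'SCHOOL') are discouraged for AD (generalization, not from the post).
    if ($labels.Count -lt 2) {
        $issues += "'$ProposedDomain' is a single-label name"
    }
    # The post's rule: the AD domain should be a sub-domain of the registered domain.
    $suffix = '.' + $RegisteredDomain.ToLower().TrimEnd('.')
    if (-not $proposed.EndsWith($suffix)) {
        $issues += "'$ProposedDomain' is not a sub-domain of registered '$RegisteredDomain'"
    }

    [pscustomobject]@{
        Domain = $ProposedDomain
        Ok     = ($issues.Count -eq 0)
        Issues = $issues
    }
}

function Get-DcDnsClientPlan {
    # For each DC: primary DNS = the other DC(s), secondary = 127.0.0.1.
    # With a single DC the list degrades to 127.0.0.1 alone.
    param([Parameter(Mandatory)] [hashtable] $DomainControllers)   # name -> IPv4 address

    $names = @($DomainControllers.Keys | Sort-Object)
    foreach ($dc in $names) {
        $others  = @($names | Where-Object { $_ -ne $dc } | ForEach-Object { $DomainControllers[$_] })
        $servers = @($others + '127.0.0.1')
        [pscustomobject]@{
            Server     = $dc
            DnsServers = $servers
            # Real cmdlet (DnsClient module, Server 2012+); emitted as text, not executed here.
            Command    = "Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $($servers -join ',')"
        }
    }
}

# Constructed inputs: the current .local name versus the recommended sub-domain.
Test-AdDomainName -ProposedDomain 'example.local' -RegisteredDomain 'example.ca' | Format-List
Test-AdDomainName -ProposedDomain 'ad.example.ca' -RegisteredDomain 'example.ca' | Format-List

# Two constructed placeholder DCs on the thread's 192.168.0.0/24 subnet.
$dcs = @{ 'DC01' = '192.168.0.10'; 'DC02' = '192.168.0.11' }
Get-DcDnsClientPlan -DomainControllers $dcs | Format-Table -AutoSize
```

Run it on the planning machine before promoting any controller; the first check should report `Ok = False` for the .local name and `Ok = True` for ad.example.ca, and the plan shows DC01 pointing at 192.168.0.11 then 127.0.0.1, and DC02 the reverse.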

Jul 1, 2016 10:57 AM in response to Morphire

Hello Morph, thanks a million.


Many, many Canadian thanks to you all for helping here. (It's Canada Day today, July 1st.)


Thanks to @Leo too. I have already purchased and read Mr. Bondonis's (and others') ebooks since OS X Server 10.7 and web-searched quite extensively. I'm just new to Win servers.


@Morphire, that was pretty much what I read in Best Practices. We have an example.ca (we're Canadian) domain name parked. Readings stated to name the intranet Windows server, for example, ad.example.ca. Good to hear the same from you.


The .local was not my idea. I was opposed to it, tried to have the discussion going with my upstream IT but things got done in a hurry.


I have the right to change it. It's the first time a Windows server is in my hands; I know Apple servers, but Windows Server is a giant beast.


I got all my 20 computers and 15 users on folder redirection with roaming profiles; no offline users or computers are done yet, and no local accounts besides the Admin type.


In the short term, we do not wish to expose much to the Internet, although we do have an Internet static IP on the firewall/content filtering device. As a matter of fact, we have a total of 4 public IPs for the school, 3 unused for now. The only thing is, we are on a relatively slow satellite link (many northern remote communities pooled downstream, and our school and community pooled on our only channel's 2 Mbps upstream). Better than dial-up though.


My upstream IT will mostly support me for AD, File and Print services on the Windows side. Now, I want collaborative features for our staff (email, calendar and messaging, some wikis and blogs, as we have 15 iPads and the vast majority of people have Apple personal devices), but I won't get an Exchange server nor Azure services. I heard Windows 7 clients are not DAV friendly (CalDAV, WebDAV etc.), and that is over 100 Win 7 desktops and laptops.


I was happy to see web calendaring becoming compliant with Explorer and with Firefox and Chrome on Windows, but I still have the Outlook (or web equivalent) issue.


=


3) Would the 'IntrAnet' user login identities be user@example.ca OR user@ad.example.ca? I'd vote for the first one.


4) I'd nuke the server, but do I have to completely reimage the 20 clients done so far, or can I just unbind them from this domain, rebind them to the new one and put the user files back in their new user folders manually?


5) Can IntrAnet Win 7 workstations and users be happy having Win Server 2012 R2 doing AD, File and Print server, while Mail, Calendar and Messaging are handled by OS X 10.11.5? If so, with what, please? Or alternatives?


6) Does anyone have a resource for a setup like ours?


FB

Jul 4, 2016 3:11 AM in response to estrois.me.com

Do not use .local as your Active Directory domain. The .local domain is actually reserved for use by Bonjour, i.e. multicast DNS. If you do use .local for Active Directory you will have no end of problems. This will mean starting again, but from your description you have barely started anyway, so please fix this problem before proceeding further.


I believe even Microsoft have realised this error, as I believe Windows Server 2016 finally no longer auto-suggests the .local domain.


Using an officially registered domain is a common and better approach, and perhaps using .private is another option. You obviously need to make absolutely sure you don't pick a domain that is genuinely used by someone else.

Jul 5, 2016 9:47 PM in response to John Lockwood

**** John,


Thanks for confirming questions 1 and 2 about wiping the .local. Using our "example.ca" is high on the To Do list.


We are still left with questions 3 to 6 if we use example.ca, with Server 2012 R2 as ad.example.ca.


If you can help here too, I'd appreciate it. (Questions slightly modified.)


==


3) Would the 'IntrAnet' user login identities be user@example.ca OR user@ad.example.ca?


4) Do I have to completely reimage the 20 clients done so far, or can I just unbind them from this domain and rebind them to the new one, create users and put the user files in their new user folders manually?


5) Can IntrAnet Win 7 workstations and users be happy having Win Server 2012 R2 doing AD, File and Print server, while Mail, Calendar and Messaging are handled by OS X 10.11.5? If so, with what, please? Or alternatives?


6) Does anyone have a resource for a setup like ours?

Jul 6, 2016 2:52 AM in response to estrois.me.com

I am not an Active Directory expert, but I believe the answer to 3 would be user@example.ca. However, while it is possible to use an email address as a login name, it is probably a lot more common to just use the user name. I did find the following Microsoft support article which, even though it was for Windows Server 2003, I believe will still apply: https://support.microsoft.com/en-gb/kb/929272
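The split between the DNS domain name and the login identity comes down to the UPN suffix: an AD forest can register example.ca as an additional UPN suffix so that logins read user@example.ca while the domain itself stays ad.example.ca (the short form AD\username keeps working alongside). The following PowerShell is an added example, not from this thread or from the Microsoft article linked above; it assumes the ActiveDirectory module (RSAT) is installed, uses the ad.example.ca / example.ca names from the thread, and the OU path is a constructed placeholder. The second function supports -WhatIf so it can be dry-run first.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
# Domain ad.example.ca and suffix example.ca come from the thread; the OU is a placeholder.
Import-Module ActiveDirectory

function Add-AlternateUpnSuffix {
    # Registers an extra UPN suffix at forest level; the domain's DNS name is unchanged.
    param([Parameter(Mandatory)] [string] $Suffix)

    $forest = Get-ADForest
    if ($forest.UPNSuffixes -contains $Suffix) {
        Write-Verbose "UPN suffix '$Suffix' is already registered in forest $($forest.Name)"
        return
    }
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix }
}

function Set-UserUpnSuffix {
    # Rewrites each user's UPN to <sAMAccountName>@<Suffix>; reports what would change under -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Suffix,
        [string] $SearchBase                      # optional OU to limit the change
    )

    $query = @{ Filter = '*'; Properties = 'UserPrincipalName' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @query) {
        $wanted = "$($user.SamAccountName)@$Suffix"
        if ($user.UserPrincipalName -eq $wanted) { continue }   # already correct, skip
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "set UPN to $wanted")) {
            Set-ADUser -Identity $user -UserPrincipalName $wanted
        }
    }
}

function Get-UpnSuffixReport {
    # Lists users whose UPN does not use the expected suffix (a check to run after the change).
    param([Parameter(Mandatory)] [string] $Suffix)
    Get-ADUser -Filter '*' -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName -notlike "*@$Suffix" } |
        Select-Object SamAccountName, UserPrincipalName
}

Add-AlternateUpnSuffix -Suffix 'example.ca'
# Dry run first against a constructed placeholder OU, then drop -WhatIf to apply.
Set-UserUpnSuffix -Suffix 'example.ca' -SearchBase 'OU=Staff,DC=ad,DC=example,DC=ca' -WhatIf
Get-UpnSuffixReport -Suffix 'example.ca' | Format-Table -AutoSize
```

Adding the suffix is a one-time forest change; the per-user rewrite is what actually makes user@example.ca a valid logon name, and the report at the end shows any accounts still carrying the old @ad.example.ca form.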


Yes unbinding, recreating the Active Directory domain and then rebinding should be fine.


A Windows 2012 server will do SMB file sharing which Macs can access, although by themselves they will not be able to use Spotlight searching on such a Windows server. Currently the only way to get Spotlight support on a Windows server would be to buy and install Acronis Access Connect. If you are going to use a Windows server for Calendar, Mail and Contacts, this would be in the form of a Microsoft Exchange Server, which Macs, Windows and iOS devices can all access. If you use an Apple Mac running Server.app for Mail, Calendar and Contacts, then this would be in the form of IMAP, CalDAV and CardDAV. Macs and iOS can access all three of those, but Outlook for Windows as standard can only access IMAP and not CalDAV and CardDAV. You could use Mozilla Thunderbird with a plugin on Windows, and I believe there may be a plugin for Outlook for Windows as well. However, a better choice if you want to use a Mac as a server would be to buy and use Kerio Connect.


Ironic as it may seem, an MS Exchange server actually is the best solution in terms of supporting Macs and Windows, although obviously it will cost a vast amount more and is a lot more work to set up.
