Well, I’ve been swamped with work for the last 10 months and haven’t even come close to having a chance to sit down and write any well thought out blog entries. I was compelled though a couple weeks ago to write a new entry about the coolest new feature that I stumbled across in Apple’s still relatively new OS X 10.5.2 Server.
I have written posts in the past about the flaws in Apple’s Open Directory and my preference in Active Directory, but it finally looks like Apple may understand the importance of integrating their product with Active Directory. Integrating Active Directory into Open Directory is now so easy you could probably do it with your eyes closed (well, that may be a stretch, but you could probably do it in under 5 minutes).
I’ll leave out painfulness of describing all of the past challenges involved in 10.4 Active Directory integration, but in short, it was horrific most of the time. The last 10.4.11 server that I tried to join to Active Directory (just join, not even integrate) failed to login ever again. I’m sure that I could have troubleshooted the problem and fixed it, but it was easier for me to just transition the server to 10.5.
This time around, Apple has made a conscious effort to keep things simple. Granted, all of the same processes still happen in the background that happened manually before, but at least now they happen in a supported and automated fashion. Below is the new process for AD-OD integration assuming that you have a fresh install of 10.5 Server in advanced mode (or freshly demoted to OD Standalone) and a healthy DNS configuration:
- Make sure your server is an OD Standalone Server.
- Open the Directory Utility and join the Active Directory (use the FQDN of your AD domain)
- Open Server Admin and promote your server to an OD Master.
- … wait… there is no 4?!?!?
That’s right, only 3 steps. You will now notice that your server says under the OD overview that Kerberos is stopped and if you investigate further you will be able to see that you server is now properly joined to the AD Kerberos REALM and that all services have been “kerberized” via dsconfigad which was silently ran in