Mac OS X Server 10.5 Open Directory Integration with Active Directory

Well, I’ve been swamped with work for the last 10 months and haven’t come close to having a chance to sit down and write any well-thought-out blog entries. A couple of weeks ago, though, I was compelled to write a new entry about the coolest new feature that I stumbled across in Apple’s still relatively new OS X 10.5.2 Server.

I have written posts in the past about the flaws in Apple’s Open Directory and my preference for Active Directory, but it finally looks like Apple may understand the importance of integrating their product with Active Directory. Integrating Active Directory into Open Directory is now so easy you could probably do it with your eyes closed (well, that may be a stretch, but you could probably do it in under 5 minutes).

I’ll leave out the painful description of all the past challenges involved in 10.4 Active Directory integration, but in short, it was horrific most of the time. The last 10.4.11 server that I tried to join to Active Directory (just join, not even integrate) could never be logged into again. I’m sure that I could have troubleshot the problem and fixed it, but it was easier for me to just transition the server to 10.5.

This time around, Apple has made a conscious effort to keep things simple. Granted, all of the same processes that used to be done manually still happen in the background, but at least now they happen in a supported and automated fashion. Below is the new process for AD-OD integration, assuming that you have a fresh install of 10.5 Server in advanced mode (or one freshly demoted to OD Standalone) and a healthy DNS configuration:

  1. Make sure your server is an OD Standalone Server.
  2. Open the Directory Utility and join the Active Directory (use the FQDN of your AD domain).
  3. Open Server Admin and promote your server to an OD Master.
  4. … wait… there is no 4?!?!?

That’s right, only 3 steps. You will now notice that your server says under the OD overview that Kerberos is stopped, and if you investigate further you will see that your server is now properly joined to the AD Kerberos REALM and that all services have been “kerberized” via dsconfigad, which was silently run in
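As an added example (not from the original post), here is a small sh helper for the three steps above: it refuses a non-FQDN domain before step 2, and after step 3 confirms the bind and the Kerberos realm that dsconfigad set up. It assumes Mac OS X Server 10.5 with `dsconfigad -show` and the Kerberos config at /Library/Preferences/edu.mit.Kerberos; the sample transcripts are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added helper for the 3-step AD/OD integration; not part of the original
# post. Assumes Mac OS X Server 10.5 with dsconfigad and the Kerberos config
# at /Library/Preferences/edu.mit.Kerberos. The checks take command output
# as arguments so they can also run against saved transcripts.

# Step 2 wants the FQDN of the AD domain: reject anything without a dot.
check_ad_domain() {
  case "$1" in
    *.*) return 0 ;;
    *)   echo "refuse: '$1' is not a fully qualified domain name" >&2; return 1 ;;
  esac
}

# Post-join check: does `dsconfigad -show` report a bind to the expected domain?
ad_bound_to() {
  show_output=$1; expect=$2
  printf '%s\n' "$show_output" | grep -q '^You are bound to Active Directory' || return 1
  printf '%s\n' "$show_output" \
    | awk -F'=' '/Active Directory Domain/ { gsub(/[ \t]/, "", $2); print $2 }' \
    | grep -qixF "$expect"
}

# Post-promote check: the default Kerberos realm should be the AD realm
# (the domain in upper case), which is what dsconfigad configures (assumption).
kerberos_realm_is() {
  krb_conf=$1; domain=$2
  realm=$(printf '%s\n' "$krb_conf" \
    | awk -F'=' '/^[ \t]*default_realm/ { gsub(/[ \t]/, "", $2); print $2 }')
  [ "$realm" = "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')" ]
}

# Constructed sample transcripts (format modelled on 10.5, not captured live).
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = odmaster$'
SAMPLE_KRB='[libdefaults]
        default_realm = CORP.EXAMPLE.COM'

# Live use on the server itself (hypothetical domain corp.example.com):
#   check_ad_domain corp.example.com
#   ad_bound_to "$(dsconfigad -show)" corp.example.com
#   kerberos_realm_is "$(cat /Library/Preferences/edu.mit.Kerberos)" corp.example.com
```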


10 thoughts on “Mac OS X Server 10.5 Open Directory Integration with Active Directory”

  1. Brand new X-Serve running 10.5.2 Server. Active Directory running on Windows Server 2003. Not a problem getting OS-X Server to see the Active Directory. However, when you set up share points and give users Full Control I came across a small problem. When logged in using Windows XP Professional as a user with full control you can create folders within the Network Share but you cannot modify them. Also, when logged on using OS-X 10.5.2 the Share was available, but surely once you have joined the AD it shouldn’t keep asking for your password. After spending an hour on the phone to Apple Technical Support in the United States it became clear that the issue would not be resolved until OS-X Server 10.5.3 is released. To try and get a server up and running we set up a PowerMac G5 with 10.4.11 Server which, unlike 10.5, has a small button ‘Join Kerberos’ which saves a few clicks. Unfortunately, although the server ran as it should, it kept freezing after 15 minutes or so as the 4Gig 4Port PCIE Fibre Card from the Intel X-Serve wouldn’t work in the Quad G5, although it has PCIE slots and seems to work up to the point it asks the Mac if it’s Intel or not.

  2. I just wanted to add that Apple’s Active Directory and Open Directory support is still very buggy. 10.5.3 is now available and has fixed many of the bugs that affect 10.5.2, but it is still not perfect. If I get the time soon, I’ll write another post that talks about the 10.5.3 AD/OD limitations. Word of advice though, don’t even play with AD/OD integration in a production environment unless you just have a couple of users that need it who can afford some downtime.

  3. Just another update… I have decided as of 10.5.4 that Apple’s AD plugin is in no way ready for production use. I have been having problems joining servers to my Windows Server 2008 AD while others have no problems and I’m also having issues with workstations and laptops not caching passwords. The problem with laptops not caching passwords is that when they come out of a sleep state or if you have to log on without a direct connection to the server, you’re out of luck.

  4. I have my new Mac server and I am trying to join it to the AD and get Kerberos up and running, and it is giving me hiccups because:

    A) it needs reverse lookup (which I could solve by firing up my own DNS server for just that purpose, but I won’t) and
    B) apparently Kerberos won’t work in a .local domain. Is there a reason we aren’t ***.****.com or something?

  5. Aaron, we’ve got a client who is requesting this functionality, but having done some searching around and found this post, I’m unsure as to what the current state of play is. Are there any updates on your post from last year?

    Many thanks,


  6. @Mike, It works but just know that it is still buggy. You’re going to run into problems, but as long as you go forward knowing that, you should come out of the whole project with a working configuration. Just keep going at it until you get it right.

  7. Is there a way to do this the other way around? Can you join Windows Server to OD instead? It seems logical that you should be able to do this.

  8. Just a bump, I’m in need of doing this in reverse. I need to bind Windows Server 2008 to an already existing OS X Open Directory system to properly authenticate our wireless arrays via RADIUS in the AD.

    Anyone still listening?

  9. Any new info you can add to this blog entry after several years?

    I played around with Snow Leopard and had lots of issues with laptops not caching passwords, so we are looking at the Open Directory route to see if that integrates better with our AD 2008 server system.
