Windows AD and Mac OD Test

Posted on June 10, 2008 at 6:00 am by Jason Lee

Our order of new Mac hardware arrived last week, so that meant we had enough gear to bring to life a small sandbox to test the roll out of what Mac calls the Magic Triangle. This magical setup includes Windows’ Active Directory, Mac’s Open Directory and our Mac client machines.

We started our OSX and Windows domain integration project in a test environment, with the expectation that we would mess something up and want to start over. Since we are learning to be OD admins (and yes, the concept is the same, but the presentation and logic are very different from working with AD), we elected to do our first run in an environment that we can completely bomb without causing harm to the core network.

The test network consisted of:

- A Sonicwall SOHO router

- Dell 755 workstation running VMware Server (functioning as our PDC)

- A Power PC Mac Mini as our Open Directory server

- An Intel Mac Mini as our client machine

Jeremie performed a P2V (physical-to-virtual) conversion of our domain controller using VMware’s Converter and copied this to a new Dell 755 that had not yet been deployed. Since our PDC (or in w2k3 terms, DC1) is also our DHCP server and DNS server, we quickly had a total replication of our production domain online in just under an hour and a half.

For the Mac side of this sandbox we have a PPC Mac Mini and two Intel Mac Minis. The PPC will eventually become our production OD server and the Intel minis will go into production as client machines.

We used a hybrid of two guides to perform the installation:

http://www.bombich.com/mactips/activedir.html (Courtesy of Hezekiah Barns)
http://www.afp548.com/filemgmt/visit.php?lid=69 (Courtesy of Chris Green)

Both documents required some customization since they assume you are working in a new environment, but this was easy to understand. The process in the documentation is fairly straightforward.

Both documents recommend creating a binder account for AD; we elected not to delegate this from an Administrator login and it worked fine. From everything we can gather, the account used to bind to AD is used only for the binding itself and isn’t used again afterwards. If this isn’t the case, please correct me.

One thing we learned in the binding process: bind to AD first, then to OD. This lists the directories in the appropriate order in the Directory Services search policy. You can bind to OD first, but you will just have to change the order later.
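A quick way to confirm the resulting order on a client is to read the search policy and check that the Active Directory node is listed before the Open Directory (LDAPv3) node. The script below is an added example, not part of the original post; it assumes the line-per-node output format of `dscl /Search -read / CSPSearchPath`, and the hostnames in the constructed samples are placeholders.

```shell
#!/bin/sh
# Added example: verify that the Active Directory node precedes the
# Open Directory (LDAPv3) node in the Directory Services search policy.
# Assumed output format of `dscl /Search -read / CSPSearchPath`:
#   CSPSearchPath:
#    /Local/Default
#    /Active Directory/...
#    /LDAPv3/...

# Reads search-path lines on stdin. Exit 0 when the first AD node comes
# before the first LDAPv3 node, 1 when the order is reversed, 2 when one
# of the two nodes is missing (client is not bound to both directories).
check_search_order() {
    awk '
        /^ *\/Active Directory\// && !ad { ad = NR }
        /^ *\/LDAPv3\//           && !od { od = NR }
        END {
            if (!ad || !od) { print "missing AD or OD node"; exit 2 }
            if (ad < od)    { print "ok: AD listed before OD"; exit 0 }
            print "AD listed after OD: reorder the search policy"; exit 1
        }'
}

# Constructed sample outputs (placeholder hostnames), one in the
# recommended order and one bound to OD first.
GOOD='CSPSearchPath:
 /Local/Default
 /Active Directory/All Domains
 /LDAPv3/odserver.example.org'

BAD='CSPSearchPath:
 /Local/Default
 /LDAPv3/odserver.example.org
 /Active Directory/All Domains'

# On a real client, pipe the live output instead:
#   dscl /Search -read / CSPSearchPath | check_search_order
printf '%s\n' "$GOOD" | check_search_order || :
printf '%s\n' "$BAD"  | check_search_order || :
```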

After installing OSX Server we had issues accessing the server via the Server Admin console, since it was not appearing in our Windows DNS. This can be resolved by going to Preferences>Sharing>Edit>, checking the Global DNS box and entering the domain.org as the host. In our case no user credentials were required. Correction 6/10/2008: In our case credentials were required to authenticate to the DNS server. We used an account we have configured for continued upkeep of the network.
