The AD-OD Sandbox: A Quickstart Guide For Setting Up Active Directory and Open Directory in Your Test Environment
A quickstart guide for setting up Active Directory and Open Directory in your test environment
Mac OS X 10.5 Leopard Edition
1.4
Page 1
Contents
The Sandbox .......................................... 3
Installation of Windows Server 2003 .................. 4
Setting up Active Directory .......................... 5
Check DNS using nslookup ............................. 9
File sharing on Windows Server 2003 ................. 10
User creation in Active Directory ................... 14
Testing file services connections ................... 15
Specifying an account for the binding process ....... 16
Binding Mac OS X 10.5 to Active Directory ........... 18
Import Users into Active Directory .................. 19
Active Directory group membership ................... 22
Bringing Open Directory into the mix ................ 24
Now, the easy way (optional) ........................ 27
Binding the client to both directories .............. 27
Managed Client for Mac OS X (MCX) and AD together ... 28
Hosting the home folders on the Open Directory server 30
The Sandbox
The reason this document was built is to bring the pieces of the puzzle together in a simple and step-by-step fashion. There are plenty of online articles, whitepapers, and listserv archives that talk about Active Directory and Open Directory integration, but there wasn't one document that graphically walked people through the steps of setting up Active Directory from scratch and then tying Mac OS X and Mac OS X Server into that. Hopefully this document will help people get a sandbox environment up and running in less than a few hours and eliminate the frustrating snags and confusing steps that are missing from most guides out there today.

What this document is not intended for is setting up Active Directory and Open Directory in any production environment. The advanced guides found on Apple's website, as well as afp548.com and macenterprise.org, fill in those gaps very well. Where this guide can really help you is to simply get familiar with the two directories, set up user accounts and learn how the integration works. Once you're comfortable, apply what you've learned to your production environment after a great deal of testing.

This setup consists of a Windows 2003 Server, a Mac OS X Server and a Mac OS X client. DHCP services can be provided by a router or by either of the two servers used in this document. DHCP setup knowledge is assumed, so that service will be up to you to configure for your sandbox. When configuring, use a range that's within the 10.0.1.1/24 range, such as 10.0.1.10 through 10.0.1.20 (or up to 253 if you wish).

The software versions used, at the time this document was written, are:
Windows Server 2003 R2 Enterprise Edition (with SP2 and all patches applied): used for Active Directory, DNS and File Services
Mac OS X Server 10.5.2: used for Open Directory and File Services
Mac OS X 10.5.2: used for the client
When installation is finished, reboot and log in to the server. Run Windows Update to ensure that you have SP2 and all other patches installed (not all are necessary, such as IE 7). To take advantage of the included files that import DNS entries and user accounts, you will need to install the Support Tools. On your Windows Server 2003 Disc 1, navigate to :\SUPPORT\TOOLS and launch SUPTOOLS.MSI to install.
6. Naming the new domain is a critical step to ensure that your AD server resolves as you expect. With a desired fully qualified domain name of ad.apple.edu for this server, you must set this as apple.edu, as shown below and click Next. The fact that it asks for the Full DNS name can be a bit misleading.
7. A common assumption for the Domain NetBIOS name is AD, but you've already used AD for your computer name. You can enter whatever you like here. This document uses FOREST.
8. Choose the default locations for the database, log and SYSVOL data.
9. At this point, DNS wants to come along for the ride. Choose the middle option at this step so that DNS is installed along with Active Directory. Based on your computer and domain names that you previously set, this will do the right thing (for now).
10. Default permissions (compatible with Windows 2000 and newer) should be used.
11. Type in a restore password and click Next.
12. Confirm your settings and finish. Upon completion, restart the AD server.
4. Edit this file to meet your needs by right-clicking on it and selecting Edit. Be sure that the path to your Support Tools location is correct, and remember to change the Administrator name if you chose something different. You'll see that this .bat file puts in forward and reverse records for ad.apple.edu (10.0.1.5) and od.apple.edu (10.0.1.6). It also creates records for hosts 10.0.1.10-20 as host10.apple.edu, host11.apple.edu, etc.
Edit this script to meet your needs
5. When the script has the right information in it, close and save it.
6. Double-click on the dns.bat file to run it. It will put in the records you define.
7. Go back to the command prompt and press the up arrow to show the last command.
8. Press return and see that DNS resolves successfully.
10. If your requests aren't resolving correctly, visit http://tinyurl.com/ysqqb7 for an excellent document that covers DNS setup in detail for Windows 2003 Server.
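The DNS records above are the part of the sandbox that most often goes wrong, because a forward (A) record that resolves while its reverse (PTR) record is missing or points at the wrong name is exactly what makes the later "host ad" and "host 10.0.1.5" checks disagree. The following script is an added example, not the guide's dns.bat (which Mike Bombich wrote): it builds the same record set the guide describes (ad and od at 10.0.1.5 and 10.0.1.6, host10 through host20 at 10.0.1.10 through 10.0.1.20), emits one dnscmd /RecordAdd line per record, and checks the set for forward/reverse consistency before anything is loaded. It assumes that dns.bat drives the Support Tools dnscmd command; the server name localhost is a placeholder for your AD server.

```python
"""Added example (not the guide's dns.bat): build the A/PTR record set the
guide describes, emit dnscmd /RecordAdd lines for it, and check that every
A record has a matching PTR. Assumes dns.bat used dnscmd (Support Tools);
"localhost" is a placeholder for the DNS server name."""
import ipaddress

ZONE = "apple.edu"
NETWORK = ipaddress.ip_network("10.0.1.0/24")


def reverse_zone(network):
    """Name of the reverse lookup zone for a /24, e.g. 1.0.10.in-addr.arpa."""
    octets = str(network.network_address).split(".")[:3]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def build_records(zone=ZONE, network=NETWORK):
    """Return (forward, reverse) maps: ad -> .5, od -> .6, host10..20 -> .10..20."""
    hosts = {"ad": 5, "od": 6}
    hosts.update({f"host{n}": n for n in range(10, 21)})
    forward, reverse = {}, {}
    for name, last_octet in hosts.items():
        ip = str(network.network_address + last_octet)
        fqdn = f"{name}.{zone}"
        forward[fqdn] = ip
        reverse[ip] = fqdn
    return forward, reverse


def dnscmd_lines(forward, zone=ZONE, network=NETWORK, server="localhost"):
    """One dnscmd /RecordAdd line per A record and per PTR record (assumed syntax)."""
    rzone = reverse_zone(network)
    lines = []
    for fqdn, ip in sorted(forward.items()):
        host = fqdn[: -(len(zone) + 1)]          # strip the ".apple.edu" suffix
        lines.append(f"dnscmd {server} /RecordAdd {zone} {host} A {ip}")
        lines.append(f"dnscmd {server} /RecordAdd {rzone} {ip.split('.')[-1]} PTR {fqdn}.")
    return lines


def check_consistency(forward, reverse, network=NETWORK):
    """List A records with no matching PTR, PTRs with no matching A record,
    and addresses outside the sandbox network: the mistakes that make
    'host ad' and 'host 10.0.1.5' disagree later in the guide."""
    problems = []
    for fqdn, ip in forward.items():
        if ipaddress.ip_address(ip) not in network:
            problems.append(f"{fqdn} -> {ip} is outside {network}")
        if reverse.get(ip) != fqdn:
            problems.append(f"no PTR maps {ip} back to {fqdn}")
    for ip, fqdn in reverse.items():
        if forward.get(fqdn) != ip:
            problems.append(f"PTR {ip} -> {fqdn} has no matching A record")
    return problems


if __name__ == "__main__":
    fwd, rev = build_records()
    print("\n".join(dnscmd_lines(fwd)))
    print("problems:", check_consistency(fwd, rev) or "none")
```

dnscmd /RecordAdd only adds records into zones that already exist, so the reverse lookup zone (1.0.10.in-addr.arpa for this sandbox) has to be created in the DNS console first; the nslookup and host checks in the guide are the live counterpart of check_consistency.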
5. Let the server restart upon completion.
6. Using the Manage Your Server application, you now see the File Server as an active role. Click on the link to Add shared folders.
7. You can browse to or just put in the path C:\homes. If that folder isn't there, it will ask to create it for you.
8. The next step is to name the sharepoint. Name the folder homes$. The reason for doing this is that the trailing dollar sign keeps the sharepoint hidden from file server browsing. Users can get to the sharepoint if they know the name of it, but they cannot browse to find it. Since it's fairly common for Windows Server admins to do this, this document will as well.
9. Set the permissions so that Administrators have full access and other users have read and write access.
11. If you leave the default permissions alone, your first AD authentication attempt from Mac OS X will be successful, but you won't be able to write to the H: drive for any particular user. Follow these steps after creating that new homes$ sharepoint to avoid any headaches.
12. In the Manage Your Server application, click on Manage this File Server to open the File Server Management application.
13. Right-click on your new homes$ sharepoint and select Properties.
14. Click on the Security tab, and then the Advanced button.
15. Uncheck the Allow inheritable permissions... checkbox and click Copy when the dialog box pops up.
16. Highlight the last entry of Special permissions for the Users group and click Remove.
17. Highlight the new last entry of Read & Execute for the Users group and click Edit.
18. Change the Apply onto field to This folder only. Taking this step will prevent users from viewing the contents of other users' home directories.
19. Click the Apply and then the OK button.
20. Click the OK button again to finish the changes.
3. Select the Action menu and choose New -> User.
4. Create a user with first name Student and last name Ten. The username should be student10 and the password should be Apple12.
5. Once finished, right-click on the new Student Ten account and choose Properties.
6. Click on Profile and point their home directory to H: and \\ad.apple.edu\homes$\student10. This screen shot doesn't show the 10 on the end of the path, but it's there. Be sure to put in the full path.
7. Click Apply.
12. Launch Terminal, type host 10.0.1.5 and confirm that it resolves to ad.apple.edu.
13. Type host ad and confirm that it resolves to 10.0.1.5.
14. In the Finder, press cmd-k to Connect to Server and type smb://ad.apple.edu/homes$/student10. A window will open showing the empty sharepoint. You should see the folder you made when connected via your XP client. Create a new folder and name it Made in Mac OS X. You've successfully connected to Windows file sharing from Mac OS X 10.5 and Windows XP at this point.
9. Choose Only the following objects in the folder followed by Computer objects. Click Next.
10. Check Full Control and all boxes will automatically check as well.
11. Click Next, then Finish.
12. You can now use the account binder with the password Apple12 when binding clients to the AD domain.
5. Log out and then log back in as student10.
6. You'll see that authentication is successful, you have a forced local home directory on the startup disk, and your network home location is mounted for you automatically via SMB.
7. These are the results you see when simply binding and authenticating to AD and using the default settings in Directory Utility. While you've been given a local home directory in /Users on the Macintosh HD, your H: drive in AD is conveniently brought to you in the Dock.
8. If you create a folder and it immediately disappears, log out and then log back in again. There is a GUI glitch of some sort where logging in when the home directory location is empty can cause this to happen. When logging in a second time, folder creation sticks and you can immediately see your results. When importing users in the next section, the VBScript we'll use eliminates this issue by pre-populating each user home directory with a Documents folder.
7. This is simply a comma-delimited file that breaks down the last name, first name, username and password of each user being imported.
8. Right-click on the import.vbs file and select Edit. Here are the contents of the file.
'CSV FORMAT lastName,firstName,userName,password
Option Explicit
Const ForReading = 1
Dim objDomain, objUser, fso, tsInputFile, strLine, arrInput, homeServer, homeShare
Dim fldUserHomedir, wshShell

homeServer = "ad.apple.edu"
homeShare = "homes$"
Set objDomain = GetObject("LDAP://CN=Users,dc=apple,dc=edu")
Set fso = CreateObject("Scripting.FileSystemObject")
Set wshShell = WScript.CreateObject("Wscript.Shell")

'************************************************************
'Open the text file as a text stream for reading.
'Don't create a file if import.csv doesn't exist
'************************************************************
Set tsInputFile = fso.OpenTextFile("import.csv", ForReading, False)

While Not tsInputFile.AtEndOfStream
    strLine = tsInputFile.ReadLine
    arrInput = Split(strLine, ",")

    'Create the user object as "cn=First Last" in the Users container
    Set objUser = objDomain.Create("user", "cn=" & arrInput(1) & " " & arrInput(0))
    objUser.Put "sAMAccountName", arrInput(2)
    objUser.Put "userPrincipalName", arrInput(2) & "@apple.edu"
    '************************************************************
    'Write the newly created object out from the property cache
    'Read all the properties for the object, including
    'the ones set by the system on creation
    '************************************************************
    objUser.SetInfo
    objUser.GetInfo
    objUser.SetPassword arrInput(3)
    '************************************************************
    'Set the properties
    '************************************************************
    objUser.AccountDisabled = False
    objUser.givenName = arrInput(1)
    objUser.sn = arrInput(0)
    objUser.IsAccountLocked = False
    objUser.PasswordRequired = True
    objUser.DisplayName = arrInput(1) & " " & arrInput(0)
    '************************************************************
    'Set the drive that you'll map to
    '************************************************************
    objUser.HomeDirectory = "\\" & homeServer & "\" & homeShare & "\" & arrInput(2)
    objUser.Put "homeDrive", "H:"
    objUser.SetInfo

    '************************************************************
    'Create a home directory for the imported users
    'and populate each home directory with a Documents folder
    '************************************************************
    If Not fso.FolderExists("\\" & homeServer & "\" & homeShare & "\" & arrInput(2)) Then
        Set fldUserHomedir = fso.CreateFolder("\\" & homeServer & "\" & homeShare & "\" & arrInput(2))
        fso.CreateFolder "\\" & homeServer & "\" & homeShare & "\" & arrInput(2) & "\Documents"
    End If

    '************************************************************
    'Set full rights for the user to the home directory and
    'propagate those rights through the contents of each home directory
    '(this runs inside the loop so that every imported user gets it)
    '************************************************************
    wshShell.Run "cacls \\" & homeServer & "\" & homeShare & "\" & arrInput(2) _
        & " /T /e /g " & arrInput(2) & ":F", 1, True

    '************************************************************
    'Stop referencing this user
    '************************************************************
    Set objUser = Nothing
Wend

tsInputFile.Close
9. You can see what each section accomplishes in this script. It reads the csv file you have and imports users into AD. Then, it sets their profile and maps the proper home directory. Finally, it populates each home directory with a Documents folder and propagates the permissions.
10. Double-click the import.vbs file to run that script.
11. Log in as student20 with the password Apple12 from the Mac OS X client as soon as the script completes (it shouldn't take more than 3-5 seconds).
12. Authentication, home directory mapping and file permissions should all check out.
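import.vbs runs with your domain administrator's rights and takes every field straight from import.csv: the username becomes the sAMAccountName, the UPN, a UNC path under homes$, and an argument to the cacls command the script runs through Wscript.Shell. Checking the csv before the import is therefore worth a few lines. The script below is an added example, not part of the guide or its import.vbs: it reads the same lastName,firstName,userName,password format with the same comma split the VBScript uses, rejects rows that are short a field, duplicate a username, contain characters that are not safe in a username or a command line, or carry no password, and for each accepted row derives the attributes import.vbs would set. The username pattern and the minimum password length are assumptions for the sandbox, and the sample csv rows are constructed for the example.

```python
"""Added example (not the guide's import.vbs): validate an import.csv in the
guide's lastName,firstName,userName,password format and derive the AD
attributes import.vbs would set. The SAM_RE pattern and MIN_PASSWORD_LEN
are assumed sandbox policies; SAMPLE_CSV is constructed input."""
import re

HOME_SERVER = "ad.apple.edu"      # values the guide uses
HOME_SHARE = "homes$"
UPN_SUFFIX = "apple.edu"
SAM_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")   # assumed: 20 chars, no shell/LDAP metacharacters
MIN_PASSWORD_LEN = 7                             # assumed sandbox policy

# Constructed sample: two good rows, a duplicate username, a username that
# would reach cacls as extra command-line text, and a row with no password.
SAMPLE_CSV = """Ten,Student,student10,Apple12
Eleven,Student,student11,Apple12
Twelve,Student,student10,Apple12
Thirteen,Student,student13 & calc,Apple12
Fourteen,Student,student14,
"""


def derive_attributes(last, first, user, password):
    """The attribute set import.vbs writes for one row (password not returned)."""
    return {
        "cn": f"{first} {last}",
        "sAMAccountName": user,
        "userPrincipalName": f"{user}@{UPN_SUFFIX}",
        "givenName": first,
        "sn": last,
        "displayName": f"{first} {last}",
        "homeDirectory": f"\\\\{HOME_SERVER}\\{HOME_SHARE}\\{user}",
        "homeDrive": "H:",
    }


def validate_import(text):
    """Return (accepted, rejected): accepted is a list of attribute dicts,
    rejected a list of (line number, reason). Uses a plain comma split,
    exactly as the VBScript's Split(strLine, ",") does."""
    accepted, rejected, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            rejected.append((lineno, f"expected 4 fields, got {len(fields)}"))
            continue
        last, first, user, password = fields
        if not (last and first and user):
            rejected.append((lineno, "empty name or username field"))
            continue
        if not SAM_RE.match(user):
            rejected.append((lineno, f"bad userName {user!r}"))
            continue
        if user.lower() in seen:                 # sAMAccountName is case-insensitive
            rejected.append((lineno, f"duplicate userName {user!r}"))
            continue
        if len(password) < MIN_PASSWORD_LEN:
            rejected.append((lineno, "password missing or too short"))
            continue
        seen.add(user.lower())
        accepted.append(derive_attributes(last, first, user, password))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_import(SAMPLE_CSV)
    for attrs in ok:
        print("would create", attrs["sAMAccountName"], "->", attrs["homeDirectory"])
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```

Run it against your real import.csv (read the file into validate_import) before double-clicking import.vbs; a clean rejected list means every row will produce the cn, UPN and H: mapping the guide expects.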
3. Click on the New Group button or use the Action menu to create a new group.
4. Name the group ad_students with the default settings unchanged, as shown below. Click OK.
6. Select the Members tab and click on the Add button.
7. In the Object names to select window, type student and click on the Check Names button.
8. Use the control-a keys to select all of the student users you imported earlier and click OK.
9. Click OK again.
5. Choose Open Directory Master.
6. On the following pane, you must confirm a Directory Administrator account and password. Feel free to leave the diradmin account as it is set by default, and choose a password.
8. The final pane confirms the settings. Click on the Close button.
9. You now have an ODM working as a Kerberos key distribution center (KDC). In Server Admin, you'll see in the Open Directory overview that all is running as expected.
10. Now that you've set up the ODM so that we can manage Macs in our Active Directory environment, we need to stop Kerberos on the ODM and join the Kerberos realm of the AD server.
11. Open Terminal, type the following command and press return.
sudo sso_util remove -k -a sadmin -p password -r OD.APPLE.EDU
(replace password with your own password used for the sadmin account)
12. Once completed, you can go back to Server Admin and refresh the overview page. You'll see that Kerberos is stopped.
13. Launch Directory Utility and click on the plus sign to add a new Directory Server. Change the directory type to Active Directory and fill in the blanks as shown below. You can use the binder account for this step, just like when you bound a client workstation to AD earlier.
14. It will show that the AD and OD servers are responding normally. Quit Directory Utility.
15. Return to Terminal and type the following command to join the AD Kerberos realm.
sudo dsconfigad -enablesso
6. Log out.
7. Log in as the student10 user with the password Apple12.
8. You've logged in with an AD account while bound to OD as well. So what?! you say?
5. Use the pull-down menu in the side bar to switch the directory to /Active Directory/All Domains.
6. Select the groups tab to show AD groups.
7. Drag the ad_students group into the Members window of your new od_managed group.
8. Click Save.
9. With the od_managed group still highlighted, click on the Preferences button. Select the Dock preference since that's what we'll manage.
10. Click on the Dock Display tab and set it however you wish. So that I can easily tell my management is working, I always move the dock to the left side.
12. Log out of your Mac OS X client and then back in as any of the student10-20 users. What you see is an AD account, mapped to its home on a Windows server, with MCX policies enforced.
4. Click on the Share Points button and disable each of the three default shares by using the Unshare button on the far right. You have to click the Save button after each one.
6. Click on New Folder to create one at the root of one of your server hard drives.
7. Call the folder homes and click the Create button.
8. Select the new folder and share it using the Share button.
9. The sharing options are shown in front of you. Click the Enable Automount button.
10. When prompted, choose the LDAP directory, AFP and User home folders options.
11. When prompted, type in your diradmin credentials and click OK.
12. Click Save.
13. Move to your AD server.
14. In the Active Directory Users and Computers application, select your student10 account.
15. Right-click on it and choose Properties.
16. Click on the Profile tab and check the Home folder box.
17. Select the Connect button and set the H: drive to \\od.apple.edu\homes\%username%. The screen shot doesn't show the trailing %, but it's there.
18. Ignore any errors or warnings that may pop up when you click Apply.
19. Move to your Mac OS X client and open Directory Utility.
20. Unlock the padlock in the lower left-hand corner and authenticate.
21. Click on the Show Advanced Settings button.
22. Click on Services and then double-click on the Active Directory plugin.
23. Click on the triangle next to Show Advanced Options and match the settings as shown below.
24. Force local home... should be unchecked, and the network protocol should be changed from the smb protocol to the afp protocol.
25. Log out of the Mac OS X client and log back in as student10. You may need to wait a few seconds for network accounts to become available again, or possibly even reboot the client.
26. We now have a managed Dock and an AFP-based network home directory hosted on an Xserve, all while AD is handling the authentication.
There are literally hundreds of directions that this document could go, from nesting AD groups within OD, to extending the AD schema, to using Centrify for policies. This document was simply created to help you get a test environment up and running quickly in order to understand the initial setup and go through a few common practices. Special thanks go to Jeff Walling and Jeff Ochsner for helping me verify the steps and processes. Mike Bombich also gets credit since he wrote the dns.bat file that I barely modified for this document. A real big thanks goes to Matt Riley for cooking up the AD import script and helping me with the permissions details. Comments and corrections for this document can be sent to me at carson@mac.com.