Snow Leopard and Active Directory
Recently, I had a discussion with an IT team struggling to manage over 100 desktops. They currently don't use any centralized directory for authentication and access. While that surprised me, they had their reasons.
In the discussion, I recommended moving in that direction. One of their hurdles is that they manage a multi-platform desktop environment, so I decided to look at two scenarios and run some preliminary tests:
- Connecting Mac and Windows clients to an OS X Open Directory
- Connecting Mac and Windows clients to a Windows 2008 Active Directory
My focus was cross-platform management: Windows clients on Open Directory, or OS X clients on Active Directory. After a brief amount of research, it became clear that the first scenario is not an option right now, as Apple's domain setup doesn't support Windows 7 clients. The second scenario supports both platforms, with a few minor issues to be aware of.
Here is the basic setup process I went through for connecting OS X Snow Leopard (10.6) clients to Active Directory (Windows 2008 R2):
Go to /System/Library/CoreServices and open Directory Utility:
Enter your domain name (the forest name is the same in this instance) and a Computer ID (call it what you want). Check "Create mobile account at login". This caches the Active Directory credentials locally, so if users take their machine outside the network they can still log in.
Click "Administrative" and enter a preferred domain server. This isn't strictly necessary, since the client can locate domain controllers at login, but it speeds things up. You can also choose which Active Directory users or groups get admin access on the machine.
Click "Bind" (the screenshots show "Unbind" because I had already bound this machine). It asks for domain admin credentials; once entered, the machine is part of Active Directory. From this point on, any Active Directory user can log in to this machine, with no need to create local accounts.
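With 100 desktops to do, the same bind is worth scripting. The block below is an added example, not from the original post: the domain, domain controller and admin-group names are assumptions, and the flags are the dsconfigad(8) options that correspond to the Directory Utility settings described above (check them against the man page for your OS version). It also parses the output of `dsconfigad -show`, so a deployment script can confirm the bind actually took and that mobile accounts are on.

```bash
#!/bin/bash
# Added example: command-line equivalent of the Directory Utility bind above.
# Assumed values (not from the original post); adjust before use.
AD_DOMAIN="${AD_DOMAIN:-corp.example.local}"        # forest == domain here
AD_DC="${AD_DC:-dc1.corp.example.local}"            # "preferred domain server"
COMPUTER_ID="${COMPUTER_ID:-$(hostname -s 2>/dev/null | tr '[:upper:]' '[:lower:]')}"
ADMIN_GROUPS="${ADMIN_GROUPS:-CORP\\Domain Admins}" # AD groups that get local admin

# Bind the Mac. -p is deliberately omitted so dsconfigad prompts for the domain
# admin password instead of leaving it in shell history and `ps` output.
bind_ad() {
  local domain_admin="$1"
  dsconfigad -a "$COMPUTER_ID" -domain "$AD_DOMAIN" -u "$domain_admin" || return 1
  # GUI equivalents: "Create mobile account at login" (without the confirmation
  # prompt), "Prefer this domain server", "Allow administration by".
  dsconfigad -mobile enable -mobileconfirm disable \
             -preferred "$AD_DC" \
             -groups "$ADMIN_GROUPS"
}

# Reduce `dsconfigad -show` output (on stdin) to key=value lines for the
# settings we care about, so the bind state can be checked by a script.
parse_show() {
  awk -F' = ' '
    /Active Directory Domain/        { print "domain="       $2 }
    /Computer Account/               { print "computer="     $2 }
    /Create mobile account at login/ { print "mobile="       $2 }
    /Preferred Domain controller/    { print "preferred_dc=" $2 }
    /Allowed admin groups/           { print "admin_groups=" $2 }
  '
}

# True only if bound to the expected domain with mobile accounts enabled.
bind_ok() {
  local kv
  kv="$(printf '%s\n' "$1" | parse_show)"
  printf '%s\n' "$kv" | grep -qxF "domain=$AD_DOMAIN" &&
    printf '%s\n' "$kv" | grep -qxF "mobile=Enabled"
}

# Constructed sample of `dsconfigad -show` output (abridged) for offline testing.
SAMPLE_SHOW='You are bound to Active Directory:
    Active Directory Forest          = corp.example.local
    Active Directory Domain          = corp.example.local
    Computer Account                 = macbook01$

Advanced Options - User Experience
    Create mobile account at login   = Enabled
    Require confirmation             = Disabled

Advanced Options - Administrative
    Preferred Domain controller      = dc1.corp.example.local
    Allowed admin groups             = CORP\domain admins'

# Usage: ./adbind.sh --bind 'CORP\adminuser'   (run once, as a local admin)
#        ./adbind.sh --check                    (verify an existing bind)
case "${1:-}" in
  --bind)  bind_ad "${2:?domain admin account required}" ;;
  --check) bind_ok "$(dsconfigad -show)" && echo "bound to $AD_DOMAIN with mobile accounts" ;;
esac
```

Running `--check` from your management tooling after the bind catches the common failure where dsconfigad reports success but the advanced options (mobile accounts, preferred DC) were never applied.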
From here, I went one step further and auto-mounted the user's home folder from the server. The same approach works for any network share.
I created an Automator application that runs a shell script that looks like this:
It reads $USER from the environment, which is whichever user is logged in (Shannon, in this case). I named the Automator application "Mount!" and stored it in my Documents folder.
I added it to my login items in the Login Options section of the Accounts preference pane (if you want it to run for all users, there is another place to put the application).
Now, whenever this user logs in to this machine with the Active Directory account, the network folder is mounted as well.
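Since the script itself isn't reproduced above, here is an added example of what such a login script can look like (my code, not the author's Automator script). It assumes an SMB file server named files.corp.example.local with a share called home that contains one folder per user; both names are assumptions. It goes a little beyond the original by handling the two cases a mobile account hits in practice: running while the machine is off the network, and running twice.

```bash
#!/bin/bash
# Added example (not the original post's Automator script): mount the logged-in
# user's folder from an SMB file server at login. Server and share names are
# assumptions; $USER is the account name of the session that runs the script.
FILE_SERVER="${FILE_SERVER:-files.corp.example.local}"
HOME_SHARE="${HOME_SHARE:-home}"

# SMB path for a user's folder, e.g. //shannon@files.corp.example.local/home/shannon.
# The user@ form makes mount_smbfs use that account (and its Kerberos ticket from
# the AD login) rather than a password embedded in the script.
share_path() { printf '//%s@%s/%s/%s\n' "$1" "$FILE_SERVER" "$HOME_SHARE" "$1"; }

# Mount point inside the user's own home, so no admin rights are needed to create it
mount_point() { printf '/Users/%s/NetworkHome\n' "$1"; }

# Only accept a plain account name; anything with a slash, backslash or ".."
# would change which folder on the share gets mounted.
valid_user() {
  case "$1" in
    ''|*/*|*\\*|*..*) return 1 ;;
    *)                return 0 ;;
  esac
}

mount_home() {
  local user="${1:-$USER}" src mp
  valid_user "$user" || { echo "refusing to mount for '$user'" >&2; return 2; }
  src="$(share_path "$user")"
  mp="$(mount_point "$user")"
  # Script ran twice (e.g. re-login without logout): nothing to do
  if mount | grep -q " on $mp "; then return 0; fi
  # Mobile account logging in off the network: skip rather than hang at login
  if ! nc -z -w 3 "$FILE_SERVER" 445 >/dev/null 2>&1; then
    echo "$FILE_SERVER unreachable; skipping network home" >&2
    return 3
  fi
  mkdir -p "$mp" || return 1
  mount_smbfs "$src" "$mp"
}

# Run from the Automator "Run Shell Script" action at login. The guard keeps the
# script from trying to mount anything on a machine without mount_smbfs.
if command -v mount_smbfs >/dev/null 2>&1; then
  mount_home "$USER" || :
fi
```

The reachability check matters for exactly the mobile-account case the post sets up: without it, a laptop opened at home sits at the login screen waiting for an SMB connection to time out.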
Some important things to note:
- When setting up the AD binding, choose "Create mobile account at login". This caches the credentials and creates a local home folder, allowing logins when the machine is off the AD network. Since that cached credential lives on the local disk, it is one more reason to encrypt laptops bound this way.
- While I run my network's DNS on the gateway, I forward all requests for the internal AD domain to the domain controller. Active Directory publishes SRV records in its own DNS zone that clients use to locate domain controllers, so the client's resolver has to be able to answer for that zone. For me, this solved issues with the "Network Account Server" showing as unavailable in the Login Options section of the Accounts preference pane.
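As an added check (not from the original post), the following script verifies from the client side that the resolver the Mac uses answers for the AD zone, by asking for the SRV record Active Directory publishes for its domain controllers. The domain name is an assumption. An empty result means the Mac cannot find a DC, which is the "unavailable" symptom described above.

```bash
#!/bin/bash
# Added example (not from the original post): confirm that the DNS server this
# Mac uses can answer for the Active Directory zone. The domain is an assumption.
AD_DOMAIN="${AD_DOMAIN:-corp.example.local}"

# AD publishes its domain controllers as SRV records under _msdcs; if the
# client's resolver cannot return these, binding and login both fail.
dc_records() { dig +short SRV "_ldap._tcp.dc._msdcs.$AD_DOMAIN"; }

# `dig +short SRV` prints "priority weight port target." per record. Reduce
# that to "target:port" lines, lowest priority first (the order clients try).
srv_targets() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $4 ":" $3 }' | sort -k1,1n -k2,2 | cut -d' ' -f2
}

# Read SRV records on stdin; print the DCs in the order the client will try
# them, or explain the failure.
check_dc_dns() {
  local targets
  targets="$(srv_targets)"
  if [ -z "$targets" ]; then
    echo "no DC SRV records for $AD_DOMAIN from this resolver;" \
         "forward the $AD_DOMAIN zone to the domain controller" >&2
    return 1
  fi
  printf '%s\n' "$targets"
}

# Constructed sample of `dig +short SRV` output, used for offline testing.
SAMPLE_DIG='0 100 389 dc2.corp.example.local.
0 100 389 dc1.corp.example.local.
10 100 389 dc-dr.corp.example.local.'

# Usage: ./dccheck.sh --check
if [ "${1:-}" = "--check" ]; then
  dc_records | check_dc_dns
fi
```

Run it with the Mac's normal resolver settings, not pointed directly at the DC: the point is to prove that the gateway forwarding rule works, since that is what the login window will rely on.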