OS X Integration into AD Domain

  1. #1
    Keeping The Balance CybertecOne
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    659

    OS X Integration into AD Domain

    Hi all,

    One of my clients is a Kindergarten-Year 12 private school and Apple have sold the executive staff on a 1to1 Macbook program. I want to gather the thoughts and opinions of you good folk regarding the integration of OS X into the AD domain, and any interesting stories and past experiences are welcome.

    Firstly, let me give you some information to work with. As part of the service contract with the school I am onsite 30+ hours per week, so there is no concern over the time scope. The school has 2 iMac labs with a total of around 30 iMacs and we have 2 year 4 classes as pilots for the 1to1 program. The iMac labs are bound to Open Directory on an OS X Server and this is to achieve some user control/lock down via Workgroup Manager - although this has been very inconsistent. The iMacs are also bound to AD for AD user authentication. This seems to work well and it is very rare that a user cannot authenticate on the iMacs.

    The 1to1 Macbooks connect to the network via a wireless network across the school which uses PEAP and RADIUS authentication with AD, however the users log on to the Macbook with local OS X accounts. This means once the user has logged on, you must authenticate with AD to connect to the wireless. This works OK also.

    In 2 years the estimated number of 1to1 Macbooks will be in excess of 300, plus the 20 iMacs which may be implemented into the classrooms themselves, replacing the teacher's PC. The PC currently provides all network access to the teachers within the class, including running software for the Interactive Whiteboards and other educational tools.

    With such a large network (16 servers, 700 workstations plus the Apples) almost all software and workstation administration is done via Group Policy. My biggest concern is how we are going to manage so many cross-platform machines and integrate them successfully into AD. Even single sign-on seems difficult to accomplish.

    Domain is 2003 R2 / 2008 and over the next 12-18 months it will be solely 2008 (with a little luck). Soooo.... any thoughts, comments, previous nightmares you can each bring to the party?

    I am more than happy to answer specific questions or provide further information - I guess the big question is, will this work or should we be shutting the 1to1 program down before it becomes the majority appliance for students and teachers? Apple sold the executive staff with some flashy approaches and ultimately empty promises on the success of rolling Macbooks out into the school.

    Look forward to a cooled and heated discussion


    CTO
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  2. #2
    CybertecOne
    bump

  3. #3
    CybertecOne
    bump - no input at all guys?

    Actually it seems I don't see General Chit Chat in the home forum view.

  4. #4
    Super Moderator: GMT Zone nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Moved from GCC...............this is certainly a computer related post that covers a number of aspects like hardware, OS, networks, security...........?

    I guess the big question is, will this work or should we be shutting the 1to1 program down before it becomes the majority appliance for students and teachers? Apple sold the executive staff with some flashy approaches and ultimately empty promises on the success of rolling Macbooks out into the school.
    Yes!............Apple must not be permitted to buy their way into education systems.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    CybertecOne
    Thanks John, good to hear from you - and I fully agree.

    I am in the middle of a document covering Mac vs PC 1to1, so I will post it here for you guys to have a look, as I do with most of my original work. Stay tuned and hopefully you will all enjoy the comparison.


    CTO

  6. #6
    Gonzo District BOFH westin
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    We have integrated our Open and Active Directory environments. We use AD for all authentication, and GPOs for managing the PCs, while using OD to manage the Macs. It is working pretty well so far, although on occasion a Mac will unbind itself... and we have some issues with forcing password resets/expirations. We still haven't quite nailed down printing, as it asks for authentication anytime they try to print through the Windows print server, but we can push printers out to the Macs using the printer's IP.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  7. #7
    Senior Member
    Join Date
    Jul 2002
    Posts
    744
    Quote Originally Posted by westin View Post
    We... although on occasion a Mac will unbind itself... and we have some issues with forcing password resets/expirations. We still haven't quite nailed down printing, as it asks for authentication anytime they try to print through the Windows print server, but we can push printers out to the Macs using the printer's IP.

    I'm no guru, but that sounds like me strugglin' with xp, vista and 7 trying to all access an HPfailprinter through network...if u go strictly mac, you're pretty much golden, especially with the eventual growth u assume, op. don't expect anyone to learn much, tho.
    Every now and then, one of you won't annoy me.

  8. #8
    CybertecOne
    Thanks guys - am enjoying the feedback

    Currently the Mac labs are bound to OD and AD, as well as the OD server (X server) being bound to AD. Search path for iMacs (clients) is AD then OD.

    Authentication, mapping and user storage is done via Windows services, using AppleScript to do most of the mapping of network drives. Running the two environments side by side is essentially the current situation, except I have had too many inconsistencies with OD/Workgroup Manager and the policies they are meant to apply/restrict access to preferences etc. It is very flaky.

    Besides that, the X Server has no function, and due to the nature of the Workgroup Manager "policies", if the server were to crash tomorrow or be unplugged there would be zero impact.

    CTO
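Two of the failure modes raised in this thread (a Mac silently unbinding from AD, and the client search path needing AD ahead of OD) can be checked from the Mac itself. The script below is an added example, not something any poster supplied; the domain name, server names and sample command output are constructed, and the live branch only runs where the macOS tools `dsconfigad` and `dscl` exist.

```shell
#!/bin/sh
# Added example (not from the thread): detect a Mac that has dropped its AD
# binding and confirm the directory search order (AD before OD). The parsers
# take command output as text so they run offline on the constructed samples;
# on a real Mac, the live check feeds them the real commands.

# Constructed sample output in the format dsconfigad -show produces.
SAMPLE_BOUND='You are bound to Active Directory:
  Active Directory Forest          = school.example
  Active Directory Domain          = school.example
  Computer Account                 = imac-lab-01$'
SAMPLE_UNBOUND='You are not bound to Active Directory.'

# Constructed sample output in the format dscl /Search -read / CSPSearchPath produces.
SAMPLE_SEARCH_OK='CSPSearchPath:
 /Local/Default
 /Active Directory/SCHOOL/All Domains
 /LDAPv3/odserver.school.example'
SAMPLE_SEARCH_ODFIRST='CSPSearchPath:
 /Local/Default
 /LDAPv3/odserver.school.example
 /Active Directory/SCHOOL/All Domains'

# Prints the bound AD domain, or nothing when the Mac has lost its binding.
bound_domain() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*=[[:space:]]*//p'
}

# Prints ok / od-first / ad-missing: the first AD node must precede the first
# LDAPv3 (OD) node if AD is to be the authoritative authentication source.
search_order() {
    printf '%s\n' "$1" | awk '
        /^ *\/Active Directory\// { if (!ad) ad = NR }
        /^ *\/LDAPv3\//           { if (!od) od = NR }
        END {
            if (!ad)                print "ad-missing"
            else if (od && od < ad) print "od-first"
            else                    print "ok"
        }'
}

# Live check, only where the macOS directory tools exist.
if command -v dsconfigad >/dev/null 2>&1; then
    d=$(bound_domain "$(dsconfigad -show 2>/dev/null)")
    [ -n "$d" ] && echo "bound to $d" || echo "WARNING: not bound to AD"
    echo "search path: $(search_order "$(dscl /Search -read / CSPSearchPath)")"
fi
```

Run it from a login script or a periodic job and alert on "not bound" or "od-first", which are the two states the posts above describe as causing intermittent authentication and policy problems.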
