Monday, October 31, 2011

Managing Macs in Active Directory

In one of the communities I'm involved in we had some discussions recently about managing Macs in Active Directory.  Some are adamant that it must be done, while others (me included) don't see the value.

It takes a lot of effort to manage Macs in AD, and it's hard to find benefits that make the effort worthwhile.  In a recent roundtable I asked what the benefits were, and the only response was password management, reinforcing my position that it's not worth the effort.

We already automount network volumes for Mac users, and we require that Mac users use the same username and password on their Mac that they use on the network (we set them up, or reset them, that way).

What do you think?  Are there benefits beyond password management?  Is password management enough to make it worthwhile?


BearsFan34 said...

Setting up our Macs in AD required about 3 minutes of "effort." Not only are password changes out of my hands thankfully, but also those Mac users who wish to sync folders or their entire home folder can do so with another 2 minutes of setup.

No need for specific OUs or anything. They're lumped in with other Windows machines. I've been doing this since 10.5.8, and have had little to no issues.

Scott Wilder said...

BearsFan34: is your domain a domain.local or have you changed it to something else?

Anonymous said...

I'm with BearsFan34 on this. As a part of setting up a Mac for a user, it was bound to our .local AD Domain using the tools already in Snow Leopard/Lion. We also set our users up with Mobile Profiles so that we could Sync their Documents and Desktop folders to a network share for backup purposes (ala Windows Roaming Profiles).

Just like adding a Windows machine to the domain, we added Macs to the domain as a part of our deployment process.

Scott Wilder said...

Would really be great if you could post a screencast of the process. Because the rest of us are obviously doing something wrong that's easily fixable.

Nick Nicholaou said...

You guys make it sound so easy! I'd be happy to put the screencast in this blog post...

Matthew Dillon said...

We were adding Macs to our .local domain in Snow Leopard, but have yet to accomplish the task in Lion. Today I had to deploy a MacBook Air with Lion without being bound to our domain due to lack of Snow Leopard support on the MBA.

I really do not want to change our .local domain for just a few Apple computers, but I'm still contemplating.

BearsFan34 said...

I have yet to try to bind a Lion Mac on 10.7.2 to our domain. I had trouble with brand new, "Lion installed out-of-the-box" Macs & binding; I will probably have a chance this week to attempt a 10.7.2 binding to AD; but I have yet to encounter a 10.5.x Leopard, 10.6.x Snow Leopard or a Mac that was upgraded to Lion from 10.5 or 10.6 that would NOT bind to AD. It's great for inventory, aforementioned password changes, and for those that choose to sync folders. After binding I also drop a few network shares into the startup items list, and it works great.

I see no reason NOT to bind Macs to AD, unless the domain, for some unknown reason, "doesn't like" a .local domain. Where I work we *do* have a .local domain, and have had no issues binding.

@JeremyGood said...

We now join them to AD when we deploy them. Password management and the ability to log into any Mac with a network account are big ++. Moving users with a local name of firstInitial+LastName was a problem but I made a guide here on my blog that works great (shameless plug)

Anonymous said...

We were a Windows shop with no Macs when I first started. After about a year, when we got our first video editor, we got our first Mac. I was already predisposed to believe that Macs and PCs don't play well together. It was known that Microsoft just was not interested in playing nice with Macs and Linux, and Samba at that time was just getting to v2 (and learning to play with Active Directory), and Windows had just made the jump to a version of Active Directory that was not compatible with Samba.

Our Mac environment grew, and I obtained my first Mac in order to learn more about how Macs work. I believe Leopard had come out at that time. I was able to join the domain quickly with no problems and I was well on my way to strategizing how to connect all the Macs to the domain. A week later my Mac would no longer connect to the domain, and I had to rebuild my profile because I wasn't going to keep an account that was basically in no man's land. Forget moving any Mac onto the ADS. Occasionally I would try and try again, especially when upgrades came along, but my domain never ever wanted to play nice with Macs even though the schema was added. Snow Leopard was no help either. I think at that time I upgraded to 2008 and whatever Exchange was at the time.

I was hoping that Lion would play better, in hopes that Samba was growing into version 3 and Apple would have new software and new aims to integrate better into the Enterprise. Then bye-bye Xserve, bye-bye a full-featured Samba implementation in Lion, and now maybe bye-bye Mac Pros.

As far as I understand it at the moment Apple did not implement the full version of Samba because of a license they did not like. I believe that the Samba team will do a great job of integrating with newer versions of Windows.

Did Apple move their focus from integrating with Windows? I am guessing you have to keep your ADS at 2003 levels or open up some security. Maybe the guys who have it working can tell us if you do. My ADS is not complicated, but it is using the recommended signing and encryption and is in 2008 mode. Is that why my Lion won't integrate with ADS 2008 in 2008 mode?

Will Apple fall farther from the ADS?

It seems that it is not important to connect to ADS or Windows server. I think Apple is more interested in interesting ideas such as AirDrop, or iCloud, or some easier way of sharing things that does not include a file server and SMB. I think this is their mentality.

My Mac users couldn't care less whether they are connected to the server or not, but they share files using public folders on their Macs, AirDrop, flash drives, email, and cloud services. I don't think any of my Mac users would want to connect to a domain, and most of them work out of the office, being a multisite church. Only my video guys need to connect to a file server, and I am replacing my Windows server with a Mac server.

Immediately I have to figure out if I want to keep separate passwords for my Windows domain and my Mac file server. I need Windows really for Exchange and SQL. I need a Mac AFP server because Mac-to-Mac file transfers rock with HD video files.

Exchange can be just like Gmail. And I cannot keep fighting problems with ADS and Macs with a subpar Samba implementation; so far there are no good tools or logs on the Macs to figure out what is mysteriously wrong, and Microsoft has been no help so far either. My next step is to leverage my TechNet ID and see if MS can help out.

And my users are extremely happy using two passwords already ... and always entering a password for the file server, and Outlook / Mac Mail, or Entourage.

Plus, isn't it always more secure not to connect to a domain / workgroup? I remember hearing that from grizzled veterans of the Windows 3.11 or NT days back in my earliest IT days.

Matt McConnell said...

We are a 100% Apple shop (on our desktops / laptops) and currently run a Snow Leopard server (running OD) bound to our AD environment. All other servers (file, app, etc.) are Microsoft. We bind all Apple and Windows machines to AD and have had a great experience. Frankly, it is so seamless, I wonder at times why others are so (seemingly) resistant to it.

To clarify a bit about our environment... we DO NOT use .local but instead .intra // we are a Google Apps shop (for now) // All users have mobile Home Directories (ala Roaming Profiles) that sync back to a Windows File share // We use an iChat server // Our Lion Machines bind more effectively than Snow Leopard // our Lion server goes into production Wednesday 11/2

Two quick items to note....
1. I would be more than happy to spend time with anybody who wants to chat about our integration.
2. We have leaned on the guys at The Mac Experience, who have been a fantastic resource! They are a SHARP bunch of guys, who really know their stuff. They seem to take what on the surface appears complicated and simplify it greatly! This summer Jason Snyder was a guest on the CITRT TalkShoe chat... I think in August. I recommend listening to it.

twitter - @mmcconnell

hezetation said...

We have been dual binding Macs to AD & OD since 10.5 but with Lion this will have to change. Lion got worse from 7.1 to 7.2 with dual binding to an SL server and I believe in large part this is because Apple really wants to see the dual bind scenario go away.

Since 10.5 they have actually been encouraging AD domains to use schema extension to support Macs. This comes with some added benefits, such as being able to customize user-specific policies instead of just group or machine policies, but you likely still need a Snow Leopard server to provide AFP shares, software updates, NetBoot tools, or any other Apple proprietary services.

With Lion server you can either bind a machine to Lion server & then push profiles or manage it by e-mailing them policies that are domain agnostic. Apple did this in large part to quell concerns over AD schema extension (it's fine, it won't hurt anything) and to provide a way for organizations to provide domain policy type settings to personal Macs or iOS devices. Our organization will be moving away from dual binds towards AD schema extension.

If you are looking for info on doing this Apple provides some on their enterprise documentation but it essentially is the same for extending AD to support Unix/Linux environments, which there is lots of documentation out there for doing so. I don't have a good full walkthrough but if anyone does I think it would be the best tool for how to integrate Macs fully in an AD environment.

On a side note, if you go with a simple bind and then set up everything locally, be warned: if your Mac users log into Windows machines you are likely to end up with all sorts of home folder sync goofiness. Vista and Win 7 like to rename home folders to "Documents", and this can create all sorts of havoc. I highly recommend that users who will be logging into both Windows and Mac not sync their home directory; it's really just more hassle than it's worth. Most of the time your Mac users will have way more data on their drive than you care to sync anyway. If they need access to data across computers, instead just give them a group folder they can connect to from anywhere.

Anonymous said...

Continuing with my Mac Active Directory issues, I built for fun a new virtual Windows 2008 R2 Server with a new ADS at the 2003 domain functional level. I connected my Mac OS X Lion Server using the dsconfigad tool (it took 30 seconds) and was able to connect to the domain with no issues.

I am going through the old ADS and its different group policies I have to see if there is a difference there or in the ADS setup.

I was 100% positive that Lion was going to connect with the test environment with those settings.

Next is to upgrade the domain functional levels, and figure out where in my 6 year old AD the problem is. My current problem is that AD will not let my Mac change the computer password in AD.

Is it a domain functional level problem or something else?
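The thread mentions dsconfigad binding, the "recommended signing and encryption" settings, and a Mac that cannot rotate its computer account password. The script below is an added example, not from the post or any commenter: it reads `dsconfigad -show` (falling back to a constructed sample of that output when the tool is absent) and flags a bind whose packet signing/encryption is weaker than `require` or whose computer password interval exceeds an assumed 30-day policy. The `require`/30-day thresholds and the sample values are assumptions.

```shell
#!/bin/sh
# Added example: audit an AD-bound Mac's dsconfigad settings.
# The sample below is CONSTRUCTED to mirror the layout of "dsconfigad -show"
# on 10.6/10.7; values and names are invented for illustration.
SAMPLE_SHOW='Active Directory Forest          = corp.example.local
Active Directory Domain          = corp.example.local
Computer Account                 = mac-edit01$

Advanced Options - Administrative
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14'

# Real binding state when dsconfigad exists (macOS), else the constructed sample.
ad_show() {
    if command -v dsconfigad >/dev/null 2>&1; then
        dsconfigad -show
    else
        printf '%s\n' "$SAMPLE_SHOW"
    fi
}

# Print the value after "=" for a given label ($2) in dsconfigad output ($1).
ad_setting() {
    printf '%s\n' "$1" | sed -n "s/^ *$2 *= *//p" | head -n 1
}

# Return 0 if signing and encryption are 'require' and the computer password
# rotates at least every 30 days (assumed policy); otherwise print each weak
# setting and return 1.
ad_audit() {
    out="$1"
    rc=0
    sign=$(ad_setting "$out" "Packet signing")
    enc=$(ad_setting "$out" "Packet encryption")
    interval=$(ad_setting "$out" "Password change interval")
    [ "$sign" = "require" ] || { echo "WEAK: packet signing is '$sign', expected 'require'"; rc=1; }
    [ "$enc" = "require" ] || { echo "WEAK: packet encryption is '$enc', expected 'require'"; rc=1; }
    case "$interval" in
        ''|*[!0-9]*) echo "WEAK: password change interval unreadable ('$interval')"; rc=1 ;;
        *) [ "$interval" -le 30 ] || { echo "WEAK: computer password rotates every $interval days"; rc=1; } ;;
    esac
    return $rc
}

# Remediation on a real Mac (flags from the dsconfigad man page), run as admin:
#   dsconfigad -packetsign require -packetencrypt require -passinterval 14
ad_audit "$(ad_show)" || echo "audit: weak binding settings found"
```

A failed password rotation (the last commenter's symptom) shows up here as the interval elapsing without the computer account password changing in AD; compare the `Password change interval` with the account's pwdLastSet on the domain controller.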