Enterprise computing with OS X: Panther server and Active Directory

In previous columns, I've written about how to use Panther server as a Primary Domain Controller and host both Macintosh and PC clients. This is an excellent solution for small offices looking to support a mixed-client environment with limited resources, for large installations using mostly Mac clients or for any installation that doesn't have a PC server in place.

Before going further I'd like to say a bit about enterprise computing and the education market. I've worked in Fortune 100 firms and currently work at a large college in New York. We have 40,000 students, 3,000 faculty, 2,000 administrators and staff, plus untold adjunct professors who come and go each semester. Much of our labor is seasonal (which creates another rights/access management issue), and our resources are limited. Our computing needs are very much on the level of many Fortune 500 companies.

For the majority of enterprise IT shops, Windows is the primary operating system flavor, and even in shops that have numerous Linux/Unix servers, Windows Active Directory is their choice for directory and Domain Name System (DNS) services. AD scales easily to 50,000-plus users and doesn't suffer latency or response degradation at this level of use.

Over the past few weeks, I've taken a close look at Apple's Open Directory (OD) and Microsoft's AD, and here's what I found: If you have fewer than 10,000 users, the difference in response from either is negligible and you can be comfortable that OD is rock-solid and secure. It is also easier to manage in a simple setup, and with its Unix underpinnings, you can do extensive customization if you choose. But be aware that the Workgroup Manager GUI just stops working at 19,999 users.

While AD is much more complex at the onset, once the learning curve flattens you'll find that you have all the tools you need. The only downside is that it requires you to use the Microsoft DNS that is part of AD. It is true that Microsoft states that the Microsoft DNS component is not required, but AD still requires a DNS server that supports dynamic updates (unlike many other directory services which do not require a dynamic update component). No other DNS product will integrate easily, is guaranteed to work through update patches and will be supported by Microsoft in the event of a troubleshooting issue.

So for all but the truly intrepid, Microsoft DNS and AD are tied together, and to fully implement AD you either need to create a separate domain or turn over your company DNS to AD. Having said that, I think that the combo is great. Because manually updating DNS is a pain, I chose to use AD in my student network environment here at Hunter College.

I have been working on a project to deliver streaming video and music to registered students via computer clients and cell phones. After much evaluation, I chose to do this using QuickTime Streaming Server on Panther OS X (the details of which will be covered in a future column).

The stumbling block in this project was authentication: How do I authenticate a user on my QuickTime server when all of the users exist in an AD catalog?

Here's what to do: Use the two interfaces on an Xserve, and set up one to function as an Apache server. Then create an Apache realm, and bind that realm to the AD groups. Pass the authentication to the QuickTime server on the other NIC using the Web application, and presto, the students are authenticated against AD.
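Whatever front end does the realm check, at some point a login name is turned into an LDAP query against AD. The following is an added example (not code from this column, from Apple's AD plug-in or from Apache) showing how a web application would build the query that confirms an authenticated user is a member of the group the realm is bound to. The username is validated against the characters Windows allows in a sAMAccountName and then escaped per RFC 4515, so nothing a user types can alter the filter's meaning. BASE_DN and STUDENT_GROUP_DN are placeholders for your own forest.

```python
"""Build the AD group-membership query a web front end sends after a login.

Added example, not code from the column or from Apple. BASE_DN and
STUDENT_GROUP_DN are placeholders; the escaping table is RFC 4515.
"""

# Placeholders for the directory layout; real values come from your forest.
BASE_DN = "DC=example,DC=com"
STUDENT_GROUP_DN = "CN=students,OU=Groups,DC=example,DC=com"

# Characters Windows refuses in a sAMAccountName; reject them before the
# name ever reaches the directory (users' sAMAccountName is at most 20 chars).
_FORBIDDEN_IN_SAM = set('"/\\[]:;|=,+*?<>')

# RFC 4515: these are the only characters that need escaping inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# AD's in-chain matching rule, used for nested group membership
# (available on Windows Server 2003 SP2 and later).
IN_CHAIN = "1.2.840.113556.1.4.1941"


def is_valid_sam_account_name(name: str) -> bool:
    """Cheap allow-list check that runs before any directory traffic."""
    if not 0 < len(name) <= 20:
        return False
    return not any(ch in _FORBIDDEN_IN_SAM for ch in name)


def escape_filter_value(value: str) -> str:
    """Escape a value for safe embedding in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_filter(username: str, group_dn: str, nested: bool = False) -> str:
    """Filter that matches the user only if it is a member of group_dn.

    Validation rejects names that could never be real accounts; escaping is
    defence in depth, so that even an allowed character such as '(' cannot
    close or extend the filter. With nested=True, membership through
    intermediate groups is also matched.
    """
    if not is_valid_sam_account_name(username):
        raise ValueError("invalid user name: %r" % username)
    member_attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(&(objectClass=user)(sAMAccountName=%s)(%s=%s))" % (
        escape_filter_value(username),
        member_attr,
        escape_filter_value(group_dn),
    )


if __name__ == "__main__":
    # The search would be run against BASE_DN, subtree scope, with the
    # application's own read-only bind account; a single hit means "allowed".
    print(member_filter("jdoe", STUDENT_GROUP_DN))
    print(member_filter("jdoe", STUDENT_GROUP_DN, nested=True))
```

The plain memberOf form only sees direct members; if students are placed in groups that are themselves members of the realm's group, use the nested form. Either way, run the search with a dedicated read-only service account rather than the credentials used to bind the server.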

Sound simple enough? But wait, the step that says bind the Apache realm to the AD group -- how is that done? This is the magic in Panther's AD plug-in, and I am going to show you how to do it step by step.

First and foremost, you must have a properly set-up DNS in your environment, and your Xserve (or other Panther box) must have a registered name. Next, set up your machine as a member of a directory services environment in the Server Admin.


Then open the Directory Access application and set up the AD plug-in. This application is located in the /Applications/Utilities/Directory Access folder.

Authenticate as the server administrator, and then check the AD box. Then click configure. Here is where you need to enter the AD forest and domain information. In my case, we have a flat domain structure, so they are the same. I suggest checking the "authenticate in multiple domains" option unless you have a specific server you want to authenticate against. If you want to manage the Panther server using an AD account, check the groups you want to allow to administrate the machine.

Be sure not to create the machine account in AD prior to doing the bind, and be sure to enter the computer name of the OS X server in the Computer ID field, not the name of the AD server. If you put the AD server name in Computer ID, you will create two entries in AD for the same name and kill the entire system.

Contrary to what you might expect, AD servers don't forward requests from your server to each other; they simply redirect your server to the right domain controller, which must then be reachable directly. Keep this in mind when opening firewall ports between your Xserve and the AD cluster.


Click Bind (it read Unbind in my screenshot because my system was already bound) and a credentials dialog comes up. Enter the name of an administrator account that has rights to add the machine to the domain and to browse the users. You don't need to use the Windows domain\username form; the plug-in will add the domain for you.


Click Bind and the server will step through the process. Assuming all traffic is passing properly, you will get an error message.


Hit bind again immediately, and the process will step through and complete. I don't know why this happens but it always does and it always works on the second or third attempt, though the machine account is always created on the first. I believe it is the two-step authentication that Windows does (machine first, then user).

Close the AD plug-in and then choose the Authentication tab. Click Custom and add the AD server node to your authentication path. Do the same for Contacts and restart.


On restart, log in and open the Workgroup Manager application, select the pulldown menu on the world icon and select the AD path. Then click the lock on the right side and authenticate using the same name you used to bind the server. All of the users and groups should be visible. One caveat: AD returns at most 1,000 entries per page by default, so that is all you will see.

To alter that limit (and display all of your users up to the 19,999 WGM limit), go to the AD master and do the following:

1. Open ADSI Edit and expand Configuration Container > Services > Windows NT > Directory Service > Query-Policies;

2. Pull up properties on "Default Query Policy";

3. Select the "lDAPAdminLimits" attribute;

4. Set "MaxPageSize" to the number of records you want returned.


(Note: The names in the screenshot that accompanied this step are not real, and the ID numbers shown are Windows SIDs.)

This should help in getting your Panther machines properly integrated in your enterprise environment.

Did I miss something, have a correction or observation? Send your questions, comments and curses to y.Kossovsky@ieee.org.


Copyright © 2004 IDG Communications, Inc.
