[MacTUG] FYI: Changes to our Active Directory and Macs...

Erick Engelke erick at engmail.uwaterloo.ca
Wed Mar 31 10:52:02 EDT 2010


Thanks

Erick Engelke                                           erick at uwaterloo.ca
Director                                                          PHY-3013
Engineering Computing                                (519) 885-1211 x35893
University of Waterloo                  http://www.eng.uwaterloo.ca/~erick


On Wed, 31 Mar 2010, Steve Hellyer wrote:

> Hi Erick,
>
> While there seems to be agreement not to do this at this time, I am sure down the road this will be the way to go. Perhaps best after the dust settles on integrating faculties into the new central AD.
>
> This white paper talks about how to add additional schema extensions so Mac lab administrators can have policy control over clients.
> http://images.apple.com/business/solutions/it/docs/Modifying_the_Active_Directory_Schema.pdf
>
> Also, best practices on Macs connecting to AD.
> http://images.apple.com/business/solutions/it/docs/Best_Practices_Active_Directory.pdf
>
> Critical pieces I encounter...
>
> - Mac OS X needs to point to the AD server for NTP to keep its clock in sync
> - Mac OS X needs to point to the AD servers for DNS.
> - AD DNS needs to have both forward and reverse entries for all records
>
> Specifically, Mac AD clients look for the following to bind and discover the directory system (but with your domain). AD along with the MS DNS service should create these automatically.
> _ldap._tcp.mydomain.com
> _kerberos._tcp.mydomain.com
> _kpasswd._tcp.mydomain.com
> _gc._tcp.mydomain.com
>
> If you have a firewall running, make sure you're not blocking the ports the Mac uses to talk to the AD server. Mac OS X doesn't actually talk to AD using MS AD protocols; rather, it relies on the LDAP that AD provides plus Kerberos.
>
> 389	TCP	Lightweight Directory Access Protocol (LDAP)
> 636	TCP	Secure LDAP (SSL)
> 88	TCP	Kerberos
> 749	TCP/UDP	Kerberos 5 admin/changepw
>
> Hope this helps; I look forward to helping where I can.
>
> Steve
>
> On 2010-03-30, at 12:09 PM, Erick Engelke wrote:
>
>>
>> On Tue, 30 Mar 2010, Matthew Oliver wrote:
>>
>>> I'd love to be involved in testing the new AD.
>>> I should be able to make a couple client machines available to test on.
>>>
>>
>> Sure Matthew.  I'll let you know when we actually have something to test.
>>
>> Erick
>> _______________________________________________
>> MacTUG mailing list
>> MacTUG at lists.uwaterloo.ca
>> https://lists.uwaterloo.ca/mailman/listinfo/mactug
>
> -------------------------------------------------------
> Steve Hellyer
> Pre-Sales Systems Engineer
> Education Division (Higher Education)
> Apple Canada Inc.
> 7495 Birchmount Rd.
> Markham, Ontario, Canada
> L3R 5G2
>
> PH: (905)513-5647
> Mailto: phasetwo at apple.com
>
> Training Websites
> http://training.apple.com/
> http://www.witzapplecertifiedtraining.com/
>
> AppleCare Online Support
> http://www.apple.com/ca/support/
>
> AppleCare Technical Phone Support
> tel:1-800-263-3394  (basic up and running support for individual consumers)
>
> AppleCare Enterprise Level Support
> http://www.apple.com/ca/support/products/macosxserver_sw_supt.html
>
> AppleCare Service Locations (Canada)
> http://www.apple.ca/buy/locator/
> Select Service Locations from pull down menu
>
>
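The checks Steve lists above (the four SRV records, forward and reverse DNS for the domain controllers, and the LDAP/Kerberos ports a firewall must leave open) can be scripted so a lab admin can verify a domain before binding clients. The script below is an added example written for this archive page; it is not from the post or from Apple. It assumes dig(1) and nc(1) are on the Mac, and the test values (example.edu, dc1.example.edu) are constructed. The parsing functions take text on stdin or as arguments so they run offline; `live_check` does the real lookups and port probes.

```shell
#!/bin/sh
# check_ad_prereqs.sh -- added helper, not from the list post.
# Checks the prerequisites the post lists for binding Mac OS X to AD:
# the four SRV records, forward/reverse DNS for the advertised DCs,
# and the TCP ports that must be open to the domain controllers.
# The parsing functions take text on stdin/arguments so they can be
# exercised offline; live_check runs dig(1) and nc(1) against a domain.

# Names a Mac looks up to discover the directory ($1 is the AD domain).
srv_names() {
    for svc in _ldap._tcp _kerberos._tcp _kpasswd._tcp _gc._tcp; do
        printf '%s.%s\n' "$svc" "$1"
    done
}

# TCP ports from the post: LDAP, LDAPS, Kerberos, kpasswd.
required_tcp_ports() {
    printf '%s\n' 389 636 88 749
}

# Reads "dig +short SRV" lines (priority weight port target.) on stdin and
# prints "name port target" per answer; returns non-zero when there is none.
parse_srv_answer() {
    name="$1"
    count=0
    while read -r prio weight port target; do
        [ -n "$target" ] || continue
        target="${target%.}"             # strip the trailing dot of the FQDN
        printf '%s %s %s\n' "$name" "$port" "$target"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]
}

# Given the TCP ports a firewall allows toward the DCs (as arguments),
# prints the required ports that are missing from that list.
missing_ports() {
    allowed=" $* "
    for p in $(required_tcp_ports); do
        case "$allowed" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Live check (needs network): resolve each SRV name, confirm the target has
# A and PTR records (the forward/reverse entries the post asks for), and
# probe the advertised port so a blocking firewall shows up before binding.
live_check() {
    srv_names "$1" | while read -r name; do
        if ! answers=$(dig +short SRV "$name" | parse_srv_answer "$name"); then
            printf 'MISSING SRV: %s\n' "$name"
            continue
        fi
        printf '%s\n' "$answers" | while read -r _ port target; do
            addr=$(dig +short A "$target" | head -n 1)
            if [ -z "$addr" ]; then
                printf 'NO A RECORD: %s\n' "$target"
                continue
            fi
            [ -n "$(dig +short -x "$addr")" ] || printf 'NO PTR: %s (%s)\n' "$target" "$addr"
            if nc -z -w 3 "$target" "$port" >/dev/null 2>&1; then
                printf 'OK: %s -> %s:%s\n' "$name" "$target" "$port"
            else
                printf 'BLOCKED: %s:%s\n' "$target" "$port"
            fi
        done
    done
}

# Usage: sh check_ad_prereqs.sh --live mydomain.com
case "${1:-}" in
    --live) live_check "$2" ;;
esac
```

Run it with `--live` and your domain from a Mac that already uses the AD servers for DNS; a `MISSING SRV` or `NO PTR` line points at the DNS side, while `BLOCKED` points at the firewall ports in the table above. Time sync is not covered here; `ntpdate -q` against the same DC is the quick check for that.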

