Setting up the primary OSX Server

**UPDATED 7/28/04**

I know I am going to forget to detail some steps, such as setting up Kerberos, but this still touches on a lot of the big steps that just aren't documented anywhere.

***Before you do anything, make sure ALL your Mac servers are named correctly and have proper static entries in your DNS server. Part of this also involves correcting a "bug" in the setup process on OSX Server. When you install OSX Server 10.3 and it gets to the step of naming the computer, you get the following screen (screenshot not reproduced here):

There is a problem with the information presented on that screen. For the Host Name it gives two examples of what to type in the field, and both are fully qualified: server.example.com and www.example.edu. The Host Name is NOT supposed to be in that format. The CORRECT value is just the short name: server or www. If you follow the directions on the screen, your server's computer name will be wrong, some services may not work correctly, and the whole goal of having AD users with Mac home folders will definitely fail. I spent the past month trying to figure out why my production servers weren't working right when my test server worked just fine; apparently, when I built my test server, I put in the Host Name correctly. It appears that you can take the Computer Name and Rendezvous Name fields at face value... but don't quote me on that. I always just keep all three the same for simplicity.

OK, so how do you fix this if you already made this mistake? Edit the /etc/hostconfig file. One of the first few lines will say something like HOSTNAME=server.example.com. All you have to do is delete the .example.com portion so the line reads HOSTNAME=server, save the file, and reboot. To be clear, wherever I have written "server" or "www" you would put in the name of the particular server you are doing this to. This only changes the local host name; the static DNS entry for the server that you set up above is unaffected and still required.
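The hostconfig fix and the DNS sanity check from the two paragraphs above, as an added shell example (this is not the author's script). The sample hostconfig lines, the name server.example.com and the temporary file are constructed for the demo; check_dns uses the `host` command and needs a working resolver, so the demo does not call it.

```shell
#!/bin/sh
# Added example (not the author's script): strip the domain part from the
# HOSTNAME line of a 10.3-style /etc/hostconfig, and check that forward and
# reverse DNS agree for the server. The sample hostconfig content, the name
# server.example.com and the demo temp file are constructed here.

# First DNS label only: server.example.com -> server
short_hostname() {
    printf '%s\n' "$1" | cut -d. -f1
}

# Rewrite HOSTNAME=<fqdn> as HOSTNAME=<short> in the given file, leaving every
# other line untouched. Back the real file up first, and reboot afterwards
# (as the text says) for the change to take effect.
fix_hostconfig() {
    file="$1"
    current=$(sed -n 's/^HOSTNAME=//p' "$file" | head -n 1)
    [ -n "$current" ] || { echo "no HOSTNAME line in $file" >&2; return 1; }
    short=$(short_hostname "$current")
    if [ "$short" = "$current" ]; then
        echo "HOSTNAME already short: $current"
        return 0
    fi
    tmp="$file.tmp.$$"
    sed "s/^HOSTNAME=.*/HOSTNAME=$short/" "$file" > "$tmp" && mv "$tmp" "$file"
    echo "HOSTNAME: $current -> $short"
}

# "Proper static entries in DNS" means the forward (A) and reverse (PTR)
# lookups agree. Needs DNS access, so the demo below does not run it.
# Usage: check_dns server.example.com
check_dns() {
    fqdn="$1"
    addr=$(host "$fqdn" | awk '/has address/ { print $4; exit }')
    [ -n "$addr" ] || { echo "no A record for $fqdn" >&2; return 1; }
    ptr=$(host "$addr" | awk '/domain name pointer/ { print $5; exit }')
    [ "${ptr%.}" = "$fqdn" ] || { echo "PTR for $addr is '$ptr', not $fqdn" >&2; return 1; }
    echo "$fqdn <-> $addr OK"
}

# Demo on a constructed copy of hostconfig so the real file is never touched
# untested; prints the resulting file.
demo_hostconfig() {
    f=$(mktemp /tmp/hostconfig.XXXXXX)
    printf 'AFPSERVER=-YES-\nHOSTNAME=server.example.com\nROUTER=-AUTOMATIC-\n' > "$f"
    fix_hostconfig "$f" >/dev/null
    cat "$f"
    rm -f "$f"
}

demo_hostconfig
```

Run fix_hostconfig against a copy of /etc/hostconfig first and diff it before touching the real file; the other lines (AFPSERVER, ROUTER and so on) must come through untouched.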


The primary OSX server is the one that will act as the Open Directory master that will store the MCX settings and any Mac-only accounts you may want to create. I don't think we will have a need to create any Mac-only accounts but I am glad that the option exists if the need does arise.

Step one: Server Admin

**update 7/30/04**

While technically the information below isn't wrong, it isn't actually correct either. If all you want is to store the AD user home folders and not much else, the step of setting the Windows (SMB) service to be a Domain Member ends up being totally unnecessary; you can leave it as Standalone. BUT you still need to turn off the Master Browser settings unless you specifically need them, and you still need to check the box to enable Virtual Share Points. The rest is still good information to remember, especially the fact that making it a Domain Member here can overwrite the computer account created via the AD plugin.

So in the end, all you really need to do is use the AD plugin to join the computer to AD, leave SMB as Standalone, and start the Windows service.

These steps assume you have already setup all the Mac-specific settings such as AFP and Open Directory Master role.

The first thing is to join your Mac server to the Active Directory domain. You may be tempted to do this via the Directory Access AD plugin. That will work, but other aspects of this setup will break. The Directory Access AD plugin will be used, but it comes later.

In Server Admin, click on the Windows service, then Settings, then General. Change the Role to Domain Member and fill in the boxes to reflect your specific setup. It will prompt you to authenticate so it can join the computer to Active Directory; log in with an AD account that has rights to join a machine to the domain (I just used our AD admin account). This creates a computer account in AD. So does the AD plugin, but if you were to run the AD plugin first and THEN this step, it would overwrite the computer account information and really screw things up.

Save the settings, then click on Advanced. Since our AD domain controllers act as our WINS servers and as the workgroup and domain master browsers, we MUST turn these options OFF on the OSX Server unless you really want to tick off your Windows administrators. I'm not 100% sure about this next one, but it is only logical that it is required for us: make sure Virtual Share Points is ENABLED. Because of the way Windows roaming profiles work, the client needs to mount SOMETHING as the home folder. By default the profile path and home folder are the same, but as you will see later, they don't have to be.

Save the changes and don't forget to START the Windows Service!

*** One thing you need to do is edit the /etc/smb.conf file so the Windows service works properly with your AD integration. When you open that file, look through the [global] section for any of the following lines; they may be scattered throughout that section. If you see them, modify them to match; if they don't exist, add them. Restart the Windows service after saving so the new settings take effect.

Directory Services class example:

    [global]
        use spnego = yes
        realm = MSAD.PRETENDCO.COM
        security = ads
        workgroup = MSAD

My site as a real-world example:

    [global]
        use spnego = yes
        realm = FLAGLER.EDU
        security = ads
        workgroup = FLAGLER
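The "modify them if they exist, add them if they don't" rule above, as an added shell example (not the author's script or configuration). It edits only the [global] section, replaces a key in place when it is already there and appends it at the end of the section when it is not. The realm and workgroup values are the page's FLAGLER.EDU / FLAGLER; the sample smb.conf it runs against is constructed for the demo.

```shell
#!/bin/sh
# Added example (not the author's configuration or script): set the four
# AD-related keys in the [global] section of an smb.conf, replacing a key
# that is already present and appending one that is missing. The sample
# smb.conf in the demo is constructed; the realm/workgroup are the page's.

# set_global_key FILE KEY VALUE
set_global_key() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function emit()  { printf "\t%s = %s\n", key, value; done = 1 }
        function drain() { printf "%s", pending; pending = "" }
        /^[ \t]*\[/ {                          # section header
            if (in_global && !done) emit()     # leaving [global] without the key: append it
            drain()
            in_global = (trim($0) == "[global]")
            if (in_global) seen_global = 1
            print; next
        }
        in_global && !done && trim($0) == "" { pending = pending $0 "\n"; next }  # hold blank lines so an append lands above them
        in_global && !done && index($0, "=") {
            split($0, kv, "=")
            if (trim(kv[1]) == key) { drain(); emit(); next }   # key present: replace in place
        }
        { drain(); print }
        END {
            if (!done) { if (!seen_global) print "[global]"; emit() }   # [global] was last, or absent
            drain()
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# apply_ads_settings FILE REALM WORKGROUP
apply_ads_settings() {
    set_global_key "$1" "use spnego" "yes"
    set_global_key "$1" "realm"      "$2"
    set_global_key "$1" "security"   "ads"
    set_global_key "$1" "workgroup"  "$3"
}

# Demo on a constructed smb.conf (stock-looking standalone settings plus a
# [homes] section); prints the edited file.
demo_smb_conf() {
    f=$(mktemp /tmp/smb.conf.XXXXXX)
    printf '[global]\n\tworkgroup = WORKGROUP\n\tsecurity = user\n\tserver string = Mac OS X\n\n[homes]\n\tbrowseable = no\n' > "$f"
    apply_ads_settings "$f" FLAGLER.EDU FLAGLER
    cat "$f"
    rm -f "$f"
}

demo_smb_conf
```

On a real server, run apply_ads_settings against a copy of /etc/smb.conf, diff it against the original, and run Samba's `testparm` on the result before putting it in place and restarting the Windows service. In the demo, security and workgroup are rewritten where they already stand, while use spnego and realm are appended at the end of [global], above the blank line that precedes [homes].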

