Setting up the primary OSX Server... continued

Step two: Directory Access

**Update 7/30/04:** See the previous page for updated details about no longer needing to make the computer a "Domain Member".

Launch Directory Access and configure the Active Directory plugin. Input your AD forest and domain - for us they are one and the same. Click on Bind and once again authenticate as a privileged AD user (in our case Admin). You will get a message asking you if you want to join the computer account that already exists with that name. Click the AFFIRMATIVE. This will just use the computer account that already exists (the one that was created during the previous step). If you did this step first and then tried to join as a Domain Member in Server Admin, that would actually override the information that was already there and your server would not be able to read the information in AD. I did this 5 times before I figured out that's what was going on!

As for the Advanced Options, this may vary depending on your domain's setup. For us, keeping all the defaults appears to work just fine. In fact, when I checked the box for "Prefer this domain server" and input our primary domain server, it worked but there was absolutely no failover. We disconnected the primary domain server to see if the Macs would fall back to the secondary but they did not. Disastrous results. So if you have more than one AD domain server, keep this box unchecked and it will fall back to the secondary if necessary. Leaving the Map UID attribute box unchecked also works for us. When I checked it, I guessed and put in "uniqueID". The Macs didn't know what to use for the UID since apparently the uniqueID attribute doesn't exist on our server. What attribute did it end up actually using when I unchecked the box? I dunno, but the numbers are unique and they work. So I'm not going to press the issue. :) I didn't tinker with any of the other settings, so I can't tell you what the results will be if you misconfigure it. All I can suggest is leave it with the defaults and see if it works. If so, GREAT! If not, then you have more work ahead of you that is beyond my understanding.

After you successfully join the domain, click OK and make sure the Active Directory plugin is checked on the main Directory Access window. Then click on the Authentication tab.

Since all our users will be found in AD, I want that to be the first place the system looks to authenticate them, so I made sure that was listed first. Since there will be very few - if any - Mac-only accounts, I listed LDAP as the second custom authentication point. This is also necessary so the server can see itself when you are configuring groups and MCX settings in WGM.

Apply the settings.

Reboot the server for good measure.
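
A check for the authentication search order described above, added here as an example and not part of the original walkthrough: it reads a list of search-path nodes and confirms that an Active Directory node comes before any LDAPv3 node. The node names in the samples are constructed, and the `dscl` invocation in the comment assumes the server's search node reports its custom path as `CSPSearchPath`.

```shell
#!/bin/sh
# Constructed samples of a custom authentication search path, one node per
# line. These are illustrative values, not output from the author's server.
sample_good='/NetInfo/DefaultLocalNode
/Active Directory/All Domains
/LDAPv3/127.0.0.1'

sample_bad='/NetInfo/DefaultLocalNode
/LDAPv3/127.0.0.1
/Active Directory/All Domains'

# check_search_order: read node paths on stdin and print a verdict.
# Exit status: 0 = Active Directory is listed before any LDAPv3 node,
#              1 = an LDAPv3 node is searched first,
#              2 = no Active Directory node in the path at all.
# Live use (assumption: dscl exposes the custom path under this name):
#   dscl /Search -read / CSPSearchPath | check_search_order
check_search_order() {
    awk '
        { sub(/^[ \t]+/, "") }          # strip indentation
        !/^\//  { next }                # skip header or blank lines
        { n++ }                         # n counts real nodes only
        /^\/Active Directory\// && !ad   { ad = n }
        /^\/LDAPv3\//           && !ldap { ldap = n }
        END {
            if (!ad) {
                print "FAIL: no Active Directory node in search path"
                exit 2
            }
            if (ldap && ldap < ad) {
                print "FAIL: LDAPv3 (node " ldap ") is searched before Active Directory (node " ad ")"
                exit 1
            }
            print "OK: Active Directory is node " ad (ldap ? ", LDAPv3 is node " ldap : ", no LDAPv3 node")
        }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$sample_good" | check_search_order
printf '%s\n' "$sample_bad"  | check_search_order || true
```

Running it again after any change in Directory Access confirms the order is still the one you intended.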

 
