OS X Server 10.7.5 Active Directory

At my place of work, we have an operational AD using Windows Server 2003 and a range of Mac and PC computers. I am not the network manager for this system but I have been asked to research and learn/try to deploy a Mac OS X Server 10.7.5, which I am in the middle of doing. I have the Mac server installed currently, bound it to the AD from Directory Utility, and I can add users to the "com.apple.access_devicemanager" members list from AD so they are available to Profile Manager. I can currently enroll Mac computers as well.
I am finding little documentation on what else I can get it to do with relation to AD integration. The following is our goal for the server. Is the following possible? Ultimately, we are asking the Macs to operate a lot like our Windows clients from a remote management sense. Forgive me for being a noob to this, but I am looking to tackle it head on and I have put many days of research in to get this far, but need help/input in progressing further. Input is extremely appreciated!!
Can Mac OS X 10.7.5 enable us to....
- Integrate the Mac clients into AD so that at the point of logging into their computer, it uses the login credentials found in AD. Enable us to have the credentials time out just like our AD does. Preferably, whatever timeout rules we have on AD will carry over to the server.
- Have the Mac clients manage (through the Mac server) accessing their AD file shares. We do not want the Mac server to manage local shares so that we have to add an array of storage drives to it. We would like the server to pass the share folder information it finds from AD so that the user is accessing the AD folders. I am aware that we can use Directory Utility on the client, but can the server take care of this instead of the client separately binding to AD, which would eliminate the need for the Mac server?
- Have the Mac clients look to the Mac server for printers to share from the network. (Seems to be in the profile settings that we can centralize this by putting people in groups and adding the printer names to the server setting?)
Sorry again for being a noob and not having a stronger networking/Mac background. I have scoured the Internet for everything I can find but there isn't much on this, so your input is priceless.
Thanks!

I have this same problem. It is really frustrating. Have not found a single thing on the web that works.
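On the "credentials time out just like our AD does" point above: a bound Mac enforces whatever the domain's password policy says, because the Kerberos/LDAP exchange with the domain controller is what decides whether the password is still valid. The policy itself is stored in AD as pwdLastSet on the user (a Windows FILETIME, 100-nanosecond ticks since 1601) and maxPwdAge on the domain (a negative tick count). The following is an added example, not part of the original thread and not Apple or Microsoft code, showing how those two attributes combine into an expiry date, including the edge cases that trip up scripts: pwdLastSet of 0 (must change at next logon), the DONT_EXPIRE_PASSWD bit in userAccountControl, and the "never" sentinel in maxPwdAge. The sample user and the 42-day domain policy are constructed; on Windows Server 2008 and later you could read msDS-UserPasswordExpiryTimeComputed instead, and fine-grained password policies can override the domain value, but a 2003 domain as in the question has neither.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Domain maxPwdAge is a negative tick count; this int64 minimum means "passwords never expire".
MAX_PWD_AGE_NEVER = -0x8000000000000000
# userAccountControl bit: this particular account's password does not expire.
UF_DONT_EXPIRE_PASSWD = 0x10000


def utc(*args: int) -> datetime:
    """Timezone-aware UTC datetime (convenience for samples and tests)."""
    return datetime(*args, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to a UTC datetime (integer math, no float rounding)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, kept exact by avoiding float total_seconds()."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def password_expiry(pwd_last_set: int, max_pwd_age: int, user_account_control: int,
                    now: Optional[datetime] = None) -> Tuple[str, Optional[datetime]]:
    """Return (state, expires_at) where state is one of never, must_change, valid, expired."""
    now = now or datetime.now(timezone.utc)
    # Assumption: a maxPwdAge of 0 is treated like the "never" sentinel (GPO "0 days").
    if user_account_control & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return "never", None
    if pwd_last_set == 0:
        return "must_change", None        # admin ticked "must change password at next logon"
    max_age = timedelta(microseconds=-max_pwd_age // 10)
    expires_at = filetime_to_datetime(pwd_last_set) + max_age
    return ("expired" if expires_at <= now else "valid"), expires_at


def sample_report(now: datetime) -> dict:
    """Constructed sample: password set 2013-01-10 09:30 UTC in a domain with a 42-day maximum age."""
    domain_max_pwd_age = -42 * 86400 * 10_000_000       # as read from the domain root object
    pwd_last_set = datetime_to_filetime(utc(2013, 1, 10, 9, 30))
    normal_account = 0x200                               # UF_NORMAL_ACCOUNT, no expiry exemption
    state, when = password_expiry(pwd_last_set, domain_max_pwd_age, normal_account, now)
    return {"state": state, "expires_at": when}


if __name__ == "__main__":
    print(sample_report(utc(2013, 2, 1)))
```

Read the domain maxPwdAge from the domain root object and pwdLastSet/userAccountControl from the user; both arrive from LDAP as decimal strings, so convert with int() before calling password_expiry.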

Similar Messages

  • Choosing Server for SharePoint, Exchange, Active Directory, SQL

    Hello
    We want to migrate from a work-group type network and set up an interoffice mail server and, ... with SharePoint, Exchange, Outlook. There are less than 40 clients. I prefer to minimize the number of servers. Is it possible to use one system for some of these servers:
    1. SharePoint
    2. Exchange Server
    3. SQL Server
    4. Active Directory DC
    Thank you

    You could combine #1 and #3, but none of the other services. Or you could look at just getting a Domain Controller and using Office 365.
    I'd recommend you have more than one Domain Controller for redundancy.
    Trevor Seward
    Follow or contact me at...
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Integrating Final Cut Server 1.5 with Active Directory

    Following the directions in the Final Cut Server Setup Guide and I am running into errors. Fun with Final Cut Server. Fun with Kerberos.
    Final Cut Server v.1.5 is running on an Intel Xserve running 10.5.6 Server, joined to AD. Active Directory is running on a Windows Server 2008 setup.
    I dropped the ini files on the domain controllers, as directed by Apple KB (http://support.apple.com/kb/HT3688) and I ran the commands directed in the setup guide.
    The adprincadd command should be run literally, of course, but there's a mistake straight away when it should read "./adprincadd.pl"; the ".pl" is missing. Also it says "fcsvr/fqdn of fcsvr", so naturally I replaced the fqdn, but the "fcsvr" prefix threw me off. It gave me errors until I opened Kerberos.app and noticed that the Kerberos ticket was in ldap/, then the command worked for me. At least no errors, until I checked the ticket and it said I had no permissions and that the keytab entry was invalid. Wheeee.
    1. First I tried:
    (some info redacted)
    node09:sbin root# ./adprincadd.pl -dc dc01.example.com. fcs.example.com.
    Getting kerberos principal for computer account
    Kerberos principal is ---
    Getting computer id...---
    Getting AD Domain...---
    Base DN is dc=example,dc=com
    getting kerb ticket using [email protected] got ticket
    SASL-bind to dc01.example.com. successful
    Computer record is at CN=---,CN=Computers,DC=example,DC=com
    Checking to see if ---.--.---. exists...000020B5: AtrErr: DSID-031529F7, #1:
    0: 000020B5: DSID-031529F7, problem 1005 (CONSTRAINTATTTYPE), data 0, Att 90303 (servicePrincipalName)
    at ./adprincadd.pl line 165
    2. Then I noticed the /ldap in Kerberos.app and changed the adprincadd command:
    Everything ran well, with no errors...
    Finding kvno...2
    Reading /etc/krb5.keytab...done.
    Creating new keytab file...done.
    Writing out temporary keytab...done.
    Making backup of old keytab and moving new keytab into place...done.
    Operation Completed. You can verify with "kinit <ad user>; kvno -k /etc/krb5.keytab ldap/---.example.com"
    3. Verifying with kinit gave me the keytab errors:
    kinit matx; kvno -k /etc/krb5.keytab ldap/fcs.example.com
    Please enter the password for [email protected]:
    ldap/[email protected]: kvno = 2, keytab entry invalid
    kvno: Permission denied while decrypting ticket for 'ldap/[email protected]'
    Thoughts?
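The "kvno = 2, keytab entry invalid" line in step 3 above is the classic symptom of a kvno mismatch: the KDC issued a service ticket for key version 2, but /etc/krb5.keytab holds a key for a different version (or a key encrypted with a different enctype), so the ticket cannot be decrypted. The following is an added example, not code from the original post or from Apple's adprincadd.pl, that parses the MIT keytab file format directly and performs the same comparison that "kvno -k" does, so you can inspect a keytab offline without a KDC. The principal, timestamp and the all-zero key material in the sample are constructed; build_keytab is only there to fabricate the sample and exercise the parser, and the hole between the two entries models the deleted slot that ktutil/ktremove leaves behind.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format version 2 (big-endian fields)


@dataclass
class KeytabEntry:
    principal: str                   # e.g. "ldap/fcs.example.com@EXAMPLE.COM"
    name_type: int                   # KRB5_NT_PRINCIPAL = 1
    timestamp: int                   # seconds since the Unix epoch
    kvno: int
    enctype: int                     # e.g. 23 = rc4-hmac, 18 = aes256-cts-hmac-sha1-96
    key: bytes


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a uint16 length-prefixed octet string, returning (value, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries in keytab v2 layout (used here only to construct samples)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        parts = name.split("/")
        body = bytearray(struct.pack(">H", len(parts)))      # component count excludes realm in v2
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in parts:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                    # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a v2 keytab, skipping deleted slots (negative entry length)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # hole left by a removed entry: skip abs(size) bytes
            off += -size
            continue
        e, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", e, p); p += 2
        realm, p = _counted(e, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(e, p)
            comps.append(c)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", e, p); p += 9
        (enctype,) = struct.unpack_from(">H", e, p); p += 2
        key, p = _counted(e, p)
        kvno = vno8
        if p + 4 <= len(e):           # a non-zero 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", e, p)
            if vno32:
                kvno = vno32
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, timestamp, kvno, enctype, key))
        off += size
    return entries


def check_keytab_kvno(data: bytes, principal: str, kdc_kvno: int) -> Tuple[str, List[int]]:
    """Same question 'kvno -k' asks: does the keytab hold the kvno the KDC just issued a ticket for?"""
    kvnos = sorted({e.kvno for e in parse_keytab(data) if e.principal == principal})
    if not kvnos:
        return "missing", kvnos
    return ("ok" if kdc_kvno in kvnos else "stale"), kvnos


SAMPLE_PRINCIPAL = "ldap/fcs.example.com@EXAMPLE.COM"   # constructed, mirrors the redacted post


def sample_keytab() -> bytes:
    """Constructed keytab: ldap/ entry at kvno 1, a deleted slot, then a host/ entry at kvno 3."""
    first = build_keytab([KeytabEntry(SAMPLE_PRINCIPAL, 1, 1259164212, 1, 23, bytes(16))])
    hole = struct.pack(">i", -8) + bytes(8)               # deleted slot of 8 bytes
    second = build_keytab([KeytabEntry("host/fcs.example.com@EXAMPLE.COM", 1,
                                       1259164212, 3, 18, bytes(32))])[2:]   # strip magic
    return first + hole + second


if __name__ == "__main__":
    for entry in parse_keytab(sample_keytab()):
        print(entry.principal, "kvno", entry.kvno, "enctype", entry.enctype)
    print(check_keytab_kvno(sample_keytab(), SAMPLE_PRINCIPAL, 2))   # KDC says 2, keytab has 1
```

When the result is "stale", the fix is to regenerate the keytab entry against the computer account's current key version (re-running the principal-add step, or ktpass/setspn on the Windows side) rather than to touch the ticket; the KDC's kvno is authoritative.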

    Hello, I'm having issues with the client login after AD integration. I followed the steps from http://support.apple.com/kb/HT3818 and the Terminal output reported a success.
    I'm able to add AD groups in Final Cut Server Group Permissions. However, when I try logging in on the FCServer client using credentials associated with AD group I've added, I'm getting an error message from the client stating:
    "Please re-enter the username and password or contact the server administrator. Please note that the username and password are case-sensitive."
    The FQDN is correct in the Server field of the client.
    I'm able to log into the client using locally created user accounts that I've created on the server so I know the client is communicating correctly.
    The only thing I can find in the Console for the client machine is this:
    11/25/09 10:50:12 AM /Users/*/Desktop/Final Cut Server.app/Contents/MacOS/Final Cut Server[1773] Warning: accessing obsolete X509Anchors.
    In the server Console, this is a suspect message: /Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/MacOS/fcsvr_stored[77891] pps proxy error: dsDoDirNodeAuth = -14091
    Not finding much info out there regarding this. Any guidance is appreciated.

  • Active Directory Error 0x51 occurred when trying to check the suitability of server ' servername '. Error: 'Active directory response: The LDAP server is unavailable'. It was running the command 'Get-OwaVirtualDirectory'.

    This issue is driving us nuts - there are no issues with Domain Controllers or AD in this environment.  The server it is citing in the error has been retired - it was gracefully dcpromo'ed down and removed from the environment.  DNS has no record of it, nor is it located anywhere else.  We are not able to log into Outlook Web App either with authentication failed errors - and I can't help but expect these 2 issues are related?  I tried hard coding the Configuration Domain Controller at the org level, as well as using the -staticdomaincontrollers and -staticglobalcatalogservers with the "Set-ExchangeServer" powershell command - no luck....  System settings of the exchange 2010 servers show they are pointing to the correct DCs - but I still get this error accompanied with long delays in rendering windows in EMC.  Extremely frustrating.....  I have an issue logged with MS now, but they aren't looking at them until Nov 9.  Has anyone seen this issue at all?  More info on the OWA config - using Form based auth, and I'm not able to perform a simple test-owaconnectivity -mailboxcredential (get-credential\username) -allowuntrustedcertificate -allowinsecurelogon - please help

    Create a "global catalog" on the 2nd domain controller; this will fix the problem.
    To create a new global catalog:
    On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
    In the console tree, double-click Sites, and then double-click the site name.
    Double-click Servers, click your domain controller, right-click NTDS Settings, and then click Properties.
    On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server.
    Restart the domain controller.

  • Server 2008 R2 DNS Server can not open Active Directory, error 4000

    The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code. Error 4000
    This just started happening yesterday. Also File service and print server are unable to contact because of this error. I have no lookup zones. When I try and go to the DNS server I get a message "The server VETSALDC could be contacted. The error was Access Denied. Would you like to add it anyway?"
    PLEASE HELP

    Hi,
    According to your description, my understanding is that DNS unable to open Active Directory with error 4000.
    This happens when that particular DC/DNS server has lost its Secure channel with itself or PDC. This can also happen in a single DC environment where that DC/DNS server holds all the FSMO roles and is pointing to itself as Primary DNS server.
    You may check AD DS using the command line tool "DCdiag" (run as administrator). Besides, you may try to stop and restart the AD DS service (detailed steps reference the link:
    http://technet.microsoft.com/en-us/library/cc732714(WS.10).aspx ), make sure that the AD DS is running correctly.
    Then restart the DNS service, detailed steps reference the link:
    http://technet.microsoft.com/en-us/library/cc735673(v=ws.10).aspx .
    If the problem still exists, is there any other DC or DNS on your network? Post the TCP/IP parameters (ipconfig /all) of DC and DNS here.
    Best Regards,           
    Eve Wang     
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • After rebooting ML server, unable to open active directory.  Error msg is Unable to open requested node error -14006.

    This active directory is a replica of master on 2nd Mac Mini server which still thinks replica is there (perhaps it is) and will not let us delete in order to recreate.  Both servers are running 10.8.4.  Nothing changed on either server, simply did a reboot.  When we logged in, Active Directory was turned off and when trying to turn on or access received message "Unable to open the requested node.  The node LDAPV3/127.0.0.1 could not be opened because of an unexpected error -14006".
    Does any one have experience with this and how can we recover?  Thanks in advance for your help.

    Hi again,
    I've been able to run Reports by changing the "Reports_Tmp" key in the Registry under:
    Hkey_local_machine\software\oracle\home0\
    to the D:\ drive

  • Unable to access server files shares with Active Directory Users

    Quick breakdown of my issue.
    I have setup a Yosemite file server running the latest version of Yosemite and Server.
    File sharing in Server.app is enabled and shares have been created
    The server is bound to my company's Active Directory and you can directly login to the computer via AD credentials.
    The big issue is this, unless the user has directly walked up to my server and logged into it at least once, they cannot authenticate to the file shares via their AD credentials.
    For example: Administrator (me) I can login and access all file shares without issue.
    Jane Smith (SMITH) who has actually walked up to my server and logged in via her AD credentials, can also access all file shares. (That she has access to)
    John Doe (JDOE) who has not logged into the server in anyway, cannot authenticate to the server file shares  at all (even though I have granted him permission) He just gets an "Access Denied" message.
    I have gone into Directory Utility and changed the search order to give AD priority and this still doesn't resolve the problem.
    We have unbound the server from AD and added in back again and still not able to resolve.
    If you open Server.app and go to add someone from AD to a file share, it finds the AD user quickly and everything looks right. but still unable to authenticate to the server if they haven't directly logged into it before?
    All of the documentation and google articles I have found say my server is setup correctly, any help would be greatly appreciate it!
    Thanks in advance!

    I figured this out. In Mountain Lion Server, it doesn't matter if you give the user rights to a shared file or folder, if the user doesn't have access the File Sharing service, they can't get it. I had to find the specific users in the Server app under the AD in the Users tab, and give them rights to the File Sharing service. I think you can do this for a whole AD group as well, but I haven't tried.

  • Is dns server required to install active directory

    I have a confusion here.... I have to install Active Directory on a Win 2K or 2K3 server.... Can I install it with the help of WINS but not DNS? Is it possible to install AD with WINS installed/configured on the server but at the same time not any kind of DNS (third-party server/service) installed/configured there????..... Thanks

    AD relies on DNS name resolution. So DNS name resolution is a requirement for AD installation.
    DNS requirements for installing Active Directory:
    http://technet.microsoft.com/en-us/library/cc739159(WS.10).aspx
     http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx
    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.

  • WebLogic Server 8.1 Integrating Active Directory Filtering Users by Group

    I am trying to specify the User Base DN value with a Group. I only want users with in that group retrieved from AD. Any assistance would be appreciated.
    Using AD examples from this site:
    http://support.bea.com/support_news/product_troubleshooting/LDAP_Issues_Pattern.html
    I attempted to enter LDAP config values in the following way. However, while users DO exist in the group Users, which is specified in the UserBaseDN parameter, no users from LDAP show up on the Admin Console's users screen. No error occurs on the lookup either, so these values agree with the directory structure:
    <weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
    ControlFlag="SUFFICIENT" Credential="{3DES}96Kl0euDFQQ="
    GroupBaseDN="CN=Users,DC=supportLDAP,DC=example,DC=com"
    GroupFromNameFilter="(&(cn=%g)(objectclass=group))"
    Host=" HOST IP or NAME OF LDAP"
    Name="Security:Name=myrealmActiveDirectoryAuthenticator"
    Principal="CN=Administrator,CN=Users,DC=supportLDAP,DC=example,DC=com"
    Realm="Security:Name=myrealm"
    StaticGroupDNsfromMemberDNFilter="(&(member=%M)(objectclass=group))"
    StaticGroupNameAttribute="cn"
    StaticGroupObjectClass="group"
    StaticMemberDNAttribute="member"
    UserBaseDN="CN=Users,DC=supportLDAP,DC=example,DC=com"
    UserFromNameFilter="(&(cn=%u)(objectclass=user))"
    UserNameAttribute="cn" UserObjectClass="user"/>

    Hi
    I didn't filter it on the provider configuration.
    Instead I removed some presentation services privileges from authenticated users and granted them only to some specific application roles. You don't have to remove many privileges from authenticated users, just some basic ones such as "see Dashboards" and so on.
    Now everyone can authenticate on the login page but after logon they get a message that they don't have permissions to access answers, dashboards and so on.
    Regards
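The question above wants the directory lookup itself to return only members of one group, rather than letting everyone authenticate and restricting them afterwards. In AD that is a filter on memberOf, and the same "%u" substitution that UserFromNameFilter performs is where LDAP filter injection lives if the value is not escaped. The following is an added example, not part of the original thread and not WebLogic's provider code, that implements RFC 4515 filter-value escaping, RFC 4514 escaping for a group CN used inside a DN, a placeholder renderer in the style of UserFromNameFilter, and a group-restricted user filter with an optional nested-group variant using AD's LDAP_MATCHING_RULE_IN_CHAIN OID. The group name "Mac Users" and the user "jdoe" are constructed; the base DN is the one from the posted config.

```python
import re
from typing import Dict

# RFC 4515: characters that must be hex-escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# AD extensible-match rule that makes memberOf walk nested group membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value inside a DN (RFC 4514), e.g. a group CN containing a comma."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def render_filter(template: str, params: Dict[str, str]) -> str:
    """Substitute %x placeholders (as UserFromNameFilter's %u) with escaped values; %% is a literal %."""
    def sub(m: "re.Match") -> str:
        key = m.group(1)
        return "%" if key == "%" else escape_filter_value(params[key])
    return re.sub(r"%(.)", sub, template)


def group_dn_for(cn: str, base_dn: str) -> str:
    """Build the DN of a group from its CN and the container it lives in."""
    return "CN=%s,%s" % (escape_dn_value(cn), base_dn)


def user_in_group_filter(username: str, group_dn: str, nested: bool = False) -> str:
    """Filter that matches the user only if it is a member of group_dn.

    memberOf lists direct memberships only; with nested=True AD walks group nesting
    server-side. Neither form sees the primary group, which AD keeps in primaryGroupID.
    """
    attr = "memberOf:%s:" % LDAP_MATCHING_RULE_IN_CHAIN if nested else "memberOf"
    return "(&(objectClass=user)(sAMAccountName=%s)(%s=%s))" % (
        escape_filter_value(username), attr, escape_filter_value(group_dn))


if __name__ == "__main__":
    base = "DC=supportLDAP,DC=example,DC=com"            # base DN from the posted config
    group = group_dn_for("Mac Users", base)                # constructed group name
    print(user_in_group_filter("jdoe", group))
    print(user_in_group_filter("jdoe", group, nested=True))
    # A hostile login name is neutralised instead of rewriting the filter:
    print(render_filter("(&(cn=%u)(objectclass=user))", {"u": "*)(objectClass=*"}))
```

Because the DN is itself a filter value, a group CN containing a comma is escaped twice: once for the DN (backslash-comma) and again for the filter (the backslash becomes \5c), which is what the directory expects.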

  • Mac OS X Server File Shares and Active Directory Users

    About ready to pull my hair out on this one...
    We have a department that only uses Macs. At the moment, it's a hodgepodge of different setups. We were able to convince the department to standardize, and purchase a Mac Mini Server. To keep things a bit simpler, we are setting up their department shares on the server as well.
    To make my life simpler (or so I thought...) I decided to bind the OS X Server to our AD, and use the AD users/groups to allow access to the shares. The OS X Server app lists all of our AD user and groups, and I can apply them to the shares, however, when we try to access the share, it fails.
    I don't think the server is talking to our AD correctly.
    I can login to the Mac Server with my network account, my network account works for accessing Server.app, but nothing I've tried will allow our Mac or Windows clients to access the shares with the AD credentials. The log file comes up with:
    mccsrvrmac.mcc.local smbd[441]: check_account - [7]: [permission denied] pam_acct_mgmt
    Also seeing this:
    mccsrvrmac.mcc.local kdc[57]: Asked for LKDC, but there is none
    A bit of background: We added this Mac to the domain once before, realized that the HDDs weren't setup in a RAID config, so wiped it and reinstalled. I did remove the computer account before rebinding.
    Any help is appreciated!

    I figured this out. In Mountain Lion Server, it doesn't matter if you give the user rights to a shared file or folder, if the user doesn't have access the File Sharing service, they can't get it. I had to find the specific users in the Server app under the AD in the Users tab, and give them rights to the File Sharing service. I think you can do this for a whole AD group as well, but I haven't tried.

  • Windows 2012 R2 Active Directory Domain Services and Remote Desktop services Role on the same server.

    Findings: 
    Currently, Windows 2012 R2 AD DS role and RDS with Broker services can only seem to coexist properly in a new domain, not an existing domain. Any attempt to add to an existing domain causes internal database user access denied issues, and any attempt to adjust rights and circumvent is dubious at best.
    The escalation technician said it best. Out of 50 clients that want to do this, they end up not being able to help 5 right off the bat for whatever reason. As for the other 40, they might be able to help by running reports, adjusting rights and trying to add the roles until it works. This can end up being a 20 day process. Basically they are playing whack-a-mole with user rights and permissions until something sticks.
    We tried creating an OU where any other domain policies would not be inherited to see if that was the issue, a fresh install with different sequence of adding the Roles, no effect.
    Given the errors I witnessed when running procmon and then trying to add the roles, the NT System and the Windows Internal database user had access denied issues on 100+ registry keys when trying to add the roles. After that the system is not behaving normally.
    The errors displayed almost mirror the errors that would occur on Windows 2012 when those two roles would be added which of course is officially NOT supported on that system.
    This blog needs serious revision:
    http://blogs.msdn.com/b/rds/archive/2013/07/09/what-s-new-in-remote-desktop-services-for-windows-server-2012-r2.aspx
    This is the excerpt from that blog: Single server RDS deployment including Active Directory. We now support running our RD Connection Broker role service on the same physical instance as an Active Directory Domain Controller. In addition, we published guidelines for how RD Session Host could be used without the RD Connection Broker.
    Microsoft Support was courteous and helpful and they were the ones who advised cutting our losses, which mirrored my hunch after seeing what was transpiring in the system. They refunded my money for the support call.
    For me, it was an opportunity to find out if there was any way to configure Windows 2012 R2 in the same manner that it was set up as Windows 2008 R2 and lay that to rest. The coexistence is poorly implemented. It is as if there was a reaction from all the deprecation of bread and butter features such as shadowing in TS and the coexistence of AD DS and RDS to where those features were re-added haphazardly. (I have no complaints on shadowing on Windows 2012 R2; it works, I just do not like having to go to Server Manager to use it.)
    I opted for virtualizing the Domain Controller to eliminate the incompatibility issues and that is what I will be doing from now on. I found free solutions for backing up and reporting for virtual machines as well as the suggested procedures for configuring a Domain Controller as a virtual machine in a Hyper-V environment and I will be sticking to those. Thus far the setup has been operational.
    I am not allergic to virtualization, but for really small setups it adds additional time and considerations; but if that is how it has to be done, so be it. Windows 2008 R2's days are numbered and since we can usually squeeze 5-7 years out of quality server equipment, buying a Windows 2008 R2 setup now is a borderline disservice in my opinion.
    Hopefully someone finds this useful and saves some time.

    Hi,
    Thank you for posting in Windows Server Forum.
    Do you need any other assistance?
    Based on your description, you are describing your story of successfully implementing RDS server with AD role and more regarding all RDS related scenario. For shadowing feature, you can use with command also. Below is the syntax to shadow a session.
    mstsc /v:<ServerName> /shadow:<SessionID>
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Is it a safe to install DFS namespace service to an Active Directory Server?

    Hi All,
    Is it safe and/or best practice to install a DFS namespace server on a server that runs Active Directory Domain Services?
    I have read a blog in which, as much as possible, an Active Directory server should only run the directory services and no other installed services. But we're running out of physical servers and our virtual environments are already full, so I'm hoping that the DFS namespace server could be installed on the AD server.
    Also, if it's possible, what could be the possible conflicts/problems/errors that we might encounter in the near future from running these 2 services on a single server?
    Appreciate any suggestions and feedbacks.

    Hi,
    >>Is it safe and/or best practice to install a DFS namespace server to a server that runs an Active directory services?
    Yes, we can host DFS namespace on domain controllers. However, as the following article states:
    When deciding whether to host a DFS namespace on a domain controller, consider the following factors:
    Only members of the Domain Admins group can manage a DFS namespace hosted on a domain controller.
    If you plan to use a domain controller to host a DFS namespace, the server hardware must be sized to handle the additional load. As described in the previous question, root servers that host large or multiple namespaces require additional memory.
    Distributed File System: Namespace Server Questions
    http://technet.microsoft.com/en-us/library/hh341468(v=ws.10).aspx
    Best regards,
    Frank Shen

  • OS X Server and Active Directory

    Hi
    I'm trying to use OS X Server 10.5 with Active Directory and have got to the stage where I can view AD users and groups in Workgroup Manager and have authenticated on the domain.
    However, if I try and change a user's password I get "The password could not be set. The action failed because you are not authorized to perform the operation."
    Also, if I try and create an account on the domain I receive the following - "Got unexpected error Error of type eDSNoStdMappingAvailable (-14140) on line 4267 of /SourceCache/WorkgroupManager/WorkgroupManager-319/PMMUGMainView.mm".
    I can delete accounts using Workgroup Manager and have confirmed this has worked by checking in AD, so I can't understand what's going on.
    Any help greatly appreciated!

    You should post your question in the OS X Server forums:
    http://discussions.apple.com/category.jspa?categoryID=96

  • Does Sun Messaging Server support Microsoft Active Directory

    Hello,
    I just got this question. Does Sun Messaging Server work with Microsoft Active Directory?
    Thanks.

    Please post in the messaging server forum: http://forums.sun.com/forum.jspa?forumID=708

  • Active Directory 2003 and Sun One Directory Server 5.2

    I just installed Sun One Directory Server 5.2 on a Linux machine. I want to configure LDAP on that machine so that it can be authenticated on Active Directory 2003. How do I go about doing this?

    Active Directory server is a "directory server" (and kerberos server.) If your linux client authenticates against Active Directory it doesn't have to involve the Sun Directory Server at all. You have several general approaches you could investigate:
    1. Linux client gets accounts and authentication via LDAP from Active Directory.
    If you use AD to handle unix LDAP authentication (opt 1) you may need to extend schema in AD to add the unix password field. I haven't tried it yet, but hope to.
    2. Linux client gets accounts from AD LDAP and authorization from AD Kerberos.
    There should be docs on support.microsoft.com on enabling kerberos support for non-Win clients.
    3. Linux client (with samba client installed, with winbind or pam_smb to support unix level services) gets accounts and authentication as a "Windows" client from Active directory "Windows server"
    Check the samba.org docn or forums- I think this is a pretty common solution.
    4. Linux client gets account information from Sun Directory server but uses kerberos (against active directory) for authentication.
    There should be docs on support.microsoft.com on enabling kerberos support for non-Win clients.
    5. Linux client gets account and authorization from Sun Directory Server, with the Sun Directory Server configured to use Active Directory as a Kerberos server.
    Probably incredibly complex.
