Manage your Apple Macintosh clients like you manage your Windows clients
It wasn’t too long ago that using an Apple Macintosh computer in a Windows environment meant hassling with software integration and Active Directory (AD) schema changes. Within the past few years, however, this integration has become much easier and, for basic authentication, works out of the box. This change didn’t occur because Microsoft and Apple suddenly had a kumbaya moment and started working together. It occurred because both have done a good job of following the Kerberos (RFC 4120) and LDAP (RFC 4511) standards. As a result, if you’re using Windows Server 2003 R2 or later and Apple OS X Panther (version 10.3) or later and you just need your Mac clients to authenticate to AD, you don’t need any special software. You can simply specify the old “NT style” Home Folder path (a UNC path) in the user’s AD object to have the user’s network drive show up on the desktop. If it’s a mobile account (roughly what Microsoft calls cached credentials plus a profile), users can even log on when they aren’t connected to the domain, again without any additional software. But if you want to manage your Mac clients like you manage your Windows clients, you’ll need a Mac-to-AD integration solution. I recently reviewed four products that do a great job.
Three of the products—Centrify’s DirectControl, Likewise Software’s Likewise Enterprise, and Quest Software’s Authentication Services—integrate Mac, UNIX, and Linux computers into your Windows world. The fourth product, Thursby’s ADmitMac, integrates Mac computers only.
I tested each product in a dedicated Windows Server 2008 AD environment hosted on a VMware ESXi server. I installed DirectControl and Authentication Services directly on the domain controller (DC). As recommended by the documentation, I installed Likewise Enterprise on a dedicated server. ADmitMac doesn’t require the installation of back-end software.
For the client, I used a MacBook Pro running OS X Snow Leopard (version 10.6.7). After installing and configuring each product, I put it through its paces. The testing involved:
- Installing the client software
- Adding the Mac client to the domain
- Removing the Mac client from the domain
- Logging on to the domain
- Migrating a user
- Using the product’s management console (if applicable)
- Changing settings using a Group Policy Object (GPO)
- Adding a Global Group to a Local Group
- Deploying software to the Mac client
- Using cached credentials to log on when not connected to the domain
- Disabling automatic logons and logon messages using a GPO
For more information about the testing, see the web-exclusive sidebar “Criteria for Testing the Mac-to-AD Integration Solutions” (www.windowsitpro.com, InstantDoc ID 135957).
Installing DirectControl was a breeze. You simply double-click CentrifyDC_Console-4.4.3-win32 on a DC and follow the prompts. No database or other prerequisites are required, except that the .NET publisher evidence verification option must be disabled. Disabling this feature is easy, as the installation routine does it for you. However, finding out what the .NET publisher evidence verification option does proved to be a bit more challenging. After numerous Internet searches and queries to my developer friends, I finally reached out to the folks at Centrify for an explanation. According to Centrify, “Disabling the ‘publisher evidence verification’ simply speeds up the launch of the console applications since it configures the app to launch without performing the time-consuming verification process, which can be problematic in isolated networks such as test labs that don't have Internet connectivity.” The setting behind this is the generatePublisherEvidence element in the console’s .NET application configuration file. When it’s enabled, the CLR verifies each managed assembly’s Authenticode signature at load time, including a certificate revocation check that needs Internet access, in order to build Publisher evidence for code access security. Disabling it skips that evidence generation; it doesn’t change which code the console will run, but it’s worth knowing what has been switched off on a DC.
After the setup routine finishes, you start the DirectControl console. The first time this program runs, a setup wizard walks you through creating the default zone. Zones are named collections of UNIX, Linux, and Mac computers; by grouping client machines into zones, you can apply security or configuration policies to each group. Zones are stored in the AD container domain.com/Program Data/Centrify/Zones.
The setup wizard also helps you install the required licenses, which are stored in the AD container domain.com/Program Data/Centrify/Licenses. In all of the products that I’ve reviewed, I’ve never seen licenses stored in AD. It’s unique, to say the least.
After the back-end support has been installed, the next step is to install the client software onto a Mac computer using a platform-specific package. For Mac OS X Snow Leopard, you use the CentrifyDC-4.4.3-mac10.6.dmg file. Double-clicking this file opens a menu that has a Prepare feature, which you use to ensure that DirectControl and AD are communicating properly and ready for integration. When prompted, you enter the name of your domain, and in a few seconds, a total of 20 tests are performed. These tests check to see whether there’s adequate disk space on the client, whether DNS is working properly, whether there’s a DC in the site, and much more. I failed the test that checked whether the DC’s and the client’s clocks were synchronized. After I fixed the problem, I was ready to install the client. That check matters because Kerberos, which AD uses for authentication, rejects requests when the client’s clock differs from the DC’s by more than the domain’s maximum tolerance, five minutes by default, so a Mac with a drifting clock can’t log on regardless of which product you install.
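The prerequisite checks described above (DNS, a reachable DC, clock synchronization) and the software-free bind with mobile accounts and an AD Home Folder path mentioned at the start of the article can be scripted with Apple’s built-in dsconfigad tool. The following script is an added example written for this review; it is not Centrify’s Prepare tool or any of the reviewed products’ code. It assumes a domain named corp.example.com, the Mac OS X 10.5/10.6-era dsconfigad and ntpdate syntax (later macOS versions replaced ntpdate with sntp, whose output this parser does not handle), and dig and nc being present on the client. The SRV and time-offset parsers read the tools’ text output, so they can be exercised with constructed input and no domain at all; the live checks run only when the script is invoked with a subcommand.

```shell
#!/bin/sh
# Added example: AD preflight checks and a dsconfigad bind for a Mac client.
# Not part of DirectControl or the other reviewed products; domain names are assumed.
set -eu

MAX_SKEW_SECS=300   # Kerberos default maximum clock skew: 5 minutes

# skew_ok OFFSET [MAX]: succeed when |OFFSET| <= MAX seconds (awk handles the float)
skew_ok() {
    awk -v off="$1" -v max="${2:-$MAX_SKEW_SECS}" \
        'BEGIN { if (off < 0) off = -off; exit (off <= max) ? 0 : 1 }'
}

# ntp_offset: read `ntpdate -q DC` output on stdin and print the first offset value.
# Line shape: "server 10.0.0.1, stratum 2, offset -0.012345, delay 0.02568"
ntp_offset() {
    awk '/offset/ { for (i = 1; i < NF; i++) if ($i == "offset") {
                        sub(/,$/, "", $(i + 1)); print $(i + 1); exit } }'
}

# srv_hosts: read `dig +short SRV` lines ("prio weight port target.") on stdin and
# print "target:port", best record first (lowest priority, then highest weight)
srv_hosts() {
    sort -k1,1n -k2,2nr | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# --- live checks below; they need the domain's DNS and a reachable DC ---

dns_srv() { dig +short SRV "$1" | srv_hosts; }          # SRV lookup via dig(1)
port_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }    # TCP connect test via nc(1)

# preflight DOMAIN: the kind of checks a vendor "Prepare" step performs, in script form
preflight() {
    domain=$1; fail=0
    ldap=$(dns_srv "_ldap._tcp.dc._msdcs.$domain")       # DCs offering LDAP
    kdc=$(dns_srv "_kerberos._tcp.dc._msdcs.$domain")    # DCs offering Kerberos
    [ -n "$ldap" ] || { echo "FAIL: no _ldap._tcp.dc._msdcs SRV records for $domain"; fail=1; }
    [ -n "$kdc" ]  || { echo "FAIL: no _kerberos._tcp.dc._msdcs SRV records for $domain"; fail=1; }
    [ "$fail" -eq 0 ] || return 1
    dc=$(printf '%s\n' "$ldap" | head -n 1 | cut -d: -f1)
    echo "using DC $dc"
    # 88 = Kerberos, 389 = LDAP, 445 = SMB (only needed when the AD Home Folder is mounted)
    for p in 88 389 445; do
        if port_open "$dc" "$p"; then echo "ok: $dc:$p"; else echo "FAIL: $dc:$p unreachable"; fail=1; fi
    done
    off=$(ntpdate -q "$dc" 2>/dev/null | ntp_offset)
    if [ -z "$off" ]; then echo "WARN: could not read the time from $dc"
    elif skew_ok "$off"; then echo "ok: clock offset ${off}s"
    else echo "FAIL: clock offset ${off}s exceeds ${MAX_SKEW_SECS}s; fix NTP before binding"; fail=1
    fi
    return "$fail"
}

# bind_ad COMPUTER DOMAIN OU ADMIN: join with Apple's AD plug-in, then harden the bind.
# OU is a DN such as "OU=Macs,DC=corp,DC=example,DC=com" (assumed value).
bind_ad() {
    computer=$1; domain=$2; ou=$3; admin=$4
    printf 'AD password for %s: ' "$admin"; stty -echo; read -r pass; stty echo; echo
    # The password reaches dsconfigad via -p, so it is visible in `ps` for the bind's duration
    dsconfigad -a "$computer" -u "$admin" -p "$pass" -ou "$ou" -domain "$domain"
    # -mobile/-mobileconfirm : cached mobile accounts, created without prompting (off-domain logon)
    # -useuncpath            : mount the user's AD Home Folder (UNC path) at logon
    # -packetsign/-encrypt   : require LDAP signing and encryption to the DC
    # -passinterval          : rotate the computer account password every 14 days
    # -groups                : AD groups whose members become local administrators on the Mac
    dsconfigad -mobile enable -mobileconfirm disable -localhome enable -useuncpath enable \
               -packetsign require -packetencrypt require -passinterval 14 \
               -groups "domain admins,enterprise admins"
    dsconfigad -show
}

usage() { echo "usage: $0 preflight DOMAIN | bind COMPUTER DOMAIN OU ADMINUSER" >&2; }

case "${1-}" in
    preflight) preflight "${2:?domain}" ;;
    bind)      bind_ad "${2:?computer}" "${3:?domain}" "${4:?ou}" "${5:?admin}" ;;
    *)         usage ;;
esac
```

Run `sh adprep.sh preflight corp.example.com` as an ordinary user first; only when every line reads ok should you run the bind as root. The Kerberos skew check is the one the author tripped over; the SMB check is only relevant if you rely on the Home Folder path, and requiring LDAP signing and encryption at bind time is the setting most worth keeping when you later hand management over to one of the reviewed products.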