Volume Number: 25
Issue Number: 04
Column Tag: MacEnterprise

MacEnterprise: Integrating with Active Directory

A look at third-party tools for leveraging your AD infrastructure

By Greg Neagle, MacEnterprise.org

In enterprise environments, Microsoft's Active Directory is possibly the single-most common directory service. It's well suited to large companies with geographically separated locations, and scales very well to tens and even hundreds of thousands of users. In any organization that has many Windows computers, or any company that uses Exchange, it is the obvious and maybe unavoidable choice for a directory service. For these reasons and more, Active Directory is the 500-pound gorilla of directory services. Questions about integrating Mac OS X with Active Directory are among the most common questions on the MacEnterprise mailing list (http://www.macenterprise.org/mailing-list).

Given the ubiquity of Active Directory in enterprise environments, it's not surprising that Apple offers a solution for AD integration: the Active Directory plug-in for Directory Services. This plug-in has been covered well here and elsewhere: Michael Bartosh wrote an excellent article for the November 2004 issue of MacTech covering the AD plug-in that shipped with Panther. You can find it in MacTech's online archives - much of what it covers is still relevant. In October 2007, Philip Reinhart covered a few more tricks with using the AD plug-in and the dsconfigad command-line tool. And of this writing, Apple has an excellent whitepaper on integrating Mac OS X with Active Directory available here: http://images.apple.com/business/solutions/it/docs/Best_Practices_Active_Directory.pdf

Still, Apple's built-in solution does not meet every possible need you might have when integrating Macs into an existing Active Directory infrastructure. Fortunately, there are third-party tools that can be used to supplement or even replace Apple's tools. We'll look at a few in this article. While not intended to be a in-depth examination, we'll briefly touch on the main features of some of the third-party solutions.

Before we look at third-party tools, it makes sense to talk about some of the "missing features" from Apple's offerings. Get ready for some three-letter acronyms:

GPOs, or Group Policy Objects, are used by Active Directory administrators to help manage their Windows clients. They can be used to manage security policies, software installation, login scripts, folder redirection, and some application settings. They are similar in concept to MCX settings in managed OS X environments. Some organizations would like to be able to define GPO settings to manage Macs along with their Windows machines. Apple's AD plug-in doesn't support Active Directory GPOs.

MCX is Apple's client management framework. Out-of-the box, there is no support for MCX settings in Active Directory. Some MCX options include extending the AD schema to include MCX attributes, deploying a dual-directory infrastructure where MCX records are stored in a secondary directory, or using a third-party replacement for Apple's AD plug-in.

DFS, or Microsoft's Distributed File System (sometimes written "Dfs") is a method of making shared filesystems available via a network. This is typically used to provide fault-tolerance and/or redundancy, and to insulate users from having to know on which fileserver a given resource is located. It is roughly equivalent to automounted NFS shares where a resource can be accessed by a specific path, no matter which actual fileserver hosts it. While this is not really a function of the AD plug-in, Apple's built in SMB/CIFS client does not support Microsoft's DFS.

This is not an exhaustive list - certainly there are other features of Active Directory and Windows file services that are not supported by Apple's tools, or with which Apple's tools have difficulty.

Thursby Software has been providing tools to help Macs connect to Windows for many years. ADmitMac, currently at version 4, is a complete replacement for both Apple's AD plugin and the built-in SMB client. Some key features:

Requires no Active Directory schema changes

Supports DFS, even for home directories

Support for Active Directory shared printers

Support for MCX client management

More information is available at http://www.thursby.com/products/admitmac.html

Another product from Thursby Software is DAVE. It implements a subset of the features in ADmitMac. It operates as a replacement for Apple's SMB client, but provides less integration with Active Directory. See http://www.thursby.com/products/dave.html to learn more.

DirectControl from Centrify is also an Active Directory plug-in replacement. Besides the obligatory support for Active Directory authentication, a major feature of interest is support for GPOs: Windows administrators can use standard Windows tools to define GPOs for Mac clients that can specify certain management settings for user and computers. The ability to use a single set of tools to manage users, groups, and manage computers, no matter the OS is an important one for some organizations. Centrify also offers DirectControl for Linux and UNIX, which offers the possibility of using Active Directory to authenticate and manage all your platforms. More information on the Mac product is available at http://www.centrify.com/directcontrol/mac_os_x.asp

Likewise Enterprise is yet another replacement for Apple's Active Directory plug-in. A unique feature of this product is the ability to store MCX data in Active Directory without extending the schema. This is similar in concept to what Centrify's DirectControl does, but with two important differences:

Administrators can not only define Group Policy Objects using the Microsoft Management Console, but they can also use Apple's Workgroup Manager application to define Mac-specific management settings

Because actual MCX data can be stored in AD, a wider range of management settings are supported.

Likewise Enterprise is also available for Linux and UNIX, again making it possible to use a single directory service for all your platforms. Additionally, Likewise offers an Active Directory management console that runs on Mac OS X and Linux. Visit http://www.likewise.com/products/likewise_enterprise/ for more information on this product.

ExtremeZ-IP is a product from GroupLogic that provides Apple File Protocol services and printing services from Windows servers. Implementing ExtremeZ-IP on your Windows file servers allows Mac clients to connect via the native AFP client instead of the SMB/CIFS client. Since this is a server-based file sharing solution, it might seem odd to include it in this list of third-party tools. But GroupLogic has announced that Extreme-IP 6, due this year, will provide support for Microsoft DFS. With ExtremeZ-IP 6, Leopard (and later) clients will be able to use AFP to connect to Microsoft DFS shares. As a server-based solution, it can be used in conjunction with many of the client-based solutions mentioned above. You can find out more about ExtremeZ-IP at http://www.grouplogic.com/products/extremeZ-IP/

To wrap things up for this overview, the table below lists the solutions mentioned in this article with a matrix of some of the features not directly supported by Apple's built-in tools. If Apple's bundled solutions for Active Directory and Windows file server integration don't meet all your needs, you have some additional options to explore!

Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com.