SolutionBase: Connect your Macs to Windows Small Business Server

Simply connecting Apple systems to Windows workgroups isn't always enough; it's often necessary to join Macs to Windows Small Business Server-powered networks. Using Samba, you can make a Mac play nice with Microsoft products with relative ease. Erik Eckel shows you how it works.

To maximize Mac use on Windows networks, simply connecting Apple systems to Windows workgroups isn't always enough. Frequently, it's necessary to join Macs to Windows Small Business Server-powered networks.

Considering that most of the renewed energy surrounding the Macintosh platform centers on Mac OS X 10.3 and above, trials and tribulations associated with AppleTalk are a thing of the past. Beginning with Mac OS X version 10.2 (and essentially stabilized with version 10.3), Apple began including technology enabling Macs to connect to Windows server-powered networks using Samba. Using Samba, you can make a Mac play nice with Microsoft products like Windows 2003 Small Business Server with relative ease. Here's how it works.

Issues to address

Before connecting Apple computers to the Windows domain, Windows administrators must consider two issues.

First, if the Windows server uses a domain name that ends in .local (which Microsoft recommends and is typically the case in small and medium-sized business environments), Macs running Mac OS X version 10.2 and 10.3 will encounter difficulty resolving addresses using DNS. This is due to the Mac's Rendezvous service resolving DNS names. Rendezvous conflicts with the Mac's ability to resolve DNS addresses using the Windows server's DNS services. However, the issue was fixed in Mac OS X 10.4 (known as Tiger), as long as users enable proper domain search information with the Mac's network settings (more on that in a moment). For this reason alone, any Macs being joined to Windows servers should be upgraded to Mac OS X 10.4, or a newer edition.

Second, older Macs experience trouble connecting to Windows server shares using encrypted connections (which Windows XP and Vista systems do by default). The issue was supposedly fixed with Mac OS X 10.4, but subsequent Windows service packs have added wrinkles. To ensure smooth logons from Mac systems, Windows administrators should ensure all Macs that will be connecting to the Windows domain are running Mac OS X 10.4 or newer. Further, two Windows server group policies -- Microsoft Network Server: Digitally Sign Communications (Always) and Microsoft Network Server: Digitally Sign Communications (If Client Agrees) -- should be disabled to enable compatibility.

Configuring .local resolution

The next issue to address is the .local DNS resolution problem, which can prove vexing. A critical but easy step to miss is ensuring the Mac systems are set to properly navigate .local domains. To do so:

  1. Log on to the Macintosh system.
  2. Select System Preferences.
  3. Double-click Network.
  4. Press the padlock that appears in the bottom-left corner and enter a Macintosh username and password possessing administrator privileges to enable making changes.
  5. Select the network interface -- Built-in Ethernet, Airport, etc. -- you wish to use to connect to the Windows domain and enter local as the first entry in the Search Domains field.
  6. Enter the domain name (in the format acme.local) as a second option (separate the two using a comma).
  7. Press Apply Now.

Configuring Directory Access

Next, from the Mac system, Windows professionals need to open Directory Access. Directory Access lives within the Mac's Utilities directory. Thus, these are the required steps:

  1. Log on to the Macintosh system.
  2. Open Finder.
  3. Navigate to the Applications directory.
  4. Navigate to the Utilities subdirectory.
  5. Double-click Directory Access.
  6. Click the padlock in Directory Access' lower left corner and enter the username and password for the local Macintosh system to enable making changes to the Mac's current Directory Access configuration.
  7. Check the SMB box and, while SMB is highlighted, press the Configure button, as shown in Figure A.

Figure A

SMB/CIFS is found on the Services tab of the Directory Access menu.

  8. Within the Workgroup field, enter the domain name. For example, if the domain name is acme.local, enter acme in the Workgroup field.
  9. Enter the Windows server's IP address in the WINS field.
  10. Press OK; then press Apply.

Next, Windows administrators must configure the Mac to connect to Active Directory. While Mac systems don't properly receive or enforce group policies and scripts, Active Directory-enabled Macs can leverage user profiles, redirect the user's documents and spreadsheets to be stored on the server and more easily access server-based file shares. In addition, Windows account credentials can be used to log on to the Windows domain from the Mac. These are the next steps for joining a Mac OS X 10.4 system to Active Directory:

  1. From the Macintosh system, open Directory Access.
  2. Enter the Windows domain name (using the acme.local format) within the Active Directory Forest field. You'll see this illustrated in Figure B.

Figure B

Enter the Windows domain name, using the domain.local format, within the Active Directory Forest and Active Directory Domain fields.

  3. Specify the domain name (again, using the acme.local format) within the Active Directory Domain field.
  4. Within the Computer ID field, enter a computer name for the Mac.
  5. Next, press the expansion arrow to Show Advanced Options. From the Administrative tab, ensure the checkbox is selected for Prefer This Domain Server and specify the name (using the format server.acme.local) of the Windows Small Business Server box, as shown in Figure C.

Figure C

The preferred domain server is entered using the Directory Access menu's Administrative tab.

  6. Press the Bind button.
  7. Specify the username and password of a Windows administrator account possessing permission to add workstations to the Windows domain and press OK.
  8. Press OK to close the Directory Access Services page.
  9. Press the Authentication tab.
  10. Ensure /Active Directory/All Domains appears within the Directory Domains window.
  11. Press the Contacts tab.
  12. Ensure /Active Directory/All Domains appears within the Directory Domains window.

Encrypted connections issues

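Once administrators have completed the configuration changes on the Mac system, they can proceed to disable the Windows server's encrypted connections requirement, that is, the two SMB signing policies named earlier. With both disabled, the server no longer signs SMB sessions with any client, Windows systems included. These are the steps: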

  1. Log on to the Windows server.
  2. Open Server Management.
  3. Expand Advanced Management.
  4. Expand Group Policy Management.
  5. Expand the domain forest.
  6. Expand Domains.
  7. Expand the server domain.
  8. Right-click Default Domain Policy and press Edit.
  9. Expand Windows Settings within Computer Configuration.
  10. Expand Security Settings.
  11. Expand Local Policies.
  12. Expand Security Options.
  13. Locate the two policies - Microsoft Network Server: Digitally Sign Communications (Always) and Microsoft Network Server: Digitally Sign Communications (If Client Agrees), as seen in Figure D. Right-click each, and select Properties. Check the Define This Policy Setting box and select the Disabled radio button and press OK to close the Security Policy Setting window.

Figure D

The Microsoft Network Server signing policies are found within Security Settings | Local Policies | Security Options within the default domain controllers policy's Windows Settings.

  14. Navigate to the Default Domain Controllers Policy entry (it's found within Advanced Management | Group Policy Management | Domain Forest | Domains | Server Domain | Domain Controllers).
  15. Repeat the operation from Step 13.
  16. Open a command prompt.
  17. Type gpupdate and press Enter.
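
One way to confirm what the server ended up with after gpupdate, as an added example that is not part of the original article: the two policies correspond to the RequireSecuritySignature and EnableSecuritySignature registry values of the LanmanServer service, and this Python script reads them from a security template exported with secedit /export /cfg. The template text below is a constructed sample, and the function names are this example's own.

```python
import re

# Registry values behind the two "Microsoft network server: Digitally sign
# communications" policies, both under ...\Services\LanmanServer\Parameters.
ALWAYS = "Digitally sign communications (always)"
IF_AGREES = "Digitally sign communications (if client agrees)"
VALUES = {"requiresecuritysignature": ALWAYS, "enablesecuritysignature": IF_AGREES}

# Constructed sample of an exported security template (decoded to text).
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
"""

def signing_policy(inf_text):
    """Map each server signing policy to Enabled, Disabled or Not defined."""
    state = {ALWAYS: "Not defined", IF_AGREES: "Not defined"}
    section = ""
    for line in (raw.strip() for raw in inf_text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        key, _, data = line.partition("=")
        path, _, name = key.strip().strip('"').lower().rpartition("\\")
        reg_type, _, value = data.partition(",")
        # Only server-side (LanmanServer) REG_DWORD values count here; the
        # LanmanWorkstation values of the same name are the client policies.
        if (path.endswith(r"services\lanmanserver\parameters")
                and name in VALUES and reg_type.strip() == "4"):
            enabled = int(value.strip().strip('"')) != 0
            state[VALUES[name]] = "Enabled" if enabled else "Disabled"
    return state

def summarize(state):
    """One-word verdict on how the server will treat SMB signing."""
    if state[ALWAYS] == "Enabled":
        return "required"
    if state[IF_AGREES] == "Enabled":
        return "negotiated"
    if state[ALWAYS] == state[IF_AGREES] == "Disabled":
        return "off"
    return "not fully defined"
```

Running it before and after the policy change gives a record of the server's signing state, which is useful when the setting is revisited later.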

Profiles and redirection

Windows administrators can enable Mac user profiles and redirect users' files to be saved on the Windows server. These are the steps:

To configure user Profile settings:

  1. Log on to the Windows Small Business Server.
  2. Open Server Management.
  3. Select Users.
  4. Double-click the user whose profile you wish to set.
  5. Press the Profile tab.
  6. Within the Home Folder section, specify the directory that should hold the user's profile.
  7. Press OK.

To redirect users' My Documents:

  1. Log on to the Windows Small Business Server.
  2. Open Server Management.
  3. Expand Advanced Management.
  4. Expand Group Policy Management.
  5. Expand the domain forest.
  6. Expand Domains.
  7. Expand the domain server.
  8. Right-click Default Domain Policy and select Edit.
  9. The Group Policy Object Editor will appear. Expand User Configuration.
  10. Expand Windows Settings.
  11. Expand Folder Redirection.
  12. Right-click My Documents and select Properties.
  13. Select the Setting drop-down menu and enter the appropriate selection (such as Basic -- Redirect Everyone's Folder To The Same Location).
  14. Specify Create A Folder For Each User Under The Root Path within the Target Folder Location.
  15. Specify the root path (the location where the user's My Documents files should be stored). When you're done, it will look like Figure E.

Figure E

Redirect My Documents using the My Documents Properties dialog box.

  16. Press OK.
  17. Link the group policy object by right-clicking the domain within the Group Policy Management console, selecting Link An Existing GPO, and selecting Folder Redirection Policy.

Logging on

Mac users should now be able to log on to the Windows domain from their Apples, assuming the Mac's automatic logon feature is disabled. To disable automatic logon, administrators need to log on to the Macintosh, select System Preferences, select Security, and check the Disable Automatic Logon option.

To log on to Windows domains, Mac users should enter domain\username within the Mac's Name field and supply the Windows network password in the Mac's password field. Those credentials are then passed to the Windows server and authenticated, and a new user account is created on the Mac.

Summary

Adding Macs to Windows workgroups is one thing; enabling Apple users to join Windows domains is another. In addition to helping Apple users store documents and files on the server (thereby simplifying backup routines), joining Macs to Windows servers helps reduce the number of user accounts, network logons and separate administrative functions that must be maintained.

About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

3 comments
jcarroll

What do I do if SBS/CIFS is not listed under services?

ctune

I think it would be nice to add discussion of using the Mac's "Mail" program to connect to Exchange. Since Exchange Server is part of SBS and almost everybody is going to use it, and since "Mail" seems to be the common app for email, then it seems that there is need to know how these two bad boys "play together". Looking at the Mac, it seems like Mail's set up wizard (do they call them wizards in Mac-land? I don't care. . .) that Exchange is one of the possible types of connections. I'm just not getting any results from any of the normal full server names. Looking at the server, both POP3 and IMAP seem to be configured, and the Web Connect is happening just fine. I was able to log on and look at my email on the net using the Web Connect and my login just fine, so I think the DNS is working. I'm at ctune@westernstudioservice.com. Nice article.

viruser

Am worried about my mac security, should I be?
