In part 1 of this series, I went over the installation and initial configuration of the Mac Lion Server (10.7).  In this post, I’ll go over the steps on actually creating the connection between the Mac server and the Active Directory server.  Again, I highly recommend doing these steps in order, at least until you get very comfortable with the setup.  Remember if you’re connecting to the server using VNC, change the options to use Hextile and Full Colors.  Bear with me, there are a lot of steps…

First you’ll want to download and install the Server Admin tools from here. You might be able to get them from Apple updates, but it’s just as easy to download them from the direct link.  These tools do not come with the Mac server download, so pay close attention to whether I’m referencing the Server app or the Server Admin app (within the Server Admin tools folder, which gets created when you install the Server Admin tools).

  1. Open Finder from the dock and click on Applications in the left pane
  2. Scroll down to the Server Folder (not app) and open it
  3. Open the Server Admin App
  4. Highlight your server name and click on Settings at the top
  5. Click on Services and put a checkmark next to Open Directory and save your changes
  6. Click the pull-down arrow next to your server and highlight the Open Directory service
  7. Click on General and make sure next to Role it says “Standalone Directory.”  If it doesn’t, change it by clicking the Change button
  8. Back in the General tab, click the Change button (again if you had to change it back to Standalone Directory)
  9. Choose “Create Open Directory” and click Continue
  10. Click the Open Directory Utility Button
  11. Highlight Active Directory and click on the edit button, which looks like a pencil
  12. Enter the Active Directory Domain which you would like to bind to (ex:  The Computer ID should already be populated.
  13. Click to show Advanced options
  14. If you’re using laptops you will most likely want to put a check next to “use mobile accounts.”  I recommend reading up on Mobile Accounts to see if they’re necessary for your environment.
  15. Click on the Administrative tab and put a checkmark next to “Allow Administration By:” if you would like AD domain and enterprise administrators to have Administrative access.
  16. Click the Bind button and enter your Active Directory domain administrator credential along with the OU you would like the Mac server to go in (ex: CN=Computers,DC=domain,DC=org).
  17. Click OK and then check in Active Directory Users and Computers to see if the Mac server computer name appears in the proper OU.
  18. Disable Kerberos by going to the terminal and typing:
Sudo sso_util remove -k -a diradmin -p password -r KERBEROS.REALM

(where diradmin is the admin you created during the Open Directory configuration, KERBEROS.REALM can be found on the general page when Open Directory is highlighted in the Server Admin App)

19.   Then Kerberize services using AD by going back to the terminal and typing:

Dsconfigad -enablesso

That completes the connection between the Active Directory server and the Mac server.  At this point you can begin setting up your clients, and I’ll go over that in a future post.  Again, please remember that this set up works best if everything is in the same subnet (including your mac clients).  In the next posts, before completing the magic triangle, I will go through setting up a few of the optional services including Profile Manager, Time Server and Software Update.  There is also what’s called a Workgroup Manager that is somewhat similar to Group Policy.  However, it’s not always fool proof and can cause issues when you’re setting up your clients.  I’ll go over some brief setup of Workgroup manager as well.