Jesus Vigo explains how to configure a Golden Triangle between Active Directory, Open Directory, and OS X on Apple computers.
What is a Golden Triangle? It's not some mythical hero dressed in green tights that will rid your network of malware and save the princess. Nor is it a black hole that sucks up all the data that's lost when hard drives crash.
A Golden Triangle refers to a configuration trinity between Microsoft's Active Directory (AD), Apple's Open Directory (OD), and OS X clients on a network. The goal is to leverage an existing AD infrastructure to provide DNS and user authentication while combining OD services, such as Profile Manager, to manage settings and preferences on OS X/iOS client devices.
Since most organizations have established Active Directory infrastructures in place, it would be redundant to set up and manage similar services in a separate Open Directory master server — not to mention the possibility of configuration errors from incorrect setups that could potentially cause service disruptions. Additionally, separating the duties each directory server will manage means server resources shouldn't be as taxed, and that's always a good thing.
Before proceeding with the three-part setup, please review the requirements below and ensure that all requirements for parts I and II are met; otherwise, the Golden Triangle configuration will fail.
Part I - Active Directory
Here are the requirements for your Active Directory:
- Server running Microsoft Windows Server (2008 or later)
- Microsoft Windows Server running the following services:
- User accounts and security groups set up for user authentication
Part II - Open Directory
Here are the requirements for your Open Directory:
- Apple computer running Apple OS X Server (1.0+)
- Open Directory service set up and configured
- Apple OS X Server running the following services:
- 3rd-party SSL certificate (optional, but required if managing devices over WAN)
Part III - OS X Client Computers
Follow these steps to complete the Golden Triangle setup on OS X client computers:
- Launch System Preferences.app from the Applications folder and select the Users & Groups preference pane (Figure A).
- Select Login Options and click the padlock to authenticate as an administrator (Figure B).
- Next, click the Edit... button to display the list of directory servers the computer is bound to. If none are listed, bind OS X to an Active Directory domain first. Troubleshoot any issues binding OS X to Active Directory prior to proceeding to the following step.
- Once bound, the list should contain the Active Directory domain (Figure C).
- Click the plus sign [+] to add another directory server. This time, enter the domain host name (or IP address) of the OS X Server hosting the Open Directory domain, and click the OK button to add it (Figure D).
- Prior to establishing the connection to the OD server, you'll be prompted to accept the trust certificate for the server you're binding to. This occurs when a self-signed certificate is used (by default) instead of a 3rd-party certificate. Click Trust to proceed (Figure E).
- Click Continue if you receive a prompt while attempting to establish an SSL connection with the server (Figure F).
- The directory list should now have an entry created for the Open Directory domain in addition to the Active Directory domain (Figure G).
- Click OK to return to the Users & Groups preference pane, and you'll notice the word Multiple next to Network Account Server. This indicates the OS X client is bound to multiple directory services, and the green bulb next to each represents an established connection (Figure H).
The Golden Triangle configuration is complete. The Active Directory and Open Directory domains are set up, and the OS X client has been bound to both services: it receives DNS and user authentication from AD, while its settings and configuration are managed from OD.
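The word Multiple in Users & Groups corresponds to the client's directory search policy containing both the Active Directory node and the Open Directory (LDAPv3) node; the script below is an added example, not from the article, that checks this from the command line, and the domain and server names in the constructed sample are placeholders.

```shell
#!/bin/sh
# Added example (not part of the article): confirm that an OS X client's
# directory search policy lists both the AD node and the OD (LDAPv3) node.
# On a bound Mac the search policy is printed by:
#   dscl /Search -read / CSPSearchPath
# The GUI binding steps have command-line equivalents (run as an admin):
#   dsconfigad -add <ad.domain.placeholder> -username <ad-admin>
#   dsconfigldap -a <odserver.placeholder>

# Read a CSPSearchPath listing on stdin, count AD and OD nodes, and
# print "ad=<n> od=<n>". Exit status is 0 only when both are present.
check_search_path() {
    ad=0
    od=0
    while IFS= read -r line; do
        case "$line" in
            *"/Active Directory/"*) ad=$((ad + 1)) ;;
            *"/LDAPv3/"*)           od=$((od + 1)) ;;
        esac
    done
    echo "ad=$ad od=$od"
    [ "$ad" -ge 1 ] && [ "$od" -ge 1 ]
}

# Live check to run on the client itself (requires dscl, i.e. a Mac).
live_check() {
    dscl /Search -read / CSPSearchPath | check_search_path
}

# Constructed samples of dscl output (placeholder names, not real hosts):
# a client bound to both directories, and one bound to AD only.
SAMPLE_BOTH='CSPSearchPath:
 /Local/Default
 /Active Directory/EXAMPLE/All Domains
 /LDAPv3/odserver.example.com'

SAMPLE_AD_ONLY='CSPSearchPath:
 /Local/Default
 /Active Directory/EXAMPLE/All Domains'

# Offline demonstration against the constructed sample; prints "ad=1 od=1".
printf '%s\n' "$SAMPLE_BOTH" | check_search_path
```

Because the search path is what actually determines which directory answers a login, an AD-only result here means the OD binding step did not take, even if the preference pane appeared to accept it.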
From this point, further configuration of the Profile Manager service may be performed on the OS X Server to deploy settings to OS X clients and enable Mobile Device Management (MDM) functions for iOS-based devices.