To maximize Mac use on Windows networks, simply connecting
Apple systems to Windows workgroups isn’t always enough. Frequently, it’s
necessary to join Macs to Windows Small Business Server-powered networks.

Since most of the renewed energy surrounding the Macintosh platform centers on Mac OS X 10.3 and above, the trials and tribulations associated with AppleTalk are a thing of the past. Beginning with Mac OS X version 10.2 (and essentially stabilized with version 10.3), Apple began including Samba, which lets Macs connect to Windows server-powered networks. Using Samba, you can make a Mac play nice with Microsoft products like Windows 2003 Small Business Server with relative ease. Here’s how it works.

Issues to address

Before connecting Apple computers to the Windows domain, a Windows administrator must consider two issues.

First, if the Windows server uses a domain name that ends in .local (which Microsoft recommends and is typically the case in small and medium-sized business environments), Macs running Mac OS X version 10.2 and 10.3 will have difficulty resolving addresses using DNS. This is because the Mac’s Rendezvous service (Apple’s multicast DNS) treats the .local suffix as its own, so lookups for .local names are answered by Rendezvous instead of being sent to the Windows server’s DNS service. The issue was fixed in Mac OS X 10.4 (known as Tiger), provided that the proper domain search information is entered in the Mac’s network settings (more on that in a moment). For this reason alone, any Macs being joined to Windows servers should be upgraded to Mac OS X 10.4 or a newer edition.

Second, older Macs have trouble connecting to Windows server shares using encrypted connections (which Windows XP and Vista systems do by default). The issue was supposedly fixed with Mac OS X 10.4, but subsequent Windows service packs have added wrinkles. To ensure smooth logons from Mac systems, Windows administrators should ensure all Macs that will be connecting to the Windows domain are running Mac OS X 10.4 or newer. Further, two Windows server group policies — Microsoft Network Server: Digitally Sign Communications (Always) and Microsoft Network Server: Digitally Sign Communications (If Client Agrees) — should be disabled to enable compatibility. Note that these two policies control whether the server requires or merely offers SMB signing; disabling them in a domain-wide policy removes that integrity protection for every client the policy covers, not only the Macs.

Configuring .local resolution

The next issue to address is the .local DNS resolution problem,
which can prove vexing. A critical but easy step to miss is ensuring the Mac
systems are set to properly navigate .local
domains. To do so:

  1. Log on to the Macintosh system.
  2. Select System Preferences.
  3. Double-click Network.
  4. Press the padlock that appears in the bottom-left corner and enter a Macintosh username and password possessing administrator privileges to enable making changes.
  5. Select the network interface — Built-in Ethernet, Airport, etc. — you wish to use to connect to the Windows domain and enter local as the first entry in the Search Domains field.
  6. Enter the domain name (in the format acme.local) as the second entry (separate the two using a comma).
  7. Press Apply Now.

Configuring Directory Access

Next, from the Mac system, Windows professionals need to
open Directory Access. Directory Access lives within the Mac’s Utilities
directory. Thus, these are the required steps:

  1. Log on to the Macintosh system.
  2. Open Finder.
  3. Navigate to the Applications directory.
  4. Navigate to the Utilities subdirectory.
  5. Double-click Directory Access.
  6. Click the padlock in Directory Access’ lower left corner and enter the username and password for the local Macintosh system to enable making changes to the Mac’s current Directory Access configuration.
  7. Check the SMB box and, while SMB is highlighted, press the Configure button, as shown in Figure A.

Figure A

SMB/CIFS is found on the Services tab of the Directory Access menu.

  1. Within the Workgroup field, enter the domain name. For example, if the domain name is acme.local, enter acme in the Workgroup field.
  2. Enter the Windows server’s IP address in the WINS field.
  3. Press OK; then press Apply.

Next, Windows administrators must configure the Mac to
connect to Active Directory. While Mac systems don’t properly receive or
enforce group policies and scripts, Active Directory-enabled Macs can leverage user
profiles, redirect the user’s documents and spreadsheets to be stored on the
server and more easily access server-based file shares. In addition, Windows
account credentials can be used to log on to the Windows domain from the Mac.
These are the next steps for joining a Mac OS X 10.4 system to Active
Directory:

  1. From the Macintosh system, open Directory Access.
  2. Enter the Windows domain name (using the acme.local format) within the Active Directory Forest field. You’ll see this illustrated in Figure B.

Figure B

Enter the Windows domain name, using the domain.local format, within the
Active Directory Forest and Active Directory Domain fields.

  1. Specify the domain name (again, using the acme.local format) within the Active Directory Domain field.
  2. Within the Computer ID field, enter a computer name for the Mac.
  3. Next, press the expansion arrow to Show Advanced Options. From the Administrative tab, ensure the checkbox is selected for Prefer This Domain Server and specify the name (using the format server.acme.local) of the Windows Small Business Server box, as shown in Figure C.

Figure C

The preferred domain server is entered using the Directory Access menu’s
Administrative tab.

  1. Press the Bind button.
  2. Specify the username and password of a Windows administrator account possessing permission to add workstations to the Windows domain and press OK.
  3. Press OK to close the Directory Access Services page.
  4. Press the Authentication tab.
  5. Ensure /Active Directory/All Domains appears within the Directory Domains window.
  6. Press the Contacts tab.
  7. Ensure /Active Directory/All Domains appears within the Directory Domains window.

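The Mac-side configuration from the two preceding sections (the .local search-domain entries, then the Directory Access SMB and Active Directory settings), as an added command-line example that is not part of the original article. It assumes Mac OS X 10.4 or newer with the networksetup and dsconfigad tools, and uses the placeholder names acme.local, server.acme.local, Built-in Ethernet and mac-workstation.

```shell
#!/bin/sh
# Added example (not from the original article): command-line equivalent of the
# Mac-side steps above. Assumes Mac OS X 10.4 or newer with networksetup(8) and
# dsconfigad(8); the dsconfigad flags used (-a, -domain, -u, -p, -preferred, -show)
# are assumed from the 10.4/10.5 tools, so confirm them with `dsconfigad -h`.
# Domain, server, interface and account names are constructed placeholders.
AD_DOMAIN="acme.local"
AD_SERVER="server.acme.local"
NET_SERVICE="Built-in Ethernet"
COMPUTER_ID="mac-workstation"
DOMAIN_ADMIN="Administrator"

# Search-domain list the article prescribes: "local" first, then the AD domain.
# "local" is needed only when the AD domain itself ends in .local (Rendezvous
# otherwise claims that suffix); for any other suffix the domain alone is enough.
search_domain_list() {
    case "$1" in
        *.local) printf 'local %s\n' "$1" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# The SMB Workgroup field takes the leftmost DNS label (acme.local -> acme).
workgroup_from_domain() {
    printf '%s\n' "${1%%.*}"
}

apply_mac_config() {
    # Word-splitting the list into separate arguments is intended here.
    networksetup -setsearchdomains "$NET_SERVICE" $(search_domain_list "$AD_DOMAIN")
    echo "Directory Access > SMB: Workgroup=$(workgroup_from_domain "$AD_DOMAIN"), WINS=<SBS IP>"
    printf 'Password for %s: ' "$DOMAIN_ADMIN"; stty -echo; read -r pw; stty echo; echo
    # Bind to Active Directory, pinning the SBS box as the preferred domain server.
    dsconfigad -a "$COMPUTER_ID" -domain "$AD_DOMAIN" -preferred "$AD_SERVER" \
               -u "$DOMAIN_ADMIN" -p "$pw"
}

verify_mac_config() {
    echo "Search domains for $NET_SERVICE (local must be listed first):"
    networksetup -getsearchdomains "$NET_SERVICE"
    echo "Current Active Directory binding:"
    dsconfigad -show
}

case "${1:-}" in
    apply)  apply_mac_config ;;
    verify) verify_mac_config ;;
esac
```

Run it with `apply` to make the changes and with `verify` afterwards to confirm that local precedes the AD domain and that the binding reports the preferred server.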
Encrypted connections issues

Once administrators have completed the configuration changes on the Mac system, they can proceed to disable the Windows server’s encrypted connections (SMB signing) requirement. These are the steps:

  1. Log on to the Windows server.
  2. Open Server Management.
  3. Expand Advanced Management.
  4. Expand Group Policy Management.
  5. Expand the domain forest.
  6. Expand Domains.
  7. Expand the server domain.
  8. Right-click Default Domain Policy and press Edit.
  9. Expand Windows Settings within Computer Configuration.
  10. Expand Security Settings.
  11. Expand Local Policies.
  12. Expand Security Options.
  13. Locate the two policies – Microsoft Network Server: Digitally Sign Communications (Always) and Microsoft Network Server: Digitally Sign Communications (If Client Agrees), as seen in Figure D. Right-click each, and select Properties. Check the Define This Policy Setting box, select the Disabled radio button and press OK to close the Security Policy Setting window.

Figure D

The Microsoft Network Server signing policies are found within Security
Settings | Local Policies | Security Options within the default domain
controllers policy’s Windows Settings.

  1. Navigate to the Default Domain Controllers Policy entry (it’s found within Advanced Management | Group Policy Management | Domain Forest | Domains | Server Domain | Domain Controllers).
  2. Repeat the operation from Step 13.
  3. Open a command prompt.
  4. Type gpupdate and press Enter.

Profiles and redirection

Windows administrators can enable Mac user profiles and
redirect users’ files to be saved on the Windows server. These are the steps:

To configure user Profile settings:

  1. Log on to the Windows Small Business Server.
  2. Open Server Management.
  3. Select Users.
  4. Double-click the user whose profile you wish to set.
  5. Press the Profile tab.
  6. Within the Home Folder section, specify the directory that should hold the user’s profile.
  7. Press OK.

To redirect users’ My Documents:

  1. Log on to the Windows Small Business Server.
  2. Open Server Management.
  3. Expand Advanced Management.
  4. Expand Group Policy Management.
  5. Expand the domain forest.
  6. Expand Domains.
  7. Expand the domain server.
  8. Right-click Default Domain Policy and select Edit.
  9. The Group Policy Object Editor will appear. Expand User Configuration.
  10. Expand Windows Settings.
  11. Expand Folder Redirection.
  12. Right-click My Documents and select Properties.
  13. Select the Setting drop-down menu and enter the appropriate selection (such as Basic — Redirect Everyone’s Folder To The Same Location).
  14. Specify Create A Folder For Each User Under The Root Path within the Target Folder Location.
  15. Specify the root path (the location where the user’s My Documents files should be stored). When you’re done, it will look like Figure E.

Figure E

Redirect My Documents using the My Documents Properties dialog box.

  1. Press OK.
  2. Link the group policy object by right-clicking the domain within the Group Policy Management console, selecting Link An Existing GPO, and selecting Folder Redirection Policy.

Logging on

Mac users should now be able to log on to the Windows domain
from their Apples, assuming the Mac’s automatic logon feature is disabled. To
disable automatic logon, administrators need to log on to the Macintosh, select
System Preferences, select Security, and check the Disable Automatic Logon
option.

To log on to Windows domains, Mac users should enter domain\username within the Mac’s Name field and the Windows network password in the Mac’s password field. Those credentials are then passed to the Windows server and authenticated, and a new user account is created on the Mac.

Summary

Adding Macs to Windows workgroups is one thing; enabling
Apple users to join Windows domains is another. In addition to helping Apple
users store documents and files on the server (thereby simplifying backup
routines), joining Macs to Windows servers helps reduce the number of user
accounts, network logons and separate administrative functions that must be
maintained.