If you give a typical Windows network administrator the choice between supporting Apple Macintosh workstations and a sharp blow to the skull, the administrator will personally choose the hammer for you. Unfortunately, most Macintosh users are a fanatical lot—almost as blindly loyal to their operating system of choice as Linux users. This invariably leads to conflicts for a Windows administrator.
Consider this example: Glenda in the downtown graphic arts office calls to tell you there are some new hires in her department, and they're trying to get the new Macintosh computers online so that they can access the file server you set up in your office last week. Chances are, you’re not going to be in a position to tell her that Macs aren’t supported. You're forced to figure out how to make them work. This is where Microsoft’s Services For Macintosh (SFM) come into play. SFM gives Mac users access to a Windows 2000 server and even, if need be, lets them perform administrative functions on that server via the connected Macintosh. In this Daily Drill Down, I’ll show you how it works.
Getting to know SFM and AppleTalk
Windows 2000 has the ability to connect to other operating systems, including the Macintosh OS. SFM gives Macintosh computers the same access to resources and files as Windows 2000 Professional workstations.
The AppleTalk protocol allows Macintosh and Windows PCs to play well together. It's the underlying protocol for communicating with File Services For Macintosh, Print Server For Macintosh, and the Macintosh network, or in this case, the Macintosh computers on your network. However, you don’t need to run AppleTalk on your network to use SFM. File Services For Macintosh works equally well in a TCP/IP-only environment.
SFM comes with the following tools and individual services to help you get your network to talk to AppleTalk.
The Administrative Tools feature provides centralized administration of the Macintosh computers on your network through the Microsoft Management Console (MMC) and a specialized snap-in.
Apple Standard User Authentication Method
The Apple Standard User Authentication Method provides support for both clear and encrypted passwords. Please be sure to follow your security standards for the Macintosh just as you would for Windows. While clear passwords are available, they are sent over the network unencrypted and may not be the most secure solution for your situation.
As in Windows 2000, the disk quota feature can limit the disk space on NTFS volumes running the version of NTFS included with Windows 2000. Systems administrators can use it to limit the disk space available to Macintosh users.
File Services For Macintosh
File Services For Macintosh gives Macintosh users access to files and folders on Windows 2000 Server and gives the server and other Windows users access to files and folders on Macintosh computers by providing support for AppleTalk Filing Protocol over both TCP/IP and AppleTalk.
Print Server For Macintosh
Print Server allows computers running both Windows and Macintosh to access PostScript printers connected to the network via AppleTalk.
Remote access (support for AppleTalk Control Protocol)
This allows Macintosh users to dial in to a Windows 2000 server on the network and gain access to AppleTalk and TCP/IP simultaneously over a standard PPP dial-up connection.
Secure logon (Microsoft User Authentication Module)
This enforces the same type of security for users on Macintosh systems as those on Windows 2000 systems. Users will see a logon window similar to that on Windows 2000 PCs and will be required to log in to access the network and its resources.
Support for AppleTalk phase 2
AppleTalk phase 2 is the latest version of the AppleTalk protocol. SFM uses this more up-to-date version of AppleTalk.
Support for plug and play
Plug and play support allows the MMC user interface to make changes to all applicable computers automatically. This eliminates the need to reboot the computer after making any of the changes mentioned here.
SFM also provides enhanced performance and robustness for increased reliability for Macintosh users of Windows 2000 resources.
Installing Services For Macintosh
To install Services For Macintosh, use the Windows Components Wizard. Start the wizard by clicking Start | Settings | Control Panel | Add/Remove Programs. When the Add/Remove Programs window appears, click Add/Remove Windows Components. Next, click Components.
The first screen you’ll see is the Windows Components screen. Scroll down the Components list box until you see Other Network File And Print Services. Select the check box and click Details. Make sure that both the File Services For Macintosh and Print Services For Macintosh check boxes are selected. Don’t worry about the Print Services For Unix.
After selecting the check boxes, click Next to continue. You'll see an image displaying the status of the installation. If you haven't copied the Windows 2000 Server CD-ROM to CAB files on the hard disk, you'll need the Installation CD. Once you've provided the CD-ROM, the wizard will copy the necessary files and set up Services For Macintosh. When Setup has finished copying files, you’ll see the Completing The Windows Components Wizard screen. Click Finish to end the wizard. You can then begin configuring SFM.
Even though SFM can use TCP/IP, most Macintosh networks use the AppleTalk protocol. For the purposes of this Daily Drill Down, we’ll assume all of your Macs are running AppleTalk.
Talking the (Apple)Talk
When setting up Services For Macintosh, you first need to get the AppleTalk protocol running in your network environment. You simply right-click My Network Places and select Properties. When the Network And Dial-Up Connections window appears, right-click Local Area Connection and select Properties. You’ll then see the Local Area Connection Properties screen. Scroll through the Components list box until you see AppleTalk protocol.
Installing SFM should have added AppleTalk to your list of available protocols. If you don’t see AppleTalk, click Install and add it. Select the AppleTalk check box in Local Area Connections to enable AppleTalk.
Click Properties to bring up the AppleTalk Protocol Properties screen. Select Allow Inbound Connections to allow Macintosh clients to access the Windows server. You can also join the AppleTalk zone the server will participate in by selecting it from the System Will Appear In Zone drop-down list box. Click OK repeatedly to save your changes and close Local Area Connections.
Configuring file and print access
After you’ve gotten your server to participate in an AppleTalk Zone with your Macintosh workstations, you can begin to configure file sharing. To configure your server for file sharing with Macintoshes, create a folder or network drive partition to use as a Macintosh-accessible storage volume. Then run the Macfile utility from the command prompt. The syntax is as follows:
macfile volume /add /server:\\servername /name:sharename /path:pathname
In the above example, servername is the name of the server on which SFM is running; sharename is the name of the share you want your clients to access; and pathname is the directory of the share. For example, when performing one of several operations for this Daily Drill Down, I used the following syntax to make the Macfiles folder on drive G available to Macintosh computers:
macfile volume /add /server:\\server /name:"MacintoshFiles" /path:g:\Macfiles
This command will make the Macfiles folder on drive G accessible to the Macintosh computers that are in the same zone as this server, as well as all Macintosh computers that have access to this zone.
The Macfile command has other switches that allow you to do more than just work with volumes. You can get the full syntax for all the Macfile commands by typing macfile /? and pressing [Enter]. Macfile switches you can use include:
- Macfile directory—This command modifies directories in Macintosh-accessible volumes. It allows you to do such things as changing the owner of the directory, specifying or changing the Macintosh primary group associated with the directory, and setting permissions on the directory.
- Macfile server—This command changes the SFM server configuration. You’ll use it to specify the maximum number of users that can use SFM, change the logon message Macintosh users see, and specify whether guest users are allowed to access the server.
- Macfile forkize—This command joins the data fork and resource fork of a Macintosh file into one file. You can also use Macfile forkize to change the type or creator of the file.
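A tighter variant of the volume setup above, combining the volume, directory and server commands. This is an added example, not the article's own commands. It assumes the /guestsallowed, /maxusers, /permissions, /maxsessions and /loginmessage switches as listed by macfile /? on your server, and the server name, volume name, path, group name and limits are constructed sample values.

```bat
@echo off
rem Added example: publish a Macintosh-accessible volume with guest access
rem turned off and folder permissions limited to one group.
rem All values below are constructed samples; replace them with your own.
setlocal
set SERVER=\\server
set VOLNAME=MacintoshFiles
set VOLPATH=g:\Macfiles
set MACGROUP=GraphicArts

rem The folder must sit on an NTFS drive. Create it if it is missing.
if not exist "%VOLPATH%" mkdir "%VOLPATH%"

rem 1. Create the volume. /guestsallowed:false keeps users who log on as
rem    guests out of this volume; /maxusers caps simultaneous connections.
macfile volume /add /server:%SERVER% /name:"%VOLNAME%" /path:%VOLPATH% /guestsallowed:false /maxusers:25

rem 2. Set the Macintosh primary group and permissions on the volume root.
rem    /permissions takes 11 digits (1 = grant, 0 = revoke), in this order:
rem      owner: see files, see folders, make changes
rem      group: see files, see folders, make changes
rem      everyone: see files, see folders, make changes
rem      folder cannot be renamed, moved or deleted
rem      apply the change to all subfolders
rem    11111100001 = owner and group full access, everyone else none,
rem    applied to subfolders as well.
macfile directory /server:%SERVER% /path:%VOLPATH% /group:%MACGROUP% /permissions:11111100001

rem 3. Server-wide settings: cap the number of sessions and show a logon
rem    message to every Macintosh user who connects.
macfile server /server:%SERVER% /maxsessions:50 /loginmessage:"Authorized users only. Activity may be logged."

endlocal
```

Guest access and the permission string only decide who can reach the volume once connected. Keeping passwords off the wire in clear text still depends on the User Authentication Module on each Macintosh client.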
Macintosh users accessing Windows 2000 servers via the AppleTalk protocol are subject to the same disk quota specifications as Windows users, if the administrator so chooses. Enabling disk quotas for Macintosh clients is much the same as enabling disk quotas for Windows clients. This is because the users on Mac clients have files stored on the server, just as Windows users do. This makes them susceptible to disk quotas based on the amount of disk space on the Macintosh-enabled folder that they have saved to, copied to, or taken ownership of.
To set disk quotas, right-click the disk drive in My Computer that contains the directory you made Macintosh-accessible, and select Properties. When the Properties screen appears, select the Quota tab for that volume. Select Enable Quota Management to turn on disk quotas. You can also choose how much disk space a user is allowed to consume, or log when users get close to or exceed their quota. The Stoplight icon on this page tells you the status of disk quotas for the volume, with red being disabled, green being enabled, and yellow being in process.
Accessing shared printers on your Windows 2000 server from Macintosh workstations works the same way it does for your Windows workstations. Just set up the printer for sharing, and you’re ready to go. Naturally, to make printing work, the clients that will work with the shared printer must have Macintosh drivers installed.
Increasing logon security for your Macintosh clients
By default, when Macintosh clients log on to your Windows server, they send their passwords in clear text, which a hacker could easily discover using a sniffer. You can encrypt logons by using Microsoft User Authentication Modules on your Macintosh workstations. The User Authentication Module (UAM) is a utility that allows Macintosh computers to connect using encrypted authentication methods rather than the standard clear text methods allowed by SFM. You can download these modules from Microsoft’s Web site. Microsoft includes a set of authentication modules for both Mac OS 8.x/9.x and Mac OS X. Extract and install the modules onto your Macintosh workstations to make the UAM work. The installation varies, depending on the version of the Mac OS you’re running, and is beyond the scope of this Daily Drill Down.
What Mac users don’t know can’t hurt them
SFM makes it easy to get your Macintosh workstations to talk to your Windows 2000 servers with just a little extra work. Properly configured, your Mac users won’t even know they’re using Windows 2000 in the background. They can connect without compromising their fanatical loyalty, and you can go about the business of administering the network.
Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.