[SGVLUG] Active Directory and linux

Joel Witherspoon joel.witherspoon at gmail.com
Wed Apr 25 15:32:03 PDT 2012


On Wednesday, April 25, 2012, Joel Witherspoon wrote:

> 2008 AD is pretty solid. Much better than 2000, 2003. It's all LDAP
> (suspiciously similar to OpenLDAP), so you'll need to have a DNS that
> handles SRV records. If your Linux DNS doesn't deal with SRV records, you
> can set up DNS on the Windows server. You'll need to point the client's
> primary DNS to that AD server's DNS for auth.
>
> It took me less than an hour to have a functional DNS and Tree set up.
> I've attached several OpenFiler servers using the AD connector tool and it
> worked great. I haven't tried connecting Linux workstations yet, but Mac OS
> X can connect with limited functionality.
>
> A few things:
> 1) Always make sure you have a second domain controller (DC). You can
> promote any server to become a DC. Replication should be automagic but
> check to make sure.
>
> 2) GPOs are your friend. Forget mapping drives via client properties,
> mapping drives and security is A LOT easier.
> 2a) Make sure your clients always have the latest GPO updates.
> 2b) There are workstation (computer) and user policies. Some policies in
> both categories do the same thing, but most are remarkably different. MS
> has cleaned up a lot of their GPO handling so it's been a lot easier to
> deal with them lately.
>
> 3) Use BGInfo on your desktops. It provides some WMI information that's
> good for troubleshooting
>
> 4) Brush up on PowerShell. It's better than cmd for scripting and it's
> good with Windows. However, compared to SSH, it blows and its security
> structure blows.
>
> 4a) In the same vein, disable UAC on Vista and 7 workstations. You don't
> really need it with a sound GPO plan.
>
> 5) Unlike Novell's eDirectory (which was context-based), EVERY object in
> AD (context-less) needs to be unique. You can't have a username with the
> same name as a host, for example. We had to rethink our naming scheme
> because of that.
>
> 6) When the user first logs in on a Windows workstation, they will have
> very few rights. So you want to make sure your users have the correct
> rights for their position. GPO is good for this.
>
> 7) OSX workstations require a third party tool. We are currently testing
> Centrify on our Mac OS X machines.
>
> On Wednesday, April 25, 2012, matti wrote:
>
>> Hi,
>>
>> I'm looking at setting up active directory services..
>>
>> 1) expect to have linux, mac OS X, and windows clients...
>>
>> 2) would like to use a linux server, but may have to setup a windows
>> server..
>>
>> Curious what sort of experiences people have had with it?
>> Recommendations? pitfalls? etc..
>>
>> thanks!
>> matti
>>
>>
Sorry about the double post and top post. My Gmail has been wonky lately.
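Joel's first point is that a Linux-hosted DNS only works for AD if it serves the SRV records clients use to locate domain controllers. Below is an added example (mine, not from this thread or from any Microsoft tool) that parses the answer section a `dig SRV` query prints, reports which of the standard locator records are absent, and orders the returned targets the way a client does under RFC 2782 (lowest priority first, weighted choice within a priority). The domain `corp.example`, the hostnames `dc1`/`dc2` and the sample dig output are constructed for illustration; run it against your own `dig SRV _ldap._tcp.dc._msdcs.<domain>` output to check a zone before pointing clients at it.

```python
"""Check an AD domain's DNS SRV locator records from dig output (added example)."""
import random
import re
from collections import defaultdict

# Constructed sample answer-section lines, in the format `dig SRV` prints.
# The domain corp.example and the dc1/dc2 hosts are assumptions for illustration.
SAMPLE_DIG_OUTPUT = """\
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 10 50 88 dc2.corp.example.
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
"""

# Locator records a domain-joined client looks up; any of these missing is the
# usual reason a DNS that "doesn't handle SRV records" breaks joins and logon.
REQUIRED_SRV_NAMES = (
    "_ldap._tcp.dc._msdcs.{domain}.",
    "_kerberos._tcp.{domain}.",
    "_ldap._tcp.{domain}.",
    "_kerberos._udp.{domain}.",
    "_kpasswd._tcp.{domain}.",
)

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(text):
    """Return {owner_name: [(priority, weight, port, target), ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue  # skip comments, blank lines, non-SRV answers
        records[m["name"]].append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"])
        )
    return dict(records)


def missing_locator_records(records, domain):
    """Names from REQUIRED_SRV_NAMES that the zone did not answer for."""
    wanted = [n.format(domain=domain) for n in REQUIRED_SRV_NAMES]
    return [name for name in wanted if name not in records]


def order_targets(srv_list, rng=None):
    """RFC 2782 selection: ascending priority; within a priority, pick targets
    with probability proportional to weight (weight 0 entries come last)."""
    rng = rng or random.Random(0)  # fixed seed keeps the demo reproducible
    by_prio = defaultdict(list)
    for rec in srv_list:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(r[1] for r in pool)
            if total == 0:
                chosen = pool[0]  # only zero-weight entries left
            else:
                pick = rng.randint(0, total - 1)
                running = 0
                for r in pool:
                    running += r[1]
                    if pick < running:
                        chosen = r
                        break
            pool.remove(chosen)
            ordered.append((chosen[3], chosen[2]))  # (target host, port)
    return ordered


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_DIG_OUTPUT)
    for name in missing_locator_records(recs, "corp.example"):
        print("MISSING:", name)
    for name, srvs in recs.items():
        print(name, "->", order_targets(srvs))
```

On the constructed sample the script flags `_kerberos._udp` and `_kpasswd._tcp` as missing, which is exactly the kind of gap that lets LDAP lookups succeed while Kerberos logon or password changes fail. A zone generated by a DC's Netlogon service registers all of these automatically; if you author the zone on a Linux DNS server by hand, this check tells you what the clients will actually find.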