<br>On Wednesday, April 25, 2012, Joel Witherspoon wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">2008 AD is pretty solid. Much better than 2000, 2003. It's all LDAP (suspiciously similar to OpenLDAP), so you'll need to have a DNS that handles SRV records. If your Linux DNS doesn't deal with SRV records, you can set up DNS on the Windows server. You'll need to point the client's primary DNS to that AD server's DNS for auth. <div>
<br></div><div>It took me less than an hour to have a functional DNS and Tree set up. I've attached several OpenFiler servers using the AD connector tool and it worked great. I haven't tried connecting Linux workstations yet, but Mac OS X can connect with limited functionality.<div>
<br></div><div>A few things:</div><div>1) Always make sure you have a second domain controller (DC). You can promote any server to become a DC. Replication should be automagic but check to make sure.</div><div><br></div>
<div>
2) GPOs are your friend. Forget mapping drives via client properties; mapping drives and security is A LOT easier.</div><div>2a) Make sure your clients always have the latest GPO updates. </div><div>2b) There are workstation (computer) and user policies. Some policies in both categories do the same thing, but most are remarkably different. MS has cleaned up a lot of their GPO handling so it's been a lot easier to deal with them lately.</div>
<div><br></div><div>3) Use BGInfo on your desktops. It provides some WMI information that's good for troubleshooting.</div><div><br></div><div>4) Brush up on PowerShell. It's better than cmd for scripting and it's good with Windows. However, compared to SSH, it blows and its security structure blows.</div>
<div><br></div><div>4a) In the same vein, disable UAC on Vista and 7 workstations. You don't really need it with a sound GPO plan.</div><div><br></div><div>5) Unlike Novell's eDirectory (which was context-based), EVERY object in AD (context-less) needs to be unique. You can't have a username with the same name as a host, for example. We had to rethink our naming scheme because of that.</div>
<div><br></div><div>6) When the user first logs in on a Windows workstation, they will have very little rights. So you want to make sure your users have the correct rights for their position. GPO is good for this.</div><div>
<br></div><div>7) OS X workstations require a third party tool. We are currently testing Centrify on our Mac OS X's.<br><br>On Wednesday, April 25, 2012, matti wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div style="font-size:10pt;font-family:times new roman,new york,times,serif"><div>Hi,</div><div><br></div><div>I'm looking at setting up active directory services..</div><div><br></div><div>1) expect to have linux, mac OS X, and windows clients...</div>
<div><br></div><div>2) would like to use a linux server, but may have to setup a windows server..</div><div><br></div><div>Curious what sort of experiences people have had with it?</div><div>Recommendations? pitfalls? etc..</div>
<div><br></div><div>thanks! <br></div><div>matti</div><div><br></div></div></div></blockquote></div></div></blockquote><div><br></div><div>Sorry about the double post and top post. My Gmail has been wonky lately. </div>
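<div>Added example, not part of the thread above: a small POSIX shell script that checks whether a DNS server (the existing Linux DNS or the one set up on the Windows server, as point 1 of the reply describes) publishes the SRV records a domain-joined client uses to locate a domain controller. The names under <code>_msdcs</code> and the <code>_ldap</code>/<code>_kerberos</code>/<code>_kpasswd</code>/<code>_gc</code> names are the standard ones AD registers; the domain <code>corp.example.com</code>, the server <code>192.0.2.10</code> and the DC hostnames in the constructed sample are placeholders. It assumes a single-domain forest, so the <code>_gc</code> record is looked up under the same domain name. It needs <code>dig</code> on the machine running it.</div>

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify that a DNS server
# serves the SRV records an Active Directory client needs to find a DC.
# Domain, DNS server address and DC hostnames used below are assumptions.

# SRV names a Windows/Linux/OS X client queries to locate domain controllers.
# _gc lives under the forest root; assumed equal to the domain (single-domain forest).
ad_srv_names() {
    domain=$1
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$domain" \
        "_kerberos._tcp.dc._msdcs.$domain" \
        "_ldap._tcp.$domain" \
        "_kerberos._tcp.$domain" \
        "_kpasswd._tcp.$domain" \
        "_gc._tcp.$domain"
}

# Parse `dig +short SRV` output lines ("priority weight port target.") from
# stdin and print one target per line without the trailing dot.
# Returns 1 when no SRV record was present, so a caller can spot a missing name.
srv_targets() {
    found=0
    while read -r prio weight port target; do
        [ -n "$target" ] || continue
        found=1
        printf '%s\n' "${target%.}"
    done
    [ "$found" -eq 1 ]
}

# Query every required SRV name against one DNS server and print a report.
# Returns 1 if any name came back empty (the client will not be able to join
# or authenticate against that DNS).
check_ad_srv() {
    domain=$1
    server=$2
    rc=0
    for name in $(ad_srv_names "$domain"); do
        if targets=$(dig +short SRV "$name" "@$server" | srv_targets); then
            echo "OK      $name -> $(echo "$targets" | tr '\n' ' ')"
        else
            echo "MISSING $name"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_ad_srv.sh corp.example.com 192.0.2.10
if [ "$#" -eq 2 ]; then
    check_ad_srv "$1" "$2"
fi
```

<div>Run it once against the Linux DNS and once against the Windows server's DNS; if any line reports MISSING from the Linux side, the clients' primary DNS has to point at the AD server as the reply says, or the zone on the Linux side needs those SRV records added. A second domain controller should show up as a second target on every OK line, which is a quick way to confirm both DCs have registered themselves.</div>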