
Finally found a way to integrate Macs in a Windows domain.

I hope others could find a solution for their problems here.

 

Our network consists of a server

(Windows Small Business Server 2003)

and a number of Windows XP clients.

I found it not easy to integrate a few Mac clients into that network.

 

PART ONE.

 

First of all, TCP/IP has to be set.

In System Preferences,

open Network:

 

post-7036-1145881100_thumb.png

 

If you have a server that automatically assigns IP addresses, then:

Configure IPv4 = Using DHCP

 

If you don't, then you have to fill in the IP addresses yourself,

like I have done.

If you don't know those addresses,

you should ask your sys admin for them.

 

It is important what you set in Search Domains.

First you set

local

then a comma

then the name of your domain.

 

The other tabs of Network (PPPoE, AppleTalk...) are not important (I think).

 

 

PART TWO.

 

Then let's move to Sharing in System Preferences:

 

post-7036-1145881606_thumb.png

 

Type in Computer Name the name of your mac,

as you want others on the network to see your computer.

(yeah, I bought myself a real MacMini, just to see... :D )

Then you can set also Personal File Sharing, Windows Sharing,

as you like.

 

 

PART THREE.

 

Then start Programs-Utilities-Directory Access:

 

post-7036-1145881873_thumb.png

 

Important is the tab Services.

Check there

- Active Directory

- AppleTalk

- SMB/CIFS

 

Now let's configure Active Directory:

 

post-7036-1145882262_thumb.png

 

In Active Directory Domain, set the name of your domain.

I found out that in some cases you can avoid some problems with adding

.local

to the domain name,

so the name looks like

domain_name.local

 

In Computer ID, set the name of your mac,

as you want to see it in Active Directory.

I named mine MACMINI.

Take a look at the Advanced Options.

In User Experience,

it should look like my settings.

 

The tabs Mappings and Administrative are less important (I think).

 

Now is the time to integrate the mac into the domain.

Click on the button Bind...

 

post-7036-1145882730_thumb.png

 

and type in the credentials of someone who has the rights,

to add a computer to the domain.

 

Then the mac takes 5 steps to be added to the domain:

 

post-7036-1145882866_thumb.png

 

Back to Directory Access:

 

post-7036-1145881873_thumb.png

 

In AppleTalk, nothing can be configured.

 

In SMB/CIFS, we put the name of our domain,

and (maybe less important) the IP address of the WINS server.

If you don't know, ask your sys admin.

 

post-7036-1145883080_thumb.png

 

 

PART FOUR.

 

Now comes a difficult part.

If you don't take this step, you won't see the shares (shared directories) on your server.

The problem is that Windows and the Mac handle passwords in a different way.

How to deal with this situation is described in KB 839499:

http://support.microsoft.com/kb/839499/en-us

 

I will cite here what is important for us.

You will need to edit the registry on the server -

so be very careful what you do.

 

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. On the domain controller, click Start, click Run, type regedit, and then click OK.

2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters

3. In the right pane, double-click enablesecuritysignature, type 1 in the Value data box, and then click OK.

4. Double-click requiresecuritysignature, type 1 in the Value data box, and then click OK.

5. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

6. In the right pane, double-click enablesecuritysignature, type 1 in the Value data box, and then click OK.

7. Double-click requiresecuritysignature, type 0 in the Value data box, and then click OK.

8. After you change these registry values, restart the Server and Workstation services. Do not restart the domain controller, because this action may cause Group Policy to change the registry values back to the earlier values.

9. Open the domain controller’s Sysvol share. To do this, click Start, click Run, type \\Server_Name\Sysvol, and then press ENTER. If the Sysvol share does not open, repeat steps 1 through 8.

10. Repeat steps 1 through 9 on each affected domain controller to make sure that each domain controller can access its own Sysvol share.

11. After you connect to the Sysvol share on each domain controller, open the Domain Controller Security Policy snap-in, and then configure the SMB signing policy settings. To do this, follow these steps:

a. Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.

b. In the left pane, expand Local Policies, and then click Security Options.

c. In the right pane, double-click Microsoft network server: Digitally sign communications (always).

 

Note In Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (always).

 

Important If you have client computers on the network that do not support SMB signing, you must not enable the Microsoft network server: Digitally sign communications (always) policy setting. If you enable this setting, you require SMB signing for all client communication, and client computers that do not support SMB signing will not be able to connect to other computers. For example, clients that are running Apple Macintosh OS X or Microsoft Windows 95 do not support SMB signing. If your network includes clients that do not support SMB signing, set this policy to disabled.

d. Click to select the Define this policy setting check box, click Enabled, and then click OK.

e. Double-click Microsoft network server: Digitally sign communications (if client agrees).

 

Note For Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (when possible).

f. Click to select the Define this policy setting check box, and then click Enabled.

g. Click OK.

h. Double-click Microsoft network client: Digitally sign communications (always).

i. Click to clear the Define this policy setting check box, and then click OK.

j. Double-click Microsoft network client: Digitally sign communications (if server agrees).

k. Click to clear the Define this policy setting check box, and then click OK.

12. Run the Group Policy Update utility (Gpupdate.exe) with the force switch. To do this, follow these steps:

a. Click Start, click Run, type cmd, and then click OK.

b. At the command prompt, type gpupdate /force, and then press ENTER.

For additional information about the Group Policy Update utility, click the following article number to view the article in the Microsoft Knowledge Base:

298444 A description of the Group Policy Update utility

Note The Group Policy Update utility does not exist in Windows 2000 Server. In Windows 2000, the equivalent command is secedit /refreshpolicy machine_policy /enforce.

 

For additional information about using the Secedit command in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

227302 Using SECEDIT to force a Group Policy refresh immediately

13. After you run the Group Policy Update utility, check the application event log to make sure that the Group Policy settings were updated successfully. After a successful Group Policy update, the domain controller logs Event ID 1704. This event appears in the Application Log in Event Viewer. The source of the event is SceCli.

14. Check the registry values that you changed in steps 1 through 7 to make sure that the registry values have not changed.

 

Note This step makes sure that a conflicting policy setting is not applied at another group or organizational unit (OU) level. For example, if the Microsoft network client: Digitally sign communications (if server agrees) policy is configured as "Not Defined" in Domain Controller Security Policy, but this same policy is configured as disabled in Domain Security Policy, SMB signing will be disabled for the Workstation service.

15. If the registry values have changed after you run the Group Policy Update utility, open the Resultant Set of Policy (RSoP) snap-in in Windows Server 2003. To start the RSoP snap-in, click Start, click Run, type rsop.msc in the Open box, and then click OK.

 

In the RSoP snap-in, the SMB signing settings are located in the following path:

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options

Note If you are running Windows 2000 Server, install the Group Policy Update utility from the Windows 2000 Resource Kit, and then type the following at the command prompt:

gpresult /scope computer /v

After you run this command, the Applied Group Policy Objects list appears. This list shows all Group Policy objects that are applied to the computer account. Check the SMB signing policy settings for all these Group Policy objects.

 

----

As I said, that Microsoft stuff is not easy.

Hope you managed well...

The best is if you print that Microsoft article,

and then just perform every step...

 

 

Now if everything went well,

you can see the names of the active computers in your network:

 

post-7036-1145883199_thumb.png

 

and we can also see the shares on the server:

 

post-7036-1145884380_thumb.png

 

 

----

 

If you only have a group of computers,

connected to each other,

and no server,

then you have a WORKGROUP

(or another name given by the sys admin).

Then things are more simple.

You just put WORKGROUP_NAME instead of DOMAIN_NAME,

in the steps mentioned above.

And you don't have to apply part 4 = the Microsoft stuff.

 

If you have a group of computers,

AND a server,

then we speak of a DOMAIN.

The server acts as a domain controller,

file server,

and can have many more roles too.

 

 

-------------------

Cheers !
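
Added example (not part of the original post or of the Microsoft article): a Python check for step 14 of the KB text quoted above, which compares `reg query` style output against the values set in steps 3-4 and 6-7 and then works out the standard SMB1 signing outcome for a client that cannot sign, the case the article's "Important" note describes. The function names, `NO_SIGNING` and the sample text are constructed for illustration; the sample deliberately shows one drifted value.

```python
import re
# Values that steps 3-4 and 6-7 of the quoted KB text set on the domain controller.
EXPECTED = {
    "lanmanserver": {"enablesecuritysignature": 1, "requiresecuritysignature": 1},
    "lanmanworkstation": {"enablesecuritysignature": 1, "requiresecuritysignature": 0},
}
# Assumption: a client with no SMB signing support, modelled as both values 0.
NO_SIGNING = {"enablesecuritysignature": 0, "requiresecuritysignature": 0}
# Constructed sample in the layout `reg query <key>` prints (not real server output).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    enablesecuritysignature    REG_DWORD    0x1
    requiresecuritysignature    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
    enablesecuritysignature    REG_DWORD    0x1
    requiresecuritysignature    REG_DWORD    0x1
"""
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Services\\(\w+)\\parameters$", re.I)
VAL_RE = re.compile(r"^\s+(\w+)\s+REG_DWORD\s+(0x[0-9a-f]+)\s*$", re.I)

def parse_reg_query(text):
    """Return {service: {value_name: int}} parsed from `reg query` style text."""
    result, service = {}, None
    for line in text.splitlines():
        key, val = KEY_RE.match(line.strip()), VAL_RE.match(line)
        if key:
            service = key.group(1).lower()
            result[service] = {}
        elif val and service:
            result[service][val.group(1).lower()] = int(val.group(2), 16)
    return result

def drift(actual):
    """List (service, name, expected, found) for each value that differs (step 14)."""
    return [(svc, name, want, actual.get(svc, {}).get(name))
            for svc, names in EXPECTED.items() for name, want in names.items()
            if actual.get(svc, {}).get(name) != want]

def mode(params):
    """Collapse the two DWORDs into required / enabled / disabled."""
    if params.get("requiresecuritysignature"):
        return "required"
    return "enabled" if params.get("enablesecuritysignature") else "disabled"

def negotiate(server, client):
    """SMB1 signing outcome for one server/client pair of settings."""
    s, c = mode(server), mode(client)
    if "required" in (s, c):
        return "refused" if "disabled" in (s, c) else "signed"
    return "signed" if s == c == "enabled" else "unsigned"
```

On the server, the text to parse comes from running `reg query` against the two subkeys named in steps 2 and 5.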


  • 2 months later...

Only step I didn't do was the regedit, because I'm not going to be permanently connected to the domain but man, that was a lot of steps, but I'm connected now, thanks for this post! Helped out a lot!

 

Wow, it's funny how much faster it is to browse and copy files from a Windows 2003 server to an OS X machine than it is to copy to an XP machine..
