Lessons Learned

Things I wish I had known…

January 19th, 2008

Outstanding Macintosh Connectivity Issues

There are a couple of connectivity issues related to using a Macintosh in a Windows network that are worth noting. These can impact connectivity of both Mac OS 10.4 and 10.5 in an SBS (or other Active Directory) network.

First, if the Active Directory login name matches either the Full Name or shortname of a local Macintosh account, you will not be able to authenticate against Active Directory. What seems to be happening in this instance is that the Mac OS authentication mechanism looks first at the local user directory before looking at any remote user directories when attempting authentication. If the name entered at login matches an account in the local user directory, Mac OS will attempt to authenticate against that user instead of the account in the remote user directory. This means an AD account named “jane” will not authenticate against AD if there is a local account with the shortname “jane” or the long name “Jane Dough.” Even if the shortname for “Jane Dough” is “admin,” the authentication will fail.

To resolve this issue, first create another local Mac user account with a long name and short name that have no close matches to any account in Active Directory. Make that user an administrator over the local machine. Then log in with that new user and remove any local accounts with names similar to the AD login name. If the user has been using that local account for a while, you will need to take steps to move the local user profile information into another account, which is not a trivial task. Only after you delete the local account with a similar name to the AD account will you be able to authenticate against the AD account. This happens whether you join the Mac to Active Directory or not.
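A pre-bind check for the name collision described above, as an added example that is not part of the original post: it reads account listings in the `shortname  Full Name` layout printed by `dscl . -list /Users RealName` and flags any local account whose short name, full name, or a word of the full name equals the AD login. The word-level match is an assumption generalized from the “Jane Dough” case, and `find_name_collisions`, `sample_accounts` and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag local Mac accounts whose names collide with an AD login.

# Constructed sample in the "shortname  Full Name" layout.
# On a real Mac the listing would come from: dscl . -list /Users RealName
sample_accounts() {
    cat <<'EOF'
admin           Jane Dough
bob             Bob Smith
root            System Administrator
EOF
}

# find_name_collisions AD_LOGIN
#   stdin : account listing, one "shortname  Full Name" per line
#   stdout: shortname<TAB>full name<TAB>reason, one line per colliding account
#   status: 0 = no collision, 1 = collision found, 2 = no login given
find_name_collisions() {
    # Accept the login as typed at the login window (domainname\username)
    # and keep only the part after the last backslash.
    login=${1##*\\}
    [ -n "$login" ] || return 2

    # The login is passed through the environment so awk does not apply
    # escape processing to it.
    AD_LOGIN="$login" awk '
    BEGIN { ad = tolower(ENVIRON["AD_LOGIN"]); hits = 0 }
    NF == 0 { next }
    {
        short = $1
        full = $0
        sub(/^[ \t]+/, "", full)          # leading blanks
        sub(/^[^ \t]+[ \t]*/, "", full)   # short name column
        sub(/[ \t]+$/, "", full)          # trailing blanks

        why = ""
        if (tolower(short) == ad) {
            why = "short name"
        } else if (tolower(full) == ad) {
            why = "full name"
        } else {
            # Assumption: a login equal to one word of the full name is
            # treated as a collision, as in the "jane" / "Jane Dough" case.
            n = split(tolower(full), w, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (w[i] == ad) why = "word in full name"
        }
        if (why != "") {
            printf "%s\t%s\t%s\n", short, full, why
            hits++
        }
    }
    END { exit (hits > 0) }
    '
}

# Demonstration on the constructed sample; "|| true" keeps the script's
# own exit status clean when a collision is reported.
sample_accounts | find_name_collisions 'domainname\jane' || true
```

Any account it reports is a candidate for the rename-or-remove procedure above before the AD login is attempted.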

Second, I have seen two instances where joining a fresh Leopard (10.5) install to an SBS network has been problematic. Specifically, when you log in with AD credentials, the process can take 5 or more minutes to process the login. Unfortunately, I have not been able to troubleshoot these two instances the way I had wanted, and I have not been able to replicate the behavior on demand. I believe that there is an issue/delay with the Mac doing LDAP lookups in AD to get the account information for authentication, but I cannot be sure without further testing.

If anyone has seen this problem and is willing to work with me to do some more in-depth troubleshooting on the problem, please let me know. Given the number of systems that I’ve connected and that have been done following the instructions on this blog and the smallbizserver.net site, this specific behavior is very rare. But now that I’ve seen it twice, I’d like to know what’s going on and modify these instructions as needed to help prevent that problem in the future.

October 28th, 2007

Connecting a Macintosh running Mac OS 10.5 to an SBS 2003 Server

Now that Mac OS 10.5 has hit the streets, there are folks who are wanting to know how to connect a Mac running the new operating system to an SBS network. This document covers steps for connecting a Macintosh running Mac OS 10.5 to an SBS 2003 network. This document assumes a healthy SBS network set up according to best practices.

Note: Before you start, make sure the local user name on the Macintosh does not match the Active Directory login name that will be used to access resources on the SBS network. This includes both the long name and the short name for the local Macintosh account. If the local Mac account for Jane Dough has a long name of “Jane Dough” and a short name of “jane” and the Active Directory account for the user is “jane,” you will not be able to authenticate to Active Directory properly. See “Outstanding Macintosh Connectivity Issues” for more details.

Phase 1 – Network Configuration

If the SBS 2003 server is set up properly and the Macintosh is getting its network information from DHCP, the network settings should be ready to go out of the box, so to speak. These steps will confirm proper network settings on the Macintosh to work with the SBS network.

  1. Open the System Preferences application from the Dock or from the Apple Menu.
  2. Select the Network panel from the System Preferences application.
  3. Review the settings for the active network connection. You should see settings that match the values expected for the SBS network. You will also see the DNS server address listed (but grayed out) as well as the internal domain name in the Search Domains field. If these values do not match your SBS network, make the necessary adjustments. The DNS server should point to the internal IP address of your SBS server, and the Search Domains field should contain the internal domain name of the network (i.e., domainname.local).
  4. Click the Advanced button in the Network pane.
  5. Click the WINS tab.
  6. Select the correct NetBIOS domain name from the Workgroup drop down list. The WINS server address should already be populated and be the internal IP address of the Server.
  7. Click OK and then Apply in the main Network panel.
  8. Close System Preferences.
  9. Open the Macintosh HD icon and select the Application icon from the navigation tree.
  10. Open the Utilities folder and scroll down to the Terminal icon.
  11. Open the Terminal application. Ping the SBS server by its short name (i.e., if the fully-qualified domain name for the server is servername.domainname.local, ping servername).
  12. If the Mac is getting proper DNS resolution, the internal IP address of the server will respond to the ping. Note that you will need to press Control-C to stop the ping command. If you do not get the proper IP address of the server from the ping command, go back and review the network setup steps.
  13. Close the Terminal application.

Phase 2 – Accessing Server Resources

Mac OS 10.5 can access shares from the SBS server via the SMB (server message block) protocol like earlier versions of OS X. There are some key differences, however. You must still disable SMB Signing on the server in order for the Mac to be able to read and write files to the server share (see this post for instructions on how to disable SMB signing on the server). If you have Windows 2003 Service Pack 2 on the server, you also need to make sure that all scalable networking components are disabled. See MS KB936954 and Step 4 in this post on the Official SBS Blog for instructions on disabling the scalable networking components.

The key difference between Leopard and previous versions of the Mac OS is that you will be able to authenticate against the server and open shares on the server even if SMB signing is not disabled. However, you will not be able to read or write files in the server shares. In previous versions of the OS, you would not be able to authenticate against the server at all if SMB signing were still enabled.

Once you have disabled SMB signing on the server, follow these steps to access the shares on the server from the Mac.

  1. From the Finder, select Connect to Server from the Go menu, or press Command K to open the Connect to Server window.
  2. Enter the server path as smb://servername in the Server Address field and click Connect.
  3. You will be prompted to enter your domain username and password to access the share. Enter the username in the domainname\username format.
  4. After you authenticate, you will be presented with a list of shares on the server that you may connect to. Select the share and click OK.
  5. Another key difference in Leopard from previous versions of the Mac OS is that the network share no longer appears as a mounted disk volume on the Mac. Instead a new window will open to the share, and the server will appear under the Shared area of the navigation tree with an Eject symbol next to it. If you close the window and need to get back to the share, you can click on the server name in the navigation tree and see a list of the shares available on the server.
  6. In the Connect to Server window, you can enter the full path to a share in the format smb://servername/sharename. You can save the path in the Favorite Servers list by clicking the plus sign next to the Server Address field. You can also open a folder on the share directly by using the format smb://servername/sharename/foldername.
  7. When you click Connect in the Connect to Server window, a new window will open to the path specified in the Server Address window. If you selected a folder under a share, that folder window will open directly.

Phase 3 – Joining Active Directory

By default, you will have to enter your domain username and password every time you access a server resource when that resource is not connected to the Mac (i.e., right after bootup, after a share has been “ejected”, or if a network connection drops the connection to the server). By joining the Macintosh to Active Directory, you can log into the Mac with your Active Directory user credentials and not have to enter them every time you access a shared resource. To be able to log in to the Mac with Active Directory credentials, follow these steps.

  1. From the Utilities folder in the Applications folder, open the Directory Utility application.
  2. Once the application opens and finishes the process of detecting directory servers on the network, click the Show Advanced Settings button.
  3. When the Advanced Settings appear, click the Services icon.
  4. Click the lock to get access to the panel. You will be prompted for credentials. Enter your Macintosh username and password, then click OK.
  5. Double-click on the Active Directory line to open the Active Directory configuration.
  6. Click on the Show Advanced Options triangle.
  7. Enter the internal domain name in the Active Directory Domain field (i.e., domainname.local).
  8. Change the name of the Mac to a shorter name in the Computer ID field if desired.
  9. Turn on the Create mobile account at login checkbox.
  10. Select the Administrative tab.
  11. Turn on the Prefer this domain server checkbox and enter the fully-qualified domain name of the SBS server (i.e., servername.domainname.local).
  12. Turn on the Allow administration by checkbox.
  13. Click Bind to join the Macintosh to the domain.
  14. Enter the domain administrator username and password when prompted. The Macintosh will be placed in the Computers container by default. This can be changed in Active Directory later if needed.
  15. Once the join process is complete, you will see both the Active Directory Forest and Active Directory Domain fields populated.
  16. Confirm that the Active Directory checkbox is enabled in Directory Utility and close the application.
  17. Open System Preferences and click the Accounts icon.
  18. Click the lock to make changes and enter the password for the local Mac account.
  19. Click on the Login Options icon in the navigation tree.
  20. Set Automatic Login to Disabled.
  21. Close System Preferences.
  22. Log out of the Mac account by selecting Log Out from the Apple menu. You do not need to restart the Mac to be able to log in with your Active Directory credentials.
  23. When you get the login screen, click Other.
  24. Enter your Active Directory credentials as domainname\username.
  25. You will be prompted to create a mobile account. Click Create Now.
  26. Once login completes, open System Preferences and open the Accounts pane.
  27. Click the lock to make changes.
  28. When you are prompted to enter administrator credentials, you will need to enter information for the local Macintosh account. You will need to enter the short name as the account name. If you are not sure what the short name is, log back in as the Mac user and look for the name of the home folder. The home folder is named with the short name of the account.
  29. After you enter the authentication information, turn on the Allow user to administer this computer checkbox.
  30. You will get a message that you need to log out and log back in for the settings to take effect. Click OK.
  31. Log out and log back in with the Active Directory credentials.
  32. Open a new Finder window and select the server name in the Shared section of the navigation tree. All of the shares on the server will appear and can be selected from here. You can also use the Connect to Server method described earlier in this document to connect. The difference is that you will not be prompted to enter a username and password when you enter the network resource you wish to use.

A version of the document complete with screen shots will be available at smallbizserver.net in the near future.

October 28th, 2007

Initial Observations on Leopard

I plan to have several posts related to Leopard (Mac OS 10.5) connectivity with SBS networks over the next few days, and I have a methodology defined for how I’m going to approach the various scenarios that present themselves. Initially, however, I’ve taken an existing 10.4 install that was joined to Active Directory and logging in with AD credentials and upgraded that system in place to Leopard. There was one hiccup with creating the mobile user account, but I’m not sure that wasn’t a carryover from a similar issue I’d already had with that machine.

After the upgrade, I was able to log in with the user’s AD credentials just fine. I was presented with the Setup Assistant, which I closed without completing. I was presented with two updates for Leopard, neither of which looks critical to most of the clients I work with. One was an update for the Apple Remote Desktop utility, and the other was a login and keychain update. For that one, I reviewed the Apple KB and found that it addresses an issue with long passwords on direct upgrades from 10.1, which for me is going to be a very rare case.

I still plan on recommending a clean install with user settings transfer for most Leopard “upgrades” and that’s the case I plan on testing next. But on a clean install of Tiger with very few 3rd party applications installed, the in-place upgrade worked nicely and kept my user settings as close as they can given the changes with Leopard.

More to come…

October 26th, 2007

Connecting a Macintosh to an SBS 2003 Server via SMB (2007)

This document provides instructions for connecting a Macintosh running Mac OS X 10.4 to an SBS 2003 server. This document was prepared using Mac OS X 10.4.10, but should apply to any later updates to 10.4. This document makes several assumptions:

  1. The SBS server is a healthy setup and is configured according to best practices (DHCP running on the server, private IP address range on the internal network, etc.).
  2. The Macintosh has been updated with the latest available security patches from Apple.

Note: Before you start, make sure the local user name on the Macintosh does not match the Active Directory login name that will be used to access resources on the SBS network. This includes both the long name and the short name for the local Macintosh account. If the local Mac account for Jane Dough has a long name of “Jane Dough” and a short name of “jane” and the Active Directory account for the user is “jane,” you will not be able to authenticate to Active Directory properly. See “Outstanding Macintosh Connectivity Issues” for more details.

Phase 1 – Network Configuration

  1. Open the System Preferences either by selecting the System Preferences icon in the Dock or by selecting System Preferences from the Apple menu.
  2. Click the Network icon under Internet & Network.
  3. Confirm that the Macintosh has an active network connection in Network Status. Double-click on the active network adapter.
  4. Confirm that the network settings provided by the DHCP server are correct. The DNS Servers field will be empty and should remain that way (the DHCP server provides the DNS server entries and those are not displayed in the interface).
  5. Turn off IPv6 by clicking on the Configure IPv6 button and selecting Off from the available options.
  6. Enter the internal domain name in the Search Domains field. If the internal domain is .local, no other configuration is necessary in Mac OS 10.4.
  7. Click Apply Now, then close the Network panel.
  8. Open the hard drive and open the Applications folder by selecting the Applications icon in the navigation tree.
  9. Open the Utilities folder in the Applications folder.
  10. Open the Terminal application in the Utilities folder.
  11. Ping the SBS server by fully-qualified domain name (i.e., servername.domainname.local) to confirm proper DNS lookup for the FQDN. [Note: you will need to press Control-C to stop the ping process in the Terminal window.]
  12. Ping the SBS server by NetBIOS name (i.e., servername) to confirm proper DNS lookup for the nodename.
  13. Quit the Terminal application after confirming proper DNS lookup. At this point, you should have the correct network settings needed to communicate with the SBS server via DNS and IP.

Phase 2 – Active Directory Configuration

  1. Open the Directory Access application in the Utilities folder.
  2. Click the lock in the lower left corner of the Directory Access window to make changes to the configuration.
  3. Enter the password for the local Macintosh account to open the Directory Access settings.
  4. Select SMB/CIFS from the list and click Configure.
  5. Enter the NetBIOS domain name for the Workgroup (i.e., domainname instead of domainname.local) and the internal IP address of the SBS server as the WINS server, then click OK.
  6. Turn on the checkbox for Active Directory.
  7. With Active Directory selected, click Configure.
  8. Click the Show Advanced Options arrow to display the full set of options.
  9. Enter the internal domain name (i.e., domainname.local) in the Active Directory Domain field.
  10. Turn on the Create mobile account at login checkbox.
  11. Turn off the Use UNC path from Active Directory to derive network home location checkbox.
  12. Click the Administrative tab.
  13. Turn on the Prefer this domain server checkbox and enter the fully-qualified domain name of the server (i.e., servername.domainname.local).
  14. Turn on the Allow administration by checkbox.
  15. Change the name of the Macintosh in the Computer ID field if necessary (the default name of the Macintosh may be too long).
  16. Click Bind to join the Macintosh to Active Directory.
  17. When prompted, enter the domain administrator username and password. Note the default location of the Macintosh object will be in the Computers container of Active Directory. This location is fine and can be modified later in Active Directory.
  18. Click OK and the Macintosh will join the domain.
  19. When the domain join completes, quit the Directory Access application.
  20. Open the System Preferences and select the Accounts icon under System.
  21. Click the lock in the lower left hand corner of the Accounts panel to make changes. Make note of the Short Name of the default Macintosh account in the Accounts page. [Note: If this short name is the same as the Active Directory username, you will not be able to log in to Active Directory.]
  22. When the Accounts panel is unlocked, click the Login Options icon.
  23. Turn off the Automatically log in as checkbox.
  24. Close the Accounts panel.
  25. Reboot the Macintosh. When the Macintosh comes up, you will see an icon for the default account in the login pane. Wait until another icon named “Other” appears to get the Active Directory login.
  26. Click the Other icon when it appears and enter the Active Directory login information as domainname\username.
  27. When prompted to create a portable home directory, click Yes.
  28. Open System Preferences and select the Accounts icon under System.
  29. Note the Active Directory account now appears under My Account. Click the lock to make changes.
  30. When prompted for an administrator’s name and password, enter the Short Name of the default Macintosh account that you noted earlier and the password for that account.
  31. Turn on the Allow user to administer this computer checkbox.
  32. Close System Preferences and log out.
  33. Log back in using Active Directory credentials and now you will have full access to the Macintosh.

Phase 3 – Accessing Server Resources

  1. From the Finder, select the Go menu and select Connect to Server.
  2. In the Connect to Server window, enter smb://servername and click Connect to get a list of shares from the server.
  3. You may get an error saying the computer could not connect to the server because the username or password is not correct. This is either because SMB signing has not been disabled on the server or because Windows Server 2003 SP2 has been installed and the scalable networking options have not been disabled. To learn how to disable SMB signing on the SBS server, see How to Disable SMB Signing in SBS 2003. To disable the scalable networking additions of Service Pack 2, see KB 936594 and follow Step 4 in this post from the SBS blog.
  4. If communication is set properly on the SBS server, you will see a list of available shares. Select the desired share and click OK.
  5. Once you select the share, the share will open a new window on the desktop. It will also appear as a volume in the navigation tree.
  6. In the Connect to Server window, you can also specify the full path to a share (i.e., smb://servername/users) and you can save paths on the network to the favorites list by clicking the plus sign next to the server address when you have the path entered correctly.

Other Resources:
Automounting network shares on a Macintosh at logon time:
http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleView/articleId/97/Automounting-SMB-Shares-on-a-Macintosh.aspx (with screen shots)
http://simultaneouspancakes.com/Lessons/2005/11/27/automounting-sbs-shares-on-a-macintosh/ (text only)

The Alternative to RWW for the Macintosh:
http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleView/articleId/84/The-alternative-for-RWW-for-Mac.aspx

A version of this document with screen shots will be available at smallbizserver.net.

July 24th, 2007

Updating Parallels

Parallels released an update to the 3.0 product which I downloaded and installed today. A couple of items worth noting:

1. When doing an update of Parallels, you should always re-run the Parallels Tools installer on the first launch after the update installs. Parallels should offer this to you by default, but in case it doesn’t run it yourself.

2. When you forget about #1 above and try to launch applications within Windows after Parallels lets you start the environment, you might get into a conflict with the Parallels Tools installer and have it lock Windows/Parallels to a point of reset (or Force Quit in my case).

3. If you’re using the Coherence video settings in Parallels, you might want to wait until all the Parallels Tools updates have finished, even after the restart following the completion of the installation, before switching back into Coherence mode, lest your video look really lo-res and ugly.

4. If you’re in the middle of trying to meet a deadline (or just some friends for lunch), that might not be the best time to choose to install the Parallels update. Since you need a little patience for items 1-3 above, it might behoove you to wait until you’ve got 10-15 minutes with nothing else to do before going through the update process.

Just a few thoughts…

March 21st, 2007

No, You’re Not Going Crazy

If you’ve updated to Mac OS 10.4.9 since it was released last week, you may have fallen victim to an update that wasn’t highly publicized by Apple. To address a problem where PowerBook and MacBook users have been ejecting the CD by accidentally pressing the Eject key (which, granted, is dangerously close to the function keys and not really separated on the Power/MacBook keyboard layout), the 10.4.9 update introduced a “key delay” for that key to curb accidental ejections. Unfortunately, they didn’t really tell anyone about it, and there’s no setting to adjust for desktop Mac users who have a completely separate key and are less prone to accidental ejection.

Now, if we were talking about the ejector seat in a car or plane, I’d absolutely want to prevent accidental pressing of the key. But this is a CD. If you eject it accidentally, yeah, you may lose a few seconds, but is the fix worth the frustration this has caused some Mac users who are suddenly thinking their keyboards (or minds) are on the blink?

Apple’s Doc on the subject explains the behavior, but doesn’t give much background. There’s also the unusual “This document will be updated as more information becomes available” line at the end of the document. Maybe that means there’s a fix for the fix underway? Who knows at this point…

March 1st, 2007

More Entourage and DST

Given everything else that’s going on with DST and calendaring, Entourage 2004 is actually fairly straightforward to deal with. However, what if you’re running an older version of Entourage, say Entourage X? Well, MS no longer officially supports that product, so while the default response might be to say “deal with it” or “upgrade to Office 2004,” some folks in the Entourage community have put together a workaround to deal with the issue.

It’s worth noting here (they also note this in their posting, but this is important) that this workaround has not been sanctioned or approved by Microsoft, and you do this at your own peril. But it’s actually a fairly straightforward adjustment and has a script developed as well, so compared to the potential damage versus just having all your appointments off by an hour, it’s not too bad. Plus, recovering from a failed modification is easy.

Worth checking out if you’ve got that particular challenge.

January 25th, 2007

Entourage and DST

And here you were thinking that your Mac would be immune to the DST problems that seem to be plaguing the rest of the US. Well, not necessarily. Turns out that Microsoft has included updates in Office Update 11.3.3 for Entourage that handle issues related to calendar items and the new DST rules. And if you’re only using Entourage 2004 for POP3 or IMAP accounts, you’re probably going to be OK. But only if you install Update 11.3.3 (at least according to KB924606).

But, if you’re using Entourage 2004 to connect to an Exchange server, your calendar may just get a little funky for a little while. According to a blog post from the MS Higher Education West group, this happens if the Exchange server has not been updated with the patches to fix the DST issue. Where can I learn about these updates, you may be asking? Well, this Microsoft page has information, and http://www.dstpatch.com/ also has update information.

Bottom line, the patch for Exchange is out, but not necessarily universally installed. The Entourage patch is out, as is the OS update from Apple that allows the core Mac OS to handle the new DST laws. But the Outlook patch is not yet available, so expect that until all three players are updated in a particular location there will be some discrepancies about meetings that are scheduled after March 11, 2007.

My Mac recommendation: go ahead and update to 11.3.3 for Office for the Mac, but be aware of possible DST meeting hiccups until everyone else gets updates.

August 24th, 2006

Errata on Entourage Media

I have it on good authority that the Entourage media part number listed in page 430 of the SBS 2003 Unleashed book (Q56-00005) is no longer available from Microsoft. There is a new SKU for Entourage media from MS fulfillment, but it’s been ‘bundled’ as part of the R2 set, and is not yet available.

The new part number is Q56-00232 Entourage Mac 2004 Mac English Disk Kit CD (this is listed on http://www.microsoft.com/windowsserver2003/sbs/evaluation/faq/prodinfo.mspx). I’ll post an update when I have a better idea that it is actually available. I now have on good authority that not only is the new part number available for order, but someone has actually received their copy of the media. Well, it seems that even though someone was able to order the media, it still has yet to get delivered to that person. Plus another person was having difficulty getting the media ordered. So, it’s back to “I’m not sure what the status is” status on the Entourage media. I received confirmation on 10/23/2006 that the Entourage media is happily in the hands of the person who ordered it in mid-September. I think it’s finally out there…

May 22nd, 2006

First Observations - Intel-based Macs

I originally posted this on my business-focus blog, but thought it would be of interest to readers of this blog as well. This is the first post in a series on the new Intel-based Macs.

I have to admit that when I heard Apple was releasing a new series of Macs based on the Intel chip, I was a little befuddled. For years, one of the claims to fame of the PPC and G-series CPUs was that they ran circles around the Intel equivalents in terms of performance. Soon enough, I started hearing about how Apple had, once again, done a fabulous job of porting their entire solution to a completely different hardware structure (à la Motorola 68000 CPU architecture to PPC architecture) in a way that was seamless to the end user. Then there were reports that you could actually install Windows XP and run it on one of the Intel-based Macs, some reports indicating that Windows even ran better on an Intel-based Mac than on your average name-brand Windows-only PC.

Then two announcements caught my attention. The first came from Apple, introducing a public beta of a software known as Boot Camp. The second came from a company I had previously not heard of called Parallels, announcing a solution that would allow you to run non-Mac operating systems in a virtual environment on Intel-based Macs.

Needless to say, my curiosity was piqued, and I started my research. That, combined with several queries from my mixed environment clients, prompted me to acquire an Intel-based Mac and do my own research. What follows are my initial observations of the solutions.