Snow Leopard Server in 'Magic Triangle' setup not allowing managed preferences in WM to be saved

Question

I have setup a new Snow Leopard Server (10.6.4) in a Magic Triangle setup (Dual Directory Integration), but am not able to manage preferences from within Workgroup Manager and am wondering if I might be missing something.

I've bound it to AD, ran "sudo dsconfigad -enablesso", setup the server as OD master, and checked that my DNS is all correct.

When I attempt to save a change I've made to a setting for 1 computer (eg. Energy Saver pref to turn off the computer everyday at 8pm), I get an error message saying, "Error while saving record "compname$": The directory system schema does not support storing Managed Desktop settings." This gives me a message in the console from WorkGroup Manager, "DirServices [dsAddAttribute] error: -14140"

Also, when I push the button to create a new computer group for my macs I get the following error: "Got unexpected error Error of type eDSNoStdMappingAvailable (-14140) on line 1268 of /SourceCache/WorkgroupManager/WorkgroupManager-361.3.1/PMMUGMainView.mm" This same message shows up in the Console.

In WM, I am authenticated as a domain admin to the Active Directory and can see all the users, user groups and computers from the AD, but no computer groups. The button to create a new user, new user group, or new computer are greyed out, and only the New Computer Group is available, though as stated above, I can't actually use it.

Other things that might be helpful: In my Search Policy, AD is listed above the OD. I have only bound one mac client machine to it as a test. OD is the only service currently running on the server.

Answer 1

It sounds like you're trying to edit the users, computers, etc. directly in AD; that's not the way magic triangles work. You need to create groups in OD, put your AD users into the OD groups, and apply management settings to the OD groups. If you want to do computer-based management, you can either put the AD computer objects into OD computer groups and manage those, or create OD computer entries (with the Ethernet ID entered, so they can ID themselves), put OD first in the Search Policy so those'll override the AD computer objects, and manage the OD computers and/or OD computer groups you put those into.

To control whether you're editing the AD or OD domains, there's a hidden pop-up menu just under the Accounts and Permissions buttons (where it says something like "Viewing ..." or "Authenticated as ..."), and then maybe authenticate into that domain by clicking the padlock at the far right.

To add AD users to an OD group, go to the group's Members tab, click + to show the users/groups sidebar, then use the similar hidden pop-up menu at the top of that to select your AD domain, then drag AD users (and/or groups) from the sidebar into your OD group's members list.

Answer 2

From my understanding of the way the Magic Triangle works you will need to bind your client first to OD and then second to AD and on the client the Search Policy needs to have OD listed first. So the machine can receive policies from the OD and authenticate the user with AD.

In addition, even when authenticated with a Domain Admin account to AD you won't be able to manage AD from Workgroup Manager without extending the AD Schema (which is why I'm assuming those buttons are grayed out).