Late last year, Apple released an updated document detailing how to manage Macs in an Active Directory environment.  You can either add an Open Directory server to the mix, which is another LDAP directory (sorta like AD, except for Macs), or you can take the Apple-specific “schema” modifications from Open Directory and apply them to AD (this is called extending the schema).  By the way, an LDAP schema defines which object classes and attributes a directory is allowed to store, such as usernames, computer names, phone numbers, etc., but that’s really way out of scope of this post.

Anyway, even though Apple was nice enough to provide that document (grab it here: http://training.apple.com/pdf/wp_integrating_active_directory.pdf), they didn’t go so far as to *give* us the schema (LDIF) file.  They make us create it on our own.  Ugh, really, Apple?  Their argument is that if we are forced to create our own LDIF file, then we’re sure to capture the exact differences between our AD and Open Directory (OD).  That is sort of a valid argument, but having gone through the process of creating that LDIF file, the instructions are so specific that it appears everyone will end up with exactly the same file, so why didn’t they just give it to us in the first place?  But I digress…

Anyway, the document is well written and easy to follow.  They want an OD server, an AD server, and an XP box in the middle with the ADAM (AD Application Mode) tools installed so that we can connect to both directories and spit out the schema differences.  This was slightly annoying because I haven’t had an XP box around for… quite some time.  What I did was to use a Windows 2008 test server I had laying around, and added the AD LDS role.  AD LDS (Lightweight Directory Services) is the 2008 successor to ADAM.  After installing that, the same schema diff tool (AD Schema Analyzer) was still available, so I didn’t need an XP box, and the instructions still worked flawlessly.

To save you some trouble, just grab the file here:  apple-mods.ldf

Obviously, be sure to test this in a TEST ENVIRONMENT first.  A schema extension is forest-wide and effectively permanent (classes and attributes can be marked defunct later, but never deleted), and these changes aren’t as common as Microsoft-provided schema updates, so who knows how they will affect your existing environment, especially if someone before you has already extended your schema with earlier Apple stuff.  Before importing, look in the schema partition for objects with the same names as the ones in the LDIF, and take a system-state backup of the schema master.
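Here is a pre-flight and import script for that test run, written in PowerShell against the RSAT ActiveDirectory module.  It is an added example, not code from the original post or from Apple’s document, and it assumes things the post does not state: that apple-mods.ldf sits in the current directory, that its DNs use the `DC=X` placeholder AD Schema Analyzer writes in place of the forest root (change the `-c` arguments to ldifde if yours differ), that Apple’s schema objects carry an `apple-` prefix, and that the forest name `test.example.local` is a placeholder for your own lab.  It refuses to run outside the listed forest, checks that you are on the Schema Master with a Schema Admins token, lists any objects from the LDIF that already exist in the schema (the “someone before you” case), and only then imports, reloads the schema cache, and verifies that the objects arrived.

```powershell
<#
  Added example, not part of the original post or Apple's document.
  Pre-flight checks and a guarded import of apple-mods.ldf into a TEST forest.
  Assumptions (none stated on the page): the LDIF sits in the current directory,
  its DNs use the "DC=X" placeholder emitted by AD Schema Analyzer for the forest
  root, and the objects it adds are named with Apple's "apple-" prefix.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$LdifPath = ".\apple-mods.ldf",
    # Forests you are willing to touch. Anything else is refused. Placeholder name.
    [string[]]$AllowedForests = @("test.example.local")
)
Import-Module ActiveDirectory -ErrorAction Stop

$rootDse  = Get-ADRootDSE
$forest   = Get-ADForest
$schemaNC = $rootDse.schemaNamingContext
$rootDN   = $rootDse.rootDomainNamingContext      # what "DC=X" becomes on import

# 1. Refuse to run anywhere but an explicitly allowed (test) forest. Schema changes
#    are forest-wide and cannot be undone, only marked defunct.
if ($AllowedForests -notcontains $forest.Name) {
    throw "Forest '$($forest.Name)' is not in the allow list; do not trial schema changes in production."
}

# 2. Schema writes succeed only on the Schema Master and only for members of
#    Schema Admins (well-known RID 518 in the forest root domain). Fail here,
#    not half way through the import.
if ($rootDse.dnsHostName -ne $forest.SchemaMaster) {
    throw "Connected to $($rootDse.dnsHostName); the Schema Master is $($forest.SchemaMaster)."
}
$rootDomainSid   = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$schemaAdminsSid = "$rootDomainSid-518"
$tokenGroups     = [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value
if ($tokenGroups -notcontains $schemaAdminsSid) {
    throw "Current token lacks Schema Admins ($schemaAdminsSid); log off and on after adding yourself."
}

# 3. Has someone already extended this schema with Apple objects? Compare what
#    the LDIF intends to add against what exists, rather than guessing.
$planned = Select-String -Path $LdifPath -Pattern '^dn:\s*CN=([^,]+),' |
           ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique
$clash = foreach ($cn in $planned) {
    # Apple's object names are letters and hyphens, so no LDAP filter escaping is needed.
    if (Get-ADObject -SearchBase $schemaNC -LDAPFilter "(cn=$cn)") { $cn }
}
$anyApple = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=apple-*)" |
            Select-Object -ExpandProperty Name
if ($clash -or $anyApple) {
    $found = @($clash) + @($anyApple) | Sort-Object -Unique
    Write-Warning ("Already in schema: " + ($found -join ", "))
    throw "Schema already carries Apple objects; diff them against the LDIF before importing."
}

# 4. Import without -k so every error is visible (ldif.log / ldif.err land in $PWD),
#    then reload the schema cache and confirm the objects are really there.
if ($PSCmdlet.ShouldProcess($forest.Name, "Import $(@($planned).Count) schema objects from $LdifPath")) {
    ldifde -i -f $LdifPath -c "DC=X" $rootDN -j $PWD.Path
    if ($LASTEXITCODE -ne 0) { throw "ldifde exited with $LASTEXITCODE; see ldif.log in $($PWD.Path)" }

    # schemaUpdateNow on RootDSE forces the DC to reload its schema cache.
    $rd = [ADSI]"LDAP://RootDSE"
    $rd.Put("schemaUpdateNow", 1)
    $rd.SetInfo()

    $missing = foreach ($cn in $planned) {
        if (-not (Get-ADObject -SearchBase $schemaNC -LDAPFilter "(cn=$cn)")) { $cn }
    }
    if ($missing) { throw "Not found after import: $($missing -join ', ')" }
    "Imported and verified $(@($planned).Count) objects in $schemaNC"
}
```

Run it once with `-WhatIf` to see the checks and the object count without touching anything, then for real in the lab.  Leaving `-k` off ldifde is deliberate: the usual advice to ignore “object already exists” errors is exactly what hides a half-applied earlier Apple extension.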

Hat tip to Michael Kuron, who has a blog post on an earlier schema update.  If you’re considering extending your schema, you’ll definitely want to read the comments at the bottom of that post.  Very informative.

-Robbie