Does joining a Lion Open Directory with Windows actually work?

According to https://help.apple.com/advancedserveradmin/mac/10.7/#apd52648A71-571A-433C-81A8-2A7792333F22 it's possible to join a Lion Open Directory using a Windows machine, making it think it's joining an Active Directory domain.

However, I had no success whatsoever in actually making this work.

For one, not even the SRV record in DNS (on the same Lion server that's also running Open Directory) was created.

Once I had added that manually, replicating the real SRV record of a real Active Directory domain, Windows at least managed to find the server, but there was no success in actually connecting:

DNS was successfully queried for the service location (SRV) resource record used to
locate a domain controller for domain "miranda.pilif.home":

The query was for the SRV record for _ldap._tcp.dc._msdcs.miranda.pilif.home

The following domain controllers were identified by the query:
miranda.pilif.home


However no domain controllers could be contacted.

Common causes of this error include:

- Host (A) or (AAAA) records that map the names of the domain controllers to their IP  
  addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not 
  running.

Don't concern yourselves with the strange domain: this is a test Mac mini running Lion at home.

Seeing how spotty the documentation for Lion Server has been so far, I would be inclined to think that the documentation I linked above is just plain not true and that Lion, like its predecessors, doesn't support playing Active Directory master.

Am I correct in this assumption or am I doing something wrong while installing Lion? Has anybody ever had success in joining Windows to a Lion Open Directory?
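
The Windows message quoted above says the SRV lookup succeeded but no domain controller could be contacted, and lists a missing or incorrect A/AAAA record for the SRV target as a common cause. The script below is an added example, not part of the original question or of Apple's documentation: it parses a BIND-style zone fragment and reports which DC-locator SRV records are absent, which SRV targets have no A/AAAA record, and which SRV records advertise an unexpected port. Only `_ldap._tcp.dc._msdcs.<domain>` appears in the question; the other names in `LOCATOR_SRV` are the rest of the standard Windows DC-locator set for a domain, and the zone text is constructed for the demo to mirror the hand-made setup described (`miranda.pilif.home`).

```python
"""Check a zone fragment for the DNS records a Windows DC locator expects.

Added example for illustration; the zone data below is constructed, not copied
from the poster's server.
"""
import re
from dataclasses import dataclass, field

# SRV owner names a Windows client queries while locating a DC for a domain.
# Only the first one is named in the question; the rest are the standard
# domain-level locator records (site- and forest-level records are omitted).
LOCATOR_SRV = [
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kerberos._udp.{d}",
    "_kpasswd._tcp.{d}",
    "_kpasswd._udp.{d}",
]

# Well-known ports the SRV records are expected to advertise.
EXPECTED_PORT = {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464}

# owner [TTL] [IN] TYPE RDATA  (comments after ';' are stripped by the caller)
RR = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>A|AAAA|SRV)\s+(?P<rdata>.+)$",
    re.IGNORECASE,
)


def norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so lookups match."""
    return name.lower().rstrip(".")


@dataclass
class Zone:
    addresses: dict = field(default_factory=dict)  # name -> {A/AAAA rdata}
    srv: dict = field(default_factory=dict)        # name -> [(prio, weight, port, target)]


def parse_zone(text: str) -> Zone:
    """Parse fully-qualified A, AAAA and SRV records; ignore everything else."""
    zone = Zone()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue  # blank, comment-only, or $ORIGIN/$TTL directive
        m = RR.match(line)
        if not m:
            continue  # record types we do not model (SOA, NS, ...)
        name, rtype, rdata = norm(m["name"]), m["type"].upper(), m["rdata"].split()
        if rtype in ("A", "AAAA"):
            zone.addresses.setdefault(name, set()).add(rdata[0])
        else:
            prio, weight, port, target = rdata[:4]
            zone.srv.setdefault(name, []).append(
                (int(prio), int(weight), int(port), norm(target))
            )
    return zone


def check_dc_records(zone: Zone, domain: str) -> dict:
    """Return the locator records that are missing, dangling, or on an odd port."""
    domain = norm(domain)
    result = {"missing_srv": [], "targets_without_address": [], "wrong_port": []}
    for tmpl in LOCATOR_SRV:
        name = tmpl.format(d=domain)
        records = zone.srv.get(name)
        if not records:
            result["missing_srv"].append(name)
            continue
        expected = EXPECTED_PORT[name.split(".", 1)[0]]
        for _prio, _weight, port, target in records:
            # This is the "Host (A) or (AAAA) records ... are missing" case
            # from the Windows error text: the SRV answer names a host that
            # the client cannot resolve to an address.
            if target not in zone.addresses:
                result["targets_without_address"].append((name, target))
            if port != expected:
                result["wrong_port"].append((name, port, expected))
    return result


# Constructed zone: the hand-made _ldap SRV record from the question plus a
# Kerberos SRV record whose target has no A record, to show both failure modes.
SAMPLE_ZONE = """
$ORIGIN pilif.home.
miranda.pilif.home.                        3600 IN A   192.168.1.10
_ldap._tcp.dc._msdcs.miranda.pilif.home.   3600 IN SRV 0 100 389 miranda.pilif.home.
_kerberos._tcp.dc._msdcs.miranda.pilif.home. 3600 IN SRV 0 100 88 kdc.pilif.home. ; no A record
"""

if __name__ == "__main__":
    report = check_dc_records(parse_zone(SAMPLE_ZONE), "miranda.pilif.home")
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Run against a real zone by replacing `SAMPLE_ZONE` with the output of a zone transfer or a `dig` dump; an empty report only means the DNS side is consistent, it says nothing about whether the host behind the SRV target actually speaks the LDAP and Kerberos protocols a domain join needs, which is the part the question is really about.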


With eyes open, I upgraded from Snow Leopard Server to Lion Server for a client in a mixed environment. I was aware of the lack of domain support under Lion, that Windows machines could not be a part of the Open Directory, and that SSO for all Windows clients would be gone (which was not a big deal, because I had to configure all Windows 7 clients this way anyway due to lack of support in the Samba that was bundled with Snow Leopard Server, which was acting as a PDC).

So, I thought, hey, do the simple upgrade. You lose the PDC, but who cares really? So, after taking the 'plunge' so to speak, all Windows machines lost the ability to even connect to any of the shares that had been available pre-upgrade. I could smb:// from Macs to the server, but not from Windows to the server. I was getting messages like "the resource is not accessible"...

After over a week of back and forth with Apple support, I am still no closer. However, as administrator, I can connect to the server using the direct IP address (but not with the user accounts, even if I make them admins... which I also found curious)... which is a clue that it has something to do with user accounts and privileges, where something got lost in the migration.

The config tools are awful for Lion Server, giving you minimal options and little documentation on where to go or on how to solve problems. For example, I was unable to find out where and/or how to change the machine name shown to Windows users. Not documented anywhere. In fact, Windows support is a small check box beside each share asking if you want to share with Windows clients. Workgroup name: nowhere. Domain: nowhere. Machine name: nowhere. ARRGH. The server name can be adjusted by clicking on the server icon. Changing this only affects Mac clients, not Windows.

At the end, Apple representatives gave me lip service about how everyone's in competition and they don't really want each other to talk... and the fact that they do is a miracle. Don't buy it, but hey, I guess he ran out of suggestions for me.

On a newly configured 10.7 box with the Server utilities installed, there were no issues connecting to the shares from Windows clients, so this config works as advertised... just not the upgrade.

My next step is to blow out the OD and rebuild it along with the shares to see if that could be the cause. Stay tuned. Another few hours I won't get back.

Recommendation in hindsight... Snow Leopard Server works fine. Don't 'upgrade'. The tools offered in Lion Server are simplistic and any real configuration has to be done on the command line... Apple doesn't know how to solve the issues yet. If you want to be adventurous, go for it... just don't be surprised if you get bogged down in unexpected ways. A week's worth of productivity for me.


As far as I know, the SMB component in 10.7 is not capable of acting as a Domain Controller in any way, neither NT4 style nor AD. All it can do is act as an SMB2 server.

They have discontinued Samba in 10.7 because Samba switched to GPLv3, a license Apple is unable or unwilling to use, and instead wrote their own minimal SMB server.

As far as I am concerned, 10.7 Server is a terrible joke and it's the end of the line for me with Apple on the backend.


Am I correct in this assumption or am I doing something wrong while installing Lion? Has anybody ever had success in joining Windows to a Lion Open Directory?

Not likely, Lion having only been out for a couple of days as of this posting. I've already had to dissuade some of my users from upgrading due to critical incompatibilities.

As for Open Directory, the documentation is pretty scanty about exactly what it is doing. There are two ways to join an AD domain:

  • Join the Kerberos realm, which Kerberos-enabled services have been able to do since 2000.
  • Join the Windows domain through all of the Microsoft hooks, which has been possible through the Samba product (and others) for quite some time now.

When it comes to emulating a straight-up AD Domain Controller, which is what is needed to emulate Active Directory, things get a lot trickier. I know of one commercial product that can do it, as well as the still-in-development Samba 4 suite. The commercial product borrowed heavily from Samba 4 as I understand it (IIRC it has a GPL component and a closed-source component) to do what it does.

An earlier documentation page shows one way that Open Directory does what it does. It isn't terribly clear, but the "magic triangle" it is talking about suggests it is using AD for authentication in Open Directory, and allows using all the other Open Directory bits with it (whatever they may be).

In fact, it isn't clear at all that it is making an Active Directory domain. It could just be creating an NT4-style domain with a PDC, the kind that Samba has been doing for years now. Those don't need DNS records. The domain name in your case looks like it's either "MIRANDA" or "PILIF".