Tuesday 28 August 2007

Mac on SBS - WSUS and the iMac

We are in the process of formatting and reinstalling the iMac. We are going to run through the SBS setup steps a number of times so we can refine our setup procedures for OS X 10.4.x Tiger. So, this post is coming via one of our Windows workstations.

We were greeted with a warning from WSUS on SBS R2 not long after the iMac was added to the domain:

There are 1 computer(s) that have not registered with Update Services. For more information, click More Information, and then in the Troubleshooting section click Common Problems.

So, WSUS wants the iMac to register as per the common Group Policy that requires all Active Directory registered workstations to be updated via WSUS if it is installed on SBS RTM or SBS SP1. SBS R2 has WSUS installed by default.

Well, we all know that a Mac cannot be updated via WSUS! ;)

Under Advanced Management on the SBS server, then in Group Policy Management, click on the Small Business Server Update Services Common Settings Policy. Click on the Settings tab on the right hand side. Click the Show All near the top right of the settings page. Right click anywhere in the page, and print it. You will need those settings for the next steps.

The simplest method to eliminate the WSUS error message is to create an OU beside SBSComputers called SBSMacs. You will find SBSComputers under Domain\My Business\Computers in Group Policy Management.

After adding a Mac to the domain, it will show up in the default Computers group under the domain in Active Directory Users & Computers. So, once the SBSMacs OU is created, open ADUC under Advanced Management and move any Mac computers out of the default Computers folder into the new SBSMacs OU. Answer Yes if you are warned about moving them.
Create and link a new Group Policy Object (GPO) to the SBSMacs OU and call it SBSMacs Update Policy or something to the like. Once you have created the GPO, right click on it and click "Enforced". The Enforced setting will override the relevant GP settings from the default domain level GP.

You will end up with the following:

Edit the SBSMacs Update Policy by right clicking on it under the SBSMacs OU and clicking on Edit..., and Disable any of the Enabled settings found in the Small Business Server Update Services Common Settings Policy that we printed out previously.

Once the settings are completed, Start-->Run-->GPUpdate /force [Enter] to update Active Directory on the SBS box and any other DCs on the domain.

Here is a screen shot of the default SBS Update Services Common Settings Policy GPO for reference:

It is best to not have the SBS Update Services Common Settings Policy opened for edit while disabling the specific GP settings in the Mac specific GPO. This eliminates the possibility of confusion and the subsequent disabling of the settings in the wrong GPO!

This should eliminate any Mac based computer having to register with WSUS and thus the Yellow Shield warning in SBS R2.

Remember, it is always a good idea to create specific Organizational Units located in specific places within Active Directory for any Group Policy tasks we have in mind. Group Policy Objects are subsequently linked to those OUs with the appropriate settings for our specific requirements as we have done here. No GPO at the domain level should be created or modified there unless there is an absolute need for it!

Philip Elder
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

No comments: