This is an overview document for integrating Podcast Producer into your Active Directory environment.
There are some fundamentals we need to check off before starting. First, and as is so commonly repeated, you need to check your DNS. This integration will work best when DNS is hosted by your Windows servers. The setup testing here was done with a Windows 2003 server with Active Directory and DNS running on the same server. When checking DNS you want to ensure that both the forward and reverse DNS entries are set up correctly. You can use dig, nslookup or host to accomplish this.
bash-3.2# host pcpserver.example.com
pcpserver.example.com has address 10.0.1.5
bash-3.2# host 10.0.1.5
220.127.116.11.in-addr.arpa domain name pointer pcpserver.example.com.
Once you've verified that DNS is set up correctly, install Leopard Server. Chose the advanced setup, configure with a static IP and name to match the one that you checked in the DNS setup, but leave the Directory setup as stand-alone for the moment. Once configured run all you software updates to bring you up to the most recent version of OS X Server.
While waiting for your software updates, get in touch with your Active Directory administrators and get a new account set up for binding the server to the Active Directory server. This needs to be an account that has the ability to create a computer record in Active Directory - full administrator rights are not required. With your newly acquired AD account, bind your server using Directory Utility to Active Directory, and test that you can lookup AD users to ensure everything is working correctly. If this doesn't complete correctly you'll have to go through troubleshooting steps for getting a successful bind before proceeding.
Now that you're bound to Active Directory we can set up Open Directory on the OS X Server. The reason we do the setup this way round is to ensure that kerberos does not start on our OD Master. We only want kerberos tickets handed out from one location, and that is our Active Directory server. Set up Open Directory from Server Admin on your OS X Server, verify after going through the setup assistant that kerberos is not running.
Podcast Producer requires the group administrator user to be an Open Directory or local account, our testing used the user pcastadmin set up in Open Directory. See http://support.apple.com/kb/TA25011 for further details, but as of 10.5.6 the note about the HTTP authentication at the end of this article is no longer required - Podcast Producer now supports any combination of authentication methods, as described here - http://support.apple.com/kb/HT3289
After creating the pcastadmin user in Workgroup Manager, make this user an admin user on the server - this is required for podcast postings using the built-in workflows. You can set up a couple other regular Open Directory users for testing at this point if you like. I should point out at this point in time also, that if you're planning on running your web server on another server you will need to add the pcastadmin user to the local admin group of the web server.
Next comes setting up the website on our server. Go to web in Server Admin, select the Sites tab and select the default domain that's already in there. We need to rename the domain to be the FQDN (Fully Qualified Domain Name), so pcpserver.example.com in the Domain Name field in our case. From the Web Services tab in our site we need to enable Wiki and blog. Save your settings, and start Web in Server Admin.
Back in Workgroup Manager we set up a new group called "Podcasts", and add the pcastadmin user and some test users from both Open Directory and Active Directory. We also want to enable wiki services for this group - while this is possible in Workgroup Manager, I've seen better success enabling the wiki for a group within the Directory.app, found in /Applications/Utilities. Once doing this, open a web browser, and go to your server, in our case we went to pcpserver.example.com and test the "Podcasts" group wiki. If you aren't seeing the group wiki at this point in time you will need to troubleshoot the group wiki creation before carrying on.
Next is going to be the configuration of Xgrid. We need this to be a kerberized service however, so before setting up Xgrid we need to enable Single Sign-on for all supported services as we're using this server with Active Directory.
bash-3.2# sudo dsconfigad -enablesso
Use the "Configure Xgrid Service..." button on the Overview pane of Xgrid to set up the service. Chose "Host a Grid", and when prompted for a username and password, ensure that it's looking to /Active Directory/All Domains for it's authentication. Use the same username and password that you used from AD to bind your OS X Server to Active Directory. Continue through the setup, and Xgrid should start. Check the Settings pane, and ensure the Controller Authentication is set to Kerberos. If you have any issues with Xgrid starting, or the authentication is not set to Kerberos, you have to troubleshoot this step before continuing on. The logs will be you best place to start looking - if you see something similar to the following in the logs:
servermgrd: ERROR in record creation: Error Domain=OpenDirectoryFramework Code=-14140 UserInfo=0x25161f0 "Unable to create record pcpserver.example.com:/private/var/xgrid/sfs in /Active Directory/All Domains."
This is an issue with Kerberos - ensure you ran the dsconfigad -enablesso, and check your Kerberos files. You can test Xgrid is set up correctly by opening the Xgrid Admin application, select your server as the Xgrid controller to connect to, and when prompted select single sign-on rather than entering a username and password. At this point you should be prompted with a kerberos window to get your ticket. If you are able to then view your controller you've set Xgrid up correctly.
Moving onto configuring Podcast Producer in Server Admin. Set up the properties with the appropriate user, group, e-mail etc as shown in the Podcast Producer PDF from Apple - http://images.apple.com/server/macosx/docs/Podcast_Producer_Admin_v10.5.pdf . For this example our group is the Podcasts group we set up earlier, and our group administrator os the pcastadmin user we set up in Open Directory, while the Xgrid user is an Active Directory user. If these settings aren't fully configured the built-in workflows may fail. You may find that in setting up Podcast Producer it reports that Xgrid is unavailable - you can ignore this as long as you can use Xgrid Admin successfully.
Mail services for Podcast Producer can be configured either on OS X Server, or on the Windows server, however, you will need to be able to contact the SMTP server to send out notifications. Do note, that if the user submitting the job to Podcast Producer does not have an e-mail address specified in their account the mail task will fail.
Finally, it's time to test your deployment. From a client machine, open Podcast Capture and test a workflow with both an Open Directory user that's in the Podcasts group and an Active Directory user from the Podcasts group. If the jobs show up in Xgrid Admin your setup is working - even if the job fails - the failure is usually based around bad property settings in the Podcast Producer pane of Server Admin. In 10.5.6 or later you can also use single sign-on with Podcast Capture - your client machine must be bound and using a network account or a manually acquired kerberos ticket from the Kerberos application (/System/Library/CoreServices/Kerberos.app).
If you're planning on using the workflows to publish to the built-in wiki/blog you will need to enable clear text authentication due to the authentication methods that Active Directory supports as described here - http://support.apple.com/kb/TS1619. As noted, you can use SSL on the site after doing this, however, this will break the "subscribe to podcast" link in the wiki/blog - you can still subscribe in iTunes however if you use the https URL to point to the RSS feed.
Once this is all set up and working no doubt you'll have more than one group wanting to use the Podcast Producer setup - to separate out workflows for different groups take a look at the script provided here - http://pcast-producer.blogspot.com/2008/01/creating-new-workflows-from-script.html