Scoping Distribution Point to use Extension Attribute

daworley
Contributor II

I wrote an extension attribute to determine what AD site the Mac is using, via the Centrify tools.

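#!/bin/bash
# Extension attribute: report the Active Directory site for this Mac,
# as seen through the Centrify binding.
site=$(adinfo -s)
if [ -z "$site" ]; then
    # adinfo returned nothing, so report a fixed value
    echo "<result>none</result>"
else
    echo "<result>$site</result>"
fi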

So far, this works like a charm. Please use this if it is useful to you.

My question is, moving forward, how can I use this result to determine which local server to use? (Distribution Point, NetBoot, SUS, etc.)

The only obvious solution would be to have smart group logic for each policy... but that would require duplicating every policy for each site. I don't see that scaling well.

I would love for scoping the servers to input from an Extension Attribute, or some direct method like this.

4 REPLIES

tlarkin
Honored Contributor

Hey Douglas,

You can leverage your existing network infrastructure to set distribution points, SUS, and Netboot servers. If you know certain buildings have specific VLAN and subnet ranges you can use network segments to scope this out and the framework does this automatically. No scripting required.

If this doesn't work for you, and each specific location has a specific binding, I think you may be able to use the dsconfigad -show command and manipulate the output of that command and then build in some logic that will set the proper extension attribute for scoping these things.

I personally think the network segments is the best solution, but I know that isn't always possible.

Let me know if any of that helped.

Thanks,
Tom

alexjdale
Valued Contributor III

Network segments do work best, but I know in my situation I have over 500 segments I will have to create to get proper coverage. Being able to use the current site code of a system would certainly make things easier.

If Casper could ever tie into AD Sites and Services, that would be a huge boon for large global enterprises.

bentoms
Release Candidate Programs Tester

Alex, you can have a network segment overlapping 2 VLANs like

Starting: 10.1.1.1
Ending: 10.1.2.255

Would that cut the number down?

You can also create one like

Starting: 1.1.1.1
Ending: 255.255.255.255

If you use the above examples, if a device is in the 10.1.1.x - 10.1.2.255 range it will come under that network segment. Else it will come under the second segment.

mm2270
Legendary Contributor III

Network Segments would work best, but unfortunately it isn't a valid solution in every environment.
What would be nice is if there was a checkbox to make the "Override Default Policy Settings" section under the General tab of a policy permanent. Right now they work on a policy by policy basis and do not permanently make those servers the designated ones for that computer or group of computers. If we could do that, then scoping a policy on a Smart Group that uses that Extension Attribute info would work. Computer is part of such and such "$site", then a policy runs on next check in that sets the server management framework for it, and it sticks. Sadly that cannot be done with the current Casper Suite.