Connecting Macintosh OS X 10.3 and Higher Clients to a Windows Small Business Server 2003 Network

Objective

This document helps you connect Macintosh computers running Macintosh OS X version 10.3 or later to a server running the Microsoft® Windows® Small Business Server 2003 server software (Windows SBS). After you complete the steps outlined in this document, Macintosh users can access resources on the server, which include shared files, e-mail using either the Microsoft Entourage® 2004 e-mail and personal information manager or Microsoft Outlook® Web Access (OWA), the https://companyweb Web site, and Remote Web Workplace.

Important

This document applies only to Macintosh computers running Macintosh OS X version 10.3 or later. If you have Macintosh client computers that are running Macintosh OS X version 10.2, and you are not using the .local label for the full DNS name of your internal domain, then the users of those client computers can also access resources on the server. However, this document does not include the exact steps for Macintosh OS X version 10.2.

Note

Macintosh OS X version 10.3 uses the .local label for its Rendezvous service to discover other computers that are members of the network. It is recommended that you do not use the .local label for the full DNS name of your internal domain. Instead, use .lan or .office as the label. If you must use the .local label, then you must also configure settings on the Macintosh computers as described in this document so they can discover other computers on the network.

Overview

Before you begin connecting Macintosh client computers to the Windows SBS network, you must complete the following tasks:

  • Setup and To Do List. Complete Windows SBS Setup, which includes the To Do List. The To Do List appears at the end of Setup and helps you finish configuring Windows SBS.
  • Domain user account. Create a domain user account for the Macintosh user. For more information about creating a user account, on the server, click Start, click Help and Support, click Manage users and groups, and then click Add a user account.
  • Web Services. Allow access to the following services by using the Configure E-mail and Internet Connection Wizard:
    • Outlook Web Access
    • Remote Web Workplace
    • Server performance and usage reports
    • Windows SharePoint® Services intranet site
    • For more information about how to allow access to these services using the Configure E-mail and Internet Connection Wizard, on the server, click Start, click Help and Support, click Manage Internet access, and then click Allow access to Web services on the server.
  • Register Internet domain name. If you want users to be able to access e-mail or to use Remote Web Workplace, then register an Internet domain name (for example, www.wingtiptoys.com). For more information about registering an Internet domain name, see Appendix A in Getting Started at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=20122).

If you are using a router between the server and the client computer, ensure that the router supports the AppleTalk protocol. Otherwise, you cannot connect a Macintosh computer to the server. For more information about what protocols the router supports, check the manufacturer’s documentation for the router.

To connect Macintosh client computers to a server running Windows SBS, complete the following steps:

  • Step 1: Install the latest Macintosh updates. Install the latest software updates on your Macintosh computers.
  • Step 2: Collect required information. Collect all the information that is required to connect your Macintosh computers to the Windows SBS network.
  • Step 3: Configure DNS. Configure DNS settings on your Macintosh client computers to look up .local names using Rendezvous and standard DNS.
  • Step 4: Share folders. Configure the client computers and the server to share folders on the server.
  • Step 5: Access e-mail. Configure the client computers to access e-mail on the server.
  • Step 6: Access the companyweb Web site. Configure security settings on the server to enable the client computers to access the https://companyweb Web site.
  • Step 7: Access Remote Web Workplace. Configure the client computers and the server to enable access to Remote Web Workplace.

Step 1: Install the Latest Macintosh Updates

Install the latest updates to improve the security, functionality, and stability of your Macintosh client computers.

To install the latest Macintosh updates

  1. On the Macintosh computer, from the Apple menu, click Software Update.

  2. Select the updates you want to install, and then click Install X Items, where X is the number of items you selected.

Note

It is recommended that you install all of the items.

Step 2: Collect Information

Collect the following information in Worksheets 1 and 2, which are in the appendix at the end of this document:

  • Server IP address.
  • Server NetBIOS name or internal domain name.
  • Registered Internet domain name.
  • Domain logon name and password for the Macintosh user.
  • Local administrator account name and password for the Macintosh computer.

Step 3: Configure DNS

Note

If your internal domain name does not end with the .local label, skip this section and continue with “Step 4: Share Folders Using the SMB Protocol.”

If you are using the .local label for the full DNS name of your internal domain, then the Macintosh computers cannot discover other computers that are members of the network and that use the .local label. Macintosh OS X version 10.3 uses the .local label for its Rendezvous service. To work around this, it is recommended that you do not use the .local label for the full DNS name of your internal domain. If you must use the .local label, then you must also configure DNS settings on the Macintosh computers so they can discover other computers on the network. To do this, complete these steps, using the procedures that follow them:

  1. Configure TCP/IP settings on the client computers. Configure the TCP/IP settings on the client computers to specify the search domain explicitly, so that the client computers resolve .local names correctly.
  2. Enable unicast .local resolution on the client computers. Enable the client computers to use unicast DNS (also called standard DNS) instead of multicast DNS to resolve names in the domain.local address space. Using the script described in the procedure, you can configure a Macintosh computer to look up all .local names on the local network by using either Rendezvous technology or unicast DNS (if the host is not available via Rendezvous). The client computer continues to use multicast DNS to look up all other names.
  3. Modify the proxy exclusion list. Add the NetBIOS server name, the fully qualified domain name, and the NetBIOS domain name to bypass the proxy settings.
  4. Verify DNS resolution. Verify that the NetBIOS server name, the fully qualified domain name, and NetBIOS domain name are resolving correctly on the Macintosh computer.

Important

To complete these steps, your domain name cannot include the word “domain” in it (for example, do not use smallbusinessdomain.local) and your NetBIOS name cannot be longer than 15 characters.

To configure TCP/IP settings on a client computer

  1. From the Apple menu, click System Preferences.

  2. Click the Network icon.

  3. In the Show box, click Built-in Ethernet, and then click Configure.

  4. In the DNS Servers box, type the internal (local) IP address of the computer running Windows SBS.

  5. In the Search Domains box, type DomainName.local, where DomainName is the internal (local) domain name of your server running Windows SBS (see Figure 1).

  6. Click Apply Now.

  7. If an address appears in the IPv6 Address box, click Configure IPv6, select Off in the Configure IPv6 drop-down menu, and then click OK.

  8. Quit System Preferences.

To enable unicast .local resolution on a client computer

  1. Double-click Macintosh HD, double-click Applications, in the details pane double-click Utilities, and then double-click Terminal.

Important

The commands below are case-sensitive, and they do not use any variables. Type them exactly as they appear here. If you make a mistake while typing them, press CTRL+C and start again.

  2. At the command prompt, type the following command, and then press Return.

    sudo su

  3. Type the password for the local user account and then press Return.

Warning

You are now logged in as a system administrator. This mode gives you access to your root directory, so you should be careful when working in this mode.

  4. Type the following command and then press Return.

    cd /usr/sbin

  5. Type the following command and then press Return. A command prompt is not visible at this point. The command below is case-sensitive. Type it exactly as it appears here.

    cat > EnableUnicastDotLocal

  6. Enter the following four commands and press Return at the end of each one. The commands below are case-sensitive, and they do not use any variables. Type them exactly as they appear here.

    #!/bin/tcsh
    echo domain.local > /etc/resolver/local.1
    grep -v domain /etc/resolv.conf >> /etc/resolver/local.1
    echo search_order 2 >> /etc/resolver/local.1

  7. Press CTRL+D. The command prompt appears again.

  8. Type the following command, and then press Return. The command below is case-sensitive. Type it exactly as it appears here.

    chmod +x EnableUnicastDotLocal

  9. Type the following command, and then press Return. The command below is case-sensitive. Type it exactly as it appears here.

    /usr/sbin/EnableUnicastDotLocal

  10. Type the following command, and then press Return. The command below is case-sensitive. Type it exactly as it appears here.

    cat /etc/resolver/local.1

  11. Confirm that DomainName.local and W.X.Y.Z are correct, where DomainName is the name of your domain and W.X.Y.Z is the internal IP address of your server. If the results list multiple servers, and their IP addresses are not identical to the IP address for your server, then verify that the first line that starts with nameserver contains the IP address of your server.

    Your result should be similar to this:

    domain.local
    search DomainName.local
    nameserver W.X.Y.Z
    search_order 2

  12. Press CTRL+D, and then press Apple key+Q to quit the Terminal application.
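
The confirmation at the end of this procedure, and the name restrictions stated under Important above, can also be checked with a script. The following sh script is an added example and is not part of the original document: it tests a domain name and a NetBIOS name against those restrictions, and checks a resolver file for the search line, the first nameserver entry, and search_order 2. The function names, the sample file names, and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original document). Function names are
# illustrative and the sample data is constructed.
# Usage: sh <this file> /etc/resolver/local.1 DomainName.local W.X.Y.Z

# check_names DNS_DOMAIN NETBIOS_NAME
# EnableUnicastDotLocal copies /etc/resolv.conf through "grep -v domain",
# which drops every line that contains "domain", including the search line
# of a domain with that word in its name. The name is lowercased first so
# that any spelling of the word is flagged.
check_names() {
    cn_lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case $cn_lower in
        *domain*)
            echo "FAIL: '$1' contains the word 'domain'"
            return 1 ;;
    esac
    if [ "${#2}" -gt 15 ]; then
        echo "FAIL: NetBIOS name '$2' is longer than 15 characters"
        return 1
    fi
    echo "OK: names meet the Step 3 restrictions"
}

# check_resolver_file FILE DNS_DOMAIN SERVER_IP
# Reports every problem found and returns 1 if there was at least one.
check_resolver_file() {
    rf_file=$1 rf_domain=$2 rf_ip=$3 rf_rc=0
    if [ ! -r "$rf_file" ]; then
        echo "FAIL: cannot read $rf_file"
        return 1
    fi
    # The search line must name the internal domain (compared ignoring case).
    if ! awk -v d="$rf_domain" '
            BEGIN { want = tolower(d) }
            $1 == "search" { for (i = 2; i <= NF; i++) if (tolower($i) == want) found = 1 }
            END { exit !found }' "$rf_file"; then
        echo "FAIL: no search line for $rf_domain"
        rf_rc=1
    fi
    # Only the first nameserver line has to be the Windows SBS server.
    rf_first=$(awk '$1 == "nameserver" { print $2; exit }' "$rf_file")
    if [ "$rf_first" != "$rf_ip" ]; then
        echo "FAIL: first nameserver is '${rf_first:-none}', expected $rf_ip"
        rf_rc=1
    fi
    rf_order=$(awk '$1 == "search_order" { print $2; exit }' "$rf_file")
    if [ "$rf_order" != "2" ]; then
        echo "FAIL: search_order is '${rf_order:-missing}', expected 2"
        rf_rc=1
    fi
    if [ "$rf_rc" -eq 0 ]; then
        echo "OK: $rf_file"
    fi
    return "$rf_rc"
}

# write_samples DIR
# Writes two constructed sample files: one correct, and one in which the
# search line is missing and another address precedes the server.
write_samples() {
    cat > "$1/good.local.1" <<'EOF'
domain.local
search smallbusiness.local
nameserver 192.168.16.2
search_order 2
EOF
    cat > "$1/bad.local.1" <<'EOF'
domain.local
nameserver 192.168.16.1
nameserver 192.168.16.2
search_order 2
EOF
}

# When called with FILE DNS_DOMAIN SERVER_IP, check that file.
if [ "$#" -eq 3 ]; then
    check_resolver_file "$1" "$2" "$3"
fi
```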

To modify the proxy exclusion list

  1. From the Apple menu on the Macintosh computer, click System Preferences.

  2. Click the Network icon.

  3. Click Built-in Ethernet, and then click Configure.

  4. Click the Proxies tab.

  5. In Bypass proxy settings for these Hosts & Domains, type the NetBIOS server name, the NetBIOS domain name, the fully qualified domain name of the server, the internal domain name, and https://companyweb. You recorded this information in Worksheet 1. Type each name on a separate line.

Note

If the server is running Microsoft Internet Security and Acceleration (ISA) Server, also type publishing.InternalDomainName.local, where InternalDomainName is the internal domain name (see Worksheet 1).

  6. If the server is running ISA Server, select Web Proxy (HTTP) and Secure Web Proxy (HTTPS), and under Web Proxy Server, enter the IP address of the server (see Worksheet 1).

  7. Click Apply Now.

Verify DNS query resolution

  1. From the Macintosh HD, click Applications, click Utilities, and then click Network Utility.

  2. On the Network Utility window, click the Ping tab.

  3. Under Please type the network address to ping, enter the following addresses, which you recorded in Worksheet 1. Enter them one at a time, in order to test them:

  - NetBIOS domain name (for example, smallbusiness)
  - Internal domain name (for example, smallbusiness.local)
  - NetBIOS server name (for example, sbsserver)
  - Fully qualified domain name of the server (for example, sbsserver.smallbusiness.com)
  - If the server is running ISA Server, then enter Publishing.DomainName.local, where DomainName is the NetBIOS domain name

Note

A successful ping response indicates that the computer is resolving the above DNS queries correctly. If the ping response is unsuccessful, repeat all the steps listed in this section, "Step 3: Configure DNS."

After you complete these procedures, the Macintosh client computer can correctly resolve the fully qualified domain name of the server.

Step 4: Share Folders Using the SMB Protocol

You can access the Users Shared Folders that are stored on the server by using the server message block (SMB) protocol. To access the Users Shared Folders, you must configure both the server and the client computer. If you want to use the SMB protocol to access files that are located on the server from the Macintosh computer, complete these steps, using the procedures that follow them:

  1. Configure the SMB settings by using Directory Access on the client computers.
  2. Disable SMB signing on the server.

Warning

If all of the SMB packets that pass between the client computer and the server are digitally signed, then you can be sure they are authentic. If you disable the Microsoft network server: Digitally sign communications (always) or Microsoft network server: Digitally sign communications (if client agrees) Group Policy settings, then your network is vulnerable to man-in-the-middle attacks, which modify SMB packets in transit. If your organization’s business needs require SMB signing, you should use File Services for Macintosh instead. For step-by-step instructions about using File Services for Macintosh to access shared files located on the server, see the appendix at the end of this document.

  3. From the client computers, connect to the shared folders on the server.

Configure SMB Settings by Using Directory Access

This step configures the client computer and enables it to discover Windows SMB file servers (in this case, the computer running Windows SBS) by using Directory Access.

To configure SMB settings by using Directory Access on a client computer

  1. On the client computer, double-click Macintosh HD, double-click Applications, double-click Utilities, and then double-click Directory Access.

  2. Click the lock to make changes.

  3. Enter the password for the local Macintosh account.

  4. Make sure the SMB check box is selected, and then click Configure.

  5. In the Workgroup box, type the NetBIOS name of the domain, which you recorded in Worksheet 1. (See Figure 3.)

  6. In the WINS Server box, type the internal IP address of the server, which you recorded in Worksheet 1, and then click OK.

  7. Click Apply, and then close Directory Access.

Disable SMB Signing on the Server

If the Microsoft network server: Digitally sign communications (always) Group Policy setting is enabled on the server, a client computer cannot establish a session with that server unless it has client-side SMB signing enabled. If the Microsoft network server: Digitally sign communications (if client agrees) Group Policy security setting is enabled, the SMB server negotiates SMB packet signing with client computers that request it.

Because Macintosh computers do not support SMB signing, you must disable both of these Group Policy settings on the server to ensure file sharing between the server and Macintosh client computers.

This step configures the server and creates a new Group Policy object (GPO) to disable digital signing of SMB packets on the server.

Warning

If all of the SMB packets that pass between the client computer and the server are digitally signed, then you can be sure they are authentic. If you disable the Microsoft network server: Digitally sign communications (always) or Microsoft network server: Digitally sign communications (if client agrees) Group Policy settings, then your network is vulnerable to man-in-the-middle attacks, which modify SMB packets in transit. If your organization’s business needs require SMB signing, you should use File Services for Macintosh instead. For step-by-step instructions about using File Services for Macintosh to access shared files located on the server, see the appendix at the end of this document.

To disable SMB signing on the server

  1. On the server, click Start, and then click Server Management.

  2. In the console tree, double-click Advanced Management, double-click Group Policy Management, double-click Forest, and then double-click Domains.

  3. Click the name of the internal domain, which you recorded in Worksheet 1.

  4. In the console tree, right-click the name of the internal domain (for example, smallbusiness.local), and then click Create and Link a GPO Here.

  5. In the Name box, type SMB Signing Disabled as the name of the new GPO, and then click OK.

    In the details pane, right-click the SMB Signing Disabled GPO that you just created, and then click Edit. Group Policy Object Editor opens.

  6. In the console tree of Group Policy Object Editor, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

  7. In the details pane, scroll down to Microsoft network server: Digitally sign communications (always), and then double-click it.

  8. Select the Define this policy setting check box, and then click Disabled.

  9. Click OK.

  10. Repeat steps 8 and 9 for Microsoft network server: Digitally sign communications (if client agrees).

  11. Close Group Policy Object Editor.

  12. In the Server Management console, right-click SMB Signing Disabled, and then click Enforced. Click OK to the message asking if you want to change the enforcement setting for this GPO.

  13. Verify in the Linked Group Policy Objects window that SMB Signing Disabled shows Yes for both Enforced and Link Enabled.

  14. Between the console tree and the details pane, locate the Up and Down arrows and use the Up arrow to move SMB Signing Disabled just above Default Domain Policy.

To immediately apply the new Group Policy settings

  1. On the server, click Start, click Run, and then type cmd to open the Command Prompt window.

  2. At the command prompt, type gpupdate /force and press Enter.

  3. When the update is finished, close the Command Prompt window and restart the server.

To connect to shared folders on the server from a client computer

  1. On the client computer, open Finder by clicking the Finder icon in the Dock.

  2. From the title bar, click Go, and then click Connect to Server.

  3. In Server Address, type smb://NetBIOSServerName/Users or type smb://workgroup@NetBIOSServerName/Users where NetBIOSServerName is the NetBIOS name of the server, and then click Connect.

  4. In the SMB/CIFS Filesystem Authentication dialog box (see Figure 4), do the following:

    • In Workgroup/Domain, type the domain name.
    • In Username, type the domain user name.
    • In Password, type the password.
  5. In the SMB mount dialog box, in Select a share, click Users. The USERS shared folder mounts on your desktop as a network icon.

  6. Repeat steps 1 through 4 of this procedure to access any other shared folder located on the server.

After completing these steps, Macintosh users can access their shared folder in the Users Shared Folders on the server by clicking the USERS network icon on the Macintosh desktop.

Step 5: Access E-mail

You can access e-mail on the server by using either or both of the following:

  • Entourage 2004
  • Outlook Web Access

If Entourage is installed on the client computer, then the Macintosh user can use either of these methods to access e-mail located on the server. Otherwise, Macintosh users need to use Outlook Web Access to send and receive e-mail.

Step 5a: Access E-mail Using Entourage 2004

To complete this step you must first use the Microsoft Office 2004 for Mac CD to install Entourage 2004 on your Macintosh computer. If you have not installed Entourage 2004 on the Macintosh computer, then proceed to "Step 5b: Access E-mail Using Outlook Web Access."

In order to use Entourage to access e-mail messages on the server, complete the following steps:

  1. Add the self-signed certificate that the server created to the Macintosh certificate store.
  2. Verify that the client computer is properly resolving DNS queries to the server.
  3. Set up an Exchange Server account on the client computer.

Add the self-signed certificate that the server created to the Macintosh certificate store

Note

If your server already has a signed certificate from a trusted certification authority, skip this step and proceed to the next section, "Verify DNS Query Resolution."

When you use a Macintosh client computer to try to access e-mail with Entourage, you get an error message. This is because Entourage does not recognize self-signed certificates, and you might have chosen to create a self-signed certificate when you first connected your server to the Internet.

To add the self-signed certificate to the Macintosh certificate store, complete the following steps, using the procedures that follow them:

  1. Connect to the ClientApps shared folder on the server from the Macintosh computer.
  2. Copy the server certificate to the Macintosh certificate store.

To connect to ClientApps shared folder on the server from a Macintosh computer

  1. On the Macintosh client computer, open Finder by clicking the Finder icon in the Dock.

  2. From the title bar, click Go, and then click Connect to Server.

  3. In Server Address, type smb://NetBIOSServerName/ or type smb://workgroup@NetBIOSServerName/ where NetBIOSServerName is the NetBIOS name of the server, which you recorded on Worksheet 1, and then click Connect.

  4. In the SMB/CIFS Filesystem Authentication dialog box, do the following:

    • In Workgroup/Domain, type the domain name.
    • In Username, type the domain user name.
    • In Password, type the password for access.
  5. In the SMB mount dialog box, in Select a share, click ClientApps. The CLIENTAPPS shared folder mounts on your desktop as a network icon.

To copy the certificate to the Macintosh certificate store

  1. On the Macintosh computer, click the Finder icon to open Finder.

  2. Click the Utilities folder in the Applications folder on your computer and locate (but do not click) Keychain Access. You do not need to start Keychain Access.

  3. From the desktop, double-click the CLIENTAPPS network icon.

  4. In CLIENTAPPS, in the details pane, click the SBScert folder.

  5. Drag the sbscert.cer certificate file under the SBScert window to the Keychain Access application under the Utilities window.

  6. In the Add Certificates dialog box, under Keychain, click X509 Anchors, and then click OK.

  7. In the Authenticate dialog box, under Password, type the password for the local Macintosh user account.
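
Before the certificate file is dragged into X509 Anchors, its fingerprint can be compared with the thumbprint shown for the same certificate on the server. The following sh functions are an added example and are not part of the original document; they assume that the openssl command-line tool is available on the Macintosh computer, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original document); function names are
# illustrative.
# Usage: sh <this file> path/to/sbscert.cer "thumbprint read on the server"

# cert_fingerprint FILE [DIGEST]
# Prints the certificate fingerprint as upper-case hex without separators.
# The file is tried as DER first and then as PEM (Base64), because a .cer
# file can hold either encoding. DIGEST defaults to sha1.
cert_fingerprint() {
    for cf_form in DER PEM; do
        if cf_out=$(openssl x509 -inform "$cf_form" -in "$1" -noout \
                        -fingerprint "-${2:-sha1}" 2>/dev/null); then
            # openssl prints "<digest> Fingerprint=AA:BB:..."; keep the hex only.
            printf '%s\n' "${cf_out#*=}" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
            return 0
        fi
    done
    echo "cannot read a certificate from $1" >&2
    return 1
}

# fingerprint_matches FILE EXPECTED [DIGEST]
# EXPECTED may be written with colons, with spaces, or with neither, in
# upper or lower case.
# Returns 0 on a match, 1 on a mismatch, 2 if FILE is not a certificate.
fingerprint_matches() {
    fm_expected=$(printf '%s' "$2" | tr -d ': ' | tr '[:lower:]' '[:upper:]')
    fm_actual=$(cert_fingerprint "$1" "${3:-sha1}") || return 2
    [ -n "$fm_expected" ] && [ "$fm_actual" = "$fm_expected" ]
}

# When called with FILE EXPECTED, report the result of the comparison.
if [ "$#" -ge 2 ]; then
    if fingerprint_matches "$1" "$2"; then
        echo "MATCH: fingerprint of $1 equals the expected value"
    else
        echo "NO MATCH: do not add $1 to X509 Anchors"
        exit 1
    fi
fi
```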

Verify DNS query resolution

Complete this step to ensure successful resolution of DNS queries to the server from the Macintosh computer.

Verify that the Macintosh computer is properly resolving DNS queries to the server

  1. On the Macintosh computer, open the built-in Safari Web browser and go to https://ServerFQDN/exchange, where ServerFQDN is the fully qualified domain name of the Exchange server (for example, https://sbsserver.smallbusiness.local/exchange). The Exchange server is also the computer running Windows SBS. If you can log in and use Outlook Web Access, continue to the next procedure.

  2. If the client computer does not resolve the fully qualified domain name of the server, and the domain name ends in ".local," follow the instructions in “Step 3: Configure DNS,” to resolve the issue.

  3. Quit the browser.

Set Up an Exchange Server Account on the Client Computer

To set up an Exchange Server account for a user, you need to know the user’s e-mail address, account ID (which is the same as the user's domain logon name), and password, and you need to know the fully qualified domain name of the computer running Windows SBS.

To manually configure e-mail on a client computer

  1. On the Macintosh computer, open Entourage by clicking the Entourage icon on the dock.

  2. The first time you open Entourage, on the Would you like to make Microsoft Entourage your default e-mail program window, click Cancel and close the Entourage Setup Assistant window.

  3. On the menu bar, from the Tools menu, click Accounts.

  4. In the Accounts window, click the Exchange tab, and then in the toolbar click New.

  5. In the Account Setup Assistant window, ensure that the My account is on an Exchange server check box is selected, and then click Configure my account manually.

Note

Because you are configuring the e-mail account manually, you do not need to fill in any information on this window.

  6. In Account name, type the display name of the Exchange account for that user (see Worksheet 2). This can be the same as the user’s full name.

  7. In Account ID, type the logon name of the domain user account (see Worksheet 2).

  8. In Password, type the password of the domain user account (see Worksheet 2).

  9. In Domain, type the domain name for the server. Use either the NetBIOS domain name or the fully qualified domain name of the server (see Worksheet 1).

  10. Select Save password in my Mac OS keychain.

  11. In Exchange Server, type https://ServerFQDN/exchange, where ServerFQDN is the fully qualified domain name of the server (see Worksheet 1).

  12. In Name, type the display name of the Exchange account for that user (see Worksheet 2). This can be the same as the user’s full name.

  13. In E-mail address, type the e-mail address of your Windows Small Business Server domain user account (see Worksheet 2) (for example, Chris@wingtiptoys.com).

  14. While still in the Edit Account window, click the Directory tab.

  15. In LDAP server, type the fully qualified domain name of the server (for example, sbsserver.smallbusiness.local).

  16. Click the Click here for advanced options button.

  17. Ensure that the This server requires me to log on check box is selected.

  18. Select the Override default LDAP port check box, type 3268 in the box next to it, and then press ENTER.

  19. While still in the Edit Account window, click the Advanced tab.

  20. In Public folders server, type https://ServerFQDN/public, where ServerFQDN is the fully qualified domain name of the server (see Worksheet 1).

  21. Under Synchronization options, ensure that the Synchronize all items to server check box is selected.

  22. Under Security, select the DAV service requires secure connection (SSL) check box, and then click OK.

  23. In the Entourage is now synchronizing message box, click OK.

  24. If the Unable to establish secure connection message box appears, click OK.

  25. In the Enter account ID and password window, enter the domain user name and password for the Macintosh user.

  26. On the menu bar, from the Entourage menu, click Quit Entourage.

  27. Reopen Entourage by clicking the Entourage icon on the dock.

  28. If the Unable to establish secure connection message box appears, click OK.

Note

If you receive the Entourage has pending synchronization message, click Cancel until the synchronization is complete.

  29. In the Enter account ID and password window, enter the domain user name and password.

  30. In the Folders list, click the arrow to expand the Macintosh user's mail account, and then click Inbox to view the e-mails.

After completing this step, users can access e-mail from their Macintosh computer by using Entourage 2004.

If you want Macintosh users to also be able to access their e-mail by using Outlook Web Access, proceed to "Step 5b: Access E-mail Using Outlook Web Access." Otherwise, proceed to "Step 6: Access the https://companyweb Web Site."

Step 5b: Access E-mail Using Outlook Web Access

This section describes how to use the Internet Explorer 5 for Mac, Safari, or Netscape Web browsers to access e-mail with Outlook Web Access (OWA). You can also use other Web browsers to access e-mail with OWA, but their requirements might differ.

To access Outlook Web Access from the Macintosh computer

  1. From the Macintosh computer, open a Web browser and type https://ServerName/exchange, where ServerName is the NetBIOS name of the server, which you recorded in Worksheet 1.

  2. If prompted, type the domain user name and password.

When you use a Macintosh computer to try to access e-mail through Internet Explorer, Safari, or Netscape, you get an error message. This is because these browsers do not recognize self-signed certificates, and the server creates a self-signed certificate by default when you connect to the Internet. To correct this, see the next sections of this document.

Access E-mail Using Internet Explorer 5 for Mac

You can download Internet Explorer 5 for Mac from the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=44594.

If you use Internet Explorer 5 for Mac to access e-mail with OWA, you get this message: “The identity certificate is invalid.” To correct this problem, purchase a signed certificate from a trusted authority and install it on your server.

For more information about adding a signed certificate from a trusted authority, click Start on the server, click Help and Support, and then search for "To change the Web server certificate."

Access E-mail Using Safari

If you use Safari to access e-mail with OWA, you get this message: “This certificate is not valid.” To correct this problem, import the self-signed certificate that the server created and add it to the internal certificate store of the Macintosh computer. This allows Entourage 2004 to connect to the server, and it prevents Safari from displaying the certificate message when you are using OWA. To add the certificate to the Macintosh certificate store, see "Add the self-signed certificate that the server created to the Macintosh certificate store" in "Step 5a: Access E-mail Using Entourage 2004."

Access E-mail Using Netscape

If you use Netscape to access e-mail with OWA, you have the option to install the self-signed certificate into Netscape's certificate store. Select Accept this certificate permanently, and then click OK. You will no longer get a message about the certificate after you install it in the Netscape store.

Step 6: Access the https://companyweb Web Site

This section describes how to use the Internet Explorer 5 for Mac, Safari, or Netscape Web browsers to access the https://companyweb Web site, which is hosted on the server. You can also use other Web browsers to access the https://companyweb Web site, but their requirements might differ.

To access the https://companyweb Web site from a Macintosh computer and make it your home page

  1. From the Macintosh computer, open a Web browser and type https://companyweb.

  2. When prompted, type the domain user name and password.

Although you can access the https://companyweb Web site using Safari or Netscape, it is recommended that you use Internet Explorer 5 for Mac, in order to help secure your network. Safari and Netscape use basic authentication to authenticate users who are connecting to the https://companyweb Web site. Basic authentication sends passwords in clear text between the client computers and the server. Internet Explorer 5 for Mac uses integrated Windows authentication, which is more secure.

Using Internet Explorer as Your Web Browser

You can download Internet Explorer 5 for Mac from the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=44594.

Using Safari or Netscape as Your Web Browser

In order to use Safari or Netscape, you need to turn on basic, clear-text authentication on the server, which hosts the https://companyweb Web site.

To enable basic authentication for the https://companyweb Web site

  1. On the server, click Start, and then click Server Management.

  2. In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click ServerName, and then double-click Web Sites.

  3. Right-click companyweb, and then click Properties.

  4. On the Directory Security tab, under Authentication and access control, click Edit.

  5. Select Integrated Windows authentication, select Basic Authentication (password is sent in clear text), and then click OK.

  6. On the IIS Manager warning message dialog box, click Yes.

Warning

The password is sent to the server using clear text across your internal network, which can be a security risk.

  7. Click Apply, and then click OK.
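The following Python sketch illustrates the warning in this procedure. It is an added example, not part of the original Microsoft procedure. It lists the authentication schemes a server advertises in a 401 response and shows that a Basic credential is only Base64-encoded, so it can be decoded without any key. The sample headers, user name, and password are constructed, and the function names are hypothetical.

```python
import base64

# Constructed sample: challenge headers of the kind a 401 response carries when
# both Integrated Windows authentication and Basic authentication are enabled.
SAMPLE_401_HEADERS = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="companyweb"'),
]


def offered_schemes(headers):
    """Return the authentication schemes advertised in WWW-Authenticate headers."""
    return [value.split(None, 1)[0]
            for name, value in headers
            if name.lower() == "www-authenticate" and value.strip()]


def basic_enabled(headers):
    """True if the response advertises Basic (reversible, unencrypted) auth."""
    return any(s.lower() == "basic" for s in offered_schemes(headers))


def basic_authorization(user, password):
    """Build the Authorization value a browser sends for Basic auth (RFC 7617)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def recover_credentials(header_value):
    """Decode a Basic Authorization value to (user, password), or None.

    No key or secret is needed, which is why the dialog box says "clear text".
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


if __name__ == "__main__":
    print("Schemes offered:", offered_schemes(SAMPLE_401_HEADERS))
    print("Basic enabled:", basic_enabled(SAMPLE_401_HEADERS))
    sent = basic_authorization("jdoe", "Constructed-Passw0rd")  # constructed values
    print("Header on the wire:", sent)
    print("Recovered by any observer:", recover_credentials(sent))
```
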

Step 7: Access Remote Web Workplace

Because Remote Web Workplace uses Secure Sockets Layer (SSL), the requirements for accessing this Web site are identical to the requirements for accessing Outlook Web Access from a Macintosh client computer. Although you can use any Web browser to access Remote Web Workplace, this section describes the requirements for using Internet Explorer 5 for Mac, Safari, or Netscape only.

  • Using Internet Explorer 5 for Mac: Purchase a signed certificate from a trusted vendor and install it on your server. For more information about adding a signed certificate from a trusted authority, click Start on the server, click Help and Support, and then search for "Change the Web server certificate."
  • Using Safari: Add the self-signed certificate that the server creates to the Macintosh certificate store. For step-by-step instructions about how to do this, see “Step 5b: Access E-mail Using Outlook Web Access.”
  • Using Netscape: Add the self-signed certificate that the server creates to the Netscape certificate store. For step-by-step instructions about how to do this, see “Step 5b: Access E-mail Using Outlook Web Access.”

Although you can access Remote Web Workplace by using Safari or Netscape, it is recommended that you use Internet Explorer 5 for Mac, in order to help secure your network. Safari and Netscape use basic authentication to authenticate users who are connecting to the company’s internal Web site or the server performance and usage report sites. Basic authentication sends passwords in clear text between the client computers and the server. Internet Explorer 5 for Mac uses integrated Windows authentication, which is more secure.

To access Remote Web Workplace from a Macintosh computer

  1. From the Macintosh computer, open a Web browser and type https://ServerName/remote, where ServerName is the NetBIOS name of the server, which you recorded in Worksheet 1.

  2. Type the domain user name and password to access Remote Web Workplace.

Some features of Remote Web Workplace are not available when you are using a Macintosh client computer. Table 1 and Table 2 list which features are available to administrators and to all domain users respectively.

Table 1   Remote Web Workplace Features Available to Administrators on Macintosh Computers

| Feature Name | Available (Yes/No) |
| --- | --- |
| Read my company e-mail | Yes |
| Use company’s internal Web site | Yes (must be enabled using the Configure E-mail and Internet Connection Wizard) |
| Download Connection Manager | No |
| Configure your computer to use Outlook via the Internet | No |
| Connect to server desktops | No |
| Connect to client-computer desktops | No |
| Monitor Help Desk | Yes |
| Administer the company’s internal Web site | Yes |
| View Help for Remote Web Workplace | Yes |
| View server performance report | Yes (must be enabled using the Configure E-mail and Internet Connection Wizard) |
| View server usage report | Yes (must be enabled using the Configure E-mail and Internet Connection Wizard) |

Table 2   Remote Web Workplace Features Available to All Domain Users on Macintosh Computers

| Feature Name | Available (Yes/No) |
| --- | --- |
| Read my company e-mail | Yes |
| Connect to my computer at work | No |
| Use company’s internal Web site | Yes (must be enabled using the Configure E-mail and Internet Connection Wizard) |
| Download Connection Manager | No |
| Configure your computer to use Outlook via the Internet | No |
| View Help for Remote Web Workplace | Yes |

To connect to server or client-computer desktops from a client computer

You cannot use Remote Web Workplace to access the server desktop or other Windows-based client-computer desktops from a Macintosh client computer. Therefore, if you need to remotely connect to the server from a Macintosh client computer, you can use Remote Desktop Client for Mac just like you would from a Windows-based client computer. You must make sure that port 3389 is open and forwarded to your server at your firewall or router.

You can install Remote Desktop Connection Client for Mac from the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=44595.

To enable access to https://companyweb and to the monitoring Web sites

To enable a client computer to access the https://companyweb and the monitoring Web sites (View server performance report, View server usage report), use the following procedure to configure security settings on the Web server that hosts these sites.

To enable access to the https://companyweb and monitoring sites

  1. On the server, click Start, and then click Server Management.

  2. In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click ServerName, double-click Web Sites, and then double-click Default Web Site.

  3. Right-click Monitoring, and then click Properties.

  4. On the Directory Security tab, under Authentication and access control, click Edit.

  5. Ensure that Integrated Windows authentication is selected, select Basic Authentication (password is sent in clear text), and then click OK.

  6. On the IIS Manager warning message dialog box, click Yes.

Warning

The password is sent to the server using clear text across your internal network, which can be a security risk.

  7. Click Apply, and then click OK.

  8. Repeat steps 4 through 6 of this procedure for the https://companyweb Web site, if you have not already enabled access to the site in "Step 6: Access the https://companyweb Web Site."

After completing this Step 7, "Access Remote Web Workplace," Macintosh users can use the Remote Web Workplace feature of Windows SBS.


Appendix

Share Files Using File Services for Macintosh

By using File Services for Macintosh, Macintosh users can access shared folders that are stored on the server. To use File Services for Macintosh, you must configure both the server and the client computers.

Configure the Server

To share folders, configure the server by completing these steps, using the procedures that follow them:

  1. Install File Services for Macintosh.
  2. Configure the Shared Folder tool as a MacFile (Macintosh accessible file).
  3. Create a shared folder on the server that the client computer can access.

To install File Services for Macintosh

  1. On the server, click Start, click Control Panel, and then click Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Select Other Network File and Print Services, and then click Details.

  4. Select File Services for Macintosh, and then click OK.

  5. Click Next. The installation begins.

  6. When the installation is complete, click Finish.

  7. Close the Windows installer and Control Panel.

To configure the Shared Folder tool as a File Server for Macintosh

  1. On the server, click Start, right-click My Computer, and then click Manage to open the Computer Management snap-in.

  2. Right-click Shared Folders, and then click Configure File Server for Macintosh.

  3. In Enable Authentication, click Apple Clear Text or Microsoft.

  4. Click Apply, and then click OK.

You can configure any shared folder on the server so that Macintosh users can access it. It is recommended that you share the Users Shared Folders, which is on the server, so that users of both Windows and Macintosh can use it to share files with each other.

Use the following procedure to share the Users Shared Folders that is located on the server.

To share a folder on the server with Macintosh client computers

  1. Click Start, right-click My Computer, and then click Manage.

  2. Expand Shared Folders.

  3. Right-click Shares, and then click New Share.

  4. In the Share a Folder Wizard, click Next.

  5. Either type the path of the folder you want to share (for example, Users Shared Folder) or click Browse to find the folder.

  6. Click Next.

  7. If the folder you selected is already shared to client computers running Windows, clear the Microsoft Windows users check box.

  8. Select the Apple Macintosh users check box.

  9. In Share name, type a name for the shared folder (for example, Mac Users Shared Folder), and then click Next.

  10. Click Finish, and then click Close.

  11. Right-click the name of the new share, and then click Properties.

  12. Clear the This volume is read-only check box, and then click OK.

Configure the Client Computers

To use File Services for Macintosh to share folders on the server with the client computers, configure the client computers as follows:

  • Install Microsoft User Authentication Module (UAM) on the client computers.
  • Enable AppleTalk on the client computers.
  • Configure AppleTalk settings on the client computers.

By default, the server running Services for Macintosh requires authentication using Microsoft UAM. But when a Macintosh computer tries to connect to a resource on the network, it does not use UAM. The result is this error message: “The user authentication method required by the server cannot be found.” To avoid this problem, install UAM on the Macintosh computers.

To install Microsoft UAM on Macintosh computers

  1. Go to the Microsoft mactopia Web site (https://go.microsoft.com/fwlink/?LinkId=44593).

  2. Download UAM for OS X 10.1 or later.

  3. Open the MSUAM_for_X folder and run Install MSUAM for X.3 pkg.

To enable AppleTalk on a client computer

  1. From the Apple menu on the client computer, select System Preferences.

  2. Click the Network icon.

  3. In the Show box, click Built-in Ethernet, and then click Configure.

  4. Click the AppleTalk tab, and then select the Make AppleTalk Active check box.

  5. Click Apply Now, and then close System Preferences.

To configure AppleTalk settings on a client computer

  1. On the client computer, open Macintosh HD.

  2. Double-click Applications, and then double-click Utilities.

  3. Double-click Directory Access.

  4. Click the lock to make changes.

  5. Enter the user name and password for the user of that client computer.

  6. Clear the Active Directory and SMB check boxes.

  7. Select the AppleTalk check box.

  8. Click Apply, and then quit Directory Access.

To access shared folders on the server

  1. On the client computer, open Finder by clicking the Finder icon in the Dock.

  2. From the title bar, click Go, and then click Connect to Server.

  3. In the Server Address box, type afp://ServerName, where ServerName is the NetBIOS name of the server.

  4. Click Connect.

  5. Enter the domain user name and password to connect to the server.

  6. Select the volume(s) you want to mount, and then click OK.

  7. The volume(s) mount on the desktop.

Join the Macintosh Computers to the Domain

You do not need to join the Macintosh computers to the Windows SBS domain in order for Macintosh users to access network resources. However, joining the Macintosh computers enables you to view these computers in the Client Computers snap-in from Server Management.

To join a Macintosh computer to the network

  1. From the Macintosh computer, double-click Macintosh HD, double-click Applications, double-click Utilities, and then double-click Directory Access.

  2. Click the lock to make changes.

  3. Type the password for the local Macintosh account.

  4. Select Active Directory, and then click Configure.

  5. In Active Directory Forest, type the fully qualified domain name of your Windows Small Business Server domain (for example, smallbusiness.local). (See Figure 6.)

  6. In Active Directory Domain, type the fully qualified domain name of your Windows SBS domain (for example, smallbusiness.local).

  7. In Computer ID, enter a unique network name for the client computer.

  8. Click the arrow next to Show Advanced Options.

  9. Clear the Authenticate in multiple domains check box.

  10. Select the Prefer this domain server check box, and then type the fully qualified domain name of your server (for example, sbsserver.smallbusiness.local).

  11. Select the Allow administration by check box.

  12. Click Bind.

  13. If required, type the user name and password of the local Macintosh user.

  14. In the Network Administrator Required dialog box, enter the user name and password for a domain account that has permission to add a client computer to the domain.

  15. Click OK. The Macintosh computer goes through a five-step process to join the domain. When it is finished, the Bind button changes to Unbind.

  16. Click OK.

  17. Click the Authentication tab.

  18. From the Search drop-down menu, click Custom Path.

  19. Click Add.

  20. Select /Active Directory/Domain.local, where Domain is the fully qualified domain name of your server (see Worksheet 1), and then click Add.

  21. Click the Services tab.

  22. Select the Active Directory check box, and then click Apply. If required, enter the user name and password of the local user's account.

  23. Quit Directory Access.

After completing this step, the Macintosh computer object is now visible from Server Management in the Client Computers management console.

After you join a Macintosh computer to the network, the Macintosh computer appears on a list of computers that are available for a remote connection using Remote Web Workplace. You need to remove the Macintosh computer names from the list because you cannot use Remote Web Workplace to connect remotely to a Macintosh computer. To remove Macintosh computers from the list of client computers available for remote connection, you need to create a new registry entry.

To remove a Macintosh computer from the list of client computers available for remote connection in Remote Web Workplace

  1. From the server, click Start, click Run, and then type regedit to open Registry Editor.

Warning

Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

  2. In Registry Editor, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\, right-click RemoteUserPortal, select New, and then click String Value.

  3. In the details pane, type ExcludeList as the name for this new registry value.

  4. In the details pane, double-click ExcludeList.

  5. In the Edit string dialog box, under Value data, enter the names of the Macintosh computers. Use commas between the names (for example, computer1,computer2,computer3).

Worksheets

Use Worksheets 1 and 2 to collect relevant information for connecting Macintosh computers to computers running Windows Small Business Server 2003.

Worksheet 1   Collecting information

| Information to collect | How to collect it |
| --- | --- |
| Server IP address | On the server, click Start, click Run, then type cmd. In the command line type ipconfig /all. |
| NetBIOS domain name or Internal domain name | On the server, click Start, click Run, and then type cmd. At the command prompt, type Set. The NetBIOS domain name is listed as USERDOMAIN. |
| NetBIOS server name | On the server, click Start, click Run, and then type cmd. At the command prompt, type Set. The NetBIOS server name is listed as COMPUTERNAME. |
| Fully Qualified Domain Name (FQDN) of the server | On the server, click Start, right-click My Computer, and click the Computer name tab. The server FQDN is listed next to Full computer name. |
| Domain name or Internal domain name | On the server, click Start, right-click My Computer, and click the Computer name tab. The server domain name is listed next to Domain. |
| Registered Internet domain name | Contact your ISP. |

Worksheet 2   Macintosh user information

| User's display name | Macintosh local user account name and password | Domain user account name and password | Macintosh computer name |
| --- | --- | --- | --- |