Active Directory Schema update versus “Magic Triangle”
This topic has 6 replies, 5 voices, and was last updated 14 years ago by berrty.
May 29, 2010 at 1:15 pm #378654
Optic
Participant

Hi All,
I know this has probably been asked a million times (and I have endeavoured to read everything I can about this) but I am still not sure what the best course of action is.
I administer an Active Directory environment at a school and up until now we have been a pure Microsoft/AD shop (with about 500 PCs). Starting next year we are implementing (for the first time) a 1:1 laptop program for all staff and students and we have chosen Apple Macs as the platform. There will be approximately 1000 Macs.
I have read everything that I have been able to get my hands on but I am still unsure about a clear direction between going with an OD server and a “Magic Triangle” versus extending our AD schema. I have no issue with extending our AD schema, nor do I have any issue with adding an OD server – so from my point of view I wouldn’t choose one method or the other based on wanting to minimise server numbers or because of a reluctance to extend the AD schema. I want to pick the best method from a technical and supportability point of view.
I have done as much reading as I can and come up with the following list of reasons to choose one over the other. Please correct me if you disagree!
Reasons to extend AD schema:
1. Single directory
2. Less complicated
3. Cheaper as no OD server required (but as I stated above, this is not an issue for us)

Reasons to add OD server:
1. Potentially more supportable (??) – I am not even sure this is true, but I imagine that from an Apple point of view it may be easier to get support from Apple if I can demonstrate an issue between a Mac OS X client and an OD server, rather than trying to get support for an AD issue. I also assume that as Apple releases new patches and versions that they test the integration between OS X Client and OD quite extensively – which they may not do with AD.
2. Unknown future changes (??) – This is another one I am not sure about, but let me try and explain what I mean. I am thinking that in the future as Mac OS X 10.7, 10.8, 10.9 etc are released that Apple could add features to OD and OS X which may require an OD server in a similar way that the Microsoft client and AD are very tightly integrated. It’s possible Apple will add completely new features which rely on OD and we find ourselves having to add an OD server anyway. If this was the case, we would wish we had used OD in the first place.
3. Support for Computer Groups (AD integration only supports Computer Lists)
4. Microsoft will release their own patches which go on our domain controllers and new server OSes in the future which will upgrade AD. The fact that our MCX configuration lives in AD may add complication when it comes to upgrading to these newer versions.
5. No AD schema update required (but as I stated above, this is not an issue for us)

I am not even sure that some of these are relevant. The OD list seems longer but they are less “solid” reasons and mostly based on “what ifs”. Using AD is obviously quite compelling as 1 directory service has to be better than 2!
Does Apple have an official “recommended position” on which method is better to use? I know that their White Papers and Online Seminars show how to do both but maybe they have a preferred method.
What do AFP forum users recommend? Any advice appreciated!
Cheers,
David

June 1, 2010 at 3:31 am #378658
mcrispin
Participant

Here’s hoping my answer doesn’t sound too glib.. nevertheless, with that many Macs (now they will outnumber your PCs 2:1) wouldn’t you at least want one OSX server box, if only for deployment? Heck, even an ARD task server would be nice, software update server — I can think of lots of practical uses.
You didn’t really mention how these machines are going to be used. Is it just faculty/staff, or are there labs involved? Portable Homes, Network Homes? Any ideas about Backup? Any concerns about AFP/HFS+ access? Will anyone be sharing any files? Does anyone need something like ADmitMac? Kerberized printing? DFS? VPN, blah blah blah…
Another issue would be client management. While it is true that there are 3rd party tools to do the job, I find much on the PC side to be lacking. It doesn’t sound like you need the entire Casper suite, but the imaging side could use something like JAMF Imaging or at least DeployStudio. Surely, a nice modular deployment workflow would help immensely.
There is also the question of available talent: do you have the time to learn and really know about OSX server? Without a sufficient talent base, I could definitely see the logic in leveraging something like LANrev, FileWave, or Centrify – or trying to do your own thing with schema extensions alone, but that is a heck of a lot of work for just one person. I find that using “built-for-mac” solutions is much more robust, predictable, easy-to-manage and scalable *and* cheaper.
With so many Macs there is the question of support contracts and advantageous pricing from Apple and getting the most out of AppleCare (there are plenty of programs not widely advertised). It really sounds like you need to have a sit down with your local Apple rep and see if they can get what Apple calls a “solutions architect” on the phone and hash out specifics. There is really no need for you to bear the burden of thinking about all of this all alone. Yes, of course they will tell you “Triangle all the way!” (they actually have to call it “Dual-Directory” now) — but you can get into the nitty gritty and suss out your level of comfort.
Personally, I would do the Magic Triangle because it is very easy to accomplish and it gives you some flexibility on services when/if the need comes — if 2/3rds of your operation is going to OSX, it won’t take long before the mac people start asking for stuff that isn’t easily accomplished with Win boxes alone.
It might sound counter-intuitive, but I think it is easier and wastes less time by getting an OD box in the mix, even if that means learning OSX server from scratch.

Doing a very similar project here with one of our more paranoid medical groups.
Nevertheless, sounds like a good adventure for you. Good Luck!
Michael Crispin
Duke University

June 6, 2010 at 3:10 am #378703
Optic
Participant

Hi Michael,
Thanks for the reply – I appreciate it.
I’ll try and address a few of your points!
I didn’t mean to imply that we would not be introducing any Mac OS X Server based systems. We have several Mac Xserve machines on order (3 or 4) to perform various roles – including the full Casper Suite, ARD, kerberized printing, Wiki and podcast servers, Final Cut Server etc. I totally agree that using native Mac stuff is the way to go and that is why I am not that interested in things like ADmitMac, Centrify etc. I do not want to force the Macs to work with Group Policy or anything like that. I want them to do their own thing natively. I’m not scared of learning new things.
My question was specifically about whether to use OD or whether to update the schema in AD to store the MCX XML data. As far as I can tell, both are really still “native” in the sense that I’d still be using Workgroup Manager to create the MCX XML blobs – the only difference is where they are stored. From a technical point of view, it seems like both methods essentially do exactly the same thing. I’m not sure that OD “adds any value” – it just seems to be a second directory to store the MCX XML blob when it could be in AD. If there is other value that OD adds then please point it out to me as that is exactly what I am looking for!
We already have a good relationship with Apple and we’ve spoken to “solutions architects” and all the fun that goes along with that. They do say “install OD” and of course I knew that they would – and I’m sure Microsoft would tell me not to install OD. It doesn’t hurt to ask a wider community like this to try and get a more unbiased technical appraisal. I was already leaning towards using OD anyway but I am still not sure “why”. I’d like to be able to say “I chose to use OD instead of extending my AD schema because it gave me X” but so far I am not exactly sure what X is!
As I’ve said – I totally agree that the Mac people will be asking for various services and I have no interest in forcing them to use the Windows boxes if Mac OS X Server makes more sense. The AD/OD question is a separate question and I’m looking for solid technical reasons why I should introduce OD (which I’m already pretty sure that I will do).
Incidentally – I’ve already done both in my lab environment (AD schema extension and dual directory) and have so far found both to be much the same. When you said you would use OD because it gives me some “flexibility on services” what do you mean by that? Were you referring to things that I can actually do with OD specifically (and if so, what)? Or were you just referring to the fact that I would have an OS X Server system which I could use for other things (which I will have anyway)?
Thanks again!
Cheers,
David

June 8, 2010 at 3:29 am #378709
mcrispin
Participant

My pleasure —
I suppose in order to answer properly, I am assuming that your Casper and FCSvr are directly dialing into your AD.
So.. can I assume you are not running a dual-directory at all?
MC
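Added example, not code from any poster in this thread and not Apple's own tooling: a small Python parser for the MCX settings blob David describes above, the XML plist that Workgroup Manager writes into a user, group, computer or computer-list record. The blob has the same layout whether it sits in an Open Directory record or in the attribute the AD schema extension adds, which is the sense in which both designs "do exactly the same thing". The attribute name `apple-mcxsettings` and the `mcx_application_data` / `Forced` / `Set-Once` / `mcx_preference_settings` keys follow the MCX plist layout as I know it and should be checked against your own records; the sample blob is constructed for this example. The point worth holding onto in either design is that whoever can write this attribute on a record sets managed preferences on every Mac that reads it, so the directory ACL on that attribute is a control-plane permission, in AD or in OD alike.

```python
"""Parse an MCX settings blob and report which preference domains it manages.

Added example for this thread; not code from any poster or from Apple. The
sample blob is constructed. Key names follow the MCX plist layout
(mcx_application_data -> domain -> Forced / Set-Once -> list of dicts holding
mcx_preference_settings) and are assumptions to verify against real records.
"""
import plistlib
from typing import Any, Dict, List, Tuple

# Constructed sample: two Dock keys forced (user cannot change them) and one
# loginwindow key set once (seeded, then left to the user).
SAMPLE_MCX_BLOB: bytes = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
 <key>mcx_application_data</key>
 <dict>
  <key>com.apple.dock</key>
  <dict>
   <key>Forced</key>
   <array>
    <dict>
     <key>mcx_preference_settings</key>
     <dict>
      <key>autohide</key><true/>
      <key>orientation</key><string>left</string>
     </dict>
    </dict>
   </array>
  </dict>
  <key>com.apple.loginwindow</key>
  <dict>
   <key>Set-Once</key>
   <array>
    <dict>
     <key>mcx_preference_settings</key>
     <dict>
      <key>DisableConsoleAccess</key><true/>
     </dict>
    </dict>
   </array>
  </dict>
 </dict>
</dict>
</plist>
"""

# Management frequencies this parser knows about. Anything else is kept and
# reported by unknown_frequencies(), never silently dropped.
KNOWN_FREQUENCIES = ("Forced", "Set-Once")


def parse_mcx_blob(blob: bytes) -> Dict[str, Dict[str, Dict[str, Any]]]:
    """Return {domain: {frequency: {pref_key: value}}} from an MCX plist.

    Raises ValueError when the plist is not an MCX blob, so an audit script
    notices odd data in the attribute instead of reading it as "nothing managed".
    """
    data = plistlib.loads(blob)
    app_data = data.get("mcx_application_data") if isinstance(data, dict) else None
    if not isinstance(app_data, dict):
        raise ValueError("not an MCX settings blob: mcx_application_data missing")
    result: Dict[str, Dict[str, Dict[str, Any]]] = {}
    for domain, by_freq in app_data.items():
        if not isinstance(by_freq, dict):
            raise ValueError(f"{domain}: expected a dict of management frequencies")
        result[domain] = {}
        for freq, entries in by_freq.items():
            merged: Dict[str, Any] = {}
            for entry in entries if isinstance(entries, list) else []:
                merged.update(entry.get("mcx_preference_settings", {}))
            result[domain][freq] = merged
    return result


def forced_settings(blob: bytes) -> List[Tuple[str, str, Any]]:
    """(domain, key, value) for every setting the user cannot override."""
    return [
        (domain, key, value)
        for domain, by_freq in sorted(parse_mcx_blob(blob).items())
        for key, value in sorted(by_freq.get("Forced", {}).items())
    ]


def unknown_frequencies(blob: bytes) -> List[Tuple[str, str]]:
    """(domain, frequency) pairs using a frequency this parser does not know."""
    return [
        (domain, freq)
        for domain, by_freq in sorted(parse_mcx_blob(blob).items())
        for freq in sorted(by_freq)
        if freq not in KNOWN_FREQUENCIES
    ]


if __name__ == "__main__":
    for domain, key, value in forced_settings(SAMPLE_MCX_BLOB):
        print(f"{domain}: {key} = {value!r} (Forced)")
    for domain, freq in unknown_frequencies(SAMPLE_MCX_BLOB):
        print(f"warning: {domain} uses unrecognised frequency {freq!r}")
```

To run it against a live record rather than the constructed sample, feed the function the value of the record's MCX settings attribute as read from the directory (with `dscl` on a bound Mac, or an LDAP query against the server that holds it); the parser does not care which directory the bytes came from.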
June 23, 2010 at 4:09 am #378839
superdave97
Participant

Why couldn’t you just use AD and use Casper’s MCX controls if you already have that server in place?
February 14, 2011 at 9:55 am #380444
kimerajamm
Participant

Quote by superdave97: Why couldn’t you just use AD and use Casper’s MCX controls if you already have that server in place?

Same question.

March 29, 2011 at 7:05 am #380584
berrty
Participant

This will come in useful for anyone who is interested to know more about taking a choice between Active Directory Schema versus “Magic Triangle.” There is so much on the subject and I am sure that with the information given here, there is quite a lot you can learn on this subject!!