Active Directory or Open Directory in a Windows based college, your thoughts?

  • #372859
    topcat
    Participant

    I wondered what your thoughts are on this. As you may have seen in my other post, we are a mainly Windows college so using AD would be very beneficial for our users. I wondered how many other people have looked into this, and what did you decide, did you keep the Macs a separate network, or did you go ahead and use AD. What problems did you have?

    Using OD we would have a completely Apple based infrastructure from server to client so would be fully supported. I expect all the features of 10.5 server to work well such as wiki etc, and there would be no saving problems to drives etc. We could also use mobile home directories on laptops. We would not need to worry about the plugin breaking between our OD and AD system, there is less to go wrong.

    The downside of this setup though is that it is a separate infrastructure with extra admin overhead. I would need to spend time importing users each year, and users would need to keep separate login details for both systems. And then when accessing the college systems such as the intranet, they would have to remember to input their AD credentials. Also connecting to Windows network shares would require their AD details again. Plus I don't know how well it would work with our web proxy and wireless authentication.

    Using AD would mean that users have a single login for both systems and can access the same files and folder over any machine.

    There are quite a few downsides though.
    The biggest being that we are working with two different directory systems and there is more to go wrong!
    When we tried this in the past we found that the network home folders when using AD used the SMB share so it was nice that the users could login to the PCs and see the same files that they do on the Macs, but certain Mac apps didn't like saving to an SMB home and had various problems such as Office would let users save sometimes etc.

    So what do you think, are you using AD/OD and happy?

    #372948
    SpeedDemon
    Participant

    It depends on how big your organization is really. If you are big enough to warrant the time spent on doing the R&D, then I would recommend going with a full UNIX/Linux solution instead of using Mac OS X Server. Mac OS X Server should at best be considered a beta product and is in fact not very well supported by Apple. The problems that you will run into with OS X Server will mostly center around authentication errors, and trouble moving between versions (which will break things). If you go with a fully customized *NIX solution then you’ll have more control over the environment which will ensure that the end-users (students and faculty) won’t have to be burdened.

    OS X Server is really targeted at very small installations and generally most of the biggest installations of “OS X Server” are just using Darwin UNIX.

    #373024
    anodyne
    Participant

    I’m with a large K12 school district. We have been trying to maintain momentum here in regards to AD integration (all users in Active Directory). Unfortunately, w/in our organization, Apple’s AD support/reliability has been found lacking (overall lack of continuity between releases/updates). The most recent example is the Leopard release. We weren’t able to bind to AD in our (large) domain until 10.5.2 came out. Now with the 10.5.3 release we are unable to bind again. I have found that I can take a 10.5.2 AD bound machine and upgrade it to 10.5.3 and it maintains its bound state. Unfortunately, if I choose/need to unbind, I am unable to rebind under 10.5.3 (this applies to client and server). The issues we have seen maintaining Active Directory integration w/in our organization have not made us particularly optimistic regarding binding many more of our ~10,000 Mac clients.

    I have also been experiencing issues with 10.5.2 server relating to AFP and AD accounts. AFP will eventually become dysfunctional with AD accounts (local/OD accounts continue to work). SMB continues to work during this time with AD accounts. I have found unbinding/rebinding to more often than not be the (temporary) solution to this issue. Again, doesn’t bode well for further AD integration of servers. I’ve had a case open for ~1 month on this issue w/out any progress.

    We are currently rolling out an Oracle Identity Management solution. I had hoped to continue using the magic/golden triangle approach (we had great success in the 10.3.x days, and OK success under 10.4 with the exception of AFP reliability/performance issues). Now I’m thinking I should examine the OpenLDAP/OD route with the use of a connector given the issues with Macs and AD here. We will also be looking at retreating from our continued Xserve/OSXS purchases and taking another look at the Group Logic ExtremeZ-IP solution, consolidating on the Windows backend.

    Best of luck/success in your chosen direction!

    Curtis

    #373151
    anodyne
    Participant

    Since I posted in this thread, I thought I should provide a brief update relating to the 10.5.3 update and subsequent binding issue. I have had assistance in determining that disabling packet signing and encryption (dsconfigad -) prior to binding resolves this issue. Evidently some changes were made in 10.5.3 around the area of packet signing and/or encryption. We’re still at the early stages regarding this discovery so I don’t have much more information. That said, this will allow me to test the 10.5.3 server update in relation to the AD/AFP issue we have been experiencing with 10.5.2 server. Good times.

    Curtis

    #373175
    anodyne
    Participant

    It is interesting. I can still reliably bind 10.5.2 machines in our domain with dsconfigad defaults (i.e. allow). For 10.5.3 fresh installs/binds, I have found it necessary to disable both packet signing and encryption to have any success with the initial bind. We’re still working through this, but definitely can reproduce this experience in our domain since the 10.5.3 point update. Thanks.

    Curtis
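As an added example that is not part of the thread, the following POSIX shell check parses `dsconfigad -show` output and flags a Mac whose AD bind carries the disabled packet signing/encryption workaround described in the two updates above, so that machines bound that way can be tracked and moved back to `allow` or `require` once the 10.5.3 issue is resolved. The "Packet signing = value" / "Packet encryption = value" line format is assumed from the "Administrative" section of `dsconfigad -show`, and the sample output is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Mac's AD bind for the weakened
# LDAP channel settings (packet signing / encryption set to "disable").
# Assumption: `dsconfigad -show` prints "Packet signing = <value>" and
# "Packet encryption = <value>" lines; the sample below is constructed.

SAMPLE_OUTPUT='Active Directory Forest          = example.edu
Active Directory Domain          = example.edu
Computer Account                 = lab-mac-01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = not set
  Packet signing                 = disable
  Packet encryption              = disable'

# Print the value of one "Key = value" setting from dsconfigad -show output.
# $1 = setting name (e.g. "Packet signing"); the output text is read on stdin.
ad_setting() {
    awk -F' = ' -v key="$1" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { print $2; exit }
    '
}

# Classify a bound Mac from its dsconfigad -show output ($1):
#   "weak"    if signing or encryption is disabled (the thread's workaround),
#   "unknown" if neither setting is present (not bound, or format differs),
#   "ok"      otherwise (allow / require / ssl).
audit_bind() {
    sign=$(printf '%s\n' "$1" | ad_setting "Packet signing")
    enc=$(printf '%s\n' "$1" | ad_setting "Packet encryption")
    case "$sign:$enc" in
        :)                   echo "unknown (not bound or settings not shown)" ;;
        disable:*|*:disable) echo "weak (signing=$sign encryption=$enc)" ;;
        *)                   echo "ok (signing=$sign encryption=$enc)" ;;
    esac
}

# Run against the constructed sample. On a real Mac: audit_bind "$(dsconfigad -show)"
audit_bind "$SAMPLE_OUTPUT"
```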
