Active Directory Schema Extension with OS X 10.8 Mountain Lion


    We are looking to integrate into Active Directory a small number of Mac computers (about two dozen for now, will climb later) in a big Windows computer environment (thousands).

    We looked at the Apple Technical White Paper about the Best Practices for Integrating OS X Lion with Active Directory: http://training.apple.com/pdf/wp_integrating_active_directory.pdf

    We use GPO on Windows, so we need Managed Preferences on OS X. We discarded the “Do Nothing” option. We want to avoid using a Mac OS X Server due to our small initial deployment. We discarded the “Profile Manager Server”, “Dual Directory (or magic triangle)”.

    We are left with “Extend the Active Directory Schema to Handle Management” and “Use a Third-Party Solution”.

    Extending the Schema made sense to us: nothing to purchase, no permanent Mac OS X Server to set up, no extra software, no extra hardware, low maintenance and little training. Not to mention nothing to install on the Domain Controllers, nothing to install on the Macs, no middleware. Just extend the schema and use native Workgroup Manager on any Mac to set up the Managed Preferences for all of them at once. That’s not to say that using third-party is bad, but it looked like we could avoid it. Not to mention we don’t have any Mac specialists in current staff, so asking one for help just for supervising the short “extending the schema” phase made sense; after that we fall back to current staff for basic maintenance.

    Problem is, we found a new revision of the document, called Best Practices for Integrating OS X with Active Directory:


    This new revision is about OS X 10.8 Mountain Lion and completely avoids talking about Extending the Schema, cutting down the white paper from 28 pages to 14.

    Is there a new directive from Apple to stop Extending Active Directory Schemas? Did Apple and/or Mountain Lion stop supporting that way of integration? If it’s still supported, where can we find an updated paper about it?

    Since this is a technical white paper, I expect it to grow with more and more technical information, so seeing it halved with all that great information gone made me a bit nervous.

    I asked for information on the Apple forum, I got very good information from a knowledgeable person but I would like a second opinion.

    He advised me against extending the schema due to where Apple is going. He also told me this: “The old magic triangle of injecting a Mac server between the clients and the windows server is being deprecated by Apple. MCX is effectively deprecated in Mountain so many of the tools and concepts related to extended schema and third party tools like Centrify no longer apply. Apple is moving to Profile Manager and this requires a lighter weight (depending on the angle you look) deployment model.”

    This makes lots of sense. I didn’t see it at my first reading of the official documentation, but after a second, more careful read, it looks like Apple’s philosophy versus Active Directory completely changed with Mountain Lion.

    Can you help me or direct me to the right place?

    Thank you very much and have a nice day,


    P.S.: Link to original post if someone is interested – https://discussions.apple.com/thread/4788531?start=0&tstart=0
