  • #373487
    macdummy
    Participant

    I am in need of some serious help. I have suddenly found myself a Creative Director of a motion design firm, and the Head IT admin for the company among other things. Over the past year we have switched over to Mac almost entirely. It has been painful at times, but I am so hooked! I am really happy we made the move. However, we have moved away from a Windows Domain running Active Directory.

    While we are not a very big company…yet. I still desire to set the network up in an enterprise sort of way. I have been influenced by the Windows IT guys from our sister company. They have been operating a domain and Active Directory for a while now. The centralized management that is possible with AD seems extremely logical. I have jumped in with both feet operating on the assumption that I could mimic the Windows set-up on the Mac side. And while things might happen a little differently, I thought I would unveil some new features the Mac network provided over the Windows Domain environment.

    So far, I have been wrong. But I hope it is just my complete incompetence with it all! We hired a local Mac shop that boasted about their corporate network portfolio. Now that we are halfway through the implementation I am constantly hearing, you can’t do that, or you have to manage that separately, and so on. They also told me that the only way to set up our new Promise RAID was to hook it up to a PC. Hmmm. To say the least, my confidence in them is being challenged.

    I have no idea where to turn to figure this all out. I attended a couple of server classes at Mac World last year. They helped, but not enough to provide a perfectly clear game plan. I have accessed the personal websites of the presenters looking for a number I could call and pay for some consulting. No luck. I have tried Apple’s site but have had nothing but trouble accessing it over the past couple of days.

    I really want to configure this all the best way. I want to be able to scale and centralize management as much as possible. Does anyone have any suggestions on where I can turn for information? I need to find someone I can dump all the pieces of the puzzle on the table with, and they can help me solve it!

    Thanks so much in advance for any help you can provide.

    Deeply distressed, entirely grateful.

    #373524
    Dave Hagan
    Participant

    MacDummy,
    Don’t despair! Things at this level can be very intimidating, esp. if you are green to the Mac and system administration. Once you overcome the intimidation and initial frustration you will realize just how nice the server management tools on the Mac are and how well Apple has integrated OS X with Active Directory. At the same time you will be annoyed that some of the spit and polish on OS X Server is lacking in some areas.

    OS X Server’s OpenDirectory and Microsoft’s Active Directory are very similar in that they both use LDAP and Kerberos, and both require rock solid DNS. But the main difference is that you can manage both Windows and Mac clients from Active Directory, but you cannot manage Windows clients if you’re using OpenDirectory. Most people use Active Directory because they already have a domain controller set up for their Windows clients. But like you, I ditched our AD setup a few years ago, and set up an OpenDirectory domain for my Mac and Windows desktops. It’s working very well and is seamless between the Mac and Windows. As we have added more Windows PCs into the mix, I am considering going back to AD and doing the magic triangle or extending AD’s schema so that I can manage the Windows clients with group policy and still have the same nice management controls like I have on our Macs.

    There are many interesting documents on this site on the integration of OS X Server into Active Directory if you go that route. I would suggest you download the PDF on AD/OD integration.

    Lastly, you should very much be able to run your Promise RAID on an OS X Server. Apple sells the Promise RAID products, don’t they?

    #373566
    macdummy
    Participant

    [QUOTE][u]Quote by: macshome[/u][p]We have quite a few documents hosted here, or linked here, that should help. At a minimum I would check out JohnD’s Tips and Tricks and our own whitepapers.

    It’s not all that hard to get going, it’s just different than on Windows. Mac admins adding Windows skills often run into the same frustrations you have.

    Note that you need to purchase the Promise unit through Apple to get the Apple supported config.

    What sorts of things are your consultants telling you that you can’t do on the Mac?[/p][/QUOTE]

    Yea, we got the Promise through Apple and it appears to be functioning well. And we now have web access to the admin controls! So the PC is out of the picture now.

    I guess more than us getting the response that “you can’t do it” I am hearing that “Apple doesn’t do it that way”. Which is fine. However, if they do something different and it creates a bigger headache rather than benefit I want to know the truth. The biggest thing is the Domain issue. Can we create a domain on the XServe? The other part is network logins instead of local user accounts. The whole idea is to get to centralized management. Right now it is all locally managed and is becoming a nightmare.

    Thanks for your post, and your willingness to respond with your knowledge.

    #373567
    macdummy
    Participant

    [QUOTE][u]Quote by: Dave Hagan[/u][p]Most people use Active Directory because they already have a domain controller set up for their Windows clients. But like you, I ditched our AD setup a few years ago, and set up an OpenDirectory domain for my Mac and Windows desktops. It’s working very well and is seamless between the Mac and Windows. As we have added more Windows PCs into the mix, I am considering going back to AD and doing the magic triangle or extending AD’s schema so that I can manage the Windows clients with group policy and still have the same nice management controls like I have on our Macs.

    There are many interesting documents on this site on the integration of OS X Server into Active Directory if you go that route. I would suggest you download the PDF on AD/OD integration.
    [/p][/QUOTE]

    Thanks so much for your post, Dave. I will check out the resources. I am very appreciative.

    On the seamless functionality with OD for the Windows and Mac systems. How do you achieve that? I know that is a wide open question, but how do you mean seamless? All our users have tons of different usernames and passwords to access things. One for the Windows Server, one for the Mac Server, one for their system, etc.

    Thanks so much for your willingness to help.

    #373813
    EA
    Participant

    [QUOTE][u]Quote by: macdummy[/u][p]

    I guess more than us getting the response that “you can’t do it” I am hearing that “Apple doesn’t do it that way”. Which is fine. However, if they do something different and it creates a bigger headache rather than benefit I want to know the truth. The biggest thing is the Domain issue. Can we create a domain on the XServe? The other part is network logins instead of local user accounts. The whole idea is to get to centralized management. Right now it is all locally managed and is becoming a nightmare.

    Thanks for your post, and your willingness to respond with your knowledge.[/p][/QUOTE]

    Yes, you can create a Windows domain on an XServe, with the XServe serving as the Primary Domain Controller for your domain. The level of functionality will lag far behind those of an Active Directory domain for your Windows clients, but it can be done. You will lose out on things like Group Policies for the Windows clients. This is why the Active Directory piece gets implemented if it isn’t already there. OD can use AD for authentication, but not vice versa, so you put yourself in a position of the Windows Active Directory server being the canonical source of authentication information for your enterprise.

    If you want to do a purely Open Directory implementation, authentication can be managed centrally using the Open Directory LDAP/Kerberos combination (and, really, just the LDAP portion can handle this). At my place, I have Windows, Linux, and Mac servers and clients authenticating against Open Directory hosted on OS X Server, as well as web applications like a wiki, databases, and WebDAV shares. Network logins are part and parcel of having users in the Open Directory LDAP directory. Just set the users’ home directories properly.

    #373988
    ingenious7
    Participant

    Sounding very similar to what we have done. We have never run a Windows Domain before, but have always used Mac OS X as the file server for our users. While most of our workstations are Mac OS X, there are a number of Windows-based computers.

    As you would know, with users logging in to many different computers, the headache of using complicated scripts to map drives and copy folders because everything is local on the Windows computers is a real headache.

    We decided to bring in Primary and Backup Domain Controllers served from Mac OS X 10.5 using Samba. Roaming Profiles have given us back a lot of control. While the initial setup may not be as friendly as Windows Server, it isn’t too hard and once you overcome the initial hurdles it runs exceptionally well, and there isn’t much of a performance loss.

    To those who are missing the Group Policy stuff – look for a small and obscure program from Microsoft called System Policy Editor. This is pretty much what you will need to use to control policies based on the registry in a Samba domain environment. It takes a bit of getting used to but is fairly simple and gives you control over most Windows settings that Group Policy does. I don’t know how familiar you are with it, but if you save your output as an NTConfig.pol file and store it under /etc/netlogon you will claw back some of that control that Windows sysadmins love.
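
An added illustration of the kind of Samba domain setup described in the post above; it is not ingenious7's configuration and not the smb.conf that Mac OS X Server generates. It assumes a stock Samba 3 NT4-style domain controller: the domain name `EXAMPLEDOM` and the profiles path are placeholders, and `/etc/netlogon` is the directory named in the post. The netlogon share is kept read-only because every domain client applies the NTConfig.pol it finds there at logon.

```ini
# Constructed example: NT4-style domain logons on Samba 3.
[global]
   workgroup = EXAMPLEDOM          ; placeholder domain name
   security = user
   domain logons = yes             ; answer Windows domain logon requests
   domain master = yes
   preferred master = yes
   os level = 65                   ; win browser elections against Windows hosts
   logon path = \\%L\profiles\%U   ; roaming profile location per user

[netlogon]
   comment = Logon scripts and system policy
   path = /etc/netlogon            ; NTConfig.pol from System Policy Editor goes here
   read only = yes                 ; clients must not be able to alter the policy file
   guest ok = no
   browseable = no

[profiles]
   comment = Roaming profiles
   path = /srv/samba/profiles      ; placeholder path
   read only = no
   create mask = 0600              ; profile files readable by their owner only
   directory mask = 0700
   browseable = no
```

Running `testparm` after editing confirms that the file parses and shows the effective settings.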

    #374042
    macdummy
    Participant

    [QUOTE][u]Quote by: ingenious7[/u][p]Sounding very similar to what we have done. We have never run a Windows Domain before, but have always used Mac OS X as the file server for our users. While most of our workstations are Mac OS X, there are a number of Windows-based computers.

    As you would know, with users logging in to many different computers, the headache of using complicated scripts to map drives and copy folders because everything is local on the Windows computers is a real headache.

    We decided to bring in Primary and Backup Domain Controllers served from Mac OS X 10.5 using Samba. Roaming Profiles have given us back a lot of control. While the initial setup may not be as friendly as Windows Server, it isn’t too hard and once you overcome the initial hurdles it runs exceptionally well, and there isn’t much of a performance loss.

    To those who are missing the Group Policy stuff – look for a small and obscure program from Microsoft called System Policy Editor. This is pretty much what you will need to use to control policies based on the registry in a Samba domain environment. It takes a bit of getting used to but is fairly simple and gives you control over most Windows settings that Group Policy does. I don’t know how familiar you are with it, but if you save your output as an NTConfig.pol file and store it under /etc/netlogon you will claw back some of that control that Windows sysadmins love.

    [/p][/QUOTE]

    I originally wanted to use roaming profiles. However, in a MacWorld session the presenter cautioned about users’ iTunes libraries and the space hog this can be. I think they also mentioned you can prevent certain things like iTunes from syncing. I think that is my next move. I experimented with this a while back but ran into some issues as our workstations are Tiger and the Server is Leopard.

    Thanks for your post.
