Questions about Extending AD Schema – Server 2008 R2 and a complicated environment

[dead2sin]

Our University is looking at extending our AD Schema so that we can manage our Macs on campus. I’ve read the white paper and watched the video, but I just had a few questions for people who currently have their AD Schema Extended:

1. Has anyone done this with Server 2008 R2 yet? Any issues?
2. What is your opinion of this setup? Does it work well? Is it equal to the magic triangle-style setup?
3. What happens when OS X Server gets updated (going from 10.5 to 10.6 for instance), do you need to update the AD Schema and how does this work?
4. Does Apple support this? Can long term support for this type of setup be counted on?
5. Are there any regrets setting it up this way? What hard lessons have been learned by doing it this way vs a Seperate OD server?

Thanks in advance,

Nate

[Mertt]

Hi Nate

I was involved in extending the schema of a 2008 R2 forest just recently

1. No technicial issues, I followed the steps whitepaper to use Microsoft’s schema analyser, The biggest issue for me was convincing the “Windows Guys” to let the “Mac Guys”
touch their schema 😉
2. Can’t really answer this one, we didnt have magic triangle set up before (Mac users were effectively on their own) – however it did save us having to buy xservs
3. I asked our Apple consultant about this, the answer was that the schema extensions didnt change from 10.5 to 10.6, however future versions may include additional functionality which may require the schema to be updated again to be taken advantage of, I imagine this would be done the same way as the current upgrade is performed
4. We made this decision based upon a reccommendation from Apple, as far as I know they will continue to support it, The 10.6.2 version of Workgroup Manager fixed a lot of error messages you would get when working with an Active Directory so it would appear they are still actively looking at it
5. Biggest annoyance would be the lack of support for computer groups which were introduced in 10.5, which means I cant say have seperate computer groups for “Lab 1” which is nested in “Block A”, which is nested in a Campus wide computer group – you need to work with the limitations of computer lists (A computer can only be in one list and a list can’t be in another computer list).

Hope this info was useful

[dead2sin]

Thanks for the great info! Its good to know they still support it.

Its ok if a computer can only be in one computer list, I guess a question I should ask then is can you apply a MCX to an AD OU? We sort all our machines into OUs and bind directly to specfic OUs.

Thanks again,

Nate

[dead2sin]

Thanks for all the useful information so far guys.

Does anyone else have any good info regarding this setup? We are trying to decide between Schema Extension and Magic Triangle, with Schema Extension making the most sense for our setup (4,000+ PCs and only 400 macs).

Thanks,

Nate

[Author]

Posts