Forum Replies Created

Viewing 6 posts - 1 through 6 (of 6 total)
  • mcrispin
    Participant

    My pleasure —

    I suppose in order to answer properly, I am assuming that your Casper and FCSvr are directly dialing into your AD.

    So... can I assume you are not running a dual-directory at all?

    MC

    mcrispin
    Participant

    Here’s hoping my answer doesn’t sound too glib... nevertheless, with that many Macs (now they will outnumber your PCs 2:1) wouldn’t you at least want one OSX server box, if only for deployment? Heck, even an ARD task server would be nice, software update server — I can think of lots of practical uses.

    You didn’t really mention how these machines are going to be used: is it just faculty/staff, or are there labs involved? Portable Homes, Network Homes? Any ideas about Backup? Any concerns about AFP/HFS+ access? Will anyone be sharing any files? Does anyone need something like ADmitMac? Kerberized printing? DFS? VPN, blah blah blah…

    Another issue would be client management. While it is true that there are 3rd party tools to do the job, I find much on the PC side to be lacking. It doesn’t sound like you need the entire Casper suite, but the imaging side could use something like JAMF Imaging or at least DeployStudio. Surely, a nice modular deployment workflow would help immensely.

    There is also the question of available talent: do you have the time to learn and really know about OSX server? Without a sufficient talent base, I could definitely see the logic in leveraging something like LANrev, FileWave, or Centrify – or trying to do your own thing with schema extensions alone, but that is a heck of a lot of work for just one person. I find that using “built-for-Mac” solutions is much more robust, predictable, easy-to-manage and scalable *and* cheaper.

    With so many Macs there is the question of support contracts and advantageous pricing from Apple and getting the most out of AppleCare (there are plenty of programs not widely advertised). It really sounds like you need to have a sit down with your local Apple rep and see if they can get what Apple calls a “solutions architect” on the phone and hash out specifics. There is really no need for you to bear the burden of thinking about all of this alone. Yes, of course they will tell you “Triangle all the way!” (they actually have to call it “Dual-Directory” now), but you can get into the nitty gritty and suss out your level of comfort.

    Personally, I would do the Magic Triangle because it is very easy to accomplish and it gives you some flexibility on services when/if the need comes — if 2/3rds of your operation is going to OSX, it won’t take long before the mac people start asking for stuff that isn’t easily accomplished with Win boxes alone.

    It might sound counter-intuitive, but I think it is easier and wastes less time to get an OD box in the mix, even if that means learning OSX server from scratch. Doing a very similar project here with one of our more paranoid medical groups.

    Nevertheless, sounds like a good adventure for you. Good Luck!

    Michael Crispin
    Duke University

    in reply to: Network Home Folders w/ AD for Lab #377722
    mcrispin
    Participant

    We have a very similar issue here. The clear answer is the Augmented User Record process. However the problem with this is that it does not allow for automation without a decent level of scripting knowledge.

    If you get the 10.6 Directory Services Manual from the Apple Training Series, and go to pages 377-379, you will see the basic methodology. At minimum it would seem that your AD sysadmin would have to create an OU for just your subset of users to make this process practical (as opposed to trying to import the entire institution, or even worse, importing a name at a time). Another issue I’m finding is that there is no apparent way to efficiently account for changes inside the AD OU when normal add/drop occurs. Meaning, it’s unlikely the AD sysadmin is going to provide you a constant list of user changes when they occur.

    The “Passenger” application is certainly the best (if not only) solution for native OD users when you need to mass import, and Passenger does know how to handle duplicate records, but I don’t believe it has any kind of AD functionality. Passenger has been used to great effect by K-12 sysadmins for years; it does not seem as practical for college departmental needs.

    As for creating homes ahead of time, I might be off base here, but I don’t see why that would be necessary if the client is a) bound to an OD master, and b) authenticated against a Kerberos realm of which the user’s AFP home is a part (meaning, the user home template for OD-bound OSX clients comes from the server and not the client in Snow Leopard). Therefore, there are no permissions issues that I can see which would cause an issue here, but I have not tried this myself, so buyer beware. This can also be used to great effect for getting around certain application-level configuration issues which neither MCX nor preference manifests can easily solve.

    Since our population is much lower (500-700) with only about 50% turnover per year, I run a local OD Master with direct attached storage (and then mirrored via central campus Tivoli (IBM)) and use the account creation process as a kind of administrative sieve, because our area is a very power-user orientated multimedia space and is therefore not exactly open to the University as a whole. I should also mention we are a fully networked home directory environment with no mobile users (yet).

    Not any solutions here, but I hope this does some legwork for you.

    Michael Crispin
    Duke University

    in reply to: SMTP Access Failure #370935
    mcrispin
    Participant

    Thanks for your help – it was a password server corruption in OD. I have less than 60 accounts, so while a pain in the arse, I rebuilt the whole thing and all the problems went away. I suspect the corruption existed prior to the server crash in September and was pulled over in the migration. We don’t really micro-manage things like that, as you said, so the rebuild was the thing to do.

    Again, thanks for your post.

    in reply to: Tiger server upgrade – HELP ! #370679
    mcrispin
    Participant

    I am not sure how directly this is related to your request, nevertheless…

    In Leopard Server it is very important that, when using SSL, you never delete the Default cert, should you choose that your users have access to a non-SSL web service. You can create your own, but don’t overwrite the default or delete it. Hope this is helpful.

    in reply to: Mail having IO errors, tied to LDAP. At wits end. #370097
    mcrispin
    Participant

    Hi, I work with the person (esmith) who first made this post.

    We run an Intel Xeon Quad 2.0 Xserve w/ 4GB of RAM as an OD master.

    VPN users are around 20 total, but no more than 6-7 are on at any given time.

    Mail users are around 50.

    We suspect this was also a problem in the previous server configuration which was entirely PPC, however due to a lack of documentation from those who came before us (!) we can’t confirm.

    As a matter of full disclosure, VPN services were temporarily moved to a PPC box with results as described above. As a new router will soon be installed, VPN services are expected to be handled from that hardware, thus the PPC box will be eliminated from the network.

    – Thanks!
