
zippyfly

macrumors regular
Original poster
Mar 22, 2008
141
0
Hi.

Why do I see a lot of OS X Server deployments using AD integration?

Why wouldn't a site just get away from AD and fully use OS X Server's Open Directory spec without having dependency on an AD server?

(I see many of these sites use Mac OS X as a primary client and just a few Windows clients, not the other way around).

Just curious what the "advantages" are, aside from perhaps inertia from a previous Windows topology.

Thanks.
 

JGruber

macrumors 6502
Feb 13, 2006
348
2
In short, Macs can join an OD or AD domain. Windows can't join an OD domain (that I'm aware of).

You would need to know more about the network config. Maybe they use the AD server for DNS and DHCP. There are many reasons.
 

foshizzle

macrumors regular
Oct 17, 2007
240
0
In short, Macs can join an OD or AD domain. Windows can't join an OD domain (that I'm aware of).

I cannot say from firsthand experience, but I believe this is false. Both can connect to the other. OD is just OpenLDAP, and AD is Microsoft's proprietary version of LDAP.
 

zippyfly

macrumors regular
Original poster
Mar 22, 2008
141
0
Hi guys - thanks for your inputs; as to the AD server doing DNS and DHCP, why wouldn't a site just migrate completely to OS X Server?

It seems puzzling to me that when the bulk of computing is done on Macs, there's really not much need to have Microsoft servers on the backend.

I guess what I am asking is, in other words, what can a Microsoft server do that OS X Server can't (especially when the clients are mostly Macs)?
 

Metatron

macrumors 6502
Jul 2, 2002
385
97
OpenDirectory in an enterprise environment is no replacement for Active Directory unless you are a Mac-only house.

Both offer great benefits for managing their respective platforms. AD has more platform-specific options, but the only logical reason I can see a Mac shop using AD is for Exchange.
 

JGruber

macrumors 6502
Feb 13, 2006
348
2
I cannot say from firsthand experience, but I believe this is false. Both can connect to the other. OD is just OpenLDAP, and AD is Microsoft's proprietary version of LDAP.

Windows can indeed connect to OD.

Thanks for that info... never knew that!

In my little server world, we use both servers, that handle each client base. Of course my Windows network consists of 1300 PCs, 8 servers. Macs are only 50 with 2 servers.
 

RedTomato

macrumors 601
Mar 4, 2005
4,161
444
.. London ..
I have more experience with Windows servers than OSX Server, but my impression is that like it or not, Windows offers more back-office and enterprise level applications / functions / utilities than OSX.

I am sure someone here will correct me soon.
 

calderone

Cancelled
Aug 28, 2009
3,743
352
I have more experience with Windows servers than OSX Server, but my impression is that like it or not, Windows offers more back-office and enterprise level applications / functions / utilities than OSX.

I am sure someone here will correct me soon.

For example?
 

nefan65

macrumors 65816
Apr 15, 2009
1,354
15
The only "Back Office" integration I'm aware of with a Windows Environment is the integration with specific MS products. Granted, there are some that are non-MS, and integrate okay. But if you look at Exchange as an example; the integration is that the user in AD can be associated with a Mailbox on Exchange. They'll also authenticate to the network/Exchange with said account.

But the same can be said for non AD environments, and using OSX, or any other LDAP network. A good example of that is Novell, and their LDAP and GroupWise. Or a Linux LDAP deployment, and say an Opensource Mail product.

I think the biggest reason for AD is that they have the market share at the moment. More businesses use AD vs. others. That doesn't mean it's better, just that there's more out there, and more to support it. I happen to think the integration of OSX LDAP and Linux is FAR superior to AD, personally. I support AD, and it's far too complex, and doesn't need to be. The tools for all their products are also fragmented greatly. Especially with Exchange 2007, and some of the newer BO products, and Windows 2003. Upgrading to the next version of Windows Server [2008] required updating schema objects, etc. Whereas with OpenLDAP you upgrade, and move on. Everything stays as it should...

My 2 cents.
 

foidulus

macrumors 6502a
Jan 15, 2007
904
1
Windows can indeed connect to OD.

Yes and no, what actually happens is that Apple did a lot of the legwork in integrating the LDAP (OD) database into the Samba database. Windows is really connecting to the Samba, not the OD, but for the most part that's pretty much invisible to the user.
 

bartzilla

macrumors 6502a
Aug 11, 2008
540
0
Hi guys - thanks for your inputs; as to the AD server doing DNS and DHCP, why wouldn't a site just migrate completely to OS X Server?

Possibly the sysadmin has worked with Mac OSX server before and therefore knows what a bad idea that is.

While there are some great parts to Mac OSX server, OD, etc, it's by no means as mature and comprehensive as the alternatives, yes including windows server/AD.
 

RedTomato

macrumors 601
Mar 4, 2005
4,161
444
.. London ..
While there are some great parts to Mac OSX server, OD, etc, it's by no means as mature and comprehensive as the alternatives, yes including windows server/AD.

Agree. I would love it if the Windows Server systems I work with were more like OSX, and while I happily use my MacBook to fix network issues, the fact remains that server deployments of 1000+ Macs are extremely rare. I know of Apple itself, and a few universities, and that's it. I'm sure there's a few more but not many.

Whereas with Windows and the various UNIX flavours, enterprise / multi-national level deployments are extremely common, so the code's been tested a lot, there's many experts, gurus, consultancies and guides out there, the code's battle tested (irrespective of whether it's actually any good or not).

I'd probably go for OSX server for a small company, just to see what it was like, and I'm sure it'd work well but I don't know about larger companies.
 

JGruber

macrumors 6502
Feb 13, 2006
348
2
At my school, we actually use both.

We have all of our staff computers, and student computers on a Windows/AD network, and we are talking about 1300+ PCs, and 8 Servers.

We also have a Mac lab, with 50 iMacs, and 3 OS X Servers.

Of course our Windows network handles all the DNS/DHCP services for all computers connected to our network, PCs and Macs. Our Mac servers handle all the login and file sharing for all the Macs on campus.

Working in a mixed mode network has its problems, but for the 4+ years we have had our Mac lab up and running, we have had few problems.

I guess the thing to do is find out what works for you. Some people are just die-hard Windows for AD, and some are not.
 

Les Kern

macrumors 68040
Apr 26, 2002
3,063
76
Alabama
.... the fact remains that server deployments of 1000+ Macs are extremely rare. I know of Apple itself, and a few universities, and that's it. I'm sure there's a few more but not many.

Nah,
I have 1,200 Macs on two campuses, 25 PCs and 27 XServes using Open Directory and 4 PC servers. The only issues I have at ALL are some HP POE-AP units making logins slow (but that's solved now).
Also, most every school in this area are Mac but for one or two districts. One went with Citrix so you know that there isn't a whole lot of creative work going on there. South of me there's one with 1,000, and my hometown district has about 1,000 total. Heck, it's a no-brainer... TCO analysis from a capable brain demands Macs.
I had an AD server for 25 PCs and it took more time and resources to tweak that than the Mac setup combined.
As for "Windows offers more back-office and enterprise level applications / functions / utilities than OSX" I can't totally disagree with that. What I DID see was 1,219,990 different settings that could be done on the WIN box, of which any normal person might use a few dozen. I'm not in this to impress with my director skills... we need computers to work, work all the time, remain secure, and not impede creativity. And that's exactly what AD doesn't do. That AD box now serves up Anti-Virus Enterprise for my handful of HP desktops.
 

DeepIn2U

macrumors G5
May 30, 2002
13,051
6,984
Toronto, Ontario, Canada
What about scalability over a global domain? It's very complex but over larger and multiple forests it seems to do very well. Still have to learn a lot though.

To the thread starter: where, as in what business, are you seeing this primary server setup?


The only "Back Office" integration I'm aware of with a Windows Environment is the integration with specific MS products. Granted, there are some that are non-MS, and integrate okay. But if you look at Exchange as an example; the integration is that the user in AD can be associated with a Mailbox on Exchange. They'll also authenticate to the network/Exchange with said account.

But the same can be said for non AD environments, and using OSX, or any other LDAP network. A good example of that is Novell, and their LDAP and GroupWise. Or a Linux LDAP deployment, and say an Opensource Mail product.

I think the biggest reason for AD is that they have the market share at the moment. More businesses use AD vs. others. That doesn't mean it's better, just that there's more out there, and more to support it. I happen to think the integration of OSX LDAP and Linux is FAR superior to AD, personally. I support AD, and it's far too complex, and doesn't need to be. The tools for all their products are also fragmented greatly. Especially with Exchange 2007, and some of the newer BO products, and Windows 2003. Upgrading to the next version of Windows Server [2008] required updating schema objects, etc. Whereas with OpenLDAP you upgrade, and move on. Everything stays as it should...

My 2 cents.
 

bartzilla

macrumors 6502a
Aug 11, 2008
540
0
Nah,
I have 1,200 Macs on two campuses, 25 PCs and 27 XServes using Open Directory and 4 PC servers. The only issues I have at ALL are some HP POE-AP units making logins slow (but that's solved now).
Also, most every school in this area are Mac but for one or two districts. One went with Citrix so you know that there isn't a whole lot of creative work going on there. South of me there's one with 1,000, and my hometown district has about 1,000 total. Heck, it's a no-brainer... TCO analysis from a capable brain demands Macs.
I had an AD server for 25 PCs and it took more time and resources to tweak that than the Mac setup combined.
As for "Windows offers more back-office and enterprise level applications / functions / utilities than OSX" I can't totally disagree with that. What I DID see was 1,219,990 different settings that could be done on the WIN box, of which any normal person might use a few dozen. I'm not in this to impress with my director skills... we need computers to work, work all the time, remain secure, and not impede creativity. And that's exactly what AD doesn't do. That AD box now serves up Anti-Virus Enterprise for my handful of HP desktops.


I had an AD server for 25 PCs and it took more time and resources to tweak that than the Mac setup combined.

Without wishing to be rude, AD doesn't cause me or anyone else I know that much trouble, neither does OD. Your problems with AD - could it simply be that you're not very familiar with it?
 

Les Kern

macrumors 68040
Apr 26, 2002
3,063
76
Alabama
Your problems with AD - could it simply be that you're not very familiar with it?


I can agree to that... there was some time spent learning the GUI and truth be told I am no AD expert! But one HAS to admit it's perhaps the least intuitive interface in history. Here's one example, and please tell me if I missed something: On OD if I want to have an icon on the desktop, a link to a server on the Dock or an application icon placed somewhere else, it was literally one mouse click to accomplish this. On AD there is no one-click solution? To me it's the TIME... I have little, and I hate bloat-ware.
 

bartzilla

macrumors 6502a
Aug 11, 2008
540
0
I can agree to that... there was some time spent learning the GUI and truth be told I am no AD expert! But one HAS to admit it's perhaps the least intuitive interface in history. Here's one example, and please tell me if I missed something: On OD if I want to have an icon on the desktop, a link to a server on the Dock or an application icon placed somewhere else, it was literally one mouse click to accomplish this. On AD there is no one-click solution? To me it's the TIME... I have little, and I hate bloat-ware.

Hmmm.. And how many mouse clicks did it take you to get to the "one mouse click" in OD? This is the familiarity issue right here isn't it? You have to authenticate to OD, open the group of machines or users whose dock preferences you want to tweak - bit more than one click methinks.

Having said that...
AD isn't the easiest thing in the world to get to grips with. I think it's far more powerful than OD but it is also considerably more work. To install an app, for example, you just publish its installer to the machines or users you want to have it, and it will take care of placing the shortcuts as part of the install. Not exactly one click... but not really that difficult once you know AD...

I think in both cases you have to understand the philosophy of the product as well as having knowledge of the interface before you can even hope to make sense of what is going on. I've seen a lot of Windows admins come unstuck on a Mac (and a few going the other way), not because they can't understand the interface (we can all read & use help/google, right?) but because they don't take the time to understand the underlying approach behind the tool.

I think knowing both makes you a better sysadmin too (which is why I made the effort to learn about Apple stuff coming from a Microsoft background as I did). On the server part of my ACSA courses I was talking to the instructor about something he thought was a big problem with OD, and which I hadn't realised was a problem at all because the solution had been carefully documented and planned and I had carried it out dozens of times when the exact same issue occurred in Windows AD & NT4 domains. I honestly thought he was going to break down and cry when I explained the solution and how easy it was...
 