Server for a new school

[LK LAW]

I've been tasked with setting up the entire IT for a newly founded school and I would like to use OS X Server for the sake of ease of use and because I'm already familiar with OS X server so I can deploy it rather quickly

Now as it is a new school the budget isn't really so high and I was thinking on buying a Xserve 2009 with 48GB of ram, 8core and 3TB storage this would cost us €700 which I think is a fair deal.
I could also purchase a mac mini but I'm afraid the storage won't be fast enough and 16GB of memory will not be suitable (I'm not to familiar with how to know what hardware you need).

There will be around 120 students + teachers and they'll need the following services:
- WebDav
- Internal website hosting
- Calendar Service
- Profile Manager
- LDAP for teachers
- Profile Manager
- RADIUS Server
- File Sharing
- Firewall
- ...

I hope some of you can help me with determining what hardware/software I could use

 

[DJLC]

First I'll say: Apple positions the Mac Mini as capable of supporting up to 750 clients. I think the Xserve you describe may be overkill, and you definitely take a risk using older hardware like that where parts are significantly less available.

Second, I've supported OS X Server in a school for 4 years now. Choose very carefully which services you actually want to use, because IMO OS X Server is a flaky mess. Works great today, comes crashing down without warning tomorrow. I think WebDav, hosting, calendar could all be handled by Google Apps for Education (free). Otherwise it will do fine for file sharing, LDAP, and Profile Manager. Depending on what your user device is, I'd also enable Caching. It should do fine for RADIUS, although I've never tried to use that with OS X — we had it set up on our Windows server in the past, but it seemed to me it was overkill for our environment. I'd also recommend a hardware firewall / router.

At this point, I've got Windows Server running AD for LDAP, OS X Server for Profile Manager and file sharing for legacy documents. Pretty much everything else is handled by Google Apps for Education. We have a Cisco ASA provided by the state for a firewall.

 

[LK LAW]

First I'll say: Apple positions the Mac Mini as capable of supporting up to 750 clients. I think the Xserve you describe may be overkill, and you definitely take a risk using older hardware like that where parts are significantly less available.

Second, I've supported OS X Server in a school for 4 years now. Choose very carefully which services you actually want to use, because IMO OS X Server is a flaky mess. Works great today, comes crashing down without warning tomorrow. I think WebDav, hosting, calendar could all be handled by Google Apps for Education (free). Otherwise it will do fine for file sharing, LDAP, and Profile Manager. Depending on what your user device is, I'd also enable Caching. It should do fine for RADIUS, although I've never tried to use that with OS X — we had it set up on our Windows server in the past, but it seemed to me it was overkill for our environment. I'd also recommend a hardware firewall / router.

At this point, I've got Windows Server running AD for LDAP, OS X Server for Profile Manager and file sharing for legacy documents. Pretty much everything else is handled by Google Apps for Education. We have a Cisco ASA provided by the state for a firewall.

Does a mac mini have enough I/O capabilities (like is the storage fast enough) ? How would you recommend we spec it ?

We're trying to get the google apps for education but because we're a new school it's quite hard to to get it, hope we'll have it by August though

What firewall do you recommend we'd get, I don't think the Belgian provides firewalls :')

 

[DJLC]

It depends on how much file sharing you expect to do. But I think a midrange Mac Mini with maxed RAM would be a good starting point. Maybe add a Thunderbolt RAID array if you really need space and speed. Could also add a Thunderbolt -> Gigabit Eth adapter and bond it with the built in Ethernet to score more throughput. We really don't do much file sharing in the traditional sense; most of our stuff either goes thru Google Apps or thru Canvas (the most awesome LMS I've ever seen).

Prior to the state firewall we had Cisco Meraki. A little pricey, but the ease of use is awesome and the dashboard can be very handy. You could also go with a Sonicwall or something like that; cheaper and arguably better in some ways. I'd steer clear of pure Cisco gear unless you have experience using it (I don't; but luckily the state of North Carolina is ahead with one thing: connectivity services for schools, including their managed firewall service where they do all the work for us).

Best of luck!

 

[LK LAW]

It depends on how much file sharing you expect to do. But I think a midrange Mac Mini with maxed RAM would be a good starting point. Maybe add a Thunderbolt RAID array if you really need space and speed. Could also add a Thunderbolt -> Gigabit Eth adapter and bond it with the built in Ethernet to score more throughput. We really don't do much file sharing in the traditional sense; most of our stuff either goes thru Google Apps or thru Canvas (the most awesome LMS I've ever seen).

Prior to the state firewall we had Cisco Meraki. A little pricey, but the ease of use is awesome and the dashboard can be very handy. You could also go with a Sonicwall or something like that; cheaper and arguably better in some ways. I'd steer clear of pure Cisco gear unless you have experience using it (I don't; but luckily the state of North Carolina is ahead with one thing: connectivity services for schools, including their managed firewall service where they do all the work for us).

Best of luck!

Great I'll order a mac mini with maxed out RAM !

I do have some Cisco experience from a company where I did an internship, so I think I could learn it quite quickly
The ISP does have some sort of firewall and blocks all ports except the ones I tell them to (right now the only open ports are 500 and 1701). Would the IceFloor (software) firewall be a good option or should we really use a hardware firewall ?

A lot of thanks for the help

 

[guzhogi]

I agree, a 2009 Xserve is probably a bad idea. Due to its age added to the fact that Apple doesn't make Xserves any more, it may be better to stick to a Mac Mini. Sonnet also makes a rack mount for Mac Minis (http://www.sonnettech.com/product/xmacminiserver.html). I've never used one myself, but it may be worth looking into it.

Also, Google Apps for Education is pretty good, too. We use it in my school district. It's free, plenty of services, Google Classroom works pretty well. Plus, you can set it up so that students can send/receive e-mails to/from people in your school's domain (e-mails ending in something like @myschoolstudents.org).
[doublepost=1464717661][/doublepost]

The ISP does have some sort of firewall and blocks all ports except the ones I tell them to (right now the only open ports are 500 and 1701).

Nice to know that the Enterprise can still get through. Ba dum tsss. (Sorry, had to.)

 

[hobowankenobi]

I agree, would limit any Mac Server to the fewest services possible, and look at others for wanting to approach 99.99 uptime reliability for network services (FW, NAT, RADIUS, etc.). The Mini setup with SSD and robust external TB storage is best leveraged as Profile Manager and File Server IMHO.

If it were my choice, I would be looking at a FW through a dedicated network solution. If you are looking for a low cost solution and are comfortable with building your own firewall via CLI, it is hard to beat the cost, performance, and robustness of some of the Ubiquiti gateway appliances. Be warned though, configuration is NOT for the novice or Prosumer last time I looked at it.

Oh, even if their gateway is not the right fit, look very hard at their Unifi WAPs, and compare to maybe Open Mesh as another lower cost but easy to manage enterprise wifi solution.

If you need and easy to manage GUI for perimeter security well beyond a firewall, at a manageable cost, you might look at something like Untangle.

 

[DJLC]

Great I'll order a mac mini with maxed out RAM !

I do have some Cisco experience from a company where I did an internship, so I think I could learn it quite quickly
The ISP does have some sort of firewall and blocks all ports except the ones I tell them to (right now the only open ports are 500 and 1701). Would the IceFloor (software) firewall be a good option or should we really use a hardware firewall ?

A lot of thanks for the help

I would say you definitely want a hardware router / firewall to handle not only security but also DHCP and any VLANs you might want. Again, as @hobowankenobi said, you really want to limit OS X Server to doing things that only OS X Server can do. Plus that'll make it easier to grow later. Plus if the server explodes your students / teachers will still be able to get online at the very least.

If you have the experience, go Cisco! Although I'd bet Ubiquiti is good stuff as well, and if you're going to them for wireless you might as well go with their gateway appliances too. FWIW, I would suggest something like Ubiquiti, Open Mesh, Xirrus, or Meraki for your WLAN infrastructure.

Also — just a note — if you're planning to use Profile Manager for iPads, don't. Look into something like Mosyle Manager instead (free for K-12 and our Apple reps say it's 100x better than PM, but it only works to manage iPads).

 

[LK LAW]

I would say you definitely want a hardware router / firewall to handle not only security but also DHCP and any VLANs you might want. Again, as @hobowankenobi said, you really want to limit OS X Server to doing things that only OS X Server can do. Plus that'll make it easier to grow later. Plus if the server explodes your students / teachers will still be able to get online at the very least.

If you have the experience, go Cisco! Although I'd bet Ubiquiti is good stuff as well, and if you're going to them for wireless you might as well go with their gateway appliances too. FWIW, I would suggest something like Ubiquiti, Open Mesh, Xirrus, or Meraki for your WLAN infrastructure.

Also — just a note — if you're planning to use Profile Manager for iPads, don't. Look into something like Mosyle Manager instead (free for K-12 and our Apple reps say it's 100x better than PM, but it only works to manage iPads).

I love all the ideas you guys are giving me
We will be using Google Apps as much as we can but we still didn't get access from google :'(
For the other services such as DHCP, Open Directory for the teachers laptops, profile manager (probably just the mosyle manager), RADIUS and file sharing we'll use the mac mini.

I'm a computer science student so I'm quite handy with computers and programming/configuring a bunch of stuff, so I think I can pick up cisco pretty quickly

Again I love all the help and suggestions !
[doublepost=1464770574][/doublepost]Is all this available outside of the US (the school is in brussels), I can order everything from the US (special address) but I don't think that works for services

 

[satcomer]

I love all the ideas you guys are giving me
We will be using Google Apps as much as we can but we still didn't get access from google :'(
For the other services such as DHCP, Open Directory for the teachers laptops, profile manager (probably just the mosyle manager), RADIUS and file sharing we'll use the mac mini.

I'm a computer science student so I'm quite handy with computers and programming/configuring a bunch of stuff, so I think I can pick up cisco pretty quickly

Again I love all the help and suggestions !
[doublepost=1464770574][/doublepost]Is all this available outside of the US (the school is in brussels), I can order everything from the US (special address) but I don't think that works for services

The future is smaller business and most them use Linux Servers and older Microsoft Servers! Most business are jumping go Linux Servers because of the draconian yearly fees on new Microsoft Servers! So learn Linux servers might be a better option in college!

 

[hobowankenobi]

I love all the ideas you guys are giving me
We will be using Google Apps as much as we can but we still didn't get access from google :'(
For the other services such as DHCP, Open Directory for the teachers laptops, profile manager (probably just the mosyle manager), RADIUS and file sharing we'll use the mac mini.

I'm a computer science student so I'm quite handy with computers and programming/configuring a bunch of stuff, so I think I can pick up cisco pretty quickly

Again I love all the help and suggestions !
[doublepost=1464770574][/doublepost]Is all this available outside of the US (the school is in brussels), I can order everything from the US (special address) but I don't think that works for services

I would not do DHCP, NAT, RADIUS....or anything else on an OS Server box if at all possible. If (when) it hiccups....your entire network pukes. Not worth the headache, and it will happen. What if (when) you have a hardware failure? No DHCP for.....days???

You have been warned.

FWIW, any enterprise setup will usually limit how many services run on a single box or VM. At some point you need to reboot/update/rebuild a service, and all the rest will be interrupted. Not so much a knock against OS X Server, as it is a design requirement: Make everything as robust, and independent as possible within budget constraints.

Even in the big iron shops with huge budgets, you don't see one giant MS Server running every service. It is just too risky, and causes too much down time.

At the very least, get a network appliance, so you are "only" running: File Sharing, AD, and Profile Manager on the Mini.

And for just a few bucks, you can run a second or third virtualized OS, so each OS can be a single, robust, dedicated service. Each can be rebooted/updated/rebuilt independently. Heck, I used to support a shop that ran 12 Linux VMs on a single Xserve: 1 dedicated VM for every service. And, bonus: VMs are typically much faster to clone and spin up from a backup then a native OS install. Minutes instead of hours for disaster recovery.

Worth the time to check out virtual servers, regardless of platform.

 

[DJLC]

I love all the ideas you guys are giving me
We will be using Google Apps as much as we can but we still didn't get access from google :'(
For the other services such as DHCP, Open Directory for the teachers laptops, profile manager (probably just the mosyle manager), RADIUS and file sharing we'll use the mac mini.

I'm a computer science student so I'm quite handy with computers and programming/configuring a bunch of stuff, so I think I can pick up cisco pretty quickly

Again I love all the help and suggestions !
[doublepost=1464770574][/doublepost]Is all this available outside of the US (the school is in brussels), I can order everything from the US (special address) but I don't think that works for services

Mosyle, AFAIK, is available anywhere. The company is based out of the UK IIRC. As far as gear, no clue.

Best of luck! I stumbled into this job 4 years ago as a fresh computer science dropout. Definitely an interesting niche of IT... I love the cat and mouse games with the kids; as fast as I can block something bad, they find something new for me to shut down.

 

[greenmeanie]

You could run Office 365 for some of it for free the Security drama alone is worth it.
My wife runs 150 VM's on a Data Center for a College she works at so I know a little about this.
And no way are you picking up Cisco overnight if you're talking enterprise gear.
Is this a K-12 or Higher ED School? I don't think you know what you are getting into you have to abide by CIPA,DMCA,HIPAA, Email Archiving ETC ETC. Even if it is a Private School you are not exempt from these laws.
AFAIK if you are not a accredited School System you will not get Google Apps or Office 365 for free.

 

[LK LAW]

You could run Office 365 for some of it for free the Security drama alone is worth it.
My wife runs 150 VM's on a Data Center for a College she works at so I know a little about this.
And no way are you picking up Cisco overnight if you're talking enterprise gear.
Is this a K-12 or Higher ED School? I don't think you know what you are getting into you have to abide by CIPA,DMCA,HIPAA, Email Archiving ETC ETC. Even if it is a Private School you are not exempt from these laws.
AFAIK if you are not a accredited School System you will not get Google Apps or Office 365 for free.

Belgium doesn't really have any rules for private schools
I'm a student and I'm just helping my parents out getting the basics of the ground, after that they can hire proper IT people !

 

[greenmeanie]

Might want to put where you are from when asking questions LOL.

 

[Altemose]

@LK LAW I have done a few OS X Server implementations for both schools and businesses alike and I would like to share a couple of tips. The more services that you can offload to a third party cloud solution like Microsoft Office 365 and Google Apps for Education the better. Ensuring a reliable experience across that many services stretches a school IT department thin, and furthermore there may be issues which have a domino effect. I would leave firewalls and routing up to a independent hardware solution. The cost of equipment these days is down dramatically from what it once was, and a solid router will only run you a couple of hundred bucks. In fact, Ubiquiti actually offers a very fantastic router in the sub $100 category, the EdgeRouter X and EdgeRouter Lite! If you are doing a wireless implementation then we can discuss that further, but a lot of people get a false sense that generic APs will work fine.

As for hardware, the Mini is going to be your best bet. Apple has a very strict vintage support policy, and a 2009 Xserve will NOT be serviced by Apple any longer. Furthermore, any AASPs will not service it either. While you are probably quite brilliant at computer repair, you do not want to be playing roulette with eBay parts that "worked when pulled" on a system that your school environment depends on. In today's education system, technology reliability is a must, and as a result AppleCare is a non-negotiable must.

With the advent of connectivity like USB 3.0 and Thunderbolt, you will have whatever speed you need. You can get a Thunderbolt drive enclosure or even a nice USB 3.0 model and it will suffice for File Sharing purposes. Keep in mind that your server's boot drive and configs are just as important as any user data, so ensure that you have a two-step backup procedure in place for both the server itself and the data stored on it.

OS X Server is a fantastic solution which I recommend and work on all the time. That being said, the solution is only as good as the environment that it is put in and it is imperative that you have the other hardware to support a reliable solution. A good corporate class router, enterprise class network switches, etc. are all fundamental in making this run smoothly. Throwing a seven year old server in is a bad idea simply for longevity sake, the Mini will do all that you want as long as the school pays the money to get the model that they need. I recommend getting the full 16 GB of RAM and enough external drives for backup purposes.

Once you and your team gets the ball rolling and parts ordered, if you need any help you can always PM me. I am more than happy to give you a hand over VNC or TeamViewer to get everything running smoothly for you.

 

[LK LAW]

Ok guys, so I've installed UniFi AC PRO access points through the building and they're connected to a ToughSwitch PRO.
Set up was absolutely beautiful and everything is working perfectly !

Now I need some sort of DHCP server, because the ISP only supplies 10 IP addresses, does anyone have any suggestions on what I should use ?
Hardware firewall with DHCP server or via the Mini ?

As for all the software we'll use I'll give an update in a bit, I just need the get the basic network running first

Many thanks for all the help, it's really resourceful

 

[Altemose]

Now I need some sort of DHCP server, because the ISP only supplies 10 IP addresses, does anyone have any suggestions on what I should use ?
Hardware firewall with DHCP server or via the Mini ?

Ubiquiti EdgeRouter is what I suggest.

 

[LK LAW]

Ubiquiti EdgeRouter is what I suggest.

All right I'll order that
I guess the basic one will be sufficient ?
I love their products tbh :')

 

[Altemose]

All right I'll order that
I guess the basic one will be sufficient ?
I love their products tbh :')

I have not had an issue with the EdgeRouter Lite for schools with about 200 concurrent clients. I have not tested the EdgeRouter X so I cannot comment.

 

[peroddmund]

I agree with this guy. I have been running an OS X server for our business for 4 years. In the beginning we were basically running all the services (email and everything), but after a couple of nasty crashes I gave up. Now we are just running LDAP, caching, update server, file sharing. The other stuff is running on Google Apps (until apple makes their own iCloud for work)

First I'll say: Apple positions the Mac Mini as capable of supporting up to 750 clients. I think the Xserve you describe may be overkill, and you definitely take a risk using older hardware like that where parts are significantly less available.

Second, I've supported OS X Server in a school for 4 years now. Choose very carefully which services you actually want to use, because IMO OS X Server is a flaky mess. Works great today, comes crashing down without warning tomorrow. I think WebDav, hosting, calendar could all be handled by Google Apps for Education (free). Otherwise it will do fine for file sharing, LDAP, and Profile Manager. Depending on what your user device is, I'd also enable Caching. It should do fine for RADIUS, although I've never tried to use that with OS X — we had it set up on our Windows server in the past, but it seemed to me it was overkill for our environment. I'd also recommend a hardware firewall / router.

At this point, I've got Windows Server running AD for LDAP, OS X Server for Profile Manager and file sharing for legacy documents. Pretty much everything else is handled by Google Apps for Education. We have a Cisco ASA provided by the state for a firewall.

[doublepost=1467266095][/doublepost]

Does a mac mini have enough I/O capabilities (like is the storage fast enough) ? How would you recommend we spec it ?

We're trying to get the google apps for education but because we're a new school it's quite hard to to get it, hope we'll have it by August though

What firewall do you recommend we'd get, I don't think the Belgian provides firewalls :')

When I was setting up our office I was considering using a thunderbolt RAID + 2x 10Gbe - thunderbolt adapters on the mac mini connecting it to 10Gbe switch with Gbe to each client, but thats expensive. I ended up using a USB 3 Raid and normal Gbe switch to the clients. Worked fine with File sharing but were only 10 clients.

 

[grahamperrin]

@LK LAW what will you do for home directories? FileSync – Support for portable home directories has been removed. …

Generally, aim for hardware that is likely to be compatible with OS X 10.13.

Given what's known about APFS, plus optimised storage in Sierra and the Location independent files patent: I wonder whether 2017 server-oriented software from Apple will allow iCloud-like things to be done with out reliance upon iCloud, and with more local control over privacy. But that's highly speculative.

 

[DJLC]

Ok guys, so I've installed UniFi AC PRO access points through the building and they're connected to a ToughSwitch PRO.
Set up was absolutely beautiful and everything is working perfectly !

Now I need some sort of DHCP server, because the ISP only supplies 10 IP addresses, does anyone have any suggestions on what I should use ?
Hardware firewall with DHCP server or via the Mini ?

As for all the software we'll use I'll give an update in a bit, I just need the get the basic network running first

Many thanks for all the help, it's really resourceful

Strongly suggest a hardware firewall that can handle DHCP as @Altemose said.

@LK LAW what will you do for home directories? FileSync – Support for portable home directories has been removed. …

Generally, aim for hardware that is likely to be compatible with OS X 10.13.

Given what's known about APFS, plus optimised storage in Sierra and the Location independent files patent: I wonder whether 2017 server-oriented software from Apple will allow iCloud-like things to be done with out reliance upon iCloud, and with more local control over privacy. But that's highly speculative.

Strongly suggest local-only home directories if at all possible. You'll save yourself a headache. Network homes work, but I wouldn't say they work well.

 

[Cineplex]

I've been tasked with setting up the entire IT for a newly founded school and I would like to use OS X Server for the sake of ease of use and because I'm already familiar with OS X server so I can deploy it rather quickly

Now as it is a new school the budget isn't really so high and I was thinking on buying a Xserve 2009 with 48GB of ram, 8core and 3TB storage this would cost us €700 which I think is a fair deal.
I could also purchase a mac mini but I'm afraid the storage won't be fast enough and 16GB of memory will not be suitable (I'm not to familiar with how to know what hardware you need).

There will be around 120 students + teachers and they'll need the following services:
- WebDav
- Internal website hosting
- Calendar Service
- Profile Manager
- LDAP for teachers
- Profile Manager
- RADIUS Server
- File Sharing
- Firewall
- ...

I hope some of you can help me with determining what hardware/software I could use

Like others have said...buying obsolete Xserves is not a good idea. Apple will likely drop support for the OS really soon on that, and may even kill OS X Server as well down the road. It is just not a sound investment.

As far as roaming/mobile home directories...RUN...run far far away. I have done several Open Directory installs in the last 10 years and none were flawless. When something goes wrong...everything goes wrong. Using NetBoot to manage images and reinstalls works great, though. Apple Remote Desktop is great for deploying installation packages and other small items. If I use Mac servers, I usually use OD to manage just the machines...not the users. Your phone will ring once a day with random problems from mobile home directories. It is just not worth it to me.

Buy a router and firewall. An OS X box is not great for this. If you had a rack of Xserves...one for each service...that is one thing. But one or two boxes...it never ends well in my experience. Routers, access points, and firewalls are great at what they do...no need to have a server do the tasks.

The last install I did, I bought a couple of Dell Servers (with a giant raid) and installed ExtremeZ-IP for AFP (which can support hosting the mobile home directories if you really need to go that route),print serving, & Spotlight Indexing. I used the Dells with Active Directory to do single sign-on as well. Pretty neat package, not complicated.

At the end of the day you need to think what is best for the users. It is always exciting to do a project like this, and you always have a desire to use your favorite obsolete technology. But it is usually not beneficial to the users. OS X Server seems to get worse every year and it is more like an after thought to Apple. It is not growing, if anything it is shrinking.

 

[Altemose]

OS X Server seems to get worse every year and it is more like an after thought to Apple. It is not growing, if anything it is shrinking.

I would not believe that OS X Server is shrinking. Though Apple eliminated their enterprise class hardware systems for Server, the software has been improving with each iteration. I really do like Server 5, and it is much more compact and clean compared to Windows Server, though it lacks the full features of Windows Server.