[chake]

Hello im rather new to the world of mac servers. I'm a network admin for a rather large school district. We got a huge grant and might be looking at purchasing 500 thousand dollars in mac laptops.

We are a windows environment and the apple rep is coming tomorrow to demo mac server for us. what kind of stuff should i be looking at as far as mgmt of these laptops with an osx server. i know open dir and active dir are somewhat compatible. all our network shares, home dir, and what not are done with DFS on the windows side. my understanding is macs cant use dfs. i assume i can just use the unc path. any advice on what to have him show or tell me would help out greatly?

[zwiebel_]

You may want to look into Comparing ADmitMac with Apple's Mac OS X 10.4 (Tiger) in regards to DFS support.

On the other hand, read this PDF to get some practical insight in OS X server configurations in school enviroments.

[chake]

zwiebel_ thanks for the pdf. i will look it over tonight.

[besson3c]

Originally Posted by chake 

Hello im rather new to the world of mac servers. I'm a network admin for a rather large school district. We got a huge grant and might be looking at purchasing 500 thousand dollars in mac laptops.

We are a windows environment and the apple rep is coming tomorrow to demo mac server for us. what kind of stuff should i be looking at as far as mgmt of these laptops with an osx server. i know open dir and active dir are somewhat compatible. all our network shares, home dir, and what not are done with DFS on the windows side. my understanding is macs cant use dfs. i assume i can just use the unc path. any advice on what to have him show or tell me would help out greatly?

If you are a Windows environment and are tethered to Active Directory, I probably wouldn't recommend getting a Mac server at all.

Active Directory is just an LDAP implementation with a few Microsoft touches that make it slightly different than the standard, but not being open there are a lot of administrative tools that are only available for Windows.

If you are looking to replace your Microsoft servers with OpenLDAP, doing cool things like Kerberos authentication to your Mac server after authorizing the account in Active Directory, or authentication to anything other than Active Directory last I checked won't be possible, as Windows doesn't support this. My information here might be slightly incorrect or out-of-date though, and I'm not sure what Vista might change.

If you are looking for a Mac server to co-exist with Active Directory, all the Mac will be able to do is read the LDAP information from Active Directory, but I believe Apple still recommends authenticating the Macs to the OS X Server machine. The problem with this is, like I said, you can't do things such as create Active Directory groups in OS X - these tools don't exist.

The Macs can authenticate to Active Directory just fine. I personally would leave your Active Directory setup alone and just authenticate directly to it w/o a Mac server. Otherwise, you could replace the Active Directory setup with a fair amount of work, and possibly encountering roadblocks with the Windows machines.



What else were you hoping for this server to do?

[olePigeon]

Without the OS X server attached to the AD Windows server, you're going to run into password problems on the Macs. If you have auto-expire passwords for your AD clients, the Macs will mess up. It's a nightmare, especially with Keychain access.

To avoid the #1 headache with Macs on an Active Directory network, ask the Apple guys about password issues, especially the afore mentioned.

Other than that, they should work great.

Also, what client management system are you using? Altiris? Norton? Because LanDesk (formally Intel) works directly with Apple's built in client management system (Apple Software Restore) and can manage Windows, Linux, UNIX, and OS X Clients for imaging, remote desktop, license management, and software patch management. If you're already using Altiris, LanDesk can use Altiris disk images PXE settings. Altiris and Norton are Windows only.

Also, check this out: Official Google Mac Blog: Taming Mac OS X File Systems

This is rather recent. Macs, by default, can read NTFS partitions, but can't write to them. This is a relatively new port of a kernel extension that gives OS X the ability to read and write to NTFS (as well as many other file systems outside of HFS, FAT12/16/32, etc.)

Also, if you're getting Macs, the following website is a must for any IT:

Mike's Mac OS X Management Software and Tips: Home

This guy is a freakin' genius and his utilities make your life a lot easier for Macs in IT. He also covers advanced topics on integrating Macs into Active Directory.

[chake]

We are going to use the osx server to manage the mac laptops, permissions and what not. i assume that if i dont have an osx server then i cant manager user permissions on the laptops with out physically touching every laptop correct?

We just spent 30k and got landesk in the process of putting it on the pcs. that means i wont need to buy remote desktop for the mac correct since lan desk can interface with it?

[besson3c]

Originally Posted by chake 

We are going to use the osx server to manage the mac laptops, permissions and what not. i assume that if i dont have an osx server then i cant manager user permissions on the laptops with out physically touching every laptop correct?

You can do this via Remote Desktop

We just spent 30k and got landesk in the process of putting it on the pcs. that means i wont need to buy remote desktop for the mac correct since lan desk can interface with it?

Never heard of Landesk, I'm assuming it is some VNC based solution for classrooms?

[besson3c]

OH wait, if by permissions you mean capabilities, this would simply be about coming up with a single image for all the machines, and coming up with a way to deploy this image.

Such options include:

- NetInstall (install/update the image over the network)
- NetBoot (run the student's home directories off the server)
- Manual deployment

Technically, you don't need OS X Server to provide a NetBoot server (I don't think), but even in our university environment we haven't had the bandwidth and resources to justify netboot, so we've gone with NetInstall, which does not require OS X Server.

[besson3c]

THe other problem with something like NetBoot in addition to performance is reliance on the network being up. If the server is down and you don't have an immediate backup, the computers are rendered useless.

[BLAZE_MkIV]

In OS X Server when you create user acounts you can control what applications they can launch, preferences they can change etc. There is no account managment on the individual machines.

[olePigeon]

Originally Posted by chake 

We are going to use the osx server to manage the mac laptops, permissions and what not. i assume that if i dont have an osx server then i cant manager user permissions on the laptops with out physically touching every laptop correct?

You'd definately want an XServe for managing the Mac laptops. Imaging/ghosting is a snap in OS X because you don't need to worry about driver sets or boot partitions like on Windows. As I mentioned before, check out Mike's Mac OS X Management Software and Tips: Home for imaging. He has the best solution for imaging outside of using client management software like Altiris or Landesk. I don't know if you'd need his software or not with Landesk, but it's worth a look anyway.

Windows Policies and UNIX Permissions don't convert very well. OS X clients do their best, but it's hit and miss. With OS X server as a gateway, you'll have more control over the conversion of the policies to permissions. However, there're products for OS X that are geared specifically for converting Group Policies to UNIX Permissions, and vice versa. Centrify's DirectControl looks to be a good option. Even directly addresses the password issues I mentioned before in their features. I think they offer a demo, so it'd be worth checking out.

Originally Posted by chake 

We just spent 30k and got landesk in the process of putting it on the pcs. that means i wont need to buy remote desktop for the mac correct since lan desk can interface with it?

Yes it can. OS X has a built in VNC and Landesk can utilize that.