This white paper has been broken into three parts:
- Active Directory Integration
- Centralised Mac workstation management
- Mac workstation deployment
In this first installment we are discussing how to successfully integrate Macs into Active Directory.
Centralising your directory of user credentials in Active Directory has very clear benefits. What is not so clearly documented is the range of issues establishments face when they attempt to integrate Macs for the first time.
The things to consider are:
What tool / product will you use to facilitate the Active Directory connection?
There is a range of free and commercial tools that you can use to connect with Active Directory. These include offerings such as ADMitMac from Thursby, the free Centrify Express plugin or Apple’s built-in Active Directory connector. Each has desirable features and functionality, and the choice you make here can have a huge impact after the deployment.
How will you provide personal home folders for the users?
A Mac OS X client requires a valid home folder for each user who logs in. A common pitfall is to configure the Active Directory connector to store these home folders on a central file server. Unfortunately, in practice, this type of configuration does not work well at all. At sites where we have seen this system used, the symptoms have been (to name just a few):
- Intermittent login reliability – Some users get blocked at the first step and Mac OS X refuses to grant them access to the computer, advising that the user's home directory cannot be located.
- Poor application performance – We're not just talking about video editing and graphic design programs. Most applications are affected by this issue, which typically leads to classes failing to start, crashing applications and lost student work.
- Operating system instability – In addition to application performance, the Finder, responsible for the file system navigation, is greatly hindered. Simple tasks such as opening a “save as…” dialog can cause the system to freeze, resulting in more lost time.
Other options available include local home directories with selectively synchronised data. Unfortunately, there are no established tools on the market to accomplish this, so the only real solution here is to develop UNIX scripts.
Will the users be logging on to Macs and PCs with the same accounts?
In this scenario, you need to consider that the user's home folder (depending on its configuration) may be shared by Windows operating systems. Mac OS X clients have quite a different folder structure from Windows clients, so users logging into multiple systems (which most will do) will be faced with a large number of folders populating their home directories. It will also be quite unclear where they should store their files.
So what is the Ultimate Solution?
It is true that there is no “one size fits all” solution design for education environments, but we would suggest that the following characteristics should be present:
- Network logins need to be consistent, fast and reliable
- The user's network home needs to be available on the desktop (not just the share that contains the home folder)
- Network home needs to be derived from any specified data stored in AD, not just the SMBHome attribute
- Users' files need to sync at login, during use and at logout (reliably)
- Sync failures need to be reported to the I.T. team
- When the workstations' hard drives start to fill up, the I.T. team needs to be notified as early as possible so they can take action
- The Mac OS X sub-folders need to be synced either to the Windows alternative folders or to a separate sub-folder
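
The scripted approach described above, as an added example that is not from the white paper: a POSIX shell script that turns a UNC path read from AD into an smb:// URL, syncs selected local folders into a separate sub-folder of the network home, and logs sync failures and low disk space. It assumes the network home is already mounted at the path passed in; the folder list, the `MacData` sub-folder, the log path and the 85% threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the white paper). Paths, folder list, threshold and
# log location are assumptions to adapt per site.
REPORT_LOG="${REPORT_LOG:-/var/log/homesync.log}"   # assumed log the IT team collects
SYNC_FOLDERS="Documents Desktop Pictures"           # assumed selective-sync set
DISK_WARN_PCT=85                                    # assumed alert threshold

# Record an event in the report log; syslog delivery is best-effort.
report() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" >> "$REPORT_LOG"
    logger -t homesync "$1" 2>/dev/null || true
}

# Convert a UNC path as stored in AD (\\server\share\user) to an smb:// URL.
# Fails for anything that does not start with two backslashes.
unc_to_smb_url() {
    case "$1" in
        '\\'?*) printf '%s\n' "$1" | sed -e 's|^\\\\|smb://|' -e 's|\\|/|g' ;;
        *) return 1 ;;
    esac
}

# Succeed (alert needed) when used percentage $1 has reached threshold $2.
disk_needs_alert() { [ "$1" -ge "$2" ]; }

# Used percentage of the filesystem holding path $1.
disk_used_pct() { df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'; }

# Sync the selected folders from local home $1 into a MacData sub-folder of
# the mounted network home $2, reporting every failure.
sync_home() {
    src="$1"; dest="$2"; failed=0
    if [ ! -d "$dest" ]; then
        report "FAIL $src: network home $dest is not mounted"
        return 1
    fi
    for folder in $SYNC_FOLDERS; do
        [ -d "$src/$folder" ] || continue
        mkdir -p "$dest/MacData/$folder" &&
            rsync -a "$src/$folder/" "$dest/MacData/$folder/" ||
            { report "FAIL $src/$folder: exit status $?"; failed=1; }
    done
    used=$(disk_used_pct "$src")
    if disk_needs_alert "$used" "$DISK_WARN_PCT"; then
        report "WARN local disk ${used}% full (threshold ${DISK_WARN_PCT}%)"
    fi
    return "$failed"
}
```

Calling `sync_home` from login and logout hooks and from a periodic job covers the three sync points in the list; its non-zero return value lets the caller escalate a failure.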