Mac OS X Server v10.6, Pros and Cons? Can we get rid of Windows Servers?

J32P

Hi,

I've recently been hearing about Mac OS X Server v10.6. I have a co-worker stating we should get rid of all Windows Servers (everyone wants off of AD anyway) and go with servers running this. I'm new to Mac OS X Server v10.6 so I haven't yelled out, "that's a stupid idea", yet, but it sounds that way to me.

Does anyone have experience with it and does it compare to Windows Server 2008?

I'm kinda new to server OSes, so I'm just mainly trying to learn if it can even compete with the Windows platform. Maybe it is a good idea to go the Apple route since I'm hearing licensing is cheaper too.
 
Why do you want to get rid of active directory?

QFT, exactly.

Apple ABSOLUTELY SUCKS at enterprise-anything. iPhone, Mac, you name it: enterprise sucks. There's a reason why Microsoft is king in the market (heck, they have even continued to take share away from *nix distros when it comes to servers).


Only thing I'd ever evaluate using an Apple product with is for personal use.


That said, if you've got a predominantly Mac install base, you might have an advantage there... But still, for control over any kind of a business network: Windows is king.
 
What do your client systems use for an operating system?

Everything, but right now, Windows still rules 55-45, but Mac is supposedly/expected to make a strong rise.

Why do you want to get rid of active directory?
Everyone hates it. Staff want control over their OS (I say give people VDIs off of a Win server). We always feel like our systems are behind the people we support because ours are locked down and theirs (student/client) are more up to date.

Example_1: We have IE-7 on our AD machines, most people needing IT support have IE-8 (makes it very hard to support).
Example_2: We have XP on our AD machines, most users are either on Macs running 10.5.8 or higher or Windows Vista, with a smaller amount on XP.


To be honest, a few of us have preemptively made the jump to Windows 7 Enterprise or Ultimate just to stay in the game. So now, everyone that matters wants the same.

Here's a somewhat accurate depiction of our network

 
You will have even more issues if you move away from AD. You will be replacing one problem with another.
 
We always feel like our systems are behind the people we support because ours are locked down and theirs (student/client) are more up to date.

So you're knowingly decreasing the security of your systems in order to make things "easier". Welcome to the Apple mantra.

Here's what I'd do. Keep the Windows backbone (servers). Obviously, assign server resources restricted.

Then (since you want to make things "easier") just lessen control over the workstations. Just give everyone Administrator control over their own machines.

Only thing that'd really be locked down would be server resources (shares, applications, etc) which is what AD is great for. End result is both Windows and Mac people have control over their local computer, and the server resources are still secured.
 
I hate OS X Server with a great feeling when it comes to enterprise apps.

It falls short on every single feature.

I use Tiger on the server though.
 
So you're knowingly decreasing the security of your systems in order to make things "easier". Welcome to the Apple mantra.

Here's what I'd do. Keep the Windows backbone (servers). Obviously, assign server resources restricted.

Then (since you want to make things "easier") just lessen control over the workstations. Just give everyone Administrator control over their own machines.

Only thing that'd really be locked down would be server resources (shares, applications, etc) which is what AD is great for. End result is both Windows and Mac people have control over their local computer, and the server resources are still secured.

What he said. You can also deploy WSUS on the Windows server and get it to force updates down like IE8. Windows 7 will work fine in an AD environment.
 
Okay, sounds like you're trying to rearchitect your network. I think maybe you need a meeting or three before you can make an informed decision.
 
Okay, sounds like you're trying to rearchitect your network. I think maybe you need a meeting or three before you can make an informed decision.

Not really. The question came up and I'm trying to become more informed on the topic. No meetings necessary for this process.

I'm also against using Macs for anything more than looking pretty so I don't believe you're correct. What I am doing though is trying to get a general consensus on whether or not the Apple Server OS can even compete at all (more than some guy's outburst/dream).

Because, as my first post stated, I'm new to this sorta conversation.
 
Are you on the I.T. Staff? Is the co-worker who suggested moving to Apple servers on the I.T. Staff?

Moving away from AD, for whatever reason, would involve rearchitecting the network, like it or not.
 
Are you on the I.T. Staff? Is the co-worker who suggested moving to Apple servers on the I.T. Staff?

Moving away from AD, for whatever reason, would involve rearchitecting the network, like it or not.

Yes, we both are. But I don't make decisions so therefore my question was only hypothetical at best. I apologize, I must have not explained myself well enough.
 
Not really. The question came up and I'm trying to become more informed on the topic. No meetings necessary for this process.

I'm also against using Macs for anything more than looking pretty so I don't believe you're correct. What I am doing though is trying to get a general consensus on whether or not the Apple Server OS can even compete at all (more than some guy's outburst/dream).

Because, as my first post stated, I'm new to this sorta conversation.

Does it offer any advantages? No. It has some Mac-specific stuff, but like I've said: Windows is king.
Considering Macs can use the AD credentials, the majority of machines are Windows, and the servers in place are already paid for and running... It makes absolutely no sense to change what you're doing.
 
Yes, we both are. But I don't make decisions so therefore my question was only hypothetical at best. I apologize, I must have not explained myself well enough.

It just sounds like people in your office don't like the IT bureaucracy. The average user just SHOULDN'T be doing updates and stuff to their machine willy nilly. As far as AD, that's a LOT of work to set up and replacing it isn't easy in a big environment.

I guess I don't really see what people are thinking they are going to get with OS X servers other than less centralized control, which really has nothing to do per se with the servers.
 
OS X server is exactly like Mac. Just leave it like that for the decision-makers. Yea, it has some nice features that work in the proprietary Apple environment. But you deal with all the rest of the PITA you have with Macs, terrible terrible management capabilities, terrible security, etc, etc.

Microsoft knows this stuff a lot better than Apple ever will.

Kind of like a one step forward three steps back kind of thing.
 
Getting rid of AD would be a huge mistake. Decentralization of your IT infrastructure is going in the wrong direction. Allowing people to install whatever they want will result in more work for you and more down time for them when they install some viruses.

I work for a university and over the past two years we have gone from 100% decentralized to about 95% centralized. Sure people complain, but it's our job to protect them, and make sure they can do their job.

It sounds like you do a lot of front lines helpdesk work where you have to support students but don't really have any control over their systems per se. I don't know how structured your environment is but if your staff users want upgrades, pass it along to your higher ups. I would be highly surprised if they are not already looking at and planning for Windows 7 as most everyone skipped Vista. I have been planning our Windows 7 deployment strategies for months now and I am only probably halfway done writing all the scripts and docs. A lot of work goes into making large scale deployments go smoothly. Changes in IT are slow.
 
I work for a university and over the past two years we have gone from 100% decentralized to about 95% centralized. Sure people complain, but it's our job to protect them, and make sure they can do their job.

I can't imagine taking control away from users when I worked at the university - shit, the head of the department was giving control of routers to his damned grad students until we put our foot down. It might be different if you're working with public labs or a non-technical department but in the research-driven EE/CE department I was in pulling that would never fly.
 
Getting rid of AD would be a huge mistake. Decentralization of your IT infrastructure is going in the wrong direction. Allowing people to install whatever they want will result in more work for you and more down time for them when they install some viruses.

I work for a university and over the past two years we have gone from 100% decentralized to about 95% centralized. Sure people complain, but it's our job to protect them, and make sure they can do their job.

It sounds like you do a lot of front lines helpdesk work where you have to support students but don't really have any control over their systems per se. I don't know how structured your environment is but if your staff users want upgrades, pass it along to your higher ups. I would be highly surprised if they are not already looking at and planning for Windows 7 as most everyone skipped Vista. I have been planning our Windows 7 deployment strategies for months now and I am only probably halfway done writing all the scripts and docs. A lot of work goes into making large scale deployments go smoothly. Changes in IT are slow.

I agree with centralization, in fact I specialize in virtualization mostly for just that factor alone. If all the computing is done on just a select number of machines it's easier to manage.

Perhaps they're complaining about Roaming Profiles being slow, or network logins being slow, but AD really is a great resource.
Going to OSX server is a bad move imo, even with such a large base of Mac machines on the network.
 
I can't imagine taking control away from users when I worked at the university - shit, the head of the department was giving control of routers to his damned grad students until we put our foot down. It might be different if you're working with public labs or a non-technical department but in the research-driven EE/CE department I was in pulling that would never fly.

We have a lot of research groups in our department as well, for them if they need their own network they get a locked down VLAN where they can do whatever they want, but nothing gets out. If they need to install things we give them a window in which they can install and configure their software, once they are done the accounts are disabled. A LOT of initial bitching but once they got used to it they were fine.
 
I mentioned VDIs earlier hoping someone might comment on it. Is giving users VDIs not a good alternative to an AD account? We could roll out the initial preconfigured image, then they could do with them as they please until they're trashed, then they get a new image.

Seems like a good alternative to me. Am I missing something?
 
For a user base of your size, a VDI infrastructure like that would cost, big time (but I am no expert on the subject). And in effect it is no different than what you have now, instead of the OS being on the machine it is on the server. You would still want AD, probably even more so with the ability to use your "desktop" anywhere. Just think about user data, using VDI makes having roaming profiles or folder redirection even more important than before. The ability to easily rebuild a desktop is added but if you use any management software like ConfigMgr or Landesk you in effect already have this ability, it's just slower.

Even if you wanted to give everyone admin access, allowing them to install everything that they wanted (very bad idea), you would still want to use AD as it does way more than just lock down the user.
 
I mentioned VDIs earlier hoping someone might comment on it. Is giving users VDIs not a good alternative to an AD account? We could roll out the initial preconfigured image, then they could do with them as they please until they're trashed, then they get a new image.

Seems like a good alternative to me. Am I missing something?

Or a terminal server farm, when someone trashes their profile, just make a new one and drop in their documents/favorites.
 
Here is a quick lesson for you.

I work in a 90%+ Mac environment, we have a Mac server (10.4, old I know) and 2 Windows servers.

Giving users control over anything system level is a mistake. When I started in my role, pretty much all staff on site had the local admin password, I was contracted to work a 20 hour week and frequently found myself overworked, or exceeding my weekly hours.

There was a policy change at some stage and staff were no longer allowed to know the admin password.

This actually increased my workload for a brief period of time, and while we still have the odd problem due to users not having admin passwords, in general my workload has dropped off significantly.

As far as AD is concerned, having a server for authentication is critical, the last thing you want to be doing is creating a local user account for every machine you install, unless you are on a small network (5 users) this is not a practical way to go at all. OS X Server has something similar but AD is probably the best, and OS X integrates itself with AD quite well, so there is no reason not to use AD.

And finally, cost wise, Windows servers are a lot cheaper.
 
Mac servers are honestly a joke. I know it sounds harsh, but they are overpriced, less powerful, and they don't have anything that enterprises need. Active Directory is a godsend and there really is nothing that comes close to it.
 
The environment I work in is 50% Windows and 50% Mac OS X. We have Windows, Mac and Linux servers. Our Mac server we use for imaging, but that's pretty much it.

If you went with a Mac OS X server, what would you be going with? Open Directory? Good luck with that. OD is good (at least compared to many open-source directory services solutions), but AD is just so much better. And it isn't a pain in the ass to bind a Mac to an AD network. Binding a PC to an OD network, on the other hand...

Or do you want to abandon directory services entirely (big mistake)? In that case, why in the heck wouldn't you just disable AD... no sense in switching over to a Mac server unless there's a very specific reason why you need one, IMO.

Like others have said above me, AD is king.

Example_1: We have IE-7 on our AD machines, most people needing IT support have IE-8 (makes it very hard to support).
Example_2: We have XP on our AD machines, most users are either on Macs running 10.5.8 or higher or Windows Vista, with a smaller amount on XP.


To be honest, a few of us have preemptively made the jump to Windows 7 Enterprise or Ultimate just to stay in the game. So now, everyone that matters wants the same.

OK. Why not just update your AD machines? It's not that hard. Took my organization running AD less than a month to migrate from IE7 to IE8, testing included. And now we're doing Windows 7 testing (sounds like we're shooting for a July 2010 migration date).
 
To me, they obviously don't care about locking the individual workstations down. He's mentioned it several times...
So just unlock EVERYONE. Both PCs and Macs. Solves your problem right there, with minimal effort.

This actually increased my workload for a brief period of time, and while we still have the odd problem due to users not having admin passwords, in general my workload has dropped off significantly.
I've got some apps that unfortunately require admin permissions... It's really a PITA.

So I'm not sure if he'd be good with doing that or not.

Obviously, though, Macs won't play with GPOs like PCs will. So regardless of what you do, you're limited in how much you can actually control things.
 
So just unlock EVERYONE. Both PCs and Macs. Solves your problem right there, with minimal effort.


lol this will NOT solve his problem, after a week or two malware and viruses will run rampant in every machine and continue to spread. I've worked at many companies that allowed end users to run as admins and I was reimaging computers left and right, tons of people lost their profiles and important documents when things were being stored locally, it was a nightmare... things like this pushed me to thrive on 100% centralized computing.
 
lol this will NOT solve his problem, after a week or two malware and viruses will run rampant in every machine and continue to spread.
Only if you give user Bob, Administrator permission on every machine on the network. I'm not suggesting that.
 