Can Snow Server replace Microsoft's Active Directory/Domain?




deepdark
Aug 22, 2010, 09:56 AM
I want to know about this issue: is it possible to replace Microsoft's Active Directory/domain with Snow Server?

thanks..



Les Kern
Aug 22, 2010, 11:47 AM
Yes, No, Maybe.
Not enough information, so you may not get many answers.

hmmfe
Aug 22, 2010, 11:59 AM
Rule of Thumb answer: If you have mostly OS X clients and a few Windows clients, then yes. If you have mostly Windows clients and a few OS X clients then kinda yes - but you definitely shouldn't.

AD support is there for compatibility reasons and not for replacement.

deepdark
Aug 22, 2010, 03:56 PM
So here is the situation...

I have one Mac mini with Snow Server and around 60 PCs with Windows OS, so I don't want to implement a Windows server because I want to stay on OS X Server. So I want to control users and some restrictions on the PCs. Can OS X Server do this?

thanks...

Eric-PTEK
Aug 22, 2010, 04:03 PM
So here is the situation...

I have one Mac mini with Snow Server and around 60 PCs with Windows OS, so I don't want to implement a Windows server because I want to stay on OS X Server. So I want to control users and some restrictions on the PCs. Can OS X Server do this?

thanks...

No.

How are you going to manage 60 machines without active directory?

Who is going to manage updates?
Password policies?
Login policies?
File share access restrictions?
Data backup?

I could go on and on.

A lot of people don't like MS but their server software, management tools, and that are second to none.

The additional cost of managing those machines manually would be more than your salary.

Peace
Aug 22, 2010, 04:05 PM
No.

How are you going to manage 60 machines without active directory?

Who is going to manage updates?
Password policies?
Login policies?
File share access restrictions?
Data backup?

I could go on and on.

A lot of people don't like MS but their server software, management tools, and that are second to none.

The additional cost of managing those machines manually would be more than your salary.

Have you played with Windows Home Server Beta?

deepdark
Aug 22, 2010, 04:11 PM
So I must pay for Server 2008 to implement Active Directory... I found some other free open source solutions like Samba4 and Apache Directory Studio, but I don't know if these solutions will succeed...

Eric-PTEK
Aug 22, 2010, 04:13 PM
Have you played with Windows Home Server Beta?

Not the new one but I've worked a little with the old one. It is still not a true business solution.

Windows servers are not about file sharing, if all you wanted was a simple file share, buy a NAS or a cheapo Linux box with a bunch of space, or as you mention WHS.

AD is about management of an IT infrastructure. A properly set up AD environment (and not many are set up correctly) will reduce costs massively in managing a larger infrastructure.

60 machines is a huge number to manage. When you start to look at compliance and legal requirements that are becoming the norm today you need a management tool, and a good one.

Massachusetts passed a law that became effective on March 10th. Business owners that manage people's personal information not only have to encrypt the data but they also are required to keep their infrastructure up to date.

Security updates, security policies, antivirus updates, all of those things the business owner now must keep record of in case of a breach.

A solid AD setup makes those kinds of things a breeze. The server manages the updates, makes sure all the machines are compliant, makes sure users don't do what they are not supposed to do, etc.

Look at something as simple as WSUS (Windows Server Update Services) on a domain controller. He has 60 machines and a 35mb patch is released. Imagine 60 machines in a business all trying to download the same patch at the same time.

Now what if that business was on a VoIP system? Traffic havoc.

WSUS gets the update once, disperses it to all the machines, overnight with WOL if you want, then reports back if any failed. No users telling it not to do the update, no checking 60 machines to make sure they were all done, etc.

There are 20 situations like that in a company with 60 computers.

Eric-PTEK
Aug 22, 2010, 04:17 PM
So I must pay for Server 2008 to implement Active Directory... I found some other free open source solutions like Samba4 and Apache Directory Studio, but I don't know if these solutions will succeed...

See above...yes.

A company with 60 computers the cost to implement AD is nothing compared to the management cost.

Of course if you're looking for someone to consult and help out with implementation I might know someone who does it :)

Seriously if Apple offered a comparable alternative, sure...this may sound extreme but any solution besides AD in an environment that large borders on negligent.

If your job is to support the system then you need to do what will best serve the company and its employees.

If you haven't figured it out this is what I do for a living. AD will pay for itself in under a year with your size company.

PM me if you'd like some pointers (free).

Third party solutions are IMO, useless. So you save 10K implementing a 'free' solution, the first time that 'free' solution takes down 30 PCs and suddenly you find out the answers you're looking for to fix it are non-existent, you'll blow through 30K in labor and downtime easily.

Focusing on TCO (total cost of ownership) and ROI (return on investment) will put AD right at the top. You'll be amazed how much easier it is to manage things with AD.

BTW, with 60 users you will probably want more than 1 server too, that many machines I'd want a backup DC or at least a smaller box with backup DNS/DHCP on it.

Depending on what you do with those 60 PCs and where they are in their product life cycle, Remote Desktop Services aka Terminal Services might be something to look into. The electrical savings alone would pay for the hardware in a year.

thejadedmonkey
Aug 22, 2010, 04:27 PM
So here is the situation...

I have one Mac mini with Snow Server and around 60 PCs with Windows OS, so I don't want to implement a Windows server because I want to stay on OS X Server. So I want to control users and some restrictions on the PCs. Can OS X Server do this?

thanks...

If you want to use Snow Leopard Server, then you should look into replacing the 60 PCs with iMacs. There's no reason in hell that you would want to use a server OS that wasn't designed with the client OS in mind; be it a Linux server with Windows clients or an OS server with Linux clients.

Also, if you're just trying to avoid paying the premium for a Windows Server license, forget about it. Any software premium you spend will save you in headaches later down the road.

deepdark
Aug 22, 2010, 04:55 PM
Thanks to all of you for this kind help. My situation is a little strange: right now I am a consultant and manager in a State University with 14.000 students and 1000 staff, so I must see prices from Microsoft for this kind of server, and if it is too much I must find a solution with open source alternatives.

balamw
Aug 22, 2010, 05:15 PM
Just to echo what thejadedmonkey said. Match the client and server technologies where possible.

If you want to keep the 60 Windows based clients, you should be looking at Windows Server solutions (i.e. Windows Server/Active Directory). When looking at costs don't forget though that on top of the server license, you need CALs for each of the machines.

If you want to keep the Mac server, consider switching most if not all the clients to OS X (Mac mini, iMac, ...).

If you are seriously considering an OSS solution, consider switching the clients to OSS (Linux, ...)

B

Eric-PTEK
Aug 22, 2010, 07:16 PM
Thanks to all of you for this kind help. My situation is a little strange: right now I am a consultant and manager in a State University with 14.000 students and 1000 staff, so I must see prices from Microsoft for this kind of server, and if it is too much I must find a solution with open source alternatives.

MS's educational pricing will blow Apple's pricing out of the water.

Check out www.techsoup.org to see if your school qualifies. We work with a lot of non-profits.

I get 2008 Server licenses for $60, Office for $20, Win7 licenses for $7 and RDP CALs are $3.

Then it's just hardware from there.

Others have echoed what I've said and I'll reiterate it. Whatever up front costs you save will come back to bite you in the rear later on.

Support for MS enterprise products is awesome, not only directly from MS but from the community in general. Look at MS's approach to the iOS4 Exchange bug. Apple went around saying "not me" and denying there was a problem. Even though it was totally Apple's problem the MS community got together, released a fix, that Apple then stole and called their own, just to get it done, no finger pointing.

My big beef with Apple and being a reseller is the point of being a Apple reseller is to make Apple money, MS is a partner approach. Apple has done a great job with their App Store model, if they took that model down to their Enterprise/Business solutions they would find greater market penetration.

When Microsoft overtook Novell in the server market, it had little to do with technology, because MS's server products were a mess at the time, but they made sure that MS Server techs were well paid, while Novell was trying to cheapen the market for the people who supported their products.

As I said, shoot me a PM and I'll give some more specifics and I can point you in the right direction.

ChrisA
Aug 23, 2010, 04:51 PM
I want to know about this issue: is it possible to replace Microsoft's Active Directory/domain with Snow Server?

thanks..

Of course you can use a UNIX based server. That is all you get when you buy Mac OS server. All the tools you need are available.

People say "what happens when 60 users all try to download the same Windows patch"? I say "the same thing that happens when 60 users all look at CNN -- your proxy server has it cached so the 2nd through 60th users see a very fast download."

The real trouble is that if you are asking this question you are not even close to being able to set up and run a UNIX based server. It takes years of experience to pull that off but if you pay for Windows server it is all pretty much automatic and point and click.

60 users is a small network and you can't justify the staff required for a roll your own server and you are best off buying the Windows server. But larger networks, like ours here, have thousands of desktops and can afford a full time staff. For a few hundred or less users I'd say the out of the box solution is best.

hakuryuu
Aug 23, 2010, 05:05 PM
If you have 60 Windows machines there is almost zero reason to try and replace AD. Is it possible? It really depends on what you want to control on the machines and how granular you want your permissions control. If all you need is file sharing and basic accounts then it shouldn't be too difficult. But, take it from me (a self-described OS X client and server evangelist), stick with using MS Server 2008 for directory services.

balamw
Aug 23, 2010, 05:38 PM
if you pay for Windows server it is all pretty much automatic and point and click.

A properly set up AD environment (and not many are set up correctly) will reduce costs massively in managing a larger infrastructure.

The bolding is mine. I wonder why that is? :rolleyes:

IMHO this is the problem with Windows: it's easy, ubiquitous and almost invisible, but because of that it also ends up being weak, insecure and poorly configured in many/most cases.

I wonder how many lazy AD admins still have their users as local admins on their boxes or turn off UAC by policy in order to cut down on support calls.

60 nodes isn't a very large network, and there are many, many ways to skin that cat. AD is just the easiest and if implemented correctly most appropriate if the clients are all Windows based.

B

Eric-PTEK
Aug 23, 2010, 07:13 PM
The bolding is mine. I wonder why that is? :rolleyes:

IMHO this is the problem with Windows: it's easy, ubiquitous and almost invisible, but because of that it also ends up being weak, insecure and poorly configured in many/most cases.

I wonder how many lazy AD admins still have their users as local admins on their boxes or turn off UAC by policy in order to cut down on support calls.

60 nodes isn't a very large network, and there are many, many ways to skin that cat. AD is just the easiest and if implemented correctly most appropriate if the clients are all Windows based.

B

Well, that's why you pay to get it set up right.

If UAC is your defense against attacks to your network then you've got bigger problems.

We go with a whole system approach, IPS/WAF on the outside, complete monitoring by AD, full reporting and email alerts, etc. Perimeter defense is first, server 2nd, desktop/AV is last.

But you are right, a lot of people do things like leave the local admin account on the SERVER, forget the desktops. They forget that when you set up the server initially, then set up the AD environment, the local admin account is still there, and they rarely change the password to it. They leave the sa password on SQL set to default, don't implement password policies, have scripts set up to broadcast anomalies in the security logs, don't change SQL/RDP ports, etc... it's hear no evil, see no evil.

We spent a lot of time designing our setup but we cookie cutter it one after another, just depends on how big of a server(s) we go with.

We do it right but then again if we're not getting the entire job, we don't do it, we offer a complete solution or no solution.

If a business understands the last sentence then they are a great customer usually.

balamw
Aug 23, 2010, 08:53 PM
Well, that's why you pay to get it set up right.

And how do we as your(*) clients know that it is set up right?

(*) I don't mean you in particular, just anyone selling a turnkey black box server with AD set up "right".

Lazy, uninformed folks are in IT just as they are in other fields.

My only point is that AD is a tool, not a solution, it can be used properly or not, and it is definitely not the only solution to every situation involving 60 nodes.

Presuming the clients share a common configuration, something like DeepFreeze http://www.faronics.com/en/Products/DeepFreeze/DeepFreezeCorporate.aspx might actually be more appropriate depending on the situation.

B
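
One way a client could spot-check part of the question raised above, added here as an example that is not from any poster in the thread: the script reads the text that `secedit /export /cfg` produces on a Windows machine and flags the weaknesses the thread names (no password policy, the built-in Administrator account left enabled under its default name, UAC turned off). The sample export, the finding names, the host name and the 12-character minimum are assumptions made for the example.

```python
import configparser

# Constructed sample of one PC's `secedit /export /cfg host.inf` output
# (values invented for this example; real exports are UTF-16 and longer).
SAMPLE_EXPORT = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
EnableAdminAccount = 1
NewAdministratorName = "Administrator"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,0
[Version]
signature="$CHICAGO$"
"""

UAC_KEY = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
MIN_LENGTH = 12  # assumed baseline, replace with your own written policy


def audit(export_text):
    """Return a list of finding names for one host's secedit export."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the original case of setting names
    cp.read_string(export_text)
    sa = dict(cp["System Access"]) if cp.has_section("System Access") else {}
    reg = dict(cp["Registry Values"]) if cp.has_section("Registry Values") else {}

    findings = []
    # Assumption: a password setting missing from the export counts as 0.
    if int(sa.get("MinimumPasswordLength", 0)) < MIN_LENGTH:
        findings.append("password-length")
    if int(sa.get("PasswordComplexity", 0)) != 1:
        findings.append("password-complexity")
    if int(sa.get("LockoutBadCount", 0)) == 0:
        findings.append("no-lockout")
    # Built-in Administrator still enabled under its default name.
    name = sa.get("NewAdministratorName", "").strip('"')
    if int(sa.get("EnableAdminAccount", 0)) == 1 and name.lower() == "administrator":
        findings.append("builtin-admin-enabled")
    # Registry values are exported as "<type>,<data>"; EnableLUA data 0 = UAC off.
    if reg.get(UAC_KEY, "4,1").split(",", 1)[1].strip() == "0":
        findings.append("uac-disabled")
    return findings


def audit_fleet(exports):
    """Map hostname -> findings, keeping only hosts that have any."""
    results = {host: audit(text) for host, text in exports.items()}
    return {host: found for host, found in results.items() if found}


if __name__ == "__main__":
    for host, found in audit_fleet({"pc-01": SAMPLE_EXPORT}).items():
        print(host, ", ".join(found))
```

Collecting one export per machine and passing them to `audit_fleet` gives a per-host list that can be compared against whatever the installer says was configured.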

Supa_Fly
Aug 24, 2010, 09:52 PM
So I must pay for Server 2008 to implement Active Directory... I found some other free open source solutions like Samba4 and Apache Directory Studio, but I don't know if these solutions will succeed...

What?! No you do NOT have to pay for a Windows Server 2008 to implement AD; it could be Windows Server 2003, or even 2000 - it all depends on the OS of the particular clients in his environment & also what applications, policies, 3rd party tools (ie: VMs, Citrix, etc) that will be implemented.

You CAN use OSX Server Snow Leopard and set up Open Directory as the root, with Windows Server in a VM with AD, Exchange Server, etc set up as the primary. OSX can manage the DNS, domain - yet when distributing IT Policies, GPOs etc that is what the Windows Server (again version dependent on what you're rolling out) is for.

There is a company featured right on Apple's OS X Server site that has such an implementation - specifically similar to your loose example.

I'm not certified nor fully qualified to guide you - but I believe what you want IS possible; quick shot off the dome answers are not definitive enough to assist you - even mine - without full knowledge of what you plan to roll-out.

ALSO ... what implementation do you have for rolling out a VPN solution for your 60 Windows clients - RSA, CISCO/AT&T/IBM, etc, or Microsoft's Win7 implementation (which does require WinServer 2008)?

There are just so many variables.

NOTE:
http://support.apple.com/kb/ts3235
Mac OS X Server: Cannot join Windows 7 to a Mac OS X PDC Domain

I did a really basic search on Apple's site but I'm unsure if the results are beneficial or point to what you're after:
http://support.apple.com/kb/index?page=search&src=support_site.kbase.search&locale=en_US&q=hosting%20Active%20Directory%20in%20OS%20X

Last but not least ... check out this O'Reilly article
Part 1:
http://www.oreillynet.com/pub/a/mac/2003/08/05/active_directory.html

Cheers & don't flame me if I'm totally wrong and off the wall, please.

These next links are the opposite of what you're after but may shed some light:

http://www.apple.com/business/solutions/it/directory.html

Eric-PTEK
Aug 24, 2010, 10:47 PM
I'll stick with AD is the only solution for enterprise level up times and management.

There is a reason in the enterprise you stick with a certain well supported product. It is not about what people like, it is about what works.

If the person is not familiar with AD or Microsoft products in general then 2008, and most likely R2 is the only way to go. 2003 is more cryptic and difficult to use.

Its setup is mindless. XP needs updates, so does Vista to work with the GPOs but those are well documented.

Hardware requirements are much lower too.

That example you say is on Apple's site is doing it just for the sake of doing it. That setup makes no sense at all.

If you need OS X for something specific then fine, use OS X for something specific but running AD in a VM without it managing DNS/DHCP is 100 percent against the rules for AD. You say you don't have the experience in AD, and neither does whoever wrote that article. AD does not work properly unless it is tied into the DNS, in fact it is required during AD installation.

Server 2008 is more than just a directory, it is a management tool. WSUS for smaller installations and SMS for larger.

Plus where are you going to go for support? Apple? Hardly. I've called their enterprise team, even paid for an Enterprise call, as soon as they heard Windows they were all just drooling.

Apple has a long way to go before they truly understand what it takes to support a business the way MS and their partners do.