Introducing a Windows Domain Controller into an all-Mac-client network

A company is about to hire me to be their IT Admin (they currently have no admin). In the interview, they stated that one of the things they want me to do is put in an MS Domain Controller. The thing is, they are a graphic design company with about 100 Mac clients and maybe 5 Windows clients. So other than login credentials and network shares, what is the benefit of this? Should I just tell them to use the OS X equivalent of AD? How hard is it to learn whatever OS X's AD is?


You're probably better off taking a "Golden Triangle" approach here. That means having Open Directory on some OS X servers, Active Directory on Windows ones, and configuring Kerberos to forward auth requests from the OD servers to the AD ones.

This way, you get authentication and authorization centralized on a Windows platform, and you can still use Apple specific tools like WGM (think Group Policy, but lacking) for the OS X machines, since they'll be bound to both directories.

With only 5 Windows clients, you might even just want to do OD and skip AD altogether until your number of Windows clients grows.

Products like ADmitMac also exist to help ease this management burden (nightmare), though it's more meant for integrating Macs into a largely Windows environment, which is the opposite of what you're doing.

One final option is to run some Apple-specific schema updates on your Domain Controllers, which will let you use WGM to manage OS X clients without the need for Open Directory at all. Some people do this, and have no problem. Other people are really really scared to run a schema update from Apple in a production forest - I'm one of those people, so I've never tried this.
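In any of the AD-backed layouts above, every Mac bound to the domain gets its own computer object, and a binding that silently breaks (a reimaged machine, an expired machine password) is the most common reason Kerberos forwarding stops working for one user but not the rest. The following PowerShell is an added example, not code from the answer above or from Apple or Microsoft: it audits the Mac computer accounts from the AD side and flags ones whose machine password has not rotated. It assumes the RSAT ActiveDirectory module is installed and that bound Macs populate the `operatingSystem` attribute with a value beginning "Mac OS X", which is what macOS's AD plug-in has written in my experience; the 45-day threshold is a constructed choice, not a documented default.

```powershell
# Added example: audit AD computer objects that belong to bound Macs.
# Assumes RSAT ActiveDirectory module; operatingSystem value for Macs is an assumption.
Import-Module ActiveDirectory

function Get-StaleMacBindings {
    param(
        # Days since the machine password last rotated before we call the binding suspect
        [int]$MaxPasswordAgeDays = 45,
        # Constructed search base placeholder; replace with the real OU for Mac clients
        [string]$SearchBase = "OU=Macs,DC=example,DC=local"
    )

    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    Get-ADComputer -Filter 'operatingSystem -like "Mac OS X*"' `
        -SearchBase $SearchBase `
        -Properties operatingSystem, operatingSystemVersion, PasswordLastSet, LastLogonDate |
    ForEach-Object {
        # A null PasswordLastSet means the object was pre-created but never bound.
        $stale = ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
        [pscustomobject]@{
            Name            = $_.Name
            OSVersion       = $_.operatingSystemVersion
            PasswordLastSet = $_.PasswordLastSet
            LastLogonDate   = $_.LastLogonDate
            Stale           = $stale
        }
    }
}

# Report only the suspect bindings, oldest password first.
Get-StaleMacBindings |
    Where-Object Stale |
    Sort-Object PasswordLastSet |
    Format-Table Name, OSVersion, PasswordLastSet, LastLogonDate -AutoSize
```

Run it from a workstation with RSAT against the OU where the Macs live; a machine that shows up here but still logs users in is typically one whose cached mobile account is masking a broken trust, so re-binding it before users notice is cheaper than waiting for the helpdesk ticket.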


Apple's inconsistency with their AD client is a nightmare. Every version of OS X changes their approach, and it's hard to maintain a consistent design. The best solution I ever found is/was called Likewise Enterprise. It allows for complete management from the AD side of things. There is a free version that provides just user authentication and single sign-on, and the paid-for version gets you support and policies.

http://www.beyondtrust.com/

http://www.beyondtrust.com/Products/PowerBrokerIdentityServicesADBridge/

This is the company that bought Likewise and continues to develop the software. The golden triangle approach is still workable, but in my experience it has been a nightmare to manage.