The Challenges Facing Macs


While Mac computers can be configured to authenticate users to Active Directory (AD) by obtaining and managing Kerberos tickets in much the same way Windows clients do, Mac computers themselves don’t typically authenticate to the directory. This creates a disconnect in management capabilities between Windows and Macs, and can significantly impact the ability to create a single sign-on environment. Mac computers may have to authenticate multiple times in multiple-domain environments, and maintain their own local user accounts used to secure resources on the Mac computer.

Both first- and third-party solutions exist to better integrate Macs into AD. Utilities from Apple, included in Mac OS 10.5 and later, focus primarily on user authentication. Many third-party utilities also focus entirely on authentication and don’t extend many AD benefits to Macs. For example, they may not support access control or password policy; in some cases, they may not even permit users to change domain passwords from a Mac. They also may not work in complex, multi-forest environments.

Some third-party solutions do provide broader capabilities than authentication, but are often just as Mac-specific as Apple’s utilities. If Macs are your only non-Windows platforms, these third-party solutions may be acceptable. However, if you also want to integrate Unix and Linux systems, then having a single “non-Windows integration system” that accepts all of these types of computers can significantly reduce management overhead and cost.

The importance of achieving a single sign-on capability cannot be overemphasized. Maintaining a single credential for each user vastly simplifies not only identity management (which in turn simplifies overall security, compliance, and maintenance), but also simplifies users’ lives, helps prevent forgotten passwords (and the resulting help desk calls), and improves both user productivity and satisfaction.

Policy-based Management

Microsoft’s solution for policy-based management is Group Policy, an integrated part of Active Directory that requires significant client-side support from within the Windows operating system. Apple offers a parallel technology called Apple Workgroup Manager; it requires at least one Mac OS X Server-based computer and requires Mac clients to authenticate to that server in order to obtain policy information. Neither of these systems necessarily requires the server to be within the same secure network; in fact, Apple’s Group Policy application is itself a server.

These first two examples of Mac-to-Windows conversions can be done manually; in many cases, you would need to be a fairly senior IT person to understand the nuances of each system and to be able to work your way through the recommendations. Both Apple and Microsoft provide assistance documents and step-by-step tutorials for their utilities.

Obtaining either a Macintosh- or PC-based migration strategy will require you to integrate both management and processes. For example, Microsoft’s method requires you to integrate both Principals of Security and System Development in a wizard. You’ll also need to balance between Citrix and Microsoft SharePoint Services, which are separate but related to each other in the overall process. Finally, you’ll need to carefully monitor and bill each Mac user as they migrate to Windows.

The best approach is to perform a “test drive” before beginning the migration phase. In this way, you’ll be able to determine which features and benefits are best suited for your environment, and your VPS provider can ensure that you’ll be able to deliver the highest value and limit the impact to your tenants or clients.

Mac users will need to determine whether to preserve or replace MS Exchange mailboxes prior to the move to Windows. An exhaustive, complicated, and time-consuming documentation effort should be avoided. The goal is to eliminate the need for extreme attention to detail.

Identify the most common problems experienced by your existing users (who might be Outlook users, Microsoft Outlook users, Adobe users, and so forth) who might be directly affected by the migration approach.

c) Determine what information will be required to “migrate” your organization. For example, a migration of an entire Exchange Server database from 2003 to 2008 might require some of the following:

o Exchange mailboxes from 2003 to 2008 that are primarily analytical in nature or are mailboxes that do not contain confidential information will be required. mailbox determines the integrity of your environment.
o Migration software and off-site replication of mailboxes need to be programmed.
o Repeating deployments of the same templates or data would be problematic.
o Squeeze page file sizes to bring down the number of NICs required on each server. This issue could be remedied by tuning the template compactness, but this needs to be addressed with a suitable adaptation and modification to the existing NAS environment.
o Additional management services such as disk and page file monitoring will be required.