There's no reason at all to simply 'ditch OD'.
Active Directory and Open Directory can work quite well together. My servers are set up in the exact opposite way of how you are proposing. My user accounts reside in AD and I use OD to provide the specific MCX data to the desktops that are not supported by the default AD schema.
Here's a word of advice, *do not* modify your AD schema. Sure, it's LDAP and we all know you should be able to modify your directories to meet your environmental needs, but that's not always the case with AD. Consider that Apple does update their AD modifications from time to time, as well. In my mind, why modify AD, when you can have a continually updated OD deployment on an Xserve, without worrying about properly populating 'unused' attributes with OS X attributes that may change, or be used differently in different builds?
When you consider the cost of an OD Master compared to the professional services and planning that goes into modifying AD, it really becomes easy to see why you should use OD. My AD and OD play very nicely together, but you will give up certain capabilities. If you are using OD in an AD domain, you give up the ability to manage users at the user level; you're now dealing with groups, OD groups at that, but there are scripts that can sync your AD groups to your OD groups, to make management easier. Most folks don't find this to be too big of a problem, as they don't have time to manage each user, but rather just groups anyway. Also, remember, you never want to bind your OD Master to an AD. You can use a client machine to administrate your set up quite easily.
Hope this helps! Let me know if there's anything else I can provide info on!
Mike D, ACSA
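The AD-to-OD group sync the post mentions, as an added example that is not the poster's script: it is meant to run on a client bound to both directories (so the OD Master itself stays unbound from AD), reads each group's GroupMembership with `dscl`, computes the difference, and only applies changes when asked. The directory node paths, the group names and the `diradmin` account are assumptions; adjust them for your environment.

```python
import subprocess

AD_NODE = "/Active Directory/EXAMPLE/All Domain"  # assumption: your AD forest node
OD_NODE = "/LDAPv3/od.example.com"                 # assumption: your OD Master
OD_ADMIN = "diradmin"                              # assumption: OD directory admin

def parse_membership(dscl_output):
    """Parse `dscl ... -read /Groups/<g> GroupMembership` output into a set.

    dscl prints either 'GroupMembership: alice bob' on one line, or the header
    followed by one indented value per line when a value contains spaces.
    """
    members, lines = set(), dscl_output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("GroupMembership:"):
            members.update(line.split(":", 1)[1].split())
            for cont in lines[i + 1:]:
                if not cont.startswith(" "):
                    break
                members.add(cont.strip())
    return members

def read_members(node, group):
    """Query a directory node with dscl (macOS only)."""
    out = subprocess.run(["dscl", node, "-read", f"/Groups/{group}", "GroupMembership"],
                         capture_output=True, text=True, check=True).stdout
    return parse_membership(out)

def plan_sync(ad_members, od_members):
    """Return (to_add, to_remove) so the OD group mirrors the AD group."""
    ad, od = set(ad_members), set(od_members)
    return sorted(ad - od), sorted(od - ad)

def dscl_commands(od_group, to_add, to_remove):
    """Build the dscl calls; -p prompts for the admin password instead of embedding it."""
    base = ["dscl", "-u", OD_ADMIN, "-p", OD_NODE]
    cmds = [base + ["-append", f"/Groups/{od_group}", "GroupMembership", u] for u in to_add]
    cmds += [base + ["-delete", f"/Groups/{od_group}", "GroupMembership", u] for u in to_remove]
    return cmds

def sync_group(ad_group, od_group, apply=False):
    """Dry-run by default: returns the planned commands; runs them only if apply=True."""
    to_add, to_remove = plan_sync(read_members(AD_NODE, ad_group), read_members(OD_NODE, od_group))
    cmds = dscl_commands(od_group, to_add, to_remove)
    if apply:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds
```

Run `sync_group("Mac Admins", "mac-admins")` first to review the planned changes, then repeat with `apply=True` from a cron or launchd job on the admin client.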