Mac OS X integration into your Active Directory domain.

...well this is how *I* did it. Your specific site setup may differ depending on your needs.

***Site update in progress 7/28/04. Keep checking back for new details, denoted by the red text.***

First, our existing setup.

We have about 100 Macs and 250 PCs in our classrooms & computer labs that students and teachers log in to. All PCs are running Windows XP and our PC servers are Windows Server 2003. When users log in from a PC, they authenticate against Active Directory and are presented with their roaming profile, which is also stored on a W2K3 server. All Macs are running MacOS X 10.2.8. When users log in from a Mac, they authenticate against an XServe running MacOS X 10.2.8 Server that also stores their home folders and is the MCX parent. All users who log in on Macs and PCs have 2 separate places to find their files, but neither is accessible from the other platform, which is fine for our purposes. And they have 2 separate logins to remember. We try to start every user off with the same ID & PW for each system, and we tell the users that if they change the password on one system, it does not change it on the other. The PCs are primarily used for typing up Word documents and Excel spreadsheets, surfing the web, and doing PC-specific class work (which is MS Office and web surfing), so their storage requirements aren't very large. PC logins are limited to 30MB. The Macs are used for a larger variety of programs and files (Photoshop, QuarkXPress, Illustrator, MovieWorks, InDesign, Dreamweaver...), so we limit Mac space to 100MB each, with the exception of certain students who are taking specific Senior level classes; they get 200MB.

Second, our requirements.

  1. We absolutely needed to unify our user list so that Faculty, Staff, and students only have to remember a single ID & PW to log in to any of the computers on campus.
  2. We needed to maintain the functionality of managing the Macs via MCX and retain the Windows security policies and login scripts on the PCs.
  3. We REALLY didn't want to have to modify the AD schema.
  4. Keep Mac and PC file space separate.
  5. PC roaming profiles have to stay working as they are.
  6. Macs authenticating with AD should be able to print to print queues hosted on our W2K3 server and have their print counts managed via Print Manager Plus.

Third, our fallbacks (Plan B).

  1. We are not totally opposed to unifying the file storage space, BUT it would require moving ALL user files to an OS X server because W2K3 server does not support AFP 3.1. And it would involve a LOT of footwork on the Windows side to transfer all the user files & folders and retain all the proper permissions. We may actually unify the storage space in the future, but not this year.
  2. Don't use AD and just keep things the way they are, but update clients and servers to OS X 10.3.x. I'd rather not think about doing this one, but it would allow me to have an improved setup over what we have now for the Macs. Right now, if my main Mac server goes down, all the Macs go down. This option would let me have LDAP replicas that can still authenticate and manage users. I'd just have to make sure the server with the home folders doesn't go down.
  3. THERE IS NO 3RD OPTION