Network Homes - going from OD to AD


We have been an all-Mac shop for our student and staff logins, but OD and WGM aren't cutting it any more, so we're moving to Active Directory and SMB servers for network (non-mobile) home folders. We're new to this and would like to find out how others are doing it and whether there are pitfalls we can avoid.

We're running ExtremeZ-IP on the SMB server to allow AFP access to the home folders and to take better advantage of AFP reconnect. The //share/home folder is accessible either with smb://server/home or afp://server/home. The share and AD servers are running Windows Server 2008 R2 with the forest at R2. They are located at our District Office and accessed over our WAN. We are a K-6 school district with 3500 students and a few hundred staff members distributed across 7 school sites. At any given time, there will be no more than 80 students and staff logged in from each site - more typically it's 30-40.

On the home share server, we have the home folder Share Permission set to Everyone (read/write), and NTFS permissions enabled for Enumeration with Everyone access removed. In AD, we create users, populating the Home folder field with H: //server/home/%username%

When a user account is created, a folder in the user's name is created on //server/home/username with access set to the user account.

On the Mac client machines, we bind to our AD server, uncheck Force local homes, set the protocol to afp, and choose our preferred AD server. We can do all of this with a single dsconfigad command. All of our clients will be iMacs running OS X 10.10.3.

On first login, we see the Library, Desktop, Documents, and Downloads folders get created and populated, but it seems very slow. When an iLife app like Photos is opened, the Pictures, Music, and Movies folders get created. The Dock is populated with generic Apple stuff.

Without Workgroup Manager to lean on, we are trying to figure out the best way to:

  • Customize the Dock to contain Apps that may vary based on student grade level and/or school site
  • Customize LoginItems to automount a group folder specific to their classroom which is also on the home folder server

We use long names to describe our computers for managing them within Apple Remote Desktop. AD can only take 15 characters and our naming scheme is not unique within the first 15. So, when binding with the dsconfigad command, we'd like to pull our asset numbers from the JSS and combine them with the site name at the time we bind. Anyone have a way to script this at imaging time?

Are people successfully using JAMF's MCX capability? Limited testing here suggests it slows login down quite a bit.

Any other advice on things to watch for? Problems with files getting locked or set to read only? Compatibility issues?
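As an added example (not from the original post or from Jamf), here is a policy-script sketch for the bind-time naming question above: it builds a 15-character AD computer name from the site and the JSS asset tag, then runs the dsconfigad bind with the settings the post describes (no forced local home, afp protocol, preferred DC). The parameter layout ($4 to $7), the AD_* variables, the OU and the 6-character site prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed Jamf policy parameters:
#   $4 site code, $5 JSS URL, $6/$7 read-only JSS API user/password,
#   and AD_DOMAIN, AD_OU, AD_BIND_USER, AD_BIND_PASS, AD_PREFERRED_DC set
#   by the policy or environment (all hypothetical names).
SITE_CODE=$4; JSS_URL=$5; JSS_USER=$6; JSS_PASS=$7

# NetBIOS computer names are capped at 15 characters, so the long ARD-style
# names cannot be used as-is.
AD_NAME_MAX=15

# Build SITE-TAG: keep only letters/digits, upper-case, at most 6 chars of site,
# and if still too long keep the right-most (most unique) part of the asset tag.
make_ad_name() {
  site=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9' | tr 'a-z' 'A-Z' | cut -c1-6)
  tag=$(printf '%s' "$2" | tr -cd 'A-Za-z0-9' | tr 'a-z' 'A-Z')
  name="${site}-${tag}"
  if [ ${#name} -gt $AD_NAME_MAX ]; then
    room=$((AD_NAME_MAX - ${#site} - 1))
    tag=$(printf '%s' "$tag" | tail -c "$room")
    name="${site}-${tag}"
  fi
  printf '%s' "$name"
}

# Read this Mac's asset tag from the JSS Classic API by serial number.
jss_asset_tag() {
  serial=$(ioreg -rd1 -c IOPlatformExpertDevice \
           | awk -F'"' '/IOPlatformSerialNumber/ {print $4}')
  curl -sf -u "$JSS_USER:$JSS_PASS" -H 'Accept: application/xml' \
    "$JSS_URL/JSSResource/computers/serialnumber/$serial/subset/general" \
    | sed -n 's:.*<asset_tag>\(.*\)</asset_tag>.*:\1:p'
}

# Bind with the settings from the post: no forced local home, AFP home protocol,
# a preferred DC, no mobile accounts. The bind account should only be allowed
# to join computers to AD_OU, and its password is never hard-coded here.
bind_to_ad() {
  dsconfigad -add "$AD_DOMAIN" -computer "$1" -ou "$AD_OU" \
    -username "$AD_BIND_USER" -password "$AD_BIND_PASS" \
    -localhome disable -protocol afp -preferred "$AD_PREFERRED_DC" -mobile disable
}

# Only bind when run from a policy with a site code; sourcing it does nothing.
if [ -n "$SITE_CODE" ]; then
  tag=$(jss_asset_tag)
  [ -n "$tag" ] || { echo "no asset tag in JSS for this Mac" >&2; exit 1; }
  bind_to_ad "$(make_ad_name "$SITE_CODE" "$tag")"
fi
```

The name is the only part that needs to be unique per machine; the site prefix is there so the computer objects still sort by school in AD and ARD.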