Mac Mini OS X Server Limitations

You give us no information on how much data will be accessed on the Mac Mini from the clients

I have seen schools host login accounts for entire classrooms from a Mac Mini (30 or so workstations, sometimes multiple classes too), however most of the data was cached on the local HD with a few files saved to a share on the Mini. Another business has managed to strain an older Mac Pro by accessing many large Photoshop and design documents & with a handful of clients. You could overload a Mac Mini with one client if you tried streaming tons of data to and from it in addition to using other services. I don't think there is a hard & fast rule that applies to every use case.

You should probably explain what you plan to host - network logins, network based accounts, just file sharing etc? What are the Windows users going to access? I don't know how well Windows works with OS X Server, sorry. I don't think the internet bandwidth is a concern, unless you plan to host the server off site?

'Mobile accounts' in the sense that the users home files are synced back to the server and user can login on any machine & pull down their changes automatically?

I have rarely seen that work well (I saw it around OS 10.5 - 10.7), however that was with 30+ iMacs on gigibit ethernet. There were many sync issues normally due to network throughput compounded by kids that tried to login on one Mac, got bored of waiting & moved to another… Logging in & out can take minutes to sync work back to the server. It always worked OK testing a handful of Macs so you may be OK with a dozen or so users. Occasionally they were handling large media files in Garageband & iMovie so it was destined to be difficult.

I'd attempt to keep things simple, network managed accounts (each Mac is bound to OpenDirectory on the server) but with no changes synced back if possible. Work should be kept on the server or NAS etc.

I suspect you want to have the clients all on wifi, if you are on a slow network or have patchy reception it can be a chore to keep some users in sync. Ethernet is normally better but wires & USB ethernet dongles make the MacBooks look clunky.

I think Windows support has got better but I haven't looked at it recently so I can't say if they can login and roam as Open Directory users.

Hopefully you will get some other posts here with other opinions, I'm not up to date so take my posts with a pinch of salt.

P.S. You may want to consider setting up Deploy Studio too, it can make imaging the Mac clients easier, depending on how often you need to erase & reinstall the OS.

http://deploystudio.com/

vane0326 wrote:

HI,

Just learning how to use the OS X Server.sorry for the little information.

Yes, the data will be cached on to their local HD. I would like to set them up as Network Login Accounts BUT enable mobile account on their Macs. Don't know if Windows compatible with mobile accounts, probably not.

Windows will access a small 3tb NAS device.

My goal is to have the users use WPA2-Enterprise so they can access files, printers and the internet.

Mobile Home Directory Syncing for Macs is notoriously unreliable but the facility is there, by the way this is more properly termed a 'Portable Home Directory' and a non-synced locally stored home directory in this case would simply be called a Mobile Account/Home Directory. While Windows itself does have a similar feature Apple do not support it in their software. The reverse is however possible in that a Windows server could do this for both Mac and Windows clients.

• Network Home Directory - stored purely on the server
• Mobile Account - stored purely locally
• Portable Home Directory - stored on both the server and locally and synced automatically

Sadly even basic Network Home Directories with them purely stored on the server and not synced locally is also less than perfect. (I am still using this though.)

Note: Apple used to support Windows 'Roaming Profiles' when they still used SAMBA as the software but this was last available in Mac OS X 10.6.8 Snow Leopard Server and not available in 10.7 aka. Lion and later.

With regards to speed/capacity no current Mac has room for multiple internal drives anymore, for the quantity you describe there would be effectively no benefit to replacing the Mac mini with a Mac Pro - both would have to use external storage typically via Thunderbolt or USB3. Many people use an external Thunderbolt RAID box for 'server' storage.

The Mac server software can setup RADIUS for Enterprise WPA2 security for only Apple's own AirPort Extreme basestations. Other than that you could in theory do this manually as the software Apple use is FreeRADIUS and can be (manually) configured to support non-Apple basestations.

It is not clear from your messages but -

• Don't try doing either Network Home Directories or Portable Home Directory syncing over the Internet these should only be done on a local LAN or WiFi connection
• For remote i.e. Internet users consider instead portable home directories which are not synced to the server but are purely stored locally, but the user account i.e. password is synced to the server
• WPA2 Enterprise is not for remote access, it is purely for securing your local WiFi network
• For remote access you need a VPN server
• RADIUS authentication may be used to secure both WiFi in the form of WPA2 Enterprise, and for securing a VPN system
• Apple's own VPN server does not support RADIUS

vane0326 wrote:

A couple of more questions...

1.) Can a Windows PC/Laptop be joind to the OS X server? Like joining a PC/MAC to the Windows domain.

2.) Can a Windows user account use OS X server OpenDirectory to authenticate usernames & passwords?

3.) If I have a Cisco ASA firewall and use their AnyConnect VPN, can it be tied to the OS X server Radius for authentication?

4.) When do you use a Mac Desktop? 50, 80, 100 users to purely authenticate?

With Snow Leopard Server it used to be possible to join a Windows PC to a Mac Open Directory network. This worked using the old Windows NT 'Domain' model. Newer versions of Apple server software no longer support that and no version of Apple's software has supported acting as an Active Directory system server. So the answer to 1 is no.

A Windows PC user can login to a Mac server for example to access a file share and will get asked for a user name and password and this will work. So to put things simply the answer to 2 is yes.

As mentioned Apple's server software itself can only setup RADIUS for Apple's own AirPort Extreme. It cannot via Apple's server software be setup for even Apple's VPN server and cannot be setup for other manufacturers products. However as I also mentioned you could in theory manually configure by hand editing the config files of the FreeRADIUS software that is builtin and hidden inside OS X. So the answer to 3 is 'sort of'.

In terms of Open Directory alone a single Mac mini can easily handle hundreds of users. In terms of Network Home Directories it will depend on how many are logged in at once and what they are doing but perhaps you would limit it to about 50 per server. Rather than just getting a Mac Pro and doing more it would be more typical to either add additional Mac mini computers i.e. two Mac minis vs. one Mac Pro or with even bigger numbers get a real server such a Windows Server or Linux.

I prefer using a separate server to do Network Home Directories and dedicating a Mac mini for Open Directory, although also running DNS on the Open Directory server is fine.

Pgina will help in logging in to a Mac server but still will not let a PC bind to a Mac server.

vane0326 wrote:

Does the PC has to be bind to a Mac server?

Will a PC still function properly not being bind?

In order to just access the Mac as a file server you do not need to bind to it and remember you cannot bind a PC to a current Mac server. However if you did want to use roaming profiles you would need to bind to it, and there are some other facilities - none of which the Mac can provide which would also need binding capability.

So basically don't worry about it unless you are a significant user of PCs in which case you should have Windows servers anyway.