Comparing any Mac OS release with Windows is often like comparing aphids and orangutans. That is particularly true when looking at Apple’s Mac OS X Leopard Server and Microsoft Corp.’s Windows 2003 Server. Although they ultimately provide very similar features — directory services, file and print services, various Internet services, and so forth — the two platforms seem to be designed from completely different mind-sets.
An excellent example of this is the two companies’ vastly different approaches to software licensing. Windows Server is available in around half a dozen different variations, each with different pricing and feature sets aimed at specific environments. By contrast, there is only a single version of Mac OS X Server that makes all features available to anyone who buys it.
Also, Mac OS X Server comes with only two license variations, a 10-client version and an unlimited client version. Leopard Server doesn’t add the complication (or expense) of client access licensing, in which administrators must buy licenses for each user or device that connects to the server, as well as a license to install and run the server operating system itself. Windows requires client access licensing.
Although the 10-client version of Leopard Server simply will not respond to more than 10 file-sharing clients at a time, other services are not actually restricted to 10 clients, according to Apple’s specs. Costs aside, this makes licensing of Mac OS X Server far simpler and more predictable than Windows Server.
Despite their differences, the systems have a number of underlying similarities. Both Microsoft’s Active Directory and Apple’s Open Directory rely on a customized Lightweight Directory Access Protocol (LDAP) database as a repository for directory services, and both use Kerberos for secure authentication. Both Active Directory’s Group Policies and Apple’s Managed Preferences allow administrators to secure workstations and predefine many settings of the user experience of the operating system and applications.
Both also allow for replication of their directory services among multiple servers to boost fault tolerance and performance, particularly in organizations with multiple work sites connected by slow network links or with many users and workstations within individual sites.
Both offer file and printer sharing that can support multiple protocols, including the Windows native SMB/CIFS (Server Message Block/Common Internet File System), Mac native AFP (Apple Filing Protocol) and the Unix NFS (Network File System). Apple’s support is somewhat easier to implement because options for all three protocols are automatically installed with the server operating system rather than being components that require additional installation. And both offer Web, e-mail, calendaring and other collaborative tools.
Directory services and account management
Thanks to their reliance on LDAP and Kerberos, both systems have unique schemas that can be extended. Although Apple relies primarily on LDAP for authentication queries, Windows Active Directory clients natively prefer the proprietary ADSI (Active Directory Service Interface) protocol, though Active Directory supports LDAP as well. Both systems provide for secure authentication, and one can integrate Active Directory with Open Directory in a single network environment. In this integrated scenario, servers and clients of both systems can rely on a single directory services environment for authentication and management, or they can be part of a more complex environment combining multiple directory systems.
Active Directory is, however, more robust in some aspects. Although both systems support directory server replication, Active Directory traditionally sports better replication options. As one example, each domain controller can accept changes to records and accounts that are then propagated to all the others. Open Directory has always functioned with a single master server and many replicas, similar to the Windows NT primary domain controller (PDC) and backup domain controller (BDC) model, in which changes other than password updates must be made on the master and then copied to each replica.
This situation creates a single point of failure; replicas will process authentication and other requests if a master fails, but updates other than password changes can’t be made until the master is restored or replaced by promoting a replica. It has also traditionally had the potential to reduce performance because all replicas must update their information from a single source — the master.
To some extent, this is changing with Leopard Server, which provides for two-tiered or cascading replication. In this arrangement, first-level replicas receive updates from the master, and a second level of replicas can update from the first-level replicas (referred to as relays when two-tiered replication is in use). This relieves some of the replication performance issues, but it doesn’t address the fact that the master remains the single point of modification for most accounts and records. As a result, in enterprise deployments, Active Directory still supports more complex replication topologies than Leopard Server.
Other ways in which Active Directory is more flexible include the concept of forests, a method for grouping multiple Active Directory domains, each with its own namespace and set of accounts for users, groups and computers, and trusts, which allow accounts in one domain to access resources in another domain. The ability to establish relationships among domains allows accounts in one domain to access resources managed by a different domain within the organization’s infrastructure. This allows for a great deal of flexibility within a larger enterprise network.
Leopard Server offers some multidomain capabilities, particularly by introducing cross-domain authorization to let a single Open Directory domain be subordinate to another domain in either Active Directory or Open Directory. It remains to be seen, though, just how much more flexible this will make Open Directory when compared with Active Directory.
Despite the historic benefits of Active Directory, Leopard Server’s Open Directory is still very viable for larger multisite infrastructures where Mac OS X Server had previously not been an optimal choice. It includes the ability to host a Windows NT-style domain, seamlessly responding to requests from Windows clients with the master server acting as a PDC and replicas acting as BDCs. Leopard Server also provides a great deal of dual-platform client support, including the ability to host roaming profiles.
It’s not perfect, however. Active Directory provides little built-in support for Mac clients. However, Apple’s use of Samba and LDAP means that Mac OS X can authenticate against Active Directory.
File and print services
Both server operating systems provide file sharing and print services. In a default installation, Windows Server support is limited to SMB/CIFS file sharing aimed at Windows clients, though optional installs of Services for Mac and Services for Unix provide support for other client types. Mac OS X Server, by contrast, includes full support for sharing over Apple’s native AFP, SMB for Windows clients and NFS for Unix/Linux clients. Leopard Server also supports secure NFS access via Kerberos. File Transfer Protocol access is also included as a file service in Mac OS X Server, though it is somewhat difficult to consider it in the same ballpark as the other three.
Configuring file services is arguably easier under Mac OS X Server. Certainly, the built-in support for multiple file- and print-sharing protocols gives Mac OS X Server a leg up in multiplatform environments. The support for all three protocols is much more streamlined and intuitive to manage than is relying on Microsoft’s Services for Mac and Services for Unix under Windows Server.
In particular, Services for Mac has never been well-regarded, and there are multiple third-party AFP servers that deliver better Mac configuration options and performance for Windows Server. ExtremeZ-IP is the best-known of these third-party tools. In a number of situations, it can simply be easier to rely on Mac OS X’s built-in SMB client than to rely on Windows’ Services for Mac.
Internet and Web-based collaborative services
Both Windows Server and Mac OS X Server come with built-in Web servers (Internet Information Server and Apache, respectively). Long-standing comparisons exist between these two systems, and I won’t bother to repeat that debate. Beyond basic Web services, however, Microsoft has offered Windows SharePoint Services as a free add-on for some time.
Until now, Apple has not readily embraced collaborative Web tools beyond basic blogging support. Leopard Server promises a greatly enhanced collaborative tool set, including easy-to-configure blog and wiki support. This will be incredibly easy to administer and will integrate with directory services very well. So, it appears that these features will be on similar ground, with Leopard having a slight edge in ease of administration.
E-mail, messaging and calendaring
Both Windows Server and Leopard Server ship with basic e-mail capabilities. Advanced messaging and related collaborative tools for shared contacts, calendaring and instant messaging are available from Microsoft in the form of Exchange Server. Leopard Server also ships with a secure instant messaging server, the Jabber-based iChat Server. Also, shared contacts in Open Directory are available for Mac OS X’s Address Book and other products that support LDAP-based contact lookup.
Exchange has always had a leg up in offering a variety of tools beyond e-mail, such as shared calendaring, which users commonly rely upon. Leopard Server’s iCal Server, however, is poised to level that playing field significantly. iCal Server is based on the open CalDAV standard and is supported by a number of clients on various computing platforms. Not being directly integrated as Exchange is with Outlook makes iCal Server somewhat more flexible — as does the variety of e-mail and calendar applications available for Leopard Server clients.
What makes Leopard Server particularly attractive on this front compared with Exchange is that it includes most of the functionality of Exchange without requiring the investment in two server products — Windows Server and Exchange Server — and two sets of client access licenses (CAL). Leopard Server does lack shared-note and to-do features, though.
Deployment services
Both Windows Server and Mac OS X Server offer remote deployment and update services. It isn’t truly possible to compare them because they are aimed at their respective native client platforms. The closest one could get would be to consider the options for deploying a dual-platform Mac client using Apple’s Boot Camp or virtualization tools from Parallels or VMware.
Client management
As mentioned earlier, robust client management features are available to both Windows Server and Mac OS X Server. Like deployment services, they are very much specific to their own platforms. Still, Mac OS X’s client management options are significantly easier for new administrators to grasp, and it is often easier to predict how managed preferences will interact with one another than trying to do so for Windows group policies.
Third-party systems and mechanisms for using both Mac OS X Server and Windows Server within a single network — each for managing the preferences of their native clients — do exist. The tools implement managed preferences on Mac OS X clients from Windows Server and Active Directory. At this time, however, there are no comparable offerings for advanced management of Windows clients via Mac OS X Server.
Virtualization
As with clustering and storage-area network (SAN) support, Leopard’s support for server virtualization is limited to certain Windows Server Enterprise editions and above. In a change from its previous antivirtualization approach, Apple’s end-user license agreement for Leopard Server does permit virtualization. Since this news is so recent, tools to actually implement virtualization under Leopard Server aren’t yet available. VMware and Parallels have both indicated interest in developing such tools.
Both VMware Fusion and Parallels Desktop can run server and client operating systems, though the current focus of both products has primarily been on virtualizing client systems, including Windows XP and Vista. This means that, at the moment, you can theoretically virtualize one or more instances of Windows Server or any other platform on Mac OS X Server. So there are some significant virtualization possibilities already. In particular, this allows you to have the benefits of Mac OS X Server and Windows Server on one machine, which could be useful if you’re looking to roll out a multiplatform environment.