WWDC04 • Session 625

Integrating Mac OS X with Heterogeneous Networks

Enterprise • 1:03:06

Learn how easy it is to integrate your Mac OS X clients and servers into a heterogeneous network. In this session, you will find out what it takes to integrate with UNIX and Windows networks; how to assume the duties of file and print server in an Active Directory domain; how to setup users' home directories on a Windows network served from an Xserve; and other system administration responsibilities. This is an ideal session for the system administrator of a heterogeneous network.

Speakers: JD Mankovsky, Eric Clements

Unlisted on Apple Developer site

Transcript

This transcript was generated using Whisper, it has known transcription errors. We are working on an improved version.

Good afternoon. Well, hopefully all the demo gods are still in the room. We have a lot of demos this afternoon, so hopefully it will all go very well. I can feel a lot of positive karma in this room, so I think we'll be fine. I actually manage Apple's professional services group for the enterprise, and we do a lot of integration work with a lot of you in the room, a lot of our customers, enterprise customers, people buying Xserves, Xserve RAIDs.

We're helping a lot of our publishing customers migrate from OS 9 to OS X, set up network home directories, integrate with Active Directory. So basically, this session is all about integrating those Macs into your environments, into your corporations, on your networks. And so we'll talk about a lot of that today.

So we kind of see ourselves as like a jumpstart team, right? So we come in for a few days, and we kind of help you do that integration work. We're not a consulting firm that stays for months in your company and spends hundreds of thousands of dollars. We're just in for a week, and we basically help you get all that stuff up and going, and then basically mentor you and help you basically maintain the system moving forward on 10. So this is kind of what our team does.

So, what's really interesting, the reason why we started this team and this enterprise professional services group is because of Panther. I mean, if someone would have given me that job before Panther, I wouldn't have taken it. Panther is really the first operating system that is truly an enterprise operating system. And I feel we're very confident when we go in that we can get the job done in your companies. And so, really, it fits beautifully in a lot of environments.

What we're going to talk about today is kind of review a little bit of the desktop solutions that are out there that make that Mac fit into that enterprise properly. And then we'll talk a lot about the back end, because the back end is also very key, and that's why we have on stage right now, you know, Xserves, Xserve RAIDs, which will all be part of the live demo. We'll also talk about some third-party solutions. There's tons of third-party solutions, of course.

You've seen a lot of them this week. But I'm just going to focus on a few that I thought were kind of interesting, again, that have come out in the past few months or that will be shipping this month. I'll also talk about some myths versus facts. I meet a lot of people, and there's still some networking terms, and people still think that we're running AppleTalk on our network.

So we'll kind of talk about those as well. And then a lot of people, when we go in, they're like, "Well, you know, I'm running OS 9," or "I'm running 10.2." "Tiger's going to be shipping next month," which, of course, we all know now it's not. "Should I wait to deploy?" And we'll talk about those. So, fitting in, right? The first thing that's important today is for the Mac to fit into your corporations, and we all understand that.

[Transcript missing]

Active Directory support. This has been key. This is something that we shipped in Panther, and we've improved it tremendously since we shipped 10.3. In 10.3.3, we added full support for network home directories. That has to be done. This is not a UI. That has to be done from the command line. You need to edit the Active Directory .plist file.

But basically, it allows you to truly have an SMB network home directory and not just have it mounted on the desktop like what happened when we shipped in 10.3. We just hadn't finished that feature yet. But we have that. Also, very interesting, we even have wireless support when using Active Directory.

So once you're bound or you're setup with your wireless account, you can actually reboot your machine, log in, and we actually have wireless support through AD, which is a feature that some third-party products don't. One feature we are missing that is interesting is DFS support, and love to get feedback on that.

Right now, you have to use the Thursby product for that, and we understand that. Love to get feedback if that is important to you. You'll have my email address at the end, so we'll be glad to receive that feedback. Mobile accounts is also very important. Laptops, a lot of people use laptops today. You want to make sure that your credentials are cached on the laptop so you can log in, log out, reboot your machine. When you're not on the network, you can log in.

So we've got all those features in the AD plugin. Some of the other directories where we are compatible with, because of Open Directory, and if you went to the Open Directory session this morning, you have a better understanding of how our directory system or directory infrastructure is in the OS. We're very open, and we're all based on standards.

A lot of those other directories use LDAP, and so it's really simple to plug in a Mac desktop into a Sun iPlanet backend or into a Novell backend or an IBM directory server backend. So we fit in very, very well, even with some of the other directories that are out there. We've been NIS. For those of you who still use NIS, it might be time to upgrade, but we still have that support in the operating system.

I wanted to quickly touch on a few applications and web browsers. So, of course, Safari is Apple's browser of choice. And, again, we've improved Safari tremendously. And Eric will show some of the cool Safari demos in just a second. A lot of applications are web-based. And you saw some of the announcements this week with, like, PeopleSoft and Salesforce.com, who are also very committed and that are basically fully supporting Safari as the browser of choice. A lot of banking.

We've been talking to all the major banks as well to make sure they fully support Safari as the browser of choice on the Macintosh. We also added in Safari 1.2, we added LiveConnect support, which is huge for a lot of customers. And, again, just mentioned some of the few tools that are really useful when you're a Mac user and you need to connect to a PC. You know, Virtual PC, but RDC is a great tool as well. Remote Desktop Connection. It's free. Many people don't know that.

And we'll demo that today as well just so you can get a feeling of what you can do with Microsoft. Microsoft RDC. I say it's free, but it also requires a CAL, of course. Virtual PC 6 and 7 shipping this summer or later this fall. And then PeopleSoft 8, SAP Java GUI, people who are using SAP. Also, there's a client on the PC, a Win32 client, but there's also a great Java client that is available and that is compatible with Mac OS X. So we also have SAP availability. And Oracle 11i and Salesforce, of course.

And then 2004, Office 2004, if you read Stephen Wildstrom's quote from BusinessWeek a few weeks ago, he basically said that Mac users now have an Office suite equal to Windows, which is really good. And we actually have even more features than the latest version available on the Windows side.

Hopefully my clicker keeps on working. There we go. Quickly touch on Java and X11. So, again, we've got some great tools available on the Mac, and we're seeing more and more developers actually use Mac OS X as their development platform. Great tools, JBuilder, Sun Java Studio Creator. That was announced this week at the JavaOne conference. IBM Eclipse. There was a session on Eclipse a few days ago.

And Eclipse is really, really important because, I mean, I'm seeing a lot of developers move to Eclipse to write their own applications. And because we have Eclipse on the Macintosh, it's going to help us even get even more applications on the platform because it truly is a cross-platform development environment, and it really helps IBM and others to bring even more applications to the Macintosh. And then JBoss, Macromedia, and, of course, the X11 client. This is great.

I mean, if you've been to... downstairs to some of the vendors, if you went to the vendor fair, a lot of them, the first step, like in the backup area, they bring up the X11 server and the X11 client for the Macintosh, and then it takes them a few months, and then they come up with a really nice native Cocoa GUI. But at least we have X11, and people can actually run their applications through X11 on the Macintosh as well. VPN clients. Just wanted to quickly touch on that.

So we have a native L2TP and PPTP over IPSec client built into the OS, so for small and medium businesses, also on the server side, we have a built-in VPN server that is compatible with Mac and Windows, so make sure you take advantage of that. I mean, if you buy an Xserve, it's really very simple to set up as a VPN server, and, again, it'll work with both your Mac clients and PCs, and I still know quite a few accounts that are dialing in using dial-up, and the beauty of this is if you set up an Xserve with VPN, you can go to pretty much... You're on the road. You can go to any hotel. They all have... They pretty much all have DSL or cable modems, and you can get on your network without using any dial-up, which is kind of pretty much outdated.

Cisco as well. Oh, by the way, we also, in 10.3.4, we also improved tremendously our Nortel compatibility, so there was a bug on the Nortel side in their VPN box, which we basically addressed by adding some new functionality on the client to work around the bug, basically, and now you should really look at having your admin turn on L2TP on your Nortel box, and you should pretty much... It should pretty much just work, so you can actually use the built-in Mac client to connect your Nortel backend. There's some other ones. Netlock has a client for Nortel, Equinux VPN Tracker, V1, and Grayshawn Software.

So that's kind of a quick summary on the enterprise side and again on the client side. And again, I didn't touch on everything, but I also wanted to focus a lot on the back end and on server solutions and how we fit in into your networks on the server side, especially with Panther and then with Tiger, it'll just get better.

[Transcript missing]

Another thing that we've been doing a lot, pretty much since Panther shipped, is policy management. Now that we have a truly enterprise-level operating system, people want to lock down and manage their policies on the desktop. There's a couple of ways to do that, and that's what this slide talks about.

The first way that usually we go with, and probably 80% of our customers, when we go and talk to the Windows admin, they manage their schemas. Usually, we start talking and say, "Well, the first thing they ask is, 'Are you going to modify my schema?'" It's like, "Don't touch my schema." That's usually the way the IT people behave. That's fine.

We've got no problem with that. We'll work both ways. We can put Xserves in there and basically use the Xserve as a dual authentication. You're still authenticating the user to Active Directory, but you're being managed through the Xserve. That means that you don't have to do any schema extension, and Eric will show you that in the demo in a few minutes.

That's the first way. You put an Xserve, and you're basically still authenticating to AD, but you're being managed through the Xserve using Workgroup Manager. The other way we can do it is we can actually extend the schema on your Windows server. That's stuff that we also do on the consulting side.

That's also, there's about 30, what is it, Eric? 37? There's 37 attributes you need to modify on your AD server so that basically you could actually run Workgroup Manager against the Active Directory directly. You can manage users, groups, computers when you're modifying the schema on your AD server. People usually don't like doing that manually, even though we have that. It's all detailed in the Open Directory guide.

But you don't want to make any mistakes, especially on 2000 because you can't delete attributes once you've put them in. We basically developed a script that just goes in and does it all pretty much automatically. That's the other way of doing it. What I want to do now is basically bring up Eric to show you some AD demos and go through a bunch of them. Eric? Thanks, JD.

It's actually located in your Utilities folder under Every Applications folder. I need to unlock here. So you notice there's a plug-in here called Active Directory.

Double-click on that. It'll ask you for a little bit of information. Pretty easy. Some of your admins have a hard time figuring out what it is, but it's very easy information to find out. You're looking for your forest and your domain information. It's already entering here, but I'm not bound yet, so I'm going to actually bind this client to the AD. Now you can use a pre-created computer account, all the kind of stuff you would do on a Windows side. If you've got privileges to do it, it will let you bind to the directory. Return.

Now I'm bound. That fast, it created a computer account and it's bound to the Active Directory. There are a couple of things you've got to do before you're done. You actually want to say I want to use this for authentication. I've already done it in advance here, but you add that to the authentication chain. One very important thing people don't realize, if you've got Exchange, you want to add it to the contacts one as well. And I'll show you why you want to do that. All you do is switch to custom, click add, and add it to the list.

So that's pretty much how hard it is to bind, but if you launch the terminal, the quick test to make sure it really worked. So I know there's an AD user out there called Okay, that's a user out of Active Directory. You'll notice, partially because his UID, for those with the UNIX IDs, is very large, because that's dynamically generated from Active Directory. You'll also notice a group based off of the domain information. So he's actually part of the engineers group in AD. So now I know AD's working great. Now I'm going to log out. I'm going to log in as that user I just checked.

So I went home. What's important about this user is, I call him WinHome because his home is actually on the Windows server. No changes. It's not running AFP. It's running just regular Windows file services. I'll also show another user where we're connecting to the Xserve, another example of how you can split that up.

One thing that happens for you is one, your home directory on the network gets mounted on your desktop. And I actually put a shortcut in your Dock. So I can actually create a folder here, you know, this is from the Mac, this is stuff for home, etc. So those are files that are up in my network home network. I could copy files over, etc. from my local machine if I wanted to.

So you see how that works. It's normal SMB share from a Windows server. But let me go ahead and log out. And now I'll log in as an OS X user. Now what's different here is the home is actually on one of our Xserves in the rack. Now the Xserve is actually integrated to AD as well.

You know, it's the same OS X home added to my Dock. And in this case, it's actually using SMB to an Xserve, which is kind of interesting. In reality, as JD mentioned, you can actually switch that. Just to show you real quick, there's a command line tool called dsconfigad.

If you run that, there's a little option here called Local Home and Mount Style. You can switch the Mount Style to AFP. So if I were to switch to AFP, it would actually use Apple File Protocol to connect to the Xserve instead of SMB, which is more reliable for us. So that's pretty much it for actually logging in. It's amazing how easy that is. But a little more detail people don't realize is I can actually launch Safari. I've actually got Exchange 2003 installed with Outlook Web Access, so let me just click to Outlook Web Access.

You notice I didn't do anything. It signed me in. It used my Kerberos credentials that I got when I signed into the computer and just logged right into Outlook Web Access, just like you do on your PC. I can click on email, read email, send email, etc. And I can show you the fact that I've got credentials from the command line with a simple Kerberos command called klist. This is the credentials I got when I signed in, and this is the credentials to connect to the Exchange server.

All automatic. But remember that comment I made a little earlier about the Contacts tab and why that's important. Most of us don't realize once you do that, if you launch Address Book, you can actually look at Active Directory and find users. You know, I want to send an email to somebody. I know there's a demo user out there. Actually, there's three of them. I can double click on the user. You know, this is all kinds of information. All of this is coming out of Active Directory.

I can, for example, I can actually drag that to my personal address book if I want, so I don't have to worry about being on Active Directory and now that user is now in my local directory. All completely seamless for you. So just to prove a couple of things, let me go ahead and log in. Eric, go back to address book and show them the syncing, the iSync with Exchange.

So inside of address book, you can actually go to preferences and you'll notice there's a synchronize with Exchange. So if you actually got an Exchange account and you've integrated your mail as well, launched your mail and set it up, you can actually sync your address book with mail and Exchange back and forth.

So all your addresses are always in sync for your personal address lists. Your GAL, or what people call the GAL on the Windows side, is auto-ready and address book by default. So there's nothing to synchronize. The great thing is if you launch mail and you type in usernames, it will find them in AD automatically. The autocomplete that we have in mail, it works with AD as well. All automatic. This is server number four, please.

So let me actually show you real quick those users in AD. I've actually got the AD administrator up here. Those two users I just logged in as. You'll notice the OS X home. You'll notice his account, just a normal account, but his profile was on the Xserve under the Users folder with his OS X home. And same thing on the WinHome. You'll notice the difference is, it's actually on the Windows 2003 server. Now, let me log in on another PC with that same user.

So that's a home folder stored on an Xserve from a Windows box. If I actually click on the short link here, you'll notice that it's actually going to the server and the files are in there. You can also go to my computer and notice that it's actually mounted on the desktop, or on the system as a drive. All transparently, they don't even know it's an Xserve on the backend. So that's kind of it for that, but let me now go through some policy examples. Can we go back to number two, please? So I've got a couple other users set up. Actually, number three, please.

Oh, three, sorry. So I've got a couple of the users set up to actually show the policy management. First of all, let me show you a user that has actually been extended directly in AD. So this is a, we've done the schema changes and I've applied a policy to the user in AD using our tools. Nothing special, I log in as user just like I always would.

Now I didn't do anything special here. This actually came from the policy management. I said to put his dock on one side. Actually enable magnification. And this is all coming from the policy management. It's always a slight delay logging in here. Notice the network home isn't listed in the folder.

So I've kind of controlled that user's experience, which is very handy. I could lock out applications. Anything you can do in Workgroup Manager, you can do to the user right then and there. And I'll show you what that looks like in our tools so you see how I actually set the settings.

Now I'm going to log in as a different user, and this is a group user, and this is because I'm going to control his policies from an OS X server with a separate directory. I want to log in first without anything set up. So you see it's just a normal user, everything exactly the way you would have first time when you signed in. But I'm going to make a slight change. I'm going to add the OS X server to that authentication tab you saw. What that's going to do is find any other groups the user might be part of.

Yes, I'm only part of staff, no extra groups. Last director access. Now I'm going to actually add the LDAP server from our server into the list. Now if everything is working right, for us here I should log in with the same user again, and notice everything will look different.

Demo gods aren't with us. Let me double-check to make sure I actually talked to the server. Managed settings are cached, so there was some danger in this, and the fact that it didn't go to the directory again because he knew that it didn't have any managed settings that needed to be refreshed. Just open up a terminal and show them that. You'll see that I'm actually part of another group. Actually, it did. Take that back. Oh, there you go.

I have a Simple Finder. So that was the big change. Boy, Simple Finder is really simple. So it worked. So next thing, let me launch the Workgroup Manager tool so you can see what this kind of looks like in the directory. Couldn't run it as easy as it is, it's pretty restricted there.

So let me connect to the Open Directory Master. And let me connect to the Xserve that's bound to AD as well. So this is the Open Directory Server. Notice there's some other users. I didn't do anything special. But you'll notice the group called Manage Group. Yes, the group user is in that group. You come over here, this is the Xserve, and here's a machine connected to AD.

I can do the same thing under the menu and you'll notice there's a view directories. I see the same list because I'm connected to AD as well as on a client. If I click groups, you'll see the engineers, etc. So the nice thing is, if I click on this extended user and go to preferences, you'll notice he has some preferences set up. Now I can authenticate.

I can actually change some of this some more, but if I click on one of these settings and come in here, say always, even though I didn't make a change, and it just saved that directly to Active Directory. So I'm modifying the user directly. Now if I go to the Open Directory server, I can click on the Manage Group, go to Preferences, and you'll notice the Finder setting that I had set. And I said always make it a Simple Finder. So that user got that policy from a completely different directory. That's it. Cool. Thank you, Eric.

So see, demo gods are actually with us. It's a good thing. And there's more coming. Next thing that I wanted to talk about is Mac OS X as a PDC. That was pretty interesting. Last year, we did a similar session, not as in-depth as this one, because of course, Panther wasn't shipping at the time. And a customer came at the end and basically told me, "Hey, you know, we've got about 500 Macs and about 100 PCs.

Should I go to Active Directory?" And I said, "Absolutely not. I mean, there's no reason to do that because Panther now has PDC support built in. So really, I mean, you just basically set up an Open Directory master, an Open Directory replica, and you have the PDC built in, so all your PCs can authenticate directly to the Open Directory master box.

So there's no need for deploying any Active Directory server to manage your PCs and log in and so forth and so on. So basically, we've got native support to act as a PDC. And as you saw in the session, we'll also add a backup domain controller in Tiger as well, which is useful when you need to manage the server.

And then what's also interesting is we also mentioned that we were going to come up with a migration tool. But again, Panther is shipping today and Tiger will ship in the first half of 2005. And we understand that the NT support is going away at the end of the year. So I wanted to make sure that people--there are two tools. One is available today. One is coming very shortly. One is from DAS Technology and the other one is from Versora.

And basically, they're going to have a tool that will allow you to migrate your NT servers over to a Mac OS X server, an Open Directory PDC. So those tools are available--or one is available. One will be available shortly by this fall. And then we also have some documentation. So please look at the Windows documentation. It's not as easy. We don't have that automatic tool yet. But the documentation is pretty explicit on how to help with the migration.

And, again, our recommendation is, you know, if you have about under 400 users, our PDC will work great.

400 to 600, it's a perfect solution for that. So if you have less than 400 to 600 PCs, you'll be fine. Of course, when you go, you know, in that enterprise level, you know, the PDC is, you know, Active Directory or a Sun solution or a Novell solution is probably better for the high-end enterprise. For the small to medium business, it's a great solution. So what I'm going to do is have Eric give you a PDC demo. Yep.

So first on the Mac here, I want to just show you the fact that I have a user in Open Directory. This is an LDAP server. Let me close out the AD one over here. So you notice there's a PDC user, but he's got a Windows setup. I didn't create any profiles, so obviously I don't feel like dealing with creating a login script and profile and such. But you will notice I'm going to map his home to the server or the Mac server. So he's got a typical path. I'm going to map H to our Xserve. This is number four, please. All right.

So now I'm on XP, and you can see I'm actually bound to the ODPDC. Let me just sign in here. "I typed the right password?" "Actually good, it's actually a security feature in Windows. It doesn't let you in if you don't type the right password." And you'll notice my H drive got mapped.

Automatically. Nothing special. Can I just talk about number three real quick, please? Hold on. Go to the start menu, the start button, just a second. Click on the start button, Eric, just to show them that actually you can see that the PDC user, it's actually the PDC user. And again, the beauty of it, you can change passwords on the PC.

It saves that back to the Mac. You can change it on the admin side. I mean, all that stuff is totally transparent on the desktop and on the server. Number three, please. So you saw what I was looking at in Workgroup Manager real quick. I just want to actually bring up Server Admin so you can see that particular setting.

As you can see, some of the logons have been a little long, and that's because of our little mini DNS server we set up at lunch, so bear with us. The DNS might not be completely configured properly here. And DNS is extremely important for those of you who have set that up before. So you notice under Windows, there's some settings. I'm going to finish refreshing there. And I'm just configured as a primary domain controller. I set my domain as ODPDC, my computer name, and it's set up. Great. Thank you, Eric.

So I wanted to touch base also on another topic, which is migrating to Open Directory. Well, what's also interesting is we've been talking to a lot of people who have Sun, Sun iPlanet servers. And again, you know, they're spending a lot of money with Sun servers and especially the maintenance support and the support.

And so what I wanted to mention is it's actually pretty simple to migrate if you're only using your Sun for authentication. And again, we're not talking, you know, 500,000 user records, right? I mean, again, you have to, within reason, you know, our server can support today in Panther over, you know, we've tested over 100,000 user records.

So if you're in that area, you know, zero to 100,000, you can definitely use our master replica scenario. And definitely very interesting from a migration from iPlanet. What's also interesting is, again, built into directory services, you can very quickly authenticate to iPlanet, but also you can use Workgroup Manager to help you migrate that. So what you could do is you could basically tie into Workgroup Manager on your Sun box.

You see all the list of users and you basically use the export feature in Workgroup Manager. You save that file and basically you bind to your open directory server and then you import that file and you've got a great way to basically import and export the basic user settings, right? SN, CN, password, definitely not. You know, usually what we recommend there, password migration is not easy for those of you who know that in the audience. But, you know, you can use Workgroup Manager to quickly set up a default password.

And users can come in and change it at first logon. But a lot of, you know, we've talked at least four or five people in the past few months who want to migrate to open directory from Sun and you can do that. Because, again, Sun uses LDAP. We use LDAP. Therefore, we're very compatible.

Next topic I wanted to cover is high availability. And so, again, if you were in the session, you saw some of the announcements around Tiger and Tiger Server where we're basically going to have an active-passive failover mechanism. But, you know, Tiger, again, is shipping next year. And a lot of you in the publishing world or in the enterprise world want, you know, the Xserves, you know, they have one power supply.

So I hear that all the time, right? People want to make sure that if the server goes down, my users get back online, you know, immediately, right? And so what we've put together is basically a scenario. This is a simple scenario. And the scenario is I've got a master server serving files, right, or serving network home directories. Again, AFP, SMB, NFS, you know, it doesn't really matter.

And so this master server is actually connected to a Fibre Channel switch. You know, it doesn't matter. It could be, you know, Vixel, Brocade, QLogic. Those are the three that we support and basically the server is connected to an Xserve RAID, okay? It could be one, it could be two. In the demo today we have one, but, you know, no big deal. The more ports, the merrier.

And then you've got this failover server. And this failover server is basically in a waiting mode, right? And, yes, the server is not doing much, but at least, you know, you're back up and running. If something happens, you know, that server will pretty much instantly take over. And that's really what people care about.

And, of course, none of the volumes are mounted on the failover server right now, right? That's a big thing that people have run into. They think they can have both volumes mounted from the RAID on both servers. Not at all, right? You don't want that because then that's how you cause corruption.

So all the volumes are mounted on the master server. And when the failure is open, we basically automatically mount all those volumes over to the failover server. And we'll do a demo in just a second. What's also interesting is usually those kinds of solutions are, you know, pretty expensive.

They're, you know, $10,000 to $15,000. And, you know, basically we have a scenario where, you know, we sell it for, you know, probably in the $4,000, which is really, really good using scripting. And so what I want to do is bring up Eric. And Eric is going to basically show you this high availability demo.

To set up the best way, we actually put Apple Remote Desktop on our servers. I've got two windows open here. You notice I've got the master and I've got the failover. You notice the desktops are similar, but all the volumes are set up on the master over here. Let me show you these are really live windows. So I can create a... New window. Sorry, I'm observing. In observed mode. So these are real live windows. And I'll actually connect to, try connecting to the master.

It's going to prompt me. They're actually there. So notice that Eric is connecting. Notice the IP address. He's connecting to 162 and he's connecting to the volumes. And basically, you can see we have 10 volumes, but we've only shared four in this case. So he's connected. Everything is going fine. What I'm going to do now is I'm going to simulate a power failure or a power supply blow-up. So, you can see there's no trick here in this demo. I'm going to turn off the server.

Server is now off. And you can look at the failover server and in a matter of a few seconds, it takes usually, you know, around 10 seconds, you'll see that not only all the volumes mount, but also what we do is we start AFP as well on the services side. And you can see all the volumes mount up.

I'm going to connect to the exact same IP address. And Eric is going to be connecting to the same IP address, right? AFP's probably still launching, so give him a moment. Hopefully. We might not have started AFP. Can you make sure AFP started? Or just run it from ARD? I'll try to connect to it real quick. Yeah, AFP's not running. Yeah, AFP might not be running.

There you go. Just a matter of time for things to come up. So again, we have a little bit of DNS issues here, but usually it's pretty instantaneous. So the user will get disconnected, and there's nothing we can do about that. But the point of it is that anything could happen. Your switch could be going bad, or there might be a power failure or something. And in a matter of 10 seconds, your user will say, oh, I got disconnected.

Let me just reconnect to the server, the same server I was connected to. And it's very transparent for the user they'll be connecting to the failover. But again, the RAID will move underneath the failover server. And then we also have failback. And again, that's for you to decide if you want automatic failback or not.

Our scripts are able to do automatic failback. And so if I start the server again, all the volumes will move back over to the master server. Thank you, Eric. So moving forward, what's also very interesting, as you've all heard and maybe a lot of you have been to the Xsan sessions, and what's interesting is if you deploy this high-availability failover solution that we talked about, you can deploy that today, right? But when Xsan ships later this fall, what's interesting is you could actually install Xsan on a very similar scenario.

Now, granted, I didn't put the metadata switch in there. It's not all fully wired up, but it would be a very similar scenario where you would load Xsan on the master and on the failover. And what's interesting there is because of Xsan, now your RAID volume could actually be mounted on both machines, right? And so you could actually run other services on that failover server, right? So you wouldn't be running AFP, but you could run some of the other services that are out there. You could use it.

You could use that to do NetBoot, NetRestore, QTSS. I mean, you name it, right? Anything but AFP or SMB. And when that machine fails, basically you start those services on the failover server. So great migration path. You start with the high availability. Can't really use that second server for now. But when Xsan ships, you can basically buy two copies of Xsan and load it on the master on the failover and basically come up with a really nice little Xsan environment.

What's also very interesting moving forward with Apple Xsan and Xsan is really the whole SAN environment, and we talked about that in the Xsan sessions. But again, what's interesting here is you can have a mixed platform SAN solution using Xserve RAIDs. And that's really interesting because that gives you true enterprise data management.

And using some of the wonderful tools from ADIC, you could actually have a mixed environment of Xserves, of Windows servers, and Linux servers. Because of our compatibility, because we're 100% compatible with the ADIC file system, you could actually host Xserves, Windows servers, Linux servers, and your back end could be all Apple Xserve RAIDs.

What we see in the enterprise a lot is people have EMC storage or Hitachi storage. And what you can do now is you can basically still use that storage. I mean, that storage is really expensive, and usually you don't want hundreds of terabytes of that storage because it will cost you a couple million dollars. Quite a few Porsche GTs.

That's my car. I mean, I'd love to have one. But anyway, so what's really interesting is you can use the Xsan in that middle storage range. So using ADIC's total life. And then you can use the ADIC in the management system. Basically, when the files haven't been touched for a few days or a few weeks, that's for you to set up the policies.

Those files will get migrated automatically to an Xserve RAID. And then if they haven't been touched in another month, then they could be moved to tape. And that's all done totally automatically using ADIC software. And we can integrate with that very, very nicely. So again, just food for thought on the enterprise side using Xsan.

I also wanted to quickly touch base on backup solutions. And, again, we had a great backup solution or backup session yesterday. But, again, I think it's important to mention that, you know, last year, you know, we didn't have a lot of backup solutions available for Mac OS X. And you can see that the list has grown pretty dramatically from IBM to Veritas, EMC, Legato, CA, BakBone, Tolis, Dantz, Atempo, Avail Solution.

Actually, a lot of the vendors were downstairs, if you saw them, for the past three days in the vendor fair. So a lot of great backup solutions available for Mac OS X, both on the client and as well as on the client server side. And that's really exciting. And, again, the reason why we have all those is because of, you know, Mac OS X's Unix foundation, is that it's much easier now for developers to come on the Mac platform and write tools because they support Linux, they support Windows. And now it's really easy for them to support Mac OS X.

Another big thing is nearline backup. And that's a solution that I wanted to talk about because this is actually a true deployment that we did in Washington, D.C. And basically the customer decided to completely get rid of tape. No tape libraries. They wanted basically true disk-to-disk backup. And basically they bought an Xserve and they bought four Xserve RAIDs. And about 20 miles away or 10 miles away, they have another set, one Xserve, four Xserve RAIDs.

And basically the way they're doing it is they're doing their backups, their daily backups. And they basically kind of segmented the backups, you know, day one, day two, day three, day four, day five, up to day eight. And then at the same time, every day they're mirroring the data over to the off-site, to the disaster recovery site.

And so that's the way they're doing it. And I don't know if you guys can, can you guys actually see the performance, the throughput number right here? Okay, this is 2,720 megabytes per minute. Okay, that's the throughput they're getting when they're doing disk-to-disk backup. Okay, and that's actually using Retrospect on Mac OS X. Retrospect 6 with 10.3.4. Pretty amazing. Now, how many people know how much you get when you back up to tape? Yeah. Yeah. It's a big difference.

And we're not saying that you shouldn't back up to tape. We're just saying that basically the disk-to-disk to tape is a great scenario, and that's what people are moving to, simply because there's not enough time in the day to back up all your machines, right? And in this scenario, they're backing up about 250 to 300 desktops, and they're doing that in less than two hours, okay? So, that's the kind of -- You can't do that. I mean, people leave at night.

They've got about eight to 10 hours to back up their systems, and the users are back up online in the morning, and if the backup is going on, what happens? User calls the IT guy and says, "Hey, my machine is really, really slow." Well, yeah, it's slow because I'm still having to do the backup. Right? I haven't picked up your machine yet.

And so that's the beauty of disk-to-disk. You back up the disk, and then you can take whatever time you want to back up that disk over to tape, right, and then take that tape offsite. But disk-to-disk is a great scenario, and again, with the Xserve RAID, for those of you who don't know this, an Xserve RAID is $3 per gigabyte. Okay? That's our cost, $3 per gigabyte. It's unbeatable, and the performance is absolutely stunning. I mean, you're looking at 350 to 400 megabytes per second on the throughput on the Xserve RAID sustained, and so we've got a really great solution for nearline backup.

Quickly talk about Apple imaging technologies. And that's because, again, a lot of you are migrating from 9 to 10 or from 10.2 to 10.3 or from 10.3X to 10.3.4. And basically you tweak your Mac OS X image and you want to basically reload it on your desktops. And we did that actually at a customer probably about six months ago. And they had about 600 Macs.

And in less than five hours, we basically loaded a three gigabyte image on each desktop. Less than six hours, all those machines were upgraded from 10.2 to 10.3. And that's using some of the great imaging tools we have in there, using Network Image Utility. We used a little bit of NetRestore as well. We used Disk Utility. So you use Disk Utility to make your image. And then we used ARD as well to basically set up the machines to NetBoot.

And the machine would NetBoot in this net install mode. And it would basically load in less than 10 minutes, would load the image on the desktop. And that's how we were able to achieve that migration. And so for those of you who are in the room, just wanted to give you a little heads up.

So as you know, Network Image Utility today does not support block copy. And so it usually takes 20 to 30 minutes to load an image. And again, this is a confidential session, right? So you don't repeat that, of course. But in a very near future software update, Network Image Utility will now support block copy.

I knew I would get applauses for that and I asked the product manager, "Can I say that?" I said I really wanted applause around that. So he said, "Yeah, you can do it. Just have fun." So quickly talk about third parties. And this is a very interesting few products here.

We have a couple of really big ISPs who are now using Xserves to basically make sure that they're not being attacked or not being hacked into their network. And the Xserve is a phenomenal box for doing that. This customer, which I can't name, basically did a lot of testing. They tested, you know, Dells with Red Hat. They tested Sun boxes.

They tested Computer Associates, $100,000 systems that basically do, you know, check their network and make sure that you're not being, you know, hacked into. And when they did all their testing, we also shipped them an Xserve. And what they did is they used Snort, which is an open-source tool, and they installed Snort. And the Xserve was the only machine, and you're talking, you know, ISPs, so you're talking a lot of packets going on. And the Xserve was the only machine that did not drop a single packet.

And any solution under $100,000 couldn't even come close to the Xserve. So they were really blown away. And that was last year. And in the past six months, there's been two, you know, enterprise-level solutions that are now available. Symbiot, which is a company based in Austin, and not only they defend your network, but they'll go and attack.

They'll attack back at the hackers. So that's kind of cool. And then ArcSight is another solution available. It's available as well on Mac OS X. So it's two great solutions to put Xserves in your environment and basically secure your network. You know, another really fun one, I talked to this developer on Monday night, and he told me that basically he's, you know, he's working on some solution that runs on the Mac that'll basically go and find the worms that are living on the PCs. And it was funny because a few years ago, another big account, they were using PowerBooks.

All their Windows servers were down because they were all on Mac. They were all hit by the Code Red worm. And so they were using PowerBooks to go in and shut down all the servers and find the servers that were infected. That was pretty funny. Another solution that was announced this week from Versora is called Progression Web. And that is basically a migration tool, and it sells for under $300, which will basically migrate from IIS, from Microsoft IIS, over to Apache.

And as you know, Apache is pretty, you know, well used on the web browsing, on the web serving side, you know, over 60% market share. And this is an automated, a tool to migrate from IIS to Apache. And then one that I thought was really interesting, that was announced this week, and they'll be shipping by the end of the month, is Kerio. And Kerio 6, Kerio's been around for about four years now, and they've shipped quite a few versions of their email solution.

But what's really missing, right, I mean, you all know that, what's really missing on the Mac is calendar, right? There is no email, there is no solution today that has really good, that is kind of medium-sized business, right, that has good calendaring and good email, and that is cross-platform.

And so what Kerio saw that, and what they did is they basically developed their version 6, which basically allows you, they have a migration tool, which allows you to totally migrate from Exchange over to Kerio, and it's very seamless on the back end. So you just migrate the server over to an Xserve.

Also very interesting is that you don't have to touch any of the other servers, you don't have to touch anything on the client, you just load this MAPI connector on the Windows side, but on the Mac side, they're totally compatible with Entourage 10 and 2004, right? So basically, you've got a really nice solution that is cross-platform, and they support FreeBusy, and they've got all that nice Microsoft stuff.

And so really, for small to medium business, they've got a really good solution. Their pricing is amazing. I mean, you're talking, you know, with the antivirus, with the McAfee antivirus, and the spamming, and the backup, all that stuff, you're talking $700 for 25 users, and you're talking, you know, $5,000 for an additional 1,000 users. So that's $5 per mailbox, right? That's pretty cheap.

If you know how much Exchange is, you know, it's usually $100 to maybe $200 per mailbox, so it's not cheap. But again, you know, this is not... I wouldn't go beyond a thousand users on the product yet. We're working with them on adding Xsan support as well for clustering.

But for small to medium business, great, great solution, all running on Mac OS X and great migration tool. And they also tie right into AD and Open Directory. So on the back end, you can keep your AD infrastructure and you just basically migrate your Exchange 5.5 or 2000 over to Kerio.

And then finally, I want to quickly talk about myths versus facts. And, you know, it's pretty funny because I talk to, you know, again, some pretty large companies. And, you know, there's a lot of people think that AFP, the Apple Filing Protocol, is basically AppleTalk. And just, again, to make sure that, you know, we've gone away from AppleTalk years ago, right? So there is no more AppleTalk running on the network.

So AFP is like SMB for the PC, right? It's pure TCP/IP protocol. There's no AppleTalk going on on the network. So that's just, you know, for you, if your network person, you know, tells you, you know, we don't like Macs because they still run AppleTalk, we really don't.

SMB is faster than AFP. That is not the case. And, you know, really, we've tuned AFP. Because our customers work with really large files, you're always better using AFP when you can. And even today on the Mac OS X side, it's always better to use an Xserve to serve your network. Simply because the protocol has evolved throughout the years.

You still, you know, Microsoft still uses AFP 2.2 on their servers. And that is just not the, it's just not a good protocol to use, especially when people are running Photoshop, InDesign, and all those big applications on a daily basis. And then they still have to deal with resource and data forks. So really, it's better to have the Mac connect to AFP than SMB. AFP is chatty, not at all. That, you know, that used to be the case with AppleTalk.

But, you know, NetBIOS was also very chatty. But AFP is not chatty. Okay, again, people confuse AppleTalk with AFP. And then Rendezvous is proprietary or chatty. Well, this week, we basically announced Rendezvous support for Windows. You've got a Rendezvous browser for Windows and for Linux, which is available if you saw that. And it's open standard and open source. And since we announced Rendezvous, I mean, you've seen how many printer manufacturers and game manufacturers and devices are now supporting Rendezvous, and so it is not a proprietary standard whatsoever.

So what about Tiger, right? So, you know, should you wait for Tiger? Well, you know, we don't think so. We think that, you know, Panther is a phenomenal release on the desktop, on the server side. And really, when you look at the maintenance plan that we have, we've got this three-year maintenance plan where you buy for $1,000, you're covered for three years on the server side. And we've got a similar maintenance plan on the desktop.

And when you see all the stuff that we're basically announcing in Tiger Server with no more 16-group limitations, full ACL support, nested group support, software update server, you know, high availability, iChat server, Weblog server, full syncing of my home directories, you know, it's really important that you plan ahead and that you get that maintenance. Because, you know, you will want to upgrade, no doubt, to Tiger Server when it's available because of all that functionality. So make sure you get that. You get the maintenance plan. You're covered for three years.

You know, Tiger ships first half of 2005. Get the maintenance today, and you're covered. You get your software when we ship it. And it's just the best way to do it. So, you know, today we've got a great solution. Tomorrow is looking, you know, a ton better with ACLs and no more group limitations.

So as a wrap-up, I just wanted to kind of review again that, you know, Apple has made great strides in the enterprise, right? I mean, if you look at all the solutions that are available today from key enterprise developers like IBM, Microsoft, Oracle, I mean, you saw all those people today or this week. We've got phenomenal solutions on the enterprise side, and they keep coming, right? Every week, every month, we get new solutions on the platform.

And the reason we have that is because the server, our server product is so affordable, and our storage is so affordable. Those developers don't have to fight for the hardware. They can focus on selling their software solution, and the hardware is now, you know, it's nothing. I mean, a $4,000 server is nothing compared to a 16-way, you know, HP Superdome or some other box like that.

And then in summary, I just wanted to say, you know, we've done a lot of work. We've done a lot of work in Panther, Panther Server around the enterprise. We keep moving forward with Tiger in that direction. Pick your directory wisely. If you haven't gone to AD and you're still on NT, please consider Open Directory. I think it's a great alternative to AD, much less expensive. Deploy technologies around open standards. And if you need help to set up those environments, that's our email address, consultingservices@apple.com. And we'll be glad. Send us an email.

We'll be glad to help you with your integration projects and help you get started. So this is my email address, jd.apple.com. And Chris Bledsoe, who's the Enterprise Alliance Manager on the developer side. And, you know, more information. We've got a lot of documentation. You've got all your CDs. So all that is available. Great server documentation, which is available for free off our website. And of course, a lot of information on the Apple RAID and Xsan and ARD available as well.