Trench Tales (Part 3) - Apple in the Enterprise

by [Published on 31 May 2012 / Last Updated on 31 May 2012]

The third article in this series of real-world stories deals with managing Apple devices in Windows-centric environments.

Introduction

This series of articles leverages the expertise of IT pros from around the world who have shared their stories with me through my role as editor of WServerNews, the world's largest newsletter focused on system admin and security issues for Microsoft Windows Servers, and also through several other channels such as my connections with IT pros through my activities as a Microsoft Most Valuable Professional (MVP). These stories have been edited for length and clarity where needed.

Tip:
If you haven't subscribed yet to WServerNews you should do so today!

Apple in the Enterprise

To set the stage for the stories that follow, you should begin by reading my editorial Apple in the Enterprise in the February 20, 2012 issue of WServerNews. Then read the From the Mailbag section of the March 5th issue, where some newsletter readers respond by sharing their own tips for managing Apple devices in Windows-centric environments. Some of the stories readers sent me, however, were too long or detailed to include in my Mailbag column, so here is a selection of them for your education and enjoyment.

A Red Herring?

First comes a reader who questions whether the whole question of managing Apple devices in a Windows-centric environment isn't simply a clever marketing device put forward by Apple to push their products into the enterprise space. Conspiracy theorists beware!

First and foremost, to hook an iPhone to an Exchange server requires no magic, no special tools, just go into settings and it's pretty simple.

Now for the real question: Why would anyone want to integrate? Any company I have worked for supplies employees with a computer, they don't bring their laptops from home (Windows or otherwise) and iToyblets or any other toyblets aren't even as useful as netbooks were/are, and once again, the Enterprise didn't make room for those devices. This BYOD is merely Apple's attempt to get the enterprise presence they haven't been able to attain on their own because their server platform stinks (fact, not a prejudicial statement) and their desktops/laptops are too expensive for the lack of what you get compared with a Windows machine. They aren't any better, faster, or less prone to attack (that's the ID10T keyboard connection) than a Windows PC.

I don't understand why so many, the tech researchers (Forrester, IDC, etc.) and tech bulletins (Network World, Computer World, CIO, etc.), are trying to buy into this garbage. I read the many letters and articles relating how Apple is taking over the Enterprise, yet I work daily in the trenches, for a variety of companies large and small, and I am not seeing this BYOD (bring your toys to work as I call it) phenomenon occurring, except for a few iPhones, and there are some Blackberries and Droids also. This is not happening the way it's being put out, which furthers my suspicions regarding it as an Apple push to get into the enterprise.

I think the above reader's skepticism is justified to a degree because the "IT press" does look for "hot issues" they can use to attract eyeballs to their news sites. Is BYOD becoming an issue for the IT department at your own organization, or is the issue mostly a red herring? Send me feedback at wsn@mtit.com if you have an informed opinion on the matter.

A Recommended Third-Party Product

Next, a technology coordinator for a school district in the US shared the following story with me:

Hello, I read the TechNet article at http://technet.microsoft.com/en-us/magazine/2008.12.mac.aspx and did see one oversight: ipconfig is actually ifconfig on a Mac - something the author should have noted.

I worked as a Windows Network admin for ten years before switching jobs and now work in a school district that is 95% Mac-based. One of the first things I did was replace the old Apple Servers the district had because I was rebooting them at least once a day to keep things working. The AFP protocol (Apple File Protocol - not to be confused with Apple Talk) would bug out that often and clients would experience slowness.

In order for this to work for us I did have to buy a third party app that I can't recommend enough - it is expensive but worth every cent - ExtremeZ-IP (sold by Group Logic). Since we switched to AD and Windows based servers - things have improved 100%.

All our students and staff authenticate to AD and all Macs are joined to the domain.

I asked James to share more about why/how he felt Group Logic's product had been helpful in his environment and he continued as follows:

I honestly haven't tried going without it (when we switched from Apple servers to Windows) but it came highly recommended because of how it handles the problems listed on the website - dot score underline files, resource forks, long file names - and yes the dreaded file names containing " / " even work. Try as I might my teachers are too ingrained in their ways for me to get them to reliably stop using characters in file names they shouldn't. With ExtremeZ-IP I can restrict this ... just haven't yet because of all the previous files that way - I'd have mutiny if I just did it. I keep trying - eventually I hope to sway them to the light.

Oh and I can't say enough good things about Group Logic's tech support. They really went the extra mile with us when I was learning this and getting things set up. Any problem I could come up with they had the fix.

What are some lessons we can learn from this story?

  • Sometimes you just need to bite the bullet and spend some extra money to implement a good third-party solution, especially when integrating together platforms from different companies like Apple and Microsoft.
  • If you are going to be managing Apple devices in a Windows-centric environment, you might want to check out Group Logic's ExtremeZ-IP at http://www.grouplogic.com/enterprise-file-sharing/mac-windows-file-sharing/

Macs in a WAN Environment

Chris Brandow from Invision also had good things to say about ExtremeZ-IP (and about Group Logic's support team) and shared these thoughts concerning implementing Macs in a WAN environment:

Here is the general info I composed after a recent event at a client. We had to make some network changes there when they upgraded to Windows Server 2008 and lost the SMB support for Macs they were used to in Server 2003. There is a third party application out there called ExtremeZ-IP that we implemented after doing some research on the SMB issue. ExtremeZ-IP wasn't the cause of their issues, in fact, the support people there were most helpful in helping us to determine what the issue was. It is mentioned below in the Miscellaneous section (the 1.8GB resource fork data).

The OSX operating system is not great in a WAN environment. But that sounds like a PC person just being nasty toward the poor Mac. I assure you that is not the case. Let's take a look at how the Mac works in general to see what I mean.

DIRECTORY LISTINGS (ENUMERATION)

When you get a directory listing in OSX, there is a process that is called Offspring Count that takes place. This process enumerates the subfolders and files in a folder and all subfolders and files under those subfolders one additional layer deeper. So if you are requesting a folder listing that you know has 10 subfolders in it and those subfolders have 100 files each in them, the Mac enumerates 10*100 = 1000 plus the original 10 items to get a final number of 1010 items before it returns the results. But it isn't as simple as just getting the file names and displaying a list.

The Mac file system holds four main pieces of information for every file. The Data fork, the Resource fork, the Finder information and the Extended attributes. When the Mac starts to enumerate the folder, the Finder collects file system metadata on each and every item so it can "enhance" the user experience. This data may contain icons, display previews or other information that might even need to be obtained by opening the file and reading the beginning. So in displaying this folder of 10 subfolders, all that information has to be gathered on 1010 items before you get that listing. The demand it puts on the back-end server, as you can see, is quite large for just a directory listing. Then you click on the next subfolder down and the process starts all over again.

Now move this process away from your wired gigabit LAN and venture out into the wireless WAN environment where speeds are up to 5000 times slower (based on 200Kbps average speed experienced on common 3G wireless providers--thanks to Charles Kim for additional information) and imagine how long just getting a folder listing can take. That isn't counting the random latency that wireless introduces or the SSL encryption used by the VPN on top of your data. Add all of that up and you are bound to experience a less than desirable outcome.

LATENCY

When a Mac makes a connection to an AFP network resource, a measurement is made of the latency at the time of connection. If that time is measured at more than 30ms, by default, it is assumed that the server is either not local or on a slow connection. Once it makes that determination, it stays that way until the connection is re-established. So if heavy network traffic is occurring at the time the AFP request is made by the client, causing delays in the server's response on the LAN to the AFP request, it is possible to incorrectly set the Mac into "WAN" mode even though you are on the local network. If you are in fact on a WAN, then the same mode will be experienced. This mode changes the data chunk size, or packet size, to a smaller value in an effort to slow the amount of data at one time into more manageable amounts. The problem is that by decreasing the amount of data sent per packet, the number of packets needed to accomplish the same task increases. In turn, it increases the amount of processing done by the server and decreases the overall throughput speed to accomplish the same request. So the one-time incorrect speed determination made at the time of connection costs you in slower overall network performance for the life of that connection. So if some days the Mac users report that the server seems slower than the day before, have them restart the machine and see if it is better.

MISCELLANEOUS

Other minor things can cause huge delays or even complete failure in small tasks like folder enumeration. If the 'Calculate all sizes' or 'Calculate folder size' is selected in the Finder preferences, you could see slow directory browsing while the entire disk is enumerated.

If the user has custom folder icons to display something more "personal" and the user has chosen a file that is rather large in size (like a 10MB PNG file or BMP) for that custom icon, each time that folder is displayed, it has to load that large custom icon file.

The .ds_store files can become corrupted causing delays in displaying the problem folders. We saw this with a bugged version of Adobe Illustrator. Every file save of a 60KB .AI file was corrupting the resource so it was saving 1.8GB of data into that .ds_store portion of the file. 100 of these files being copied to another folder should have been a quick 60MB copy but was actually taking 10s of minutes because it was actually copying 180GB+. We experienced symptoms from the backup failing to taking forever to copy files and display the contents of the folders.

What's the lesson here? The detailed information provided by the above reader may definitely make one pause before trying to use Macs to connect to Windows Server-based networks over a WAN connection.
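The enumeration count from the DIRECTORY LISTINGS section and the bloated-metadata symptom from the MISCELLANEOUS section can both be checked on a share with a short script. This is an added example, not part of the reader's story or the original article; it assumes the Finder metadata is visible on the share as .DS_Store or AppleDouble "._name" files, and the function names and the 1 MB cut-off are illustrative choices.

```python
import os
import tempfile

def offspring_count(folder):
    """Items touched by one listing of `folder`, per the story's description:
    its direct children plus everything one layer deeper."""
    total = 0
    with os.scandir(folder) as children:
        for child in children:
            total += 1
            if child.is_dir(follow_symlinks=False):
                try:
                    with os.scandir(child.path) as grandchildren:
                        total += sum(1 for _ in grandchildren)
                except OSError:
                    pass  # unreadable subfolder still counts as one item
    return total

def oversized_metadata(root, limit_bytes=1_000_000):
    """Return (path, size) pairs, largest first, for Finder metadata files
    over limit_bytes. Assumption: on this share the metadata is visible as
    .DS_Store or AppleDouble "._name" files; limit_bytes is an arbitrary cut-off."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == ".DS_Store" or name.startswith("._"):
                path = os.path.join(dirpath, name)
                try:
                    size = os.lstat(path).st_size
                except OSError:
                    continue  # file vanished or is unreadable
                if size > limit_bytes:
                    hits.append((path, size))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)

def build_sample_tree(root, subfolders=10, files_each=100):
    """Constructed sample: the 10 x 100 layout used in the story."""
    for s in range(subfolders):
        sub = os.path.join(root, f"sub{s:02d}")
        os.mkdir(sub)
        for f in range(files_each):
            open(os.path.join(sub, f"file{f:03d}.txt"), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print("items enumerated:", offspring_count(root))
        for path, size in oversized_metadata(root):
            print(f"{size:>12}  {path}")
```

Run against the top of a slow share, the first function shows which folders are expensive to list and the second points at the metadata files worth inspecting before a backup or bulk copy.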

Conclusion

I've received some other helpful advice and recommendations from readers about integrating Macs and other Apple devices into Windows-centric networks and will share these in the next article in this series. But meanwhile, feel free to send me an email if you'd like to contribute your own troubleshooting "trench tale" for an upcoming issue of WServerNews or for a future article here in my column on WindowsNetworking.com.

Cheers, Mitch Tulloch
Senior Editor, WServerNews
