Best way of integrating Mac OS X clients with Active Directory

In addition to the options @churnd listed, you can also extend your AD schema to directly support Mac-style managed preferences. Apple has white papers on how to extend the schema to support OS X v10.5 and OS X v10.6 (the differences aren't very important -- the 10.5 instructions include a bunch of object classes and attributes that nobody used and were removed/obsoleted in 10.6; the 10.6 instructions include a new computer attribute that you don't need either. tl;dr either set of instructions work for either OS X version). They also have a video showing the extension process.

I have no idea how well the resulting schema extensions will work with OS X 10.7 (Lion).

Some notes and gotchas on the process:

• You need an OS X server set up so you can diff its schema against your AD domain.
• Run the schema extension on a test system first, and make sure it works right.
• In the 10.5 instructions, the settings for apple-computer-list at the top of page 7 are wrong (they list apple-computer-list-group twice), as is the following text (it lists apple-generateduid twice); you should follow the list at the bottom of page 7 instead.
• The UI in AD Schema Analyzer is very confusing. Each class has two boxes next to it: one to hide (minus sign) or show (plus sign) related attributes, and another to exclude (blank) or include (heavy plus) it in the export. Related attributes have one box, which can implicitly include (plus on gray background) or explicitly exclude (heavy X) it from the export. You have to click to select the classes to include, and then under each of those, click to exclude the attributes that you don't want.
• If you cut-and-paste any of the LDIF from the white paper (e.g. the auxiliaryClass and possSuperiors stuff) from the PDF, you may wind up with spaces at the beginning and end of each pasted line; these must be removed, or you'll get import errors. Also, make sure the LDIF file has DOS-style line endings (CR+LF), not Unix style (LF only).
• The white paper describes changing the objectClassCategory of some of the objectClasses to 3; depending on which version of the ADAM tools generated the LDIF, you may also need to set the rest of them to 1 (for some reason, it can export them with an objectClassCategory of 0, which is semi-invalid).
• The white paper doesn't detail how to index the macAddress and apple-hwuuid attributes, which is a good idea to speed computer record lookups.

Here's the LDIF file I came up with to do the extensions. These are based on a stock Windows Server 2008 R2 AD domain and OS X 10.6 server, with the 10.6 instructions from Apple and my own additions to index the macAddress and apple-hwuuid attributes. I think these same extensions will work with Windows 2003 R2 or later (note: they will not work with the Windows Server 2003 schema; you really need the 2003 R2 extensions), but they aren't very well tested with any version. Whether you use these or generate your own, test thoroughly before importing anything to your live domain controllers.

# ==================================================================
# 
#  This file should be imported with the following command:
#    ldifde -i -u -f AD-Schema-Win2k8-10.6.ldif -s server:port -b username domain password -j . -c "dc=X" "dc=example,dc=com"
#  (replace "dc=example,dc=com" with your actual AD domain.)
#  LDIFDE.EXE from AD/AM V1.0 or above must be used.
#  This LDIF file should be imported into AD or AD/AM. It may not work for other directories.
# 
# ==================================================================

# ==================================================================
#  Attributes
# ==================================================================

# Attribute: apple-category
dn: cn=apple-category,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.10.4
ldapDisplayName: apple-category
attributeSyntax: 2.5.5.12
adminDescription: Category for the computer or neighborhood
oMSyntax: 64
systemOnly: FALSE

# Attribute: apple-computer-list-groups
dn: cn=apple-computer-list-groups,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.11.4
ldapDisplayName: apple-computer-list-groups
attributeSyntax: 2.5.5.12
adminDescription: groups
oMSyntax: 64
systemOnly: FALSE

# Attribute: apple-computers
dn: cn=apple-computers,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.11.3
ldapDisplayName: apple-computers
attributeSyntax: 2.5.5.12
adminDescription: computers
oMSyntax: 64
systemOnly: FALSE

# Attribute: apple-data-stamp
dn: cn=apple-data-stamp,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.12.2
ldapDisplayName: apple-data-stamp
attributeSyntax: 2.5.5.5
adminDescription: data stamp
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-group-homeowner
dn: cn=apple-group-homeowner,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.14.2
ldapDisplayName: apple-group-homeowner
attributeSyntax: 2.5.5.5
adminDescription: group home owner settings
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-group-homeurl
dn: cn=apple-group-homeurl,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.14.1
ldapDisplayName: apple-group-homeurl
attributeSyntax: 2.5.5.5
adminDescription: group home url
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-hwuuid
dn: cn=apple-hwuuid,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.19.7
ldapDisplayName: apple-hwuuid
attributeSyntax: 2.5.5.12
adminDescription: Hardware uuid of computer
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1

# Attribute: apple-imhandle
dn: cn=apple-imhandle,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.1.21
ldapDisplayName: apple-imhandle
attributeSyntax: 2.5.5.12
adminDescription: IM handle (service:account name)
oMSyntax: 64
systemOnly: FALSE

# Attribute: apple-keyword
dn: cn=apple-keyword,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.1.19
ldapDisplayName: apple-keyword
attributeSyntax: 2.5.5.12
adminDescription: keywords
oMSyntax: 64
systemOnly: FALSE

# Attribute: apple-mcxflags
dn: cn=apple-mcxflags,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.1.10
ldapDisplayName: apple-mcxflags
attributeSyntax: 2.5.5.12
adminDescription: mcx flags
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-mcxsettings
dn: cn=apple-mcxsettings,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.1.16
ldapDisplayName: apple-mcxsettings
attributeSyntax: 2.5.5.12
adminDescription: mcx settings
oMSyntax: 64
systemOnly: FALSE

# Attribute: apple-networkview
dn: cn=apple-networkview,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.10.3
ldapDisplayName: apple-networkview
attributeSyntax: 2.5.5.12
adminDescription: Network view for the computer
oMSyntax: 64
systemOnly: FALSE

# Attribute: apple-service-url
dn: cn=apple-service-url,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.19.2
ldapDisplayName: apple-service-url
attributeSyntax: 2.5.5.5
adminDescription: URL of service
oMSyntax: 22
systemOnly: FALSE

# Attribute: apple-user-authenticationhint
dn: cn=apple-user-authenticationhint,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.1.15
ldapDisplayName: apple-user-authenticationhint
attributeSyntax: 2.5.5.12
adminDescription: password hint
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-user-class
dn: cn=apple-user-class,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.1.7
ldapDisplayName: apple-user-class
attributeSyntax: 2.5.5.5
adminDescription: user class
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-user-homequota
dn: cn=apple-user-homequota,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.1.8
ldapDisplayName: apple-user-homequota
attributeSyntax: 2.5.5.5
adminDescription: home directory quota
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-user-homesoftquota
dn: cn=apple-user-homesoftquota,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.1.17
ldapDisplayName: apple-user-homesoftquota
attributeSyntax: 2.5.5.5
adminDescription: home directory soft quota
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-user-mailattribute
dn: cn=apple-user-mailattribute,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.1.9
ldapDisplayName: apple-user-mailattribute
attributeSyntax: 2.5.5.12
adminDescription: mail attribute
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-user-picture
dn: cn=apple-user-picture,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.1.12
ldapDisplayName: apple-user-picture
attributeSyntax: 2.5.5.12
adminDescription: picture
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-user-printattribute
dn: cn=apple-user-printattribute,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.1.13
ldapDisplayName: apple-user-printattribute
attributeSyntax: 2.5.5.12
adminDescription: print attribute
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-webloguri
dn: cn=apple-webloguri,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.1.22
ldapDisplayName: apple-webloguri
attributeSyntax: 2.5.5.12
adminDescription: Weblog URI
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-xmlplist
dn: cn=apple-xmlplist,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.17.1
ldapDisplayName: apple-xmlplist
attributeSyntax: 2.5.5.12
adminDescription: XML plist data
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-mountDirectory
dn: cn=apple-mountDirectory,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.8.1
ldapDisplayName: apple-mountDirectory
attributeSyntax: 2.5.5.12
adminDescription: mount path
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-mountDumpFrequency
dn: cn=apple-mountDumpFrequency,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.8.4
ldapDisplayName: apple-mountDumpFrequency
attributeSyntax: 2.5.5.5
adminDescription: mount dump frequency
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-mountOption
dn: cn=apple-mountOption,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.8.3
ldapDisplayName: apple-mountOption
attributeSyntax: 2.5.5.5
adminDescription: mount options
oMSyntax: 22
systemOnly: FALSE

# Attribute: apple-mountPassNo
dn: cn=apple-mountPassNo,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.8.5
ldapDisplayName: apple-mountPassNo
attributeSyntax: 2.5.5.5
adminDescription: mount passno
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

# Attribute: apple-mountType
dn: cn=apple-mountType,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.3.6.1.4.1.63.1000.1.1.1.8.2
ldapDisplayName: apple-mountType
attributeSyntax: 2.5.5.5
adminDescription: mount VFS type
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

dn: 
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


# ==================================================================
#  Classes
# ==================================================================

# Class: apple-computer
dn: cn=apple-computer,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: classSchema
governsID: 1.3.6.1.4.1.63.1000.1.1.2.10
ldapDisplayName: apple-computer
adminDescription: computer
objectClassCategory: 3
systemOnly: FALSE
# subclassOf: top
subclassOf: 2.5.6.0
# rdnAttId: cn
rdnAttId: 2.5.4.3
# mayContain: apple-category
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.10.4
# mayContain: apple-computer-list-groups
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.11.4
# mayContain: apple-hwuuid
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.19.7
# mayContain: apple-keyword
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.19
# mayContain: apple-mcxflags
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.10
# mayContain: apple-mcxsettings
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.16
# mayContain: apple-networkview
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.10.3
# mayContain: apple-service-url
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.19.2
# mayContain: apple-xmlplist
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.17.1
# mayContain: macAddress
mayContain: 1.3.6.1.1.1.1.22

# Class: apple-computer-list
dn: cn=apple-computer-list,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: classSchema
governsID: 1.3.6.1.4.1.63.1000.1.1.2.11
ldapDisplayName: apple-computer-list
adminDescription: computer list
objectClassCategory: 1
systemOnly: FALSE
# subclassOf: top
subclassOf: 2.5.6.0
# rdnAttId: cn
rdnAttId: 2.5.4.3
# mayContain: apple-computer-list-groups
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.11.4
# mayContain: apple-computers
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.11.3
# mayContain: apple-keyword
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.19
# mayContain: apple-mcxflags
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.10
# mayContain: apple-mcxsettings
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.16
# possSuperiors: organizationalUnit, container
possSuperiors: organizationalUnit
possSuperiors: container

# Class: apple-configuration
dn: cn=apple-configuration,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: classSchema
governsID: 1.3.6.1.4.1.63.1000.1.1.2.12
ldapDisplayName: apple-configuration
adminDescription: configuration
objectClassCategory: 1
systemOnly: FALSE
# subclassOf: top
subclassOf: 2.5.6.0
# rdnAttId: cn
rdnAttId: 2.5.4.3
# mayContain: apple-data-stamp
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.12.2
# mayContain: apple-keyword
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.19
# mayContain: apple-xmlplist
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.17.1
# possSuperiors: organizationalUnit, container
possSuperiors: organizationalUnit
possSuperiors: container

# Class: apple-group
dn: cn=apple-group,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: classSchema
governsID: 1.3.6.1.4.1.63.1000.1.1.2.14
ldapDisplayName: apple-group
adminDescription: group account
objectClassCategory: 3
systemOnly: FALSE
# subclassOf: top
subclassOf: 2.5.6.0
# rdnAttId: cn
rdnAttId: 2.5.4.3
# mayContain: apple-group-homeowner
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.14.2
# mayContain: apple-group-homeurl
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.14.1
# mayContain: apple-keyword
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.19
# mayContain: apple-mcxflags
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.10
# mayContain: apple-mcxsettings
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.16
# mayContain: apple-user-picture
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.12

# Class: apple-user
dn: cn=apple-user,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: classSchema
governsID: 1.3.6.1.4.1.63.1000.1.1.2.1
ldapDisplayName: apple-user
adminDescription: apple user account
objectClassCategory: 3
systemOnly: FALSE
# subclassOf: top
subclassOf: 2.5.6.0
# rdnAttId: cn
rdnAttId: 2.5.4.3
# mayContain: apple-imhandle
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.21
# mayContain: apple-keyword
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.19
# mayContain: apple-mcxflags
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.10
# mayContain: apple-mcxsettings
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.16
# mayContain: apple-user-authenticationhint
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.15
# mayContain: apple-user-class
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.7
# mayContain: apple-user-homequota
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.8
# mayContain: apple-user-homesoftquota
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.17
# mayContain: apple-user-mailattribute
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.9
# mayContain: apple-user-picture
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.12
# mayContain: apple-user-printattribute
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.13
# mayContain: apple-webloguri
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.1.22

# Class: apple-mount
dn: cn=apple-mount,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: classSchema
governsID: 1.3.6.1.4.1.63.1000.1.1.2.8
ldapDisplayName: apple-mount
objectClassCategory: 1
systemOnly: FALSE
# subclassOf: top
subclassOf: 2.5.6.0
# rdnAttId: cn
rdnAttId: 2.5.4.3
# mayContain: apple-mountDirectory
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.1
# mayContain: apple-mountDumpFrequency
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.4
# mayContain: apple-mountOption
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.3
# mayContain: apple-mountPassNo
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.5
# mayContain: apple-mountType
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.2
# possSuperiors: organizationalUnit, container
possSuperiors: organizationalUnit
possSuperiors: container

dn: 
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


# ==================================================================
#  Updating present elements
# ==================================================================

# Add the new class to the user object
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: auxiliaryClass
auxiliaryClass: apple-user
-

# Add the new class to the computer object
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: auxiliaryClass
auxiliaryClass: apple-computer
-

# Add the new class to the group object
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: auxiliaryClass
auxiliaryClass: apple-group
-

# Index the macAddress attribute for faster searches
dn: CN=macAddress,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 1
-

It depends on whether or not you want to install 3rd party software on your AD controllers. If you go with Thursby or Centrify, you will have to do that to get GPO. This adds the necessary attributes to your AD schema to make it more OS X aware. I'm not sure if it'd include everything you'd want, so you'd have to ask the vendor.

If you don't (a lot of people don't), you'll need an OS X Server and set up a golden triangle configuration. You'd make the OS X server an OD Master (standalone), join it to AD, then use MCX to apply "GPO" to the computer object in AD. Then you'd join the computer itself to AD & OD. What it doesn't get from AD, it'd get from OD (if you configured it correctly). Things like password policy work with AD by default, with some minor caveats (reminders of expiration). Things like accessing System Preferences would be managed in OD. If you go the golden triangle route, you should consider getting two servers for master & replica. This doesn't require modifying or installing anything in AD that's not already there.

The only downside to the golden triangle setup is Lion is around the corner, and I'm really not sure if it'll continue to support this type of thing. I'm not sure how much longer you'll be able to buy Snow Leopard Server. Also, you can no longer get Apple's Xserve brand new... you're stuck with a Mac Pro or Mac Mini.

"Which of the solutions do you think is the best way to go?"

Xserve is end of life. Apple no longer offers a server class machine so Open Directory / Magic Triangle aren't really viable enterprise solutions. Judging by forum traffic, many organizations struggle with deploying and maintaining the various natives approaches, especially with updates and upgrades. OS X AppleCare support from Apple is also quite pricey.

Both Centrify and Thursby offer free trials. I'd try them both in your environment rather than take anyone's word for it.

• Centrify's business model is based on Windows AD server software, giving it the edge for UNIX/Linux integration along with the UNIX AD market leader Likewise. In Centrify's partner materials, the implication is that they don't want accounts with less than 2-300 machines.

• Thursby is a Mac specialist and requires no Windows AD server software (one of the other answer posters was mistaken in that). It also includes deployment tools and support for storage integration (DFS and CIFS) that are extras with Centrify (Absolute and ZIP respectively).

Again, best approach is to request trials and verify claims.

Shakespeare: GLENDOWER - I can call spirits from the vasty deep!

HOTSPUR - Why, so can I, or so can any man; But will they come when you do call for them?