Enterprise computing with OS X: Panther server and Active Directory

Computerworld - In previous columns, I've written about how to use Panther server as a Primary Domain Controller and host both Macintosh and PC clients. This is an excellent solution for small offices looking to support a mixed-client environment with limited resources, for large installations using mostly Mac clients or for any installation that doesn't have a PC server in place.
Before going further I'd like to say a bit about enterprise computing and the education market. I've worked in Fortune 100 firms and currently work at a large college in New York. We have 40,000 students, 3,000 faculty, 2,000 administrators and staff, plus untold adjunct professors who come and go each semester. Much of our labor is seasonal (which creates another rights/access management issue), and our resources are limited. Our computing needs are very much on the level of many Fortune 500 companies.
For the majority of enterprise IT shops, Windows is the primary operating system flavor, and even in shops that have numerous Linux/Unix servers, Windows Active Directory is their choice for directory and Domain Name System (DNS) services. AD scales easily to 50,000-plus users and doesn't suffer latency or response degradation at this level of use.
Over the past few weeks, I've taken a close look at Apple's Open Directory (OD) and Microsoft's AD, and here's what I found: If you have fewer than 10,000 users, the difference in response from either is negligible and you can be comfortable that OD is rock-solid and secure. It is also easier to manage in a simple setup, and with its Unix underpinnings, you can do extensive customization if you choose. But be aware that the Workgroup Manager GUI just stops working at 19,999 users.
While AD is much more complex at the onset, once the learning curve flattens you'll find that you have all the tools you need. The only downside is that it requires you to use the Microsoft DNS that is part of AD. It is true that Microsoft states that the Microsoft DNS component is not required, but AD still requires a DNS server that supports dynamic updates (unlike many other directory services which do not require a dynamic update component). No other DNS product will integrate easily, is guaranteed to work through update patches and will be supported by Microsoft in the event of a troubleshooting issue.
So for all but the truly intrepid, Microsoft DNS and AD are tied and to fully implement AD you either need to create a separate domain or turn over your