How to join a Mac OS X computer to Active Directory Windows Server 2008 R2

This tutorial explains how to bind or join a Mac OS X (OS X 10.5 or OS X 10.6) computer to a Windows Server 2008 Active Directory domain.

By Timothy Warner – Wed, March 2, 2011
Timothy Warner is a Windows systems administrator, software developer, author, and technical trainer based in Nashville, TN.

Given Microsoft’s historically contentious relationship with Apple, I never cease to be amazed at the relatively high degree of interoperability that does exist between a Mac OS X workstation and an Active Directory Domain Services (AD DS) domain.


For instance, a domain-joined Mac workstation allows users to enjoy the following privileges:

  • Kerberos authentication and delegation, including Single Sign-On to local, AD, and Open Directory resources
  • AD password policy enforcement
  • Support for AD user and group accounts
  • Windows home folders

Of course, Mac computers do not have a Windows Registry and therefore cannot be managed by Group Policy (the password policy issue previously mentioned is a notable exception). If you desire an even tighter coupling between Mac workstations and Active Directory resources, then check out nifty third-party solutions like Centrify.

In this tutorial I will show you how to bind a Mac computer to a Windows Server 2008 R2 Active Directory domain. Specifically, I will assume that your Macs run either Mac OS X 10.5 Leopard or Mac OS X 10.6 Snow Leopard. Let’s get to work!

Mac OS X network configuration

Before attempting a domain join from a Mac computer, we need to make sure that we have our server- and client-side networking correctly configured. This means, in a nutshell, that our Macs have:

  • An IP address and subnet mask
  • A DNS hostname
  • A connection to a Windows DNS server

You can specify a DNS hostname for your Mac either by using Terminal or by using the Sharing Preference Pane. Of course, a properly configured Windows Dynamic Host Configuration Protocol (DHCP) server will assign your Mac workstations a correct IP address, subnet mask, and preferred DNS server address.

Finally, and this should come as no surprise to Windows server administrators, you will need to perform the domain join either as a domain administrator, or as a user account that has been delegated the privilege to join workstations to the domain.
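
The network prerequisites above can be checked from Terminal before opening Directory Utility. The script below is an added example, not part of the original tutorial: its function names are hypothetical, the domain controller name dc1 in the sample data is constructed, and it assumes that domain controllers are located through the _ldap._tcp SRV records in the domain's DNS zone.

```shell
#!/bin/sh
# Added example: pre-bind checks. Function names are hypothetical.

# Name of the SRV record set that lists the domain's LDAP servers (the DCs).
srv_name() { printf '_ldap._tcp.%s\n' "$1"; }

# Directory Utility wants the domain's DNS name, not the NetBIOS short name.
valid_ad_domain() {
    case "$1" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Computer ID, assumed here to be a single host label of at most 15
# characters (the length limit of a NetBIOS-compatible computer name).
valid_computer_id() {
    case "$1" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Read `dig +short SRV` answers ("priority weight port target.") on stdin,
# print LDAP targets in priority order, fail when there are none.
parse_srv() {
    sort -n | awk 'NF == 4 && $3 == 389 { sub(/\.$/, "", $4); print $4; n++ }
                   END { exit (n ? 0 : 1) }'
}

check() {  # check LABEL COMMAND [ARGS...]: print OK/FAIL and record failures
    label=$1; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; rc=1; fi
}

# preflight DOMAIN COMPUTER_ID, with the SRV answers on stdin.
preflight() {
    rc=0
    check "domain '$1' is a DNS name" valid_ad_domain "$1"
    check "computer ID '$2' is a valid host label" valid_computer_id "$2"
    check "DNS returns $(srv_name "$1") records" parse_srv
    return "$rc"
}

# Constructed sample answer; on the Mac, pipe in the live lookup instead:
#   dig +short SRV "$(srv_name 4sysops.local)" | preflight 4sysops.local macbox
printf '0 100 389 dc1.4sysops.local.\n' | preflight 4sysops.local macbox
```

A FAIL on the last check means the Mac is not querying a DNS server that hosts the Active Directory zone, which is worth fixing before attempting the bind.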

Add a Mac OS X computer to Active Directory

Without any further ado, let’s turn our attention to the specific steps required to accomplish our chosen task. The following procedure is essentially identical between Mac OS X Leopard and Mac OS X Snow Leopard systems; where there is a difference, I will note it.

1. Open the Directory Utility program. In Mac OS X 10.5 Leopard, run a Spotlight search for Directory and click Directory Utility.

Mac OS X Active Directory Join - Directory Utility

NOTE: In Mac OS X Tiger and earlier, this utility is named Directory Access. Believe me, the renaming of Directory Access to Directory Utility in Leopard has caused many Mac administrators headaches!

The above single step is all that’s required to open Directory Utility on Leopard. Unfortunately, in Mac OS X 10.6 Snow Leopard, the same procedure is a little more cumbersome (the pane is not searchable via Spotlight, for instance).

To open Directory Utility on Snow Leopard, open System Preferences and then click Accounts from the System row.

Mac OS X Active Directory Join - Accounts

In the Accounts prefpane, click Login Options. Then, next to Network Account Server:, click Edit….

Mac OS X Active Directory Join - Login Options

2. Okay, now we are on the same page regardless of which recent version of Mac OS X we are running. In Directory Utility, navigate to the Services tab. Next, select Enable for the Active Directory plug-in. Then click the Pencil icon.

Mac OS X Active Directory Join - Enable Active Directory Plugin

3. At this point we really get down to business. At the very least, the two pieces of information that are required in order to join a Mac workstation to Active Directory are:

  • Active Directory Domain: Use the DNS name of the domain, not the NetBIOS short name
  • Computer ID: This is the DNS hostname of the workstation

Mac OS X Active Directory Join - Active Directory Name

Before you click Bind, let’s click the Show Advanced Options disclosure triangle to review some of the advanced binding options.

4. The most important choice in the User Experience panel is deciding whether or not you need to create a mobile account at the user’s first domain login.

In my experience, mobile accounts are necessary only when you manage Mac OS X laptop computers and need your users to be able to log in from work and from off-campus locations.

Mac OS X Active Directory Join - User Experience

5. The Mappings panel enables us to optionally bind three key UNIX (and, by extension, Mac OS X) attributes to associated Active Directory schema attributes.

Mac OS X Active Directory Join - Mappings

6. Finally, the Administrative panel allows us to specify a preferred Active Directory domain controller. Also, and this is important in most implementations, we can assign the Active Directory global groups that are allowed administrative access to the Mac workstation.

Mac OS X Active Directory Join - Administrative

7. When you click Bind in Directory Utility, you are prompted for Active Directory credentials with privilege to add computers to the domain. Also verify the location in AD where you want the Mac computer created. In the following screen capture, we are placing the host Macbox in the default Computers container in AD.

Mac OS X Active Directory Join - Administrator and Password

Verification and Login

1. You can verify that the Mac is successfully bound to the AD domain by reviewing the Directory Servers tab in Directory Utility. The window shows the status of the binding both graphically, by virtue of the colored circle icon, and in text.

Mac OS X Active Directory Join - Directory Servers

2. Now it’s time to log in! At the Mac OS X login screen, simply select Other from the user list (this assumes that the computer is configured in this way; you can make these changes in the Accounts Preferences Pane).

Mac OS X Active Directory Join - Other

Users can employ any of the standard username conventions supported by Active Directory. For instance, if the user Zoey wanted to log into the 4sysops.local AD domain, then she could use the following forms for her username:




For Further Study

There is so much more to learn in the realm of Mac-Windows integration. Expect several more blog posts on this subject in the future. In the meantime, please have fun studying the following links to related resources:



