Given Microsoft’s historically contentious relationship with Apple, it never ceases to amaze me how much interoperability actually exists between a Mac OS X workstation and an Active Directory Domain Services (AD DS) domain.
For instance, a domain-joined Mac workstation allows users to enjoy the following privileges:
- Kerberos authentication and delegation, including Single Sign-On to local, AD, and Open Directory resources
- AD password policy enforcement
- Support for AD user and group accounts
- Windows home folders
Of course, Mac computers do not have a Windows Registry and therefore cannot be managed by Group Policy (the password policy enforcement mentioned above is a notable exception). If you want an even tighter coupling between Mac workstations and Active Directory resources, then check out nifty third-party solutions like Centrify.
In this tutorial I will show you how to bind a Mac computer to a Windows Server 2008 R2 Active Directory domain. Specifically, I will assume that your Macs run either Mac OS X 10.5 Leopard or Mac OS X 10.6 Snow Leopard. Let’s get to work!
Mac OS X network configuration
Before attempting a domain join from a Mac computer, we need to make sure that we have our server- and client-side networking correctly configured. This means, in a nutshell, that our Macs have:
- An IP address and subnet mask
- A DNS hostname
- A connection to a Windows DNS server
You can specify a DNS hostname for your Mac either by using Terminal or by using the Sharing Preference Pane. Of course, a properly configured Windows Dynamic Host Configuration Protocol (DHCP) server will assign your Mac workstations a correct IP address, subnet mask, and preferred DNS server address.
Finally, and this should come as no surprise to Windows server administrators, you will need to perform the domain join either as a domain administrator, or as a user account that has been delegated the privilege to join workstations to the domain.
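The three prerequisites above (address, hostname, working Windows DNS) are exactly what fails most often when a bind is refused, so it pays to check them from Terminal before opening Directory Utility. The script below is an added example and not part of the original post: it validates that the Mac's hostname is a proper DNS name inside the domain, asks the Mac's DNS server for the `_ldap._tcp.dc._msdcs` SRV record that the Active Directory plug-in uses to locate domain controllers, and queries (without adjusting) the clock offset against the first controller, since Kerberos rejects tickets when clocks drift by more than five minutes. The domain `4sysops.local` is taken from the post; the hostname `macbox.4sysops.local` and the `RUN_PREFLIGHT` switch are assumptions of this example.

```shell
#!/bin/bash
# Pre-bind network checklist for a Mac OS X 10.5/10.6 client.
# Added example, not from the original post. Constructed values: the domain
# 4sysops.local appears in the post; the hostname macbox.4sysops.local is
# assumed. Both can be overridden from the environment.
AD_DOMAIN="${AD_DOMAIN:-4sysops.local}"
WANT_HOST="${WANT_HOST:-macbox.4sysops.local}"

# valid_fqdn NAME: succeed only for a dotted DNS name built from legal labels
valid_fqdn() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# host_in_domain NAME DOMAIN: succeed if NAME lies inside DOMAIN (case-insensitive)
host_in_domain() {
    local n d
    n=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    d=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$n" in *."$d") return 0 ;; *) return 1 ;; esac
}

# srv_targets: read "dig +short SRV" lines (prio weight port target.) on stdin
# and print one domain-controller hostname per line without the trailing dot
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Live checks; they call scutil, dig and ntpdate, so run them only on the Mac
# itself by setting RUN_PREFLIGHT=1.
preflight() {
    local cur dcs dc
    cur=$(scutil --get HostName 2>/dev/null || hostname)
    echo "HostName: $cur"
    if [ "$cur" != "$WANT_HOST" ]; then
        echo "  set it with: sudo scutil --set HostName $WANT_HOST"
    fi
    if ! valid_fqdn "$WANT_HOST" || ! host_in_domain "$WANT_HOST" "$AD_DOMAIN"; then
        echo "  $WANT_HOST is not a valid hostname inside $AD_DOMAIN"
        return 1
    fi

    # The AD plug-in locates domain controllers through this SRV record; if the
    # Mac's DNS server cannot answer it, the bind will fail.
    dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.$AD_DOMAIN" | srv_targets)
    if [ -z "$dcs" ]; then
        echo "  no domain-controller SRV records for $AD_DOMAIN; check the DNS server setting"
        return 1
    fi
    echo "Domain controllers:"
    echo "$dcs" | sed 's/^/  /'

    # Kerberos tolerates at most 5 minutes of clock skew; query (do not set)
    # the offset against the first controller.
    dc=$(echo "$dcs" | head -n 1)
    ntpdate -q "$dc" 2>/dev/null | tail -n 1
}

if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    preflight
fi
```

Run it as `RUN_PREFLIGHT=1 ./preflight.sh` on the workstation; a missing SRV answer almost always means the Mac is pointed at a public DNS server instead of a Windows DNS server in the domain.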
Add a Mac OS X computer to Active Directory
Without any further ado, let’s turn our attention to the specific steps required to accomplish our chosen task. The following procedure is essentially identical between Mac OS X Leopard and Mac OS X Snow Leopard systems; where there is a difference, I will note it.
NOTE: In Mac OS X Tiger and earlier, this utility is named Directory Access. Believe me, the renaming of Directory Access to Directory Utility in Leopard has caused many Mac administrators headaches!
The above single step is all that’s required to open Directory Utility on Leopard. Unfortunately, in Mac OS X 10.6 Snow Leopard, the same procedure is a little more cumbersome (the pane is not searchable via Spotlight, for instance).
To open Directory Utility on Snow Leopard, open System Preferences and then click Accounts from the System row.
In the Accounts prefpane, click Login Options. Then, next to Network Account Server, click Edit….
2. Okay, now we are on the same page regardless of which version of Mac OS X we are running. In Directory Utility, navigate to the Services tab. Next, select Enable for the Active Directory plug-in. Then click the Pencil icon.
3. At this point we really get down to business. At the very least, the two pieces of information that are required in order to join a Mac workstation to Active Directory are:
- Active Directory Domain: Use the DNS name of the domain, not the NetBIOS short name
- Computer ID: This is the DNS hostname of the workstation
Before you click Bind, let’s click the Show Advanced Options disclosure triangle to review some of the advanced binding options.
4. The most important choice in the User Experience panel is deciding whether or not you need to create a mobile account at the user’s first domain login.
In my experience, mobile accounts are necessary only when you manage Mac OS X laptop computers and need your users to be able to log in from work and from off-campus locations.
5. The Mappings panel enables us to optionally bind three key UNIX (and, by extension, Mac OS X) attributes to associated Active Directory schema attributes.
6. Finally, the Administrative panel allows us to specify a preferred Active Directory domain controller. Also, and this is important in most implementations, we can assign the Active Directory global groups that are allowed administrative access to the Mac workstation.
7. When you click Bind in Directory Utility you are prompted for Active Directory credentials with privilege to add computers to the domain. Verify also the location in AD where you want the Mac computer created. In the following screen capture, we are placing the host Macbox in the default Computers container in AD.
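Everything done in steps 2 through 7, and the verification in the next section, can also be scripted with the `dsconfigad` command-line tool, which is handy when you have more than a handful of Macs to bind. The script below is an added example and not from the original post. The domain `4sysops.local`, the host `Macbox` and the default Computers container come from the post; the delegated join account `macjoin`, the `Mac Admins` group, the preferred controller `dc1.4sysops.local` and the `BIND_APPLY` switch are assumptions. Each option is mapped to the Directory Utility panel it replaces; confirm the flags against `man dsconfigad` on your release. The password is deliberately not passed with `-p`, so that it is prompted for and never appears in `ps` output or the shell history.

```shell
#!/bin/bash
# Scripted equivalent of the Directory Utility bind (steps 2 to 7) and of the
# verification section, using dsconfigad. Added example, not from the original
# post. The domain 4sysops.local and the host Macbox come from the post; the
# OU, admin group, preferred DC and account names are assumptions.
AD_DOMAIN="4sysops.local"
COMPUTER_ID="Macbox"
AD_OU="CN=Computers,DC=4sysops,DC=local"   # default Computers container (step 7)
ADMIN_GROUPS="4SYSOPS\\Mac Admins"          # assumed AD group granted local admin rights (step 6)
PREFERRED_DC="dc1.4sysops.local"            # assumed preferred domain controller (step 6)
MOBILE="disable"                            # mobile accounts only for laptops (step 4)

# bind_cmd ADMINUSER: the bind itself (step 7). -p is left out on purpose so
# that dsconfigad prompts for the password instead of exposing it in ps output.
bind_cmd() {
    printf 'dsconfigad -a %s -domain %s -u %s -ou "%s"' \
        "$COMPUTER_ID" "$AD_DOMAIN" "$1" "$AD_OU"
}

# options_cmd: the settings behind the Show Advanced Options triangle (steps
# 4-6). -uid/-gid/-ggid none leaves the Mappings panel at its default (step 5);
# -groups restricts local administrator rights to the named AD groups.
options_cmd() {
    printf 'dsconfigad -mobile %s -mobileconfirm disable -localhome enable' "$MOBILE"
    printf ' -preferred %s -groups "%s" -alldomains enable -uid none -gid none -ggid none' \
        "$PREFERRED_DC" "$ADMIN_GROUPS"
}

# verify_cmds USER: the shell view of what the Directory Servers tab shows, plus
# a lookup of an AD user through the directory search path.
verify_cmds() {
    printf 'dsconfigad -show\n'
    printf 'dscl /Search -read /Users/%s RecordName UniqueID PrimaryGroupID\n' "$1"
    printf 'id %s\n' "$1"
}

# Execute only on the Mac, as root, when BIND_APPLY=1; otherwise print the
# commands so they can be reviewed first.
run_bind() {
    local admin="${1:-macjoin}"   # assumed delegated join account
    local user="${2:-zoey}"       # AD user from the post, used for the lookup
    if [ "${BIND_APPLY:-0}" = 1 ]; then
        eval "$(bind_cmd "$admin")" && eval "$(options_cmd)" && verify_cmds "$user" | sh
    else
        bind_cmd "$admin"; echo
        options_cmd; echo
        verify_cmds "$user"
    fi
}

run_bind "$@"
```

A dry run (`./bind.sh macjoin zoey`) prints the three command groups for review; `sudo BIND_APPLY=1 ./bind.sh macjoin zoey` performs the bind, applies the advanced options and then runs the verification commands. If `id zoey` returns a UID and group list, the Mac can resolve AD accounts and the binding is good.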
Verification and Login
1. You can verify that the Mac is successfully bound to the AD domain by reviewing the Directory Servers tab in Directory Utility. The window shows the status of the binding both graphically, by means of the colored circle icon, and in text.
2. Now it’s time to log in! At the Mac OS X login screen, simply select Other from the user list (this assumes that the computer is configured in this way; you can make these changes in the Accounts Preferences Pane).
Users can employ any of the standard username conventions supported by Active Directory. For instance, if the user Zoey wanted to log into the 4sysops.local AD domain, then she could use the following forms for her username:
For Further Study
There is so much more to learn in the realm of Mac-Windows integration. Expect several more blog posts on this subject in the future. In the meantime, please have fun studying the following links to related resources:
- Apple White Paper: Best Practices: Integrating Mac OS X with Active Directory
- Apple Seminar on Mac OS X-AD Integration