Joining a Mac OS X to an Active Directory Domain
Written by Sam Moffatt   
Tuesday, 03 February 2009 02:11

This document covers how to join a Mac OS X machine to a domain. It was written against 10.4; 10.5 renames a few items, and notes have been made where possible. The basic concepts are the same, but finding the relevant panels may be a tad harder.


Step 1) Login as an Administrator


By default the first account created on a Mac is an administrator account. If this Mac has been acquired elsewhere there may be other users on it. Log in as an administrator and create a new admin account named 'administrator' if there isn't one already. You can use the standard Administrator password here (see the entry for 'corpcomm-mac' in Password Manager). Additionally you may wish to configure a second administrator account and provide its credentials to the primary user of the machine. Doing so is a policy decision, but it will mean the user calls helpdesk less, and they probably have a better idea of what needs doing. Keep in mind that a local administrator can change everything described below, including the directory binding and the firewall, so only hand that account out where the user is trusted with it.

If you were logged in under a normal user account, log out at this point and log back in using the generic administrator account "administrator".

Note: If at any point you seem unable to change the settings, click on the padlock icon, typically located at the bottom left corner of the window with the text "Click the lock to make changes". Logging in as an administrator should normally avoid this, but preference panels can be locked so that a password is required even when you are logged in as an administrator, to prevent unauthorised tampering. As the text suggests, clicking the lock presents a login prompt; enter the credentials of an administrator account to unlock the panel. Once unlocked the padlock appears open, the panel's controls are enabled and the text reads "Click the lock to prevent further changes." At other points the system may request authentication to proceed with a task; again, being logged in as an administrator should remove the need for most of these prompts.


Step 2) Configuring the Mac's networking

Open up "System Preferences" on your Mac. This can be done using Spotlight (the magnifying glass in the top right), by selecting the Apple menu and then "System Preferences", or, if you're using the standard dock, by clicking its icon there (an Apple with a light switch next to it; in 10.5 the icon is a set of gears).

In "System Preferences" navigate to "Network". It should be the second icon on the third row. Selecting this should display the settings for the built-in Ethernet device. Select the interface you are interested in (typically "Built-in Ethernet") and click "Configure". This displays a set of tabs with different options, including TCP/IP, AppleTalk and Proxies.

The TCP/IP tab holds the familiar settings. Typically the Macs within Council have been assigned static IP addresses because of the people who use them, and as the number of Mac devices within the organisation is small there is no particular reason not to follow this tradition. Set "Configure IPv4" to "Manually" and enter the details as requested. In the search domains section, add the normal domains as well as a special domain called 'local'. The 'local' domain is the autoconfigured multicast DNS (mDNS) domain that allows zero-configuration discovery of devices on the local network segment. It is used by any device supporting Bonjour on the network, which includes Mac and Linux machines as well as Windows desktops with the Bonjour services installed; with it in the search list, a Bonjour host such as a printer can be reached by its short name. IPv6 is an option here, but as Windows XP is the dominant system at present it is safe to leave IPv6 autoconfiguration at its defaults. Linux and Mac services will connect using IPv6 where possible, presuming the underlying network links support it.

The "AppleTalk" tab controls AppleTalk settings. AppleTalk was one of Apple's earliest forays into networking technology and today lives on as AppleTalk over TCP/IP. Unfortunately AppleTalk is a rather chatty protocol, so it is best to disable it: we provide no AppleTalk-based services and the Mac devices have no need to communicate with each other. AppleTalk historically carried the Apple Filing Protocol (AFP), which on OS X now runs over TCP/IP anyway; AFP is probably not installed on any of our servers and is disabled by default on most Macs. Whilst an incredibly cool technology in some respects due to its autoconfiguration, it is pointless in our enterprise environment. Untick "Make AppleTalk active" to disable it.

The "Proxies" tab controls system-wide proxy settings. Unlike Windows, Apple treats proxy settings as part of a network "Location", and the current Location is a system setting rather than a per-user one. One may argue the wisdom of this in a true multiuser environment, but given the devices typically don't move and we enforce proxy settings on almost all users, one could consider that they've made the right decision. One may specify a "PAC" file to handle autoconfiguration, similar to the way IE handles it. Pointing this at the present PAC file applies all of the same settings that any standard Windows desktop in the organisation is saddled with. One may also configure the proxies manually, including an automatic-configuration option. This allows individual control of the device, which may be useful for configuring it to receive updates.

Once all of this is done, click "Apply Now" to save the configuration. This is one of the few places on the Mac where confirmation is required to alter settings.

Once you have saved and applied the settings, click the "Show All" option at the top of the "System Preferences" window and then look for "Sharing" (a folder and a person in a yellow square; fourth icon on the third row). Here, change the computer name to what you want the computer to be called. This section also controls the services that are available and, in 10.4, the Firewall options (10.5 puts the Firewall under the "Security" section, the house with a combination lock on the top row, sixth icon). Where possible disable all services, as they are probably not required on the machine. You may wish to enable "Remote Login", which is actually SSH. "Windows Sharing" is a control interface for Samba; unless you are willing to configure it by hand, it isn't worth enabling.

Since nothing should need to reach the machine over the network, enabling the Firewall with its default restrictive settings should be more than fine. Any service you enabled above is added to the firewall's allow list automatically, so check that the list matches only the services you intended to expose.


Step 3) Bind to Active Directory

Warning: If a DNS record for the Mac already exists, you may find that you have trouble binding it to the domain. It is safer to remove any DNS record that references the Mac's IP address until it has been bound.

At the bottom of the screen is the Dock; click on the two-tone blue face to open a new Finder window. If a window doesn't appear there may already be one open; alternatively, double-click the "Macintosh HD" icon on the desktop to open a new window. Finder is Mac OS's file browser, the equivalent of Explorer. In the left-hand pane of the Finder window select "Applications", in the view that appears select "Utilities", and then double-click "Directory Access". Note: In 10.5 this application is named "Directory Utility"; the icon still looks like a compass overlaid on a map. The instructions past this point were written against 10.4 and may differ in 10.5.

Launching Directory Access presents a list of available "services", one of which is "Active Directory". If the "Active Directory" checkbox is already ticked and the configure screen offers an "Unbind" option, the Mac is already bound and you can continue to step 4 of this document. If items aren't working properly, work back through these instructions.

Select "Active Directory" and the "Configure..." button should become available. Clicking it opens a new window requesting the Forest and Domain. Unless we've moved to a new forest structure, simply entering the domain should find the appropriate defaults for the network. Ensure the computer name matches what you set earlier (it should by default) and then click "Bind". It will then ask for the username and password of a domain account allowed to create computer objects (a domain administrator will do) to add the Mac to the domain. Once it has done this the "Bind" button should change into an "Unbind..." button. If this hasn't happened, restart the Mac, log in again, check whether it still says "Bind", and if so attempt to bind again. On a second bind it may alert you that a computer account already exists; if so, accept that you want to join using that existing account.

Once you've managed to bind the computer to the domain, click on the button next to "Advanced Options". The defaults on the first tab should be acceptable (until we have Active Directory-managed home directories, local home directories are the safest option). On the "Administrative" tab tick the "Allow administration by" option; the default groups (Domain Admins and Enterprise Admins) are fine for the organisation. Note that this gives every member of those groups local administrator rights on the Mac, so keep the list to groups you actually want to hold that level of access on every desktop. The last option, "Allow authentication from any domain in the forest", should give forward compatibility should we move to a different infrastructure. One may also enable "Prefer this domain server" and set it to the master AD server; this is optional and isn't required.

Once this has all been configured, tick the box next to "Active Directory" in the initial "Directory Access" screen to enable Active Directory authentication, and confirm on the "Authentication" tab that the Active Directory node appears in the search path; without it the plugin is enabled but no domain account can log in.


Step 4) Changing the login screen

By default the Mac uses a friendly login screen that displays a list of local users. This is fine in a small environment but it doesn't work well in the enterprise: domain users are not in the list, and the list itself discloses valid account names to anyone at the console. In "System Preferences" go to the "Accounts" option (first option, fourth row; two people) and select "Login Options". If the "Automatically log in as" box is ticked, disable it (an auto-login account bypasses the password entirely for whoever is at the keyboard), and under "Display login window as" select "Name and password" from the radio buttons. Fast user switching may be enabled, but if the Mac is unlikely to be used by more than one person there isn't much point. Mind you, enabling it doesn't materially affect system performance, and in some administrative situations it may be desirable (it allows the user to keep their session while an administrator logs in on the console).


Once this is done, restart the Mac (for good measure more than anything) and attempt to log in using your domain credentials. Keep in mind that if you are a domain administrator the Mac will treat this account differently and may not properly store all information about it, for security reasons; test with an ordinary domain user as well.
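For Macs that are set up often, a scripted equivalent of Steps 3 and 4 is less error-prone than the clicking described above. The following is an added example, not part of the original page and not anything the original author supplied: it assumes a domain called ad.example.com, a preferred domain controller dc1.ad.example.com and the computer name corpcomm-mac (all hypothetical; override them via the environment), and it assumes Step 2 has already been done by hand. The dsconfigad, dscl, scutil and defaults flags are those documented in the 10.5 man pages; on 10.4 check `man dsconfigad` first, as some option names differ. The computer-name check and the parser for `dsconfigad -show` output are plain shell and run anywhere; the binding and login-window functions only run when the script is invoked with `bind` or `verify` on the Mac itself, as root.

```shell
#!/bin/sh
# Added example (not from the original page): scripted equivalent of Steps 3 and 4.
# Assumed values, not from the page: ad.example.com, dc1.ad.example.com, corpcomm-mac.
# Run as root on the Mac:  ./adbind.sh bind      then      ./adbind.sh verify someuser

AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"            # assumed AD domain
AD_PREFERRED="${AD_PREFERRED:-dc1.ad.example.com}"  # assumed "Prefer this domain server" target
COMPUTER_NAME="${COMPUTER_NAME:-corpcomm-mac}"      # assumed computer name
ADMIN_GROUPS="domain admins,enterprise admins"      # the plugin's default "Allow administration by" groups

# AD computer accounts are NetBIOS names: 1-15 characters, letters, digits and hyphens.
# Prints ok / empty / too-long / bad-chars and returns non-zero on anything but ok.
check_computer_name() {
    name=$1
    [ -n "$name" ] || { echo "empty"; return 1; }
    [ "${#name}" -le 15 ] || { echo "too-long"; return 1; }
    case "$name" in
        *[!A-Za-z0-9-]*) echo "bad-chars"; return 1 ;;
    esac
    echo "ok"
}

# Reads `dsconfigad -show` output on stdin and prints the bound domain, or "unbound"
# when no "Active Directory Domain = ..." line is present.
bound_domain() {
    awk -F'= ' '/Active Directory Domain/ { d = $2 } END { print (d == "" ? "unbound" : d) }'
}

# The page's warning: a pre-existing DNS record for the Mac can break the bind.
preflight_dns() {
    if host "$COMPUTER_NAME.$AD_DOMAIN" >/dev/null 2>&1; then
        echo "warning: DNS already has a record for $COMPUTER_NAME.$AD_DOMAIN; remove it before binding" >&2
    fi
}

# Step 3: bind. Credentials are prompted for rather than written into the script, so they
# end up in neither the file nor the shell history (dsconfigad still takes the password as
# an argument, so it is visible in `ps` for the duration of that one call).
bind_ad() {
    printf 'Domain admin user: '; read -r aduser
    stty -echo; printf 'Password: '; read -r adpass; stty echo; echo
    scutil --set ComputerName "$COMPUTER_NAME"
    scutil --set LocalHostName "$COMPUTER_NAME"
    # -f forces the join when a computer account already exists (the GUI asks to re-use it)
    dsconfigad -f -a "$COMPUTER_NAME" -domain "$AD_DOMAIN" -u "$aduser" -p "$adpass"
    # Advanced Options: local home directories, admin groups, any-domain auth, preferred DC
    dsconfigad -localhome enable -groups "$ADMIN_GROUPS" -alldomains enable -preferred "$AD_PREFERRED"
    # Equivalent of ticking "Active Directory" in Directory Access: put the AD node on the search path
    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
}

# Step 4: login window asks for name and password instead of listing users, and no auto-login.
set_loginwindow() {
    defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
    defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null || true
    rm -f /etc/kcpassword   # the stored auto-login password, if one was set
}

# Post-bind check: the plugin reports the domain and a domain user resolves through it.
verify_bind() {
    user=$1
    echo "bound to: $(dsconfigad -show | bound_domain)"
    id "$user" && dscl "/Active Directory/All Domains" -read "/Users/$user" RecordName
}

case "${1:-}" in
    bind)
        check_computer_name "$COMPUTER_NAME" >/dev/null || { echo "bad computer name: $COMPUTER_NAME" >&2; exit 1; }
        preflight_dns
        bind_ad && set_loginwindow ;;
    verify)
        verify_bind "${2:?usage: $0 verify DOMAIN-USER}" ;;
esac
```

Run `verify` with an ordinary domain account rather than a domain administrator, for the reason given above; if `id` fails but `dsconfigad -show` reports the domain, the plugin is bound but the AD node is missing from the search path, which is exactly the case the last two `dscl` lines in `bind_ad` cover.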
Last Updated on Tuesday, 03 February 2009 02:19