Mac OS 10.5 consistently resisted most attempts to bind to Windows domain controllers with all kinds of errors and connection problems. Fortunately, the process has been greatly improved in Snow Leopard, the latest version of Mac OS X. Anyone wishing to integrate a Mac with an existing Windows based network is highly encouraged to upgrade to 10.6.5. Along with the many other useful updates and improvements it is $30 well spent.
Creating a Computer Account
The first step is to create a computer account on the Active Directory domain controller:
- In the domain controller’s Server Manager, navigate to Roles → Active Directory Domain Services → Active Directory Users and Computers
- Select the domain that the Mac should join to, right-click Computers and click New → Computer
- In the New Object – Computer dialog window, enter a name for the Mac computer, make it a member of the desired group and click OK.
The new entry for the Mac computer should now be displayed in list of registered domain computers. The computer’s description can be added by opening its properties (right-click).
Joining the Mac
The Mac can be configured from the command line interface using the dsconfigad command, but for most purposes it is generally easier to use the Directory Utility graphical user interface that is integrated into Mac OS. Please note that the Directory Utility, which previously used to be located in /Applications/Utilities/ can now be found in /System/Library/CoreServices/.
- Launch the Directory Utility and unlock it as a local administrator, if necessary
- In the list of directory plug-ins, select Active Directory and click the pen button at the bottom left to configure the plug-in
- In the configuration dialog, enter the names of your Active Directory domain, as well as the Mac computer. The Computer ID field should match the name of the entry that was previously created on the domain controller. Then click the Bind… button
- Enter a user name and password credentials for a domain user that is authorized to join computers to the Active Directory domain. If this is also the account you will be operating the Mac under, you may leave the Use for authentication and Use for contacts boxes checked
- In the next step, the Directory Utility will detect the existing computer account previously created in the Active Directory. Click OK to join the Mac to the existing account.
The Mac should now be bound to the Windows domain.
Supporting Multiple Domain Controllers
If multiple domain controllers are present on the local network, as is often the case in enterprise and corporate networks, the Directory Utility can be configured to bind to a preferred server. The option can be found in the Active Directory plug-in’s Advanced Options.
Alternatively, this option can also be set using the following console command in the terminal:
dsconfigad -preferred SERVERNAME
Should the binding operation fail due to the domain controller being unreachable or otherwise not found, try the following:
- Make sure the Mac uses the domain’s DNS server. In most cases this will be the same IP address as the domain controller. The setting can be found in the DNS section of the Network options in System Preferences
- Try add the domain suffix to the search domains. This setting can be found in the same section as the DNS server.
- Integrating Mac OS X 10.3 with Active Directory (PDF, Apple 2009)
- Snow Leopard and Active Directory Tips and Reports (MacWindows.com)