
Integrate Macs into a Windows Active Directory domain - TechRepublic Page 1 of 10

APPLE

Integrate Macs into a Windows Active Directory domain


Jesus Vigo takes a look at how to set up and configure Apple hardware running a modern version of OS X and get it communicating with a Windows Active
Directory environment.
By Jesus Vigo | in Apple in the Enterprise, December 6, 2013, 11:05 AM PST

Market share in the enterprise is largely dominated by Microsoft, specifically through the reliance on the Windows Server family line to manage network resources, align
desktops with corporate security policies, and maintain the flow of production amongst all the employees at a given organization. Administering all
these systems, desktops and servers alike, is relatively straightforward in a homogeneous environment, but what happens when OS X is introduced to the
enterprise in the form of a sleek, shiny new MacBook Air or iMac?

Apple hasn't made great inroads in this segment. However, comparing its paltry 7% market share in the desktop market to its almost 93% in the mobile device market,
it's only a matter of time before more companies begin to choose Apple products for their mobile and desktop computing duties in lieu of the generic, stalwart PCs
they've been cycling in and out every three to five years. So, I ask you again, what do you do when your organization decides to upgrade to iMacs? How do you
manage those nodes in addition to the existing Windows domain that's already established?

Integrating Macs will initially be easier than you think! Even with little to no prior OS X knowledge, Macs will bind* to the domain with relative ease, since directory
services (the underlying "file structure" of the network resources) are standards-based and operate more or less the same across operating systems.

Note*: Binding is the term associated with joining OS X to a domain. It's virtually identical to joining a Windows PC to a domain, complete with checking domain
credentials to verify the end user has the necessary rights to add the computer to the domain.

Minimum requirements:

Server hardware running Windows Server 2000-2012 Standard


Active Directory Domain Services (ADDS) set up and configured
Domain Administrator-level account
Apple desktop or laptop running OS X 10.5+
Switched network

I. Bind OS X to a Windows domain (10.5-10.9)

Follow these steps to bind OS X to a Windows domain:

1. On the Mac, go to System Preferences, and click on the padlock to authenticate as an Administrator (Figure A)
Figure A

http://www.techrepublic.com/blog/apple-in-the-enterprise/integrate-macs-into-a-windows-active-directory-... 5/1/2017

2. Enter your admin-level credentials to authenticate when prompted


3. Next, select Login Options, and then click the Join button next to Network Account Server (Figure B)
Figure B

4. In the Server drop-down menu, enter the fully-qualified domain name (ex. domain.com) of the Windows domain you wish to bind to the Mac, and click OK (Figure C)
Figure C

5. Next, you'll need to enter your domain-level credentials in order to proceed with the binding process (make sure that the computer name is unique and formatted
properly, because this is the name that will be created** for the computer object in ADDS), and then click OK to process the enrollment (Figure D)
Figure D


6. Upon successful binding, the window will close and the Users & Groups preference will remain open, but a small green dot (along with the domain name) will
appear next to Network Account Server to indicate connectivity to the domain (Figure E)
Figure E

Note**: By default, Windows will automatically create the computer object account in ADDS if one does not already exist. However, domain or enterprise admins may
(and often do) restrict this as a security feature to curb random nodes from being joined to the domain. Additionally, Organizational Units (OUs) may be created as a
way to compartmentalize ADDS objects by one or more classifications or departments. Many enterprises will utilize OUs as a means to organize objects and accounts
separately from the items created by default when a domain controller is promoted and ADDS is created.

II. Modify Directory Services settings


Your next steps will be to modify the Directory Services settings. Here's how:

1. To ensure the highest level of compatibility between OS X and the network resources on the Windows network, certain changes must be made to the Active
Directory service with the Directory Utility, so go to System Preferences | Users & Groups, and click Login Options
2. Click the Edit button next to Network Account Server, then click Open Directory Utility (Figure F)
Figure F


3. The Directory Utility lists various services associated with network account directories (Figure G), and it allows you to modify settings as needed
Figure G

4. Double-click Active Directory to edit its configuration (Figure H)


Figure H

5. Click on the arrow to unhide the Advanced Options, select User Experience, and check the following boxes:
a. Check Force local home directory on startup disk (Figure I), which will force the creation of a profile on the local HDD for all users that log on to the node (if you
plan to serve profiles remotely from a server, leave this setting unchecked)
Figure I

b. Check Use UNC path from Active Directory to derive network home location (Figure J), and select the network protocol to be used: smb: (Note: This setting will
switch the default protocol for network resource paths from Apple's afp: to the Windows-friendly smb:, also known as Common Internet File System, or CIFS).
Figure J


6. Next, select Mappings (Figure K), which pertains to specifying unique GUIDs for certain attributes used within ADDS to identify a computer object account. OS X will
generate these at random by default when bound to the domain; however, you may wish to use a particular set as generated by your enterprise admin.
Figure K

7. Finally, select Administrative (Figure L), and configure the following three optional settings based on the ADDS schema setup of the organization:
Figure L


a. Checking Prefer this domain server will perform two-way communication to/from the domain controller of your choosing
b. Checking Allow administration by will allow nodes to be managed by the administrator(s) who are responsible for overseeing systems, based on security group
membership or user account(s)
c. Checking Allow authentication from any domain in the forest may or may not be necessary to ensure that the OS X computers authenticate to the proper domain,
as configured by the domain/enterprise admin.
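
The same procedure from Terminal, as an added example that is not part of the original article: macOS's dsconfigad tool exposes the bind from section I and the Directory Utility checkboxes from section II as flags. The domain, join account, OU, admin group and the script name bind.sh are placeholders, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: Terminal equivalent of sections I and II via dsconfigad.
# Every value below is a placeholder (assumption), not from the article.
AD_DOMAIN="domain.com"                  # FQDN typed in step I.4
AD_JOIN_USER="joinacct"                 # hypothetical account allowed to join computers
AD_OU="CN=Computers,DC=domain,DC=com"   # or the OU your admins pre-staged
AD_ADMIN_GROUP="DOMAIN\\Mac Admins"     # hypothetical group for "Allow administration by"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands only; 0 = execute (as root)

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# NetBIOS caps computer names at 15 characters. The character rule here
# (letters, digits, inner hyphens) is a conservative choice for this example.
valid_computer_name() {
    case "$1" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Section I: bind. -password is omitted on purpose so dsconfigad prompts for
# it, keeping the credential out of shell history and the process list.
bind_mac() {
    if ! valid_computer_name "$1"; then
        echo "refusing to bind: bad computer name '$1'" >&2
        return 1
    fi
    run dsconfigad -add "$AD_DOMAIN" -computer "$1" \
        -username "$AD_JOIN_USER" -ou "$AD_OU"
}

# Section II: User Experience (5a, 5b) and Administrative (7b, 7c) options.
configure_ad_plugin() {
    run dsconfigad -localhome enable -useuncpath enable -protocol smb
    run dsconfigad -groups "$AD_ADMIN_GROUP" -alldomains enable
}

# Usage: sudo DRY_RUN=0 sh bind.sh MAC-LAB-01
if [ "$#" -gt 0 ]; then
    bind_mac "$1" && configure_ad_plugin && run dsconfigad -show
fi
```

Review the dry-run output first; dsconfigad -show afterwards prints the resulting settings so they can be compared with what was chosen in Directory Utility.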

There you have it: a basic look at how to set up and configure Apple hardware running a modern version of OS X and get it communicating with a Windows Active
Directory environment. I also threw in a few extra tips to help make a smooth transition and minimize errors.

One additional tip (and common best practice) is to host an Open Directory domain along with the Active Directory service. Multiple directory services will add to the
burden of managing two distinct operating systems, but you'll be surprised to find out that it may actually make administration of these systems easier! This
dual-directory environment will allow Windows PCs to be maintained and managed solely through the Active Directory side, while Open Directory, when set up with OS X
Server, can be used to maintain and manage the Apple computers.

Giving the Apple hardware the second directory binding to ADDS will allow them to seamlessly communicate with the Windows desktops and share file and printer
resources from Windows servers and nodes, and vice-versa. This eliminates the need for costly 3rd-party software plugins. The Macs will receive much of their
management directly from the domain controller hosting the Active Directory service, but it must "translate" the processes into commands that OS X will understand.
Even then, it does introduce another variable when troubleshooting. And let's be honest, the newly released OS X Server 3.0, which is only $20 in the Mac App
Store, is a full-fledged server OS that's as simplified and easy to use as OS X.

III. Additional resources


Here are some additional resources for more information:

OS X Server: How to Setup OS X Server (http://www.techrepublic.com/blog/apple-in-the-enterprise/how-to-set-up-apple-os-x-server/)


OS X Server: How to Setup Open Directory (http://www.techrepublic.com/blog/apple-in-the-enterprise/apple-os-x-server-how-to-set-up-open-directory/)
Apple Support KB Article - Active Directory Naming Considerations when Binding (http://support.apple.com/kb/TS1532)
Apple Training PDF - Best Practices for Integrating OS X with Active Directory (http://training.apple.com/pdf/wp_integrating_active_directory_ml.pdf)


About Jesus Vigo


Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size
businesses. He brings 19 years of experience and multiple certifications from seve...
