Easiest Way To Use Active Directory For Windows On Mac

Joining a Mac to Active Directory has become more difficult with each release. High Sierra and Mojave now require an Active Directory functional level of Windows Server 2008 or later, and even then the bind is still tricky to get working.




When I started researching the topic I saw a whole lot of advice to install third party software to join a Mac to Active Directory. In most corporate environments installing third party software is frowned upon due to licensing and security considerations so I was determined to get the native Mac OS X tools to work.

This guide will walk you through the basic steps to join Active Directory without having to resort to using third party software.

Configure DNS Settings

One of the big roadblocks to joining Active Directory is DNS settings. In many networks DHCP won’t populate everything you need. Windows can get away with this, but when joining a Mac we need to make sure every search domain and DNS server is populated.

The easiest way to get everything you need is to run ipconfig /all from the command prompt of a Windows machine that is already joined to the domain:

I have bolded the important things you need to verify.

You want to make sure that all of the DNS Suffix Search List entries are listed in the “Search Domains” box pictured below:

Next verify that all of the DNS servers coming up on your Windows machine are also put into the Mac DNS servers list. On my machine I got all of the DNS servers but only one of the search domains. Make sure it matches your already joined machine!
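As an added example (not part of the original post), the script below does the comparison described above from the command line: it extracts the DNS Suffix Search List and DNS Servers from saved `ipconfig /all` output, reads the Mac's current values for one network service with `networksetup`, and prints the `networksetup` command that would make the Mac match. The `ipconfig` text inside it is constructed sample output, and the service name `Wi-Fi` is an assumption (`networksetup -listallnetworkservices` lists the real ones). `networksetup` only exists on macOS, so on any other system the Mac side is reported as empty.

```shell
#!/bin/sh
# Added example, not from the original post. Reads saved `ipconfig /all` output
# from a domain-joined Windows PC, pulls out the DNS search list and DNS servers,
# and reports which entries the Mac is missing for the chosen network service.

# Constructed sample of `ipconfig /all` output (not from a real machine).
SAMPLE_IPCONFIG='
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WINPC01
   Primary Dns Suffix  . . . . . . . : corp.example.com
   DNS Suffix Search List. . . . . . : corp.example.com
                                       example.com
                                       lab.example.com

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example.com
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
'

# ipconfig_field FIELD TEXT: print the value(s) of an ipconfig field, one per line.
# ipconfig pads field names with " . . . :", so a line containing " . " and ":"
# starts a field; indented lines without that padding continue the previous one.
ipconfig_field() {
    printf '%s\n' "$2" | awk -v f="$1" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        {
            line = trim($0)
            if ($0 ~ / \. .*:/) {                  # a field line
                if (index(line, f) == 1) {
                    sub(/^[^:]*:[ \t]*/, "", line)  # drop "Name . . . : "
                    if (line != "") print line
                    on = 1
                } else on = 0
                next
            }
            if (on && $0 ~ /^[ \t]+[^ \t]/) { print line; next }  # continuation
            on = 0
        }'
}

# mac_list GETTER SERVICE: current Mac values via networksetup (macOS only);
# prints nothing when the tool is absent or the list is empty.
mac_list() {
    command -v networksetup >/dev/null 2>&1 || return 0
    networksetup "-$1" "$2" | grep -v "^There aren't any" || :
}

# missing_entries WANTED HAVE: newline-separated entries in WANTED but not in HAVE.
missing_entries() {
    printf '%s\n' "$1" | while IFS= read -r want; do
        [ -n "$want" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

SERVICE="${SERVICE:-Wi-Fi}"   # assumed service name; see networksetup -listallnetworkservices
WANT_DOMAINS=$(ipconfig_field "DNS Suffix Search List" "$SAMPLE_IPCONFIG")
WANT_DNS=$(ipconfig_field "DNS Servers" "$SAMPLE_IPCONFIG")
HAVE_DOMAINS=$(mac_list getsearchdomains "$SERVICE")
HAVE_DNS=$(mac_list getdnsservers "$SERVICE")

# report LABEL SETTER WANTED HAVE: show what is missing and the command to fix it.
report() {
    miss=$(missing_entries "$3" "$4")
    if [ -z "$miss" ]; then
        echo "$1: Mac already matches Windows"
    else
        echo "$1 missing on the Mac: $(printf '%s' "$miss" | tr '\n' ' ')"
        # The setter replaces the whole list, so the full Windows list is passed.
        echo "  fix: sudo networksetup -$2 \"$SERVICE\" $(printf '%s' "$3" | tr '\n' ' ')"
    fi
}
report "Search domains" setsearchdomains "$WANT_DOMAINS" "$HAVE_DOMAINS"
report "DNS servers"    setdnsservers    "$WANT_DNS"     "$HAVE_DNS"
```

To use it against a real machine, paste the `ipconfig /all` output into `SAMPLE_IPCONFIG` (or read it from a file) and set `SERVICE` to the Mac's active network service; the fix commands are printed rather than run so they can be reviewed first.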

Configure Network “Sharing” Name

Go to the Settings app on your Mac again and choose “Sharing”.

This part is easy. Set this to the computer name you are going to join the domain with. Usually the existing one will be something like “admin’s iMac”.

Prestaging AD Computer Account

Next open up Active Directory and create a new “Computer” account.

I strongly recommend keeping your Mac name to 15 characters or less. This is demonstrated in the screenshot below. If that isn’t possible then use the pre-Windows 2000 computer name when you join Active Directory or you will get an error (see Troubleshooting).

Press OK to create the Active Directory account. Now switch back to the Mac and let’s perform the bind.

Join Active Directory

Next go back to the Settings app and choose “Users and Groups”.

From here, select “Login Options” at the bottom left of the window. You will now see a “Network Account Server” entry with a Join button. Click Join and fill everything out as follows:

Use your fully qualified domain name (FQDN). This is usually the same as your “Primary DNS Suffix” we got from our Windows machine. This allows us to get around any DNS configuration shenanigans.

For the Active Directory computer name, enter the pre-Windows 2000 computer name from the step above. If you chose a name of 15 characters or less the two will be the same.

For your AD username, don’t use anything like DOMAIN\user or user@domain. We have already fully qualified the server in the server field, so this is not necessary and will cause problems. Enter it as in the example above.

Now press OK and with any luck you will be met with a screen that looks like this:

Troubleshooting

Plugin Error 10001

This is the most common error you will get when you try to join High Sierra or Mojave to Active Directory. There are a few reasons it can come up.

Apple states that your Active Directory needs to be at a functional level of Windows Server 2008 to work unless you enable “weak encryption” (RC4) support in your forest. That would be a terrible idea: RC4 was broken many years ago and is trivial to attack.

However, even with a functional level of 2008, I have yet to see it work without prestaging the computer in Active Directory first and then attempting to join. Prestaging has fixed this error on all of the Macs I have joined to domains.

There are a few other requirements on Apple’s list that could be contributing, but with prestaging you will likely be able to bind even without things like extended schema support.


Plugin Error 5103

This error is frequently encountered when the Mac’s computer name is too long. Join the domain with the “pre-Windows 2000” computer name or, better, choose a name for the Mac that is 15 characters or less.

My domain ends with .local

This is bad. Very bad. This has been a long-standing issue with joining Macs to Active Directory, as .local is the suffix Apple’s own Bonjour uses by default. It used to be a matter of simply changing or disabling Bonjour, but that no longer works.

Using .local has been against best practices for many years but not everyone has migrated their domains yet. If you are stuck in this situation and telling your sysadmins to get a grip and migrate their domain is not an option then you may have to consider a third party AD stack. Here’s a lengthy spiceworks discussion on this topic.

If you have been able to find a workaround for this issue in Mojave or High Sierra definitely drop a comment below so we can share it but I was not able to find an instance of anyone getting around this in the newer versions of OS X without going third party.
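As an added example (not part of the original post), the script below checks the three values entered in the Join dialog in the “Join Active Directory” section against the conditions described there and under Troubleshooting: the computer name must fit the 15-character pre-Windows 2000 limit (Plugin Error 5103), the server field must be a dotted FQDN that does not end in .local, and the username must be bare rather than DOMAIN\user or user@domain. It then prints the equivalent command-line bind using Apple’s `dsconfigad`. The domain `corp.example.com`, computer name `MACLAB01` and user `joinadmin` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the three values typed into
# the Join dialog (server FQDN, pre-Windows 2000 computer name, bare username)
# against the conditions the post describes, then prints the equivalent
# command-line bind with dsconfigad. All names below are constructed placeholders.

AD_DOMAIN="${AD_DOMAIN:-corp.example.com}"   # FQDN, as entered in the server field
MAC_NAME="${MAC_NAME:-MACLAB01}"             # the prestaged computer account name
AD_USER="${AD_USER:-joinadmin}"              # bare username: no DOMAIN\ prefix, no @suffix

# 0 when the name fits the 15-character pre-Windows 2000 limit and uses only
# letters, digits and hyphens (Plugin Error 5103 is the symptom of a long name).
valid_computer_name() {
    n="$1"
    [ -n "$n" ] && [ "${#n}" -le 15 ] || return 1
    case "$n" in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# 0 when the domain is a dotted FQDN that does not end in .local (the suffix
# Bonjour/mDNS uses, which breaks the bind on High Sierra and Mojave).
domain_shape_ok() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$d" in
        *.local|*.local.) return 1 ;;
        *.*)              return 0 ;;
        *)                return 1 ;;
    esac
}

# 0 when the username is bare: neither DOMAIN\user nor user@domain.
bare_username() {
    case "$1" in
        *\\*|*@*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Runs all three checks, printing one line per failure; 0 only when all pass.
preflight() {
    rc=0
    valid_computer_name "$MAC_NAME" || { echo "FAIL: computer name '$MAC_NAME' must be 1-15 letters/digits/hyphens (see Plugin Error 5103)"; rc=1; }
    domain_shape_ok "$AD_DOMAIN"    || { echo "FAIL: domain '$AD_DOMAIN' is not a usable FQDN or ends in .local"; rc=1; }
    bare_username "$AD_USER"        || { echo "FAIL: username '$AD_USER' must be bare, not DOMAIN\\user or user@domain"; rc=1; }
    return $rc
}

# The command-line equivalent of the Join dialog. Printed rather than executed;
# dsconfigad prompts for the account password when -password is omitted.
bind_command() {
    printf 'sudo dsconfigad -add "%s" -computer "%s" -username "%s"\n' "$AD_DOMAIN" "$MAC_NAME" "$AD_USER"
}

if preflight; then
    echo "preflight OK; the domain's LDAP SRV record should resolve before binding:"
    echo "  dig +short SRV _ldap._tcp.dc._msdcs.$AD_DOMAIN"
    echo "bind with:"
    echo "  $(bind_command)"
    echo "verify with:  dsconfigad -show"
fi
```

Run it as `AD_DOMAIN=your.fqdn MAC_NAME=YOURMAC AD_USER=youradmin sh preflight.sh`; the SRV lookup line is the DNS query a bind depends on, so if it returns nothing the DNS settings from the earlier section are the first thing to revisit.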


Conclusion


As long as you aren’t in a .local domain the native built-in tools should prove perfectly sufficient to join Mac OS X High Sierra and Mojave provided we use prestaging.

That being said I can only speak for the environments I have worked in. If you follow this guide and encounter additional problems definitely leave a comment below so we can get that information out there!


You should also check out Apple’s Active Directory integration guide, as it covers some requirements that you may have run into that I didn’t.