How To Integrate Mac OS X With Windows Active Directory

Business IT administrators and service providers increasingly come across mixed-environment networks where some users are on Macs and others are on Windows. There can be challenges in getting the two operating systems to work together, but it is generally fairly easy to integrate them seamlessly into one IT network.

Mac And Windows File Sharing

Let’s look at one example to see how to implement this process. Say a company has a small office with several workstations running Windows, a desktop server running Windows Small Business Server 2008 with Exchange, and one iMac running Mac OS X 10.8. These computers are all connected via wireless or hardwired Ethernet to the network. How would one go about getting the iMac to connect to and work with the network, which is running Active Directory?


Active Directory Users and Computers is where you can access, manage, and set permissions on shared resources in your network for specific users, groups, and computer objects. Active Directory Domain Services (ADDS) stores the directory data and manages all communications between users and the associated domains, including:

  • User logon processes
  • Authentication
  • Directory searches

File Sharing Permissions In Active Directory For Mac

Macs can connect to Active Directory networks just like any user or computer running Windows. The first thing to consider is where in Active Directory you want the Mac to reside. Since the network in our example is small, the container can remain the default container, “Computers”. If you have a larger or more complicated network, you would want to give the Macs a container or Organizational Unit (OU) of their own.

Mac Organization Units in Active Directory

Macs bind to the domain via directory services much like a Windows computer does. Binding refers to joining a Mac OS X computer to a domain and entails checking domain credentials to verify that the end user has the necessary rights to add the computer to the domain. The process is the same for Mac and Windows because the underlying “file structure” of the network resources is standards-based and operates similarly across operating systems. [1]

Steps To Bind OS X to a Windows domain

  • Go to System Preferences
  • Click on the padlock to authenticate as an Administrator
  • Enter admin-level credentials to authenticate after the prompt
  • Select “Login Options”, and then click the “Join” button
  • Enter the domain name in the Server drop-down menu
  • Enter the domain-level credentials in order to proceed with the binding process
  • Click OK to process the enrollment

Note: Make sure the computer name is unique and formatted properly, because this is the name that will be created for the computer object in Active Directory Domain Services (ADDS).[2]

Modify Directory Services settings

These next steps ensure compatibility between OS X and the network resources on the Windows network; the changes are made to the Active Directory service entry in Directory Utility.

Users and Groups

First make sure that you have rights in Active Directory to add computers to the necessary container.

  • System Preferences
  • Users & Groups
  • Login Options

Then click “Edit” next to Network Account Server, and click “Open Directory Utility”. You will most likely need to authenticate at this point. Directory Utility lists the different services associated with network account directories, and this is where you can modify their settings.

Directory Utility

Choose “Active Directory” from the list of services in the main Directory Utility window.

Active Directory tree

For our example, you can ignore the Active Directory Forest field. (This option is typically used for larger networks.)

  • Enter the Active Directory domain name in the “Active Directory Domain” field.
  • Leave the Computer ID field as it is; Directory Utility will pull the appropriate information from the Sharing preferences.[3]


User Experience

Show the Advanced Options by clicking on the arrow, select “User Experience”, and check the following boxes:

  • Create Mobile Account at Login. This makes Active Directory logins easier for the user.
  • Force local home directory on startup disk. This forces the creation of a profile on the local HDD for every user who logs on to the node. If you plan to serve profiles remotely from a server, you can leave this setting unchecked.
  • Use UNC path from Active Directory to derive the network home location. Then select the network protocol to be used: smb:

Note: This switches the default protocol for network resource paths from Apple’s afp: to the Windows-friendly smb:, also known as Common Internet File System (CIFS).[4]

Mapping

Next select “Mappings”. This is where you can specify unique GUIDs for certain attributes used in ADDS to identify a computer object account. By default OS X generates the GUIDs at random when it is bound to the domain; however, you may need to use a particular attribute set supplied by your network admin.[5]


Administrative


Now select the “Administrative” tab and configure the following three optional settings based on the ADDS schema setup of your organization.

a) Prefer this domain server:

This option directs two-way communications to/from the domain controller of your choice.

b) Allow administration by:

This option allows the administrator to manage the nodes.

c) Allow authentication from any domain in the forest:

This option may or may not be necessary to ensure that the OS X computers authenticate to the proper domain, as configured by the domain network admin.

For our example we will do the following:

Enable the “Allow Administration By” option; this makes anyone in the Enterprise Admins or Domain Admins group a local admin on that Mac.

Now click “Bind”, enter the Active Directory username and password, and click “OK”. Click “OK” again, quit Directory Utility, and reboot the Mac. Active Directory logins should now work and create home directories automatically.[6]
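The same bind scripted with the dsconfigad command-line tool, followed by a check that reads the settings back, as an added example rather than the article's own procedure. dsconfigad's flags correspond to the Directory Utility options above; the domain, computer name, container, service-account name and the sample `dsconfigad -show` layout are all assumptions.

```shell
#!/bin/sh
# Assumed placeholder values: replace with the real domain, a unique computer name,
# a service account allowed to create computer objects, and the target container.
AD_DOMAIN="example.corp"
COMPUTER_ID="imac01"                     # becomes the ADDS computer object name; must be unique
AD_ADMIN="svc-macbind"
AD_OU="CN=Computers,DC=example,DC=corp"  # default container; larger fleets use a Macs OU

# Bind and apply the User Experience / Administrative options from the walkthrough.
# -password is omitted on purpose: dsconfigad prompts for it, so the secret never
# lands in `ps` output or shell history.
bind_to_ad() {
  dsconfigad -add "$AD_DOMAIN" -computer "$COMPUTER_ID" \
             -username "$AD_ADMIN" -ou "$AD_OU" || return 1
  dsconfigad -mobile enable -mobileconfirm disable      # Create mobile account at login
  dsconfigad -localhome enable                          # Force local home on startup disk
  dsconfigad -useuncpath enable -protocol smb           # UNC home path over smb:, not afp:
  dsconfigad -groups "domain admins,enterprise admins"  # Allow administration by
}

# Compare `dsconfigad -show` output (a file of "Label = Value" lines) with the
# settings we expect. Prints every mismatch; returns 1 if any setting is off.
verify_bind() {
  show="$1"; rc=0
  while IFS='|' read -r label want; do
    got=$(sed -n "s/^ *$label *= *//p" "$show" | head -n 1)
    [ "$got" = "$want" ] || { echo "MISMATCH: $label = '$got' (want '$want')"; rc=1; }
  done <<EOF
Active Directory Domain|$AD_DOMAIN
Create mobile account at login|Enabled
Force home to startup disk|Enabled
Use Windows UNC path for home|Enabled
Network protocol to be used|smb
Allowed admin groups|domain admins,enterprise admins
EOF
  return $rc
}

# Constructed sample of `dsconfigad -show` output (layout approximated) for offline checks.
sample_show_output() {
  cat <<'EOF'
  Active Directory Domain          = example.corp
  Computer Account                 = imac01$
  Create mobile account at login   = Enabled
  Force home to startup disk       = Enabled
  Use Windows UNC path for home    = Enabled
  Network protocol to be used      = smb
  Allowed admin groups             = domain admins,enterprise admins
EOF
}
```

On the Mac, run bind_to_ad as an administrator, then `dsconfigad -show > /tmp/ds.txt; verify_bind /tmp/ds.txt` to confirm every option took effect; the sample function only feeds the check offline.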


Joining Active Directory Domain

After the Mac binds to the Windows domain, the Users & Groups preference pane will show a small green dot and the domain name next to “Network Account Server”, indicating connectivity to the domain.

Join Domain Small Green Dot

Another tip and best practice is to host an Open Directory domain in addition to the Active Directory service. This dual-directory environment allows Windows PCs to be maintained and managed solely through the Active Directory side, while Open Directory (if it is set up with OS X Server) can be used to maintain and manage the Apple computers.

Giving Macs the second directory binding to ADDS will allow them to seamlessly communicate with the Windows computers and share resources from Windows servers and nodes, and also the other way around.

The Macs will receive much of their management directly from the domain controller hosting the Active Directory service, but OS X must “translate” those processes into commands it understands. This eliminates the need for 3rd-party software plugins to enable seamless communication.[7]

[1] Welch, John C. “Mac IT Guy: Macs and Active Directory.” Macworld. Mac Publishing, 18 Jan. 2011. Web. 13 Apr. 2014.

[2] Welch, John C. “Mac IT Guy: Macs and Active Directory.” Macworld. Mac Publishing, 18 Jan. 2011. Web. 13 Apr. 2014.

[3] Vigo, Jesus. “Apple OS X Server: How to Set up Open Directory.” TechRepublic. Apple in the Enterprise, 8 Aug. 2013. Web. 13 Apr. 2014.

[4] Vigo, Jesus. “Apple OS X Server: How to Set up Open Directory.” TechRepublic. Apple in the Enterprise, 8 Aug. 2013. Web. 13 Apr. 2014.

[5] Vigo, Jesus. “Apple OS X Server: How to Set up Open Directory.” TechRepublic. Apple in the Enterprise, 8 Aug. 2013. Web. 13 Apr. 2014.

[6] Vigo, Jesus. “Apple OS X Server: How to Set up Open Directory.” TechRepublic. Apple in the Enterprise, 8 Aug. 2013. Web. 13 Apr. 2014.

[7] Vigo, Jesus. “Integrate Macs into a Windows Active Directory Domain.” TechRepublic. Apple in the Enterprise, 6 Dec. 2013. Web. 13 Apr. 2014.