Are you tasked with establishing appropriate OS X Active Directory Integration in your environment? Are we talking apples and oranges here or what? Most IT professionals are efficient with the Mac OS X or Windows Active Directory (AD) but not both. I’m sure you’ve had plenty of good fun harassing one or the other on either platform. Is it really possible to allow a Macintosh Computer to become a law abiding citizen of an AD Domain? If so, how much Pepto Bismol am I going to need to get through it? Sorry for the drama, but I wanted to get your attention.

As it turns out, the Mac natively supports OS X Active Directory Integration for their loyal followers that apparently are being coerced into joining a Windows domain.

Why would an organization find itself needing OS X Active Directory Integration (migrate Mac computers into their AD structure)? Most shops decide at conception if they are going to be Mac or PC based companies. But what happens if Company A (PC Based) purchases Company B (Mac based)? Are they really going to want to replace possibly hundreds or thousands of Macs from Company B with new PCs. Of course not. Being able to join all those Macs to the AD domain is invaluable from that point of view. On the other hand, perhaps new hires are Mac experts and know nothing about PCs. In that situation, A computer needs to be purchased either way, so why not be able to get them a computer they are already proficient at and let them hit the ground running?

Enough with the intro and necessary explanations… You probably already know you need to join a Mac to an AD Domain.

For starters, the first thing to understand is that Macs bind to an AD domain while PCs join an AD Domain. It’s just terminology, but it needs to be understood.

Below is an outline for accomplishing OS X Active Directory Integration. I have also included more in-depth referential links to provide you with all of the detail you would need to complete the bind.

OS X Active Directory Integration – The Process

Minimum Requirements:

• Server hardware running Windows Server 2000-2012 Standard
• Active Directory Domain Services (ADDS) setup and configured
• Domain Administrator-level account
• Apple desktop or laptop running OS X 10.5 or newer

Step 1: Bind OS X to a Windows Domain

1. Login to the Mac as an Administrator
2. Open ‘System Preferences’ and select ‘Users & Groups’
3. Select the ‘Login Options’ menu in the sidebar and use the “Join” button
4. Enter the fully-qualified domain name of the AD domain being bound
5. AD Domain level credentials will be needed

Step 2: Modify Directory Services Settings

1. From the ‘Login Options’ menu again, edit the ‘Network Account Server’ settings
2. Configure the “Force Local home directory on startup” option
3. Configure the “Use UNC path from Active Directory to derive network home location”
4. Select ‘Mapping’ which specifies unique IDs for certain attributes that server to identify a computer account
5. Finally, there will be three optional settings to choose from, “Prefer this domain server”, “Allow administration by” and “Allow authentication from any domain in the forest.” Select whichever option is most applicable.

Now for the good news. Once your Mac clients have been joined to your AD domain, other software services that rely on AD will be able to perform necessary functions for both security and convenience.  For example, with a Mac that is bound to an AD domain, the PortalGuard Desktop Client can be installed and your end users will be able to enjoy the same Self-service Password Reset and Recovery feature that Windows users appreciate.