Ehcho.com

Binding to Active Directory

By Morgan Rowe | 31 Jul 2013

Binding a Mac to Active Directory (AD) is a relatively simple process, which can be accomplished using tools that come with your Mac.

Before you start, you should ensure your current version of OSX is fully up to date. Making sure your operating system is up to date is extremely important as the latest patches improve the security and reliability of the Active Directory plugin – among other things. At the time of writing this article, 10.7.5 and 10.8.3 have been released. I’ve tested this technique on both operating systems but haven’t tested it on Snow Leopard or lower.

In order to connect to AD, you’ll need to know your domain name. This is the same domain name you’d use to connect your Windows clients to AD. Also make sure your Macs are connected to the same network as your AD controllers and that the time on your Macs is in sync with AD.

Getting started

To start, we need to log into the client Mac as an administrator.

Open System Preferences, which can be found within the /Applications folder or accessed from the Apple menu in the top left of the screen.

Firstly, we need to make sure that our computer has a desirable computer name. If you’re setting up a suite of computers, you’ll probably want to use a naming convention. To change the computer name, click on Sharing. Once the pane loads, you’ll have the option to change the computer name to something more appropriate. Make sure you don’t use any weird characters or spaces as this may cause issues later on. If you need to separate words, I suggest you use an underscore, or a dash. Once you’ve entered your computer name, press return and click on the “Show All” button at the top of the System Preferences window.

Binding to Active Directory

Let’s bind our Mac to AD. Click on Users & Groups and when the pane loads, click on Login Options and then click “Join”. If the Join button is grayed out, you’ll need to unlock the preference pane by clicking on the padlock, which is located at the bottom left of the window. You’ll be prompted for the local administrator password. Enter it and press return.

Once the Join window appears, click on the plus button and type in your domain name. The window should expand to show three input boxes: the client computer ID, username and password. The client computer ID will be the name of the computer record stored within AD, which is usually the computer name. The requested username and password are for an AD account that has privileges to bind computers to AD. This is usually just the AD administrator account.

Once this information is supplied, click OK and the Mac will attempt to bind to AD. It should bind successfully but if it doesn’t, here are a few issues I’ve come across in the past.

Troubleshooting

Unsynchronised time is the most common issue I’ve come across. Ensure that the time on the Mac is the same as the time on your AD controllers. The time settings on a Mac can be edited within the “Date & Time” preference pane. Also make sure that the date is the same as well! This has caught me out in the past.

I’ve also noticed that the Macs refuse to bind to AD when multiple network adapters are enabled. Try disabling the WiFi adapter and then attempt to bind to AD. You can re-enable the adapter after the Mac has bound to AD. To disable the WiFi adapter, open System Preferences and click on Network. Click on the WiFi adapter and move your mouse to the small cog button, located near the bottom of the Network window. Click on it and choose “Make Service Inactive”. After a couple of seconds, the WiFi adapter should have been disabled.

Sometimes there’s just no good reason why the Mac won’t bind and unfortunately the error messages produced are not very helpful. You can always try to restart the Mac – sometimes this helps.
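The two failure causes described above, clock skew and more than one active network adapter, can be checked from the Terminal before you click Join. The script below is an added example and is not part of the original post. It assumes a Mac with `networksetup` and `ntpdate` available (both shipped with 10.7 and 10.8); `DC_HOST` stands for one of your domain controllers and is a placeholder. The 300 second limit is the default Kerberos clock tolerance, which is what AD authentication ultimately depends on; a date that is a day out fails this check just as a wrong time does.

```shell
#!/bin/sh
# Added example (not from the original post): pre-bind checks for the two
# problems the post lists, clock skew and multiple active network adapters.
# Assumptions: macOS with networksetup(8) and ntpdate(8); DC_HOST placeholder.
set -eu

# Kerberos rejects clients whose clock differs from the KDC by more than
# five minutes by default, so that is the tolerance used here.
MAX_SKEW_SECONDS=300

# Return 0 when |offset| (seconds, may be negative or fractional) is within
# the tolerance. Takes a value so it can be tested without a live DC.
clock_skew_ok() {
    offset="$1"
    limit="${2:-$MAX_SKEW_SECONDS}"
    awk -v o="$offset" -v l="$limit" \
        'BEGIN { if (o < 0) o = -o; exit (o <= l) ? 0 : 1 }'
}

# Count enabled services in `networksetup -listallnetworkservices` output:
# the first line is a legend and disabled services are prefixed with "*".
count_active_services() {
    awk 'NR > 1 && NF > 0 && $0 !~ /^\*/ { n++ } END { print n + 0 }'
}

# Ask a domain controller for the clock offset. Assumption: ntpdate -q prints
# "server <ip>, stratum N, offset <seconds>, delay <seconds>".
measure_skew_against() {
    ntpdate -q "$1" | awk -F'offset ' '/offset/ { split($2, a, ","); print a[1]; exit }'
}

run_checks() {
    dc="$1"
    offset="$(measure_skew_against "$dc")"
    if clock_skew_ok "$offset"; then
        echo "clock ok: offset ${offset}s from $dc"
    else
        echo "clock skew of ${offset}s exceeds ${MAX_SKEW_SECONDS}s: fix Date & Time before binding"
    fi
    active="$(networksetup -listallnetworkservices | count_active_services)"
    if [ "$active" -gt 1 ]; then
        echo "$active active network services; disable all but the wired one, e.g.:"
        echo '  networksetup -setnetworkserviceenabled "Wi-Fi" off'
    else
        echo "network ok: one active service"
    fi
}

# The live checks only make sense on a Mac; elsewhere the functions are just defined.
case "$(uname -s)" in
    Darwin) run_checks "${1:?usage: $0 DC_HOST}" ;;
esac
```

Run it as `sh precheck.sh dc01.example.com` (hostname is a placeholder) before attempting the bind; `networksetup -setnetworkserviceenabled` is the command-line equivalent of “Make Service Inactive” and the same command with `on` re-enables the adapter afterwards.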

Configuring the Login Window

If you bound to AD successfully, you’ll now be able to log in using your AD credentials. Before testing this, go back to the Users & Groups pane and change the “Display login window as” setting to “Name and Password”. This’ll give you a username and password box on the login screen, instead of thumbnails that represent users.
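Everything done through System Preferences so far, naming the computer in the Sharing pane, joining the domain from Users & Groups and switching the login window to Name and Password, can also be scripted, which is useful when setting up a suite of machines. The script below is an added example, not code from the original post. It assumes macOS with `scutil`, `dsconfigad` and `defaults`, run by a local administrator via `sudo`; the domain, computer name and bind account are placeholders passed as arguments. The name check follows the post’s advice (letters, digits, underscore or dash only) and additionally enforces the 15-character NetBIOS limit that AD applies to computer names.

```shell
#!/bin/sh
# Added example (not from the original post): the post's GUI steps as a script.
# Assumptions: macOS with scutil(8), dsconfigad(8) and defaults(1); run as a
# local administrator. DOMAIN, COMPUTER_NAME and BIND_USER are placeholders.
set -eu

# Accept only letters, digits, underscore and dash (no spaces or other
# characters, as the post advises) and at most 15 characters, the NetBIOS
# limit for AD computer names. Returns 0 when the name is acceptable.
valid_computer_name() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Apply the name to all three macOS name fields. The Sharing pane sets
# ComputerName; LocalHostName is the Bonjour name and, being a DNS-style
# label, gets underscores replaced with dashes.
set_computer_name() {
    name="$1"
    valid_computer_name "$name" || { echo "rejected computer name: '$name'" >&2; return 1; }
    dns_name="$(printf '%s' "$name" | tr '_' '-')"
    sudo scutil --set ComputerName "$name"
    sudo scutil --set LocalHostName "$dns_name"
    sudo scutil --set HostName "$dns_name"
}

# Join the domain. The bind password is read with echo off rather than given
# on the command line, so it does not land in the shell history.
bind_to_ad() {
    domain="$1"; computer="$2"; bind_user="$3"
    printf 'Password for %s@%s: ' "$bind_user" "$domain"
    stty -echo; read -r pass; stty echo; echo
    sudo dsconfigad -add "$domain" -computer "$computer" \
        -username "$bind_user" -password "$pass"
    # Print the resulting configuration so the bind can be verified.
    dsconfigad -show
}

# Equivalent of "Display login window as: Name and Password".
set_login_window_name_and_password() {
    sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
}

main() {
    domain="$1"; computer="$2"; bind_user="$3"
    set_computer_name "$computer"
    bind_to_ad "$domain" "$computer" "$bind_user"
    set_login_window_name_and_password
}

# The live steps only run on a Mac; elsewhere the functions are just defined.
case "$(uname -s)" in
    Darwin) main "${1:?usage: $0 DOMAIN COMPUTER_NAME BIND_USER}" "${2:?}" "${3:?}" ;;
esac
```

Usage: `sh bind.sh example.local lab_mac-01 adadmin` (all three values are placeholders). `dsconfigad -show` at the end prints the domain and computer record the Mac is now bound with, which is the quickest way to confirm the join without logging out.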

Logging in to an Active Directory account

Log off the Mac and attempt to log in using your credentials. You may notice a red or yellow orb in the username box. This shows you the AD login status. If it’s red, you won’t be able to log in and if it’s yellow, you may be able to. Eventually the orb will disappear, allowing everyone to log in with their credentials. Whatever colour the orb is, you’ll always be able to log in to the local accounts that have been set up on the Mac.

Once the orb disappears, log in using your AD username and password. Once the Mac loads, you should see your user area in the Dock. It will appear as a folder and when clicked, it’ll reveal the contents of your user area. You can drag and drop stuff into it as well.

Troubleshooting

If you get a question mark in the Dock, this is most likely a folder permissions problem. Windows and OSX decide whether someone should have access to a folder differently: OSX requires the user to have read rights to every folder that contains their user area. So if your AD folder structure looks something like this: /myserver/staff/bob, you’ll need to make sure “bob” has read permissions on all folders leading up to his user area.
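The permission rule above can be checked mechanically: list every folder on the way to the user area and confirm the user can get into each one. The script below is an added example and is not part of the original post. It takes the post’s /myserver/staff/bob as a constructed sample path and assumes the share is mounted on the Mac so the path is visible to the local filesystem; it is meant to be run as the AD user in question (for example via `sudo -u bob`). Because on a Unix filesystem entering a folder needs the search (execute) bit as well as read, both are tested.

```shell
#!/bin/sh
# Added example (not from the original post): check that a user can reach
# their home folder by testing every folder that contains it.
# Assumptions: the share is mounted locally; run as the AD user being checked.
set -eu

# Print each ancestor of PATH from the top down, one per line, e.g.
#   /myserver  /myserver/staff  /myserver/staff/bob
# Leading, trailing and doubled slashes are tolerated.
ancestors_of() {
    rest="${1#/}"
    rest="${rest%/}"
    acc=""
    while [ -n "$rest" ]; do
        case "$rest" in
            */*) part="${rest%%/*}"; rest="${rest#*/}" ;;
            *)   part="$rest";       rest="" ;;
        esac
        [ -n "$part" ] || continue
        acc="$acc/$part"
        printf '%s\n' "$acc"
    done
}

# Test read and search access on every ancestor, printing one line per folder.
# Returns 1 if any folder is inaccessible to the current user (a missing folder
# counts as inaccessible too, which also catches a mistyped home path).
check_home_access() {
    ancestors_of "$1" | {
        status=0
        while IFS= read -r dir; do
            if [ -r "$dir" ] && [ -x "$dir" ]; then
                printf 'ok      %s\n' "$dir"
            else
                printf 'DENIED  %s\n' "$dir"
                status=1
            fi
        done
        # Only the subshell exits here; the pipeline's status becomes the return value.
        exit "$status"
    }
}

# Run the check when a path is supplied on the command line.
if [ $# -gt 0 ]; then
    check_home_access "$1"
fi
```

Usage on the client: `sudo -u bob sh homecheck.sh /Volumes/staff/bob` (path and user are placeholders); the first line marked DENIED is the folder whose permissions need fixing on the Windows side. A user who can read “bob” but not “staff” is exactly the case that produces the question mark in the Dock.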