A walkthrough of the steps needed to join an OS X 10.3 or 10.4 client to a Windows 2000 or Windows 2003 domain.
Any time you see a star [*] symbol in the text, it is a link to a screenshot of what is being discussed.
Setup (on the Windows DC)
- Open Active Directory Users and Computers (ADUC)[*] and decide on a location for the Apple Mac’s computer account. Best practice suggests creating an OU for Apple computer accounts.
- Create a computer account, giving it the name that you want to use for the Apple computer on your network – do not assign a GUID to make it a ‘managed’ account.
- Close ADUC
Setup (on the OS X client)
- Log in with an account that has admin access to the computer.
- Open System Preferences and open the Sharing tab.
- Check that the computer’s name is the same as the one we just used in ADUC. [*]
- Click Show All
- Click Network. Select your active connection, and click on TCP/IP
- (If you are using DHCP then some or all of this information is possibly already delivered by your DHCP server – check with the DHCP admin)
- Type in a suitable IP address, subnet mask, router address.
- Type in a DNS server address – ENSURE that at least the first DNS server in the list corresponds to an Active Directory DNS server.
- Click on Search Domains and fill in your Active Directory domain.
- Click Apply Now.[*]
- Click Accounts, then click Login Options, authenticating with your LOCAL admin account if asked.
- Under “Display Login Window As” select “Name and Password”.[*]
- Close System Preferences.
Testing that the client computer can “see” the network.
- Open the Finder, and navigate to the Utilities folder inside Applications.[*]
- Open the terminal, and ping domain controllers by NETWORK NAME to ensure that DNS resolution is working properly within your domain.
- Ensure that name and IP are resolved correctly and that the ping actually works. [*]
- Stop the ping and close the terminal when done.
DO NOT TRY TO PROCEED IF THE ABOVE STEP DOES NOT WORK!
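The manual ping test above can be scripted. The following is an added example, not part of the original walkthrough: it asks the configured DNS server for the domain controller SRV records that Active Directory publishes, then resolves and pings each controller by name. It assumes `dig` and `ping` are available in Terminal; the function names and the domain `example.local` are placeholders chosen for illustration.

```shell
# Added example: pre-bind DNS check for an Active Directory domain.
# Assumes dig and ping are installed; example.local is a placeholder domain.

# Extract DC host names from `dig +short SRV` output read on stdin.
# Each answer line looks like: "<priority> <weight> <port> <target>."
srv_targets() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print tolower($4) }' | sort -u
}

# Succeed only if host name $1 lies inside DNS domain $2.
in_domain() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$host" in
        *."$dom") return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: list DCs via their SRV records, then resolve and ping each one.
prebind_check() {
    domain=$1
    dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | srv_targets)
    if [ -z "$dcs" ]; then
        echo "FAIL: no domain controller SRV records for $domain" >&2
        return 1
    fi
    rc=0
    for dc in $dcs; do
        if ! in_domain "$dc" "$domain"; then
            echo "WARN: $dc is outside $domain" >&2
        fi
        addr=$(dig +short A "$dc" | head -n 1)
        if [ -z "$addr" ]; then
            echo "FAIL: $dc has no A record" >&2; rc=1; continue
        fi
        if ping -c 2 "$dc" >/dev/null 2>&1; then
            echo "OK: $dc ($addr)"
        else
            echo "FAIL: $dc ($addr) did not answer ping" >&2; rc=1
        fi
    done
    return "$rc"
}

# Run the live check only when a domain is given on the command line.
if [ $# -gt 0 ]; then prebind_check "$1"; fi
```

An empty SRV answer usually means the first DNS server in the client's list is not an Active Directory DNS server, which is the condition the TCP/IP step above warns about.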
Binding the Mac client to the Windows Domain
- Run the Directory Access tool, which is also in the Utilities folder.
- Tick “Active Directory”, then click Configure. [*]
- Fill in the Fully Qualified Domain Name of the Active Directory namespace (note, NOT the Active Directory Domain Controller!).
- Fill in the computer name of the Mac. This should be the same as the one we set up earlier in ADUC on the Windows server, and configured the Mac to use in System Preferences. [*]
- Click BIND. Authenticate with your local Admin password if asked to do so.
- Next, fill in the details of a Windows User Account with permissions to add computers to the domain. Typically this will be an admin’s account.
- IF you DID NOT pre-create a computer account for the Apple Mac, then fill in the Computer OU with the details of where you’d like the account to be created, using standard LDAP notation.
- If you HAVE pre-created a computer account, then leave this as it is.
- Ensure that both tickboxes are ticked.
- Click OK [*]
The client will now attempt to bind to AD and join the domain.
- If you HAVE pre-created a computer account then you should be asked if you wish to use an existing computer account. Click OK, because that is exactly what we’re trying to do. [*]
- When the operation is finished, you can close Directory Access by clicking OK.
- At this time you can also click Advanced Options to inspect and configure custom settings. I strongly suggest leaving these alone if you don’t know what they mean or why you would want to change them. [*]
If all goes well you should now be greeted with a login window that expects you to type in your username and password [*] instead of selecting from a list.
You should now be able to log in with an Active Directory account by typing in the username and password in the traditional manner, and you can also log in with a local account by specifying its username and password in the same way.