if you wanna be good at something, you gotta start somewhere

Mac OS 10.5 consistently resisted most attempts to bind to Windows domain controllers with all kinds of errors and connection problems. Fortunately, the process has been greatly improved in Snow Leopard, the latest incarnation of Mac OS X. Anyone wishing to integrate a Mac with an existing Windows based network is highly encouraged to upgrade to 10.6.5. Along with the many other useful updates and improvements it is $30 well spent.

This article describes how to join Snow Leopard to a Windows Server 2008 R2 domain.

Creating a Computer Account

The first step is to create a computer account on the Active Directory domain controller:

1. In the domain controller’s Server Manager navigate to Roles → Active Directory Domain Services → Active Directory Users and Computers
2. Select the domain the Mac should join to, right-click Computers and click New → Computer
3. In the New Object – Computer dialog window enter a name for the Mac computer, make it a member of the desired group and click OK

The new entry for the Mac computer should now be displayed in list of registered domain computers. The computer’s description can be added by opening its properties (right-click).

Joining the Mac

The Mac can be configured from the command line interface using the dsconfigad command, but for most purposes it is generally easier to use the Directory Utility graphical user interface that is integrated into Mac OS. Please note that the Directory Utility, which previously used to be located in /Applications/Utilities/ can now be found in /System/Library/CoreServices/.

1. Launch the Directory Utility and unlock it as a local administrator, if necessary
2. In the list of directory plug-ins, select Active Directory and click the pen button at the bottom left to configure the plug-in.
3. In the configuration dialog, enter the names of your Active Directory domain, as well as the Mac computer. The Computer ID field should match the name of the entry that was previously created on the domain controller. Then click the Bind… button
4. Enter a user name and password credentials for a domain user that is authorized to join computers to the Active Directory domain. If this is also the account you will be operating the Mac under, you may leave the Use for authentication and Use for contacts boxes checked.
5. In the next step the Directory Utility will detect the existing computer account previously created in the Active Directory. Click OK to join the Mac to the existing account.

The Mac should now be bound to the Windows domain.

Supporting Multiple Domain Controllers

If multiple domain controllers are present on the local network, as is often the case in enterprise and corporate networks, the Directory Utility can be configured to bind to a preferred server. The option can be found in the Active Directory plug-in’s Advanced Options.

Alternatively, this option can also be set using the following console command in the terminal:

dsconfigad -preferred SERVERNAME

If the Domain Controller Cannot Be Found

Should the binding operation fail due to the domain controller being unreachable or otherwise not found, try the following:

• Make sure the Mac uses the domain’s DNS server. In most cases this will be the same IP address as the domain controller. The setting can be found in the DNS section of the Network options in the System Preferences
• Try add the domain suffix to the search domains. This setting can be found in the same section as the DNS server (see example screenshot on the right).

Resources

• Integrating Mac OS X 10.3 with Active Directory (PDF, Apple 2009)
• Snow Leopard and Active Directory Tips and Reports (MacWindows.com)