Please help: adding a Mac PC to the Windows domain at work




john0026
May 10, 2008, 06:49 AM
I am trying to add our Mac PCs to the Windows domain at work. I am a little confused on where to start from. Do I need Mac OS X 10.5 Leopard Server to do this, or can I do this without Mac OS X Server? We are using VMware ESX and Windows Server 2003 in the corp environment. Are there any 3rd party tools to get this accomplished?



Eidorian
May 10, 2008, 06:59 AM
Take a look at this thread (http://forums.macrumors.com/showthread.php?t=460582) first.

VideoFreek
May 10, 2008, 01:45 PM
Funny you should ask; I was just playing around with this for the first time today. While it's fresh in my mind, I'll walk you through the steps. The following instructions apply to Leopard--I'm not sure if this would apply to earlier versions of OS X:

1) From Finder, select Go-->Utilities from the menu
2) Run "Directory Utility"
3) Click the little padlock, and enter a Mac admin's credentials to unlock it
4) Click on "Show Advanced Settings"
5) When the toolbar appears, select "Services" and then select "Active Directory" checkbox
6) Next, select "Directory Servers" from the toolbar, then click the "+" button to add your AD domain server
7) In the top drop-down box "Add a new directory of type," select "Active Directory".
8) Enter the name of your domain (I used FQDN nomenclature as in "mydomain.com"), then enter the username and password of a Domain Admin that is authorized to add computers to the AD directory and click OK
9) In the directory servers list, you should now see your domain with a little green light next to it and the message "This server is responding normally."
10) Now log off.
11) If the Mac is configured to show a list of users at login, select "Other" at the bottom. Enter your domain logon credentials: "mydomain\username" and your password. The machine will pause a minute to create new user folders, and then you're in AND you have access to all of your network shares without entering your name and password again.

That's it! What's cool is that any domain user can now log on to the machine without a local account being set up first.

Some caveats:

You will have trouble if the domain userID happens to match the short name of a local Mac account, e.g., if there is a local account named "Rich" and a domain user "mydomain\Rich" this will not work properly--it won't create new user folders for the domain user.

If you ARE running Leopard, make sure you're up to date. I was reading some complaints in another forum that AD integration was broken in Leopard prior to 10.5.2. I haven't personally verified that this is true, but just a word to the wise...

Hope this helps, have fun!

john0026
May 10, 2008, 06:09 PM
Thanks videoF, very useful info. I would try it out on Monday and let you know what happens.

Supa_Fly
May 12, 2008, 12:12 AM
Indeed, Wicked info! Bookmarking this info for future reference. Didn't know that this was possible!

bentoms
May 12, 2008, 03:34 AM
The best site for information about this is: http://www.afp548.com

I have used their whitepaper (found here) (http://www.afp548.com/filemgmt/visit.php?lid=12) to connect Macs to AD 2003 in various environments.

If you have all of your data on a Windows Managed SAN with Distributed File Sharing & SMB Signing configured & your Macs are running 10.4, then you may like to try AdmitMac (http://www.thursby.com/products/admitmac-eval.html).

(Apparently 10.5 can access the above security methods but I haven't tested this follow due to the below).

If you are looking at using 10.5 & have a large network, be warned, as 10.5 queries every DC on the domain before it allows you to login. I am currently working at a Global Company with some 50 DCs located across the globe & login can take 6 - 10 Minutes.

I am waiting for 10.5.3 to resolve this.

tgallant
May 13, 2008, 12:43 PM
There is really easy software to use; if you google "Adding Mac to Active Directory Client lists", it is like the second or third one.

Sky Blue
May 13, 2008, 12:48 PM

under Advanced options I would check 'Create mobile account at login' and 'prefer this domain server'.

If you are looking at using 10.5 & have a large network, be warned, as 10.5 queries every DC on the domain before it allows you to login. I am currently working at a Global Company with some 50 DCs located across the globe & login can take 6 - 10 Minutes.

I am waiting for 10.5.3 to resolve this.

Why not just add in the preferred DC?

VideoFreek
May 13, 2008, 02:15 PM
under Advanced options I would check 'Create mobile account at login' and 'prefer this domain server'.

Just out of curiosity (I'm still learning this stuff), what does the "create mobile account" setting do, exactly?

bentoms
May 14, 2008, 03:40 AM
Just out of curiosity (I'm still learning this stuff), what does the "create mobile account" setting do, exactly?

It creates a local account on your Mac that checks the server for your username & password details when you login (if available & the cached credentials if not).

By using this, Laptop users can login when 'off network' but will authenticate to the network when back in the office.

Sky Blue
May 14, 2008, 12:17 PM
It creates a local account on your Mac that checks the server for your username & password details when you login (if available & the cached credentials if not).

By using this, Laptop users can login when 'off network' but will authenticate to the network when back in the office.

What he said :)

bentoms
May 14, 2008, 12:22 PM
Why not just add in the preferred DC?

I have... it still queries them.

This is similar to the behavior of 10.3.something, but I have found that 10.5.3 should sort it.

Can't wait to test it though!

modi55
Jun 9, 2008, 08:07 AM
Hey guys,

Need your help, guys. I am about to create an MS domain for a company, but they want to join 5 Mac PCs to the domain, and they also want to create a redirection path to a folder as backup for each user. So I know how to create an MS domain and join the Windows PC users, but I don't know anything about Mac PCs. Could anybody help me with this, guys?

Sky Blue
Jun 9, 2008, 08:15 AM
Hey guys,

Need your help, guys. I am about to create an MS domain for a company, but they want to join 5 Mac PCs to the domain, and they also want to create a redirection path to a folder as backup for each user. So I know how to create an MS domain and join the Windows PC users, but I don't know anything about Mac PCs. Could anybody help me with this, guys?

Did you even read the thread?

modi55
Jun 10, 2008, 09:07 AM
Did you even read the thread?


Yes, now I did :o sorry..

parsnipc
Jun 17, 2008, 02:40 AM
Hi All,

I'm trying to add my Mac to a Windows network at work. I've followed the above steps (Thanks!! They're terrific)... but I'm getting this error when I go through the "add active directory" part:

An unexpected error type - 14120 (eDSPermissionError) occured.

I think maybe this means my mac needs to be added to the windows network permission list or something?? Somewhere? Anyone have any idea about this at all??

Thanks!! :D

skyman1978
Jul 24, 2008, 08:39 PM
I have a Mac G5 we are using to play around with adding to the MS Active Directory. For about a week it has been absolutely sweet. Following the steps in this thread, we have it sitting on the domain, accessing the network drives, talking to the Exchange server, using the network printers (including a Canon multifunction with some funky custom accounting software - took me forever to work that one out), but in the last couple of days it hasn't been playing ball. It keeps losing its connection to the domain. At first I thought the issue was a dodgy ethernet cable, but it isn't; then I suspected the network switch. Again no. At the login screen the other user option comes and goes as connection with the server is gained or lost. Usually this happens too quickly to log on. If I log onto the Mac's local admin account, the Directory Utility says that the server isn't responding. So the fault may be with the server, but that seems a little strange given it was working quite happily for more than a week. I have looked everywhere I can think of to see if I have overlooked something, but I am not sure where I should be looking. I have been a long time Mac user at home but have never needed to network one before, so I am sort of following my nose. I do have admin access to the AD but I am no systems engineer, so I am sort of following my nose there as well. I did get our regular engineer to check the AD, but he isn't a Mac person so probably wouldn't know what to look for either. If we can get this working somewhat stably then the number of Macs we use will hopefully increase.

paulthepcguy
Jul 30, 2008, 03:48 PM
Hi All,

I'm trying to add my Mac to a Windows network at work. I've followed the above steps (Thanks!! They're terrific)... but I'm getting this error when I go through the "add active directory" part:

An unexpected error type - 14120 (eDSPermissionError) occured.

I think maybe this means my mac needs to be added to the windows network permission list or something?? Somewhere? Anyone have any idea about this at all??

Thanks!! :D

Make sure the machine name does not have an underscore '_'. I received the same message but then realized the underscore in my machine name.

movement3
Jul 31, 2008, 04:58 PM
Thanks for the post, I was able to get a test machine connected to AD. Any tips on how to move the current home directory (files and settings) to the new one? Would it be the same steps as moving the home dir to another hard drive?

paulthepcguy
Jul 31, 2008, 11:18 PM
Thanks for the post, I was able to get a test machine connected to AD. Any tips on how to move the current home directory (files and settings) to the new one? Would it be the same steps as moving the home dir to another hard drive?


Sorry, I am not sure. I am new to Mac.

jvandyke
Sep 18, 2008, 10:23 PM
What if you don't get an "other" user on the log in screen? Am I missing something obvious and simple or is this a 10.5.4 bug?
Binding to AD was fine, how can I log in?

bartzilla
Sep 19, 2008, 07:38 AM
What if you don't get an "other" user on the log in screen? Am I missing something obvious and simple or is this a 10.5.4 bug?
Binding to AD was fine, how can I log in?

Not sure why it's not showing up.. unless.. you need to *reboot* your mac to make it work with the AD login provider.

We have our macs at work set to ask for username and password in the more traditional network PC manner.

To set this:
System Preferences > Accounts > Login Options > "Display Login Window As:" and tick "Name and Password".

paulthepcguy
Sep 19, 2008, 07:39 AM
Check the settings under 'Directory Utility' and 'Active Directory'. We had an issue with the mobile account.

We have:

Create mobile account at login 'checked'
Require confirmation before creating a mobile account 'unchecked'
Force local home directory on startup disk 'checked'
Use UNC path from AD to derive network home location 'unchecked'
Default user shell 'checked' with '/bin/bash'

Hope this helps.

jvandyke
Sep 20, 2008, 09:47 AM
I updated to 10.5.5 at home, next time I was at that location "other" showed up. I admit I don't understand it exactly, as I click on it, it required my AD username but my Mac password? Then my Mac account loaded but I had the access to the web that I wanted. Hmmmm Worked out exactly like I wanted. I only wanted the ability to surf the web and the IT people told me I needed to add my computer to the domain. Which I did myself. Thanks though, it probably won't work again Monday.

brahma
Oct 9, 2008, 06:13 AM
I am new to using Macs and know nothing - there are brilliant tips guys - got my Mac on the AD domain now. Couple of questions - hope someone can help!

If I logon to the Mac with an AD user account and open Finder and go to the "Shared" tab, I see all of the shares that are available on the authorising domain controller, including my user account's share (listed with a $ at the end). How can I hide these shares?

I would like to map some drives and provide access to printers currently being delivered by my domain controllers, in the same way as my PCs work. How can I do this?

Is it possible to create a policy that restricts access to certain components on the Mac dependent on user logon permissions - again in the same way as PCs work? Is this a Mac policy or would it be an AD policy?

Many thanks again for helping the Newboy!!

modi55
Oct 12, 2008, 10:57 AM
Hi again guys, I've made the network and everything works great, but some of the Mac users called me and said "my Mac takes so long to login". I thought it's about 2 or 3 mins. I asked him how long it takes and he said 2 hours, sometimes 1 hour 30 mins :confused: :( :confused: I made some tests; I tried to clear the system cache using the OnyX software but it didn't help. So then I thought, why don't I remove the network cable and try :):D:) It worked: it takes him only 1-2 mins to login. So I know it's not a pro solution, but as usual I really need your help guys.

bartzilla
Oct 15, 2008, 06:10 AM
Hi again guys, I've made the network and everything works great, but some of the Mac users called me and said "my Mac takes so long to login". I thought it's about 2 or 3 mins. I asked him how long it takes and he said 2 hours, sometimes 1 hour 30 mins :confused: :( :confused: I made some tests; I tried to clear the system cache using the OnyX software but it didn't help. So then I thought, why don't I remove the network cable and try :):D:) It worked: it takes him only 1-2 mins to login. So I know it's not a pro solution, but as usual I really need your help guys.

Every problem we've had with long logins and Leopard has been traced to Leopard not liking some part of the DNS settings issued by our DHCP servers. Tiger works fine, all versions of Windows work fine. We've used static IPs as a workaround for now.

sdotbailey
Nov 11, 2008, 06:59 PM
Make sure the machine name does not have an underscore '_'. I received the same message but then realized the underscore in my machine name.


Hey Paul, I also removed the underscores but am still getting the same error messages. Do you have any other advice? My sys admin guy really isn't all that interested in helping me here, so, I'm learning this ***** on my own!

Any help will be appreciated!

Thanks,
Shawn

sdotbailey
Nov 11, 2008, 10:06 PM
Hey Paul, I also removed the underscores but am still getting the same error messages. Do you have any other advice? My sys admin guy really isn't all that interested in helping me here, so, I'm learning this ***** on my own!

Any help will be appreciated!

Thanks,
Shawn

OK, so, I'm a douchebag....I figured it out and got connected.

But, from this tutorial I was reading, it made it seem that a new "Other" option should appear for me when I logged out/rebooted/whatevered my system after binding. But, that isn't the case. Can anyone offer any help with this instance? If I'm bound to the AD, what needs to happen next?

Thanks,
Shawn

piper28
Nov 13, 2008, 03:13 PM
I've been fighting with this issue of adding a mac to the AD myself off and on. In my case, I've been able to get the mac to bind to the domain without any problems. After that, I can use the Directory utility and can see lists of the users, groups, etc on the domain. However, for the life of me, I've been unable to get a domain user to be able to login to the mac. All I ever get is the login box shaking at me. I'm guessing I'm missing something simple stupid, but when I compare what I've done to what the various guides out there show, I just don't see what I'm missing. I've tried multiple domain accounts, so it's not that it's matching a same named account on the mac.

surya973
Nov 17, 2008, 08:02 AM

Hi... this seems extremely useful and I really would like to enter the windows network in my home with my mac, but I can't get beyond the 4th step because the window that comes up doesn't have "show advanced settings". My Mac version is 10.4.1.1
Any tips?
thanks in advance!

Sky Blue
Nov 18, 2008, 06:32 PM
Hi... this seems extremely useful and I really would like to enter the windows network in my home with my mac, but I can't get beyond the 4th step because the window that comes up doesn't have "show advanced settings". My Mac version is 10.4.1.1
Any tips?
thanks in advance!

Do you mean 10.4.11? Those instructions are for 10.5. In 10.4, just click Active Directory and then 'Configure'.

You're running Active Directory at home?? :confused:

jerwhite
Jul 22, 2009, 11:36 AM
I have a Mac G5 we are using to play around with adding to the MS Active Directory. For about a week it has been absolutely sweet. Following the steps in this thread, we have it sitting on the domain, accessing the network drives, talking to the Exchange server, using the network printers (including a Canon multifunction with some funky custom accounting software - took me forever to work that one out), but in the last couple of days it hasn't been playing ball. It keeps losing its connection to the domain. At first I thought the issue was a dodgy ethernet cable, but it isn't; then I suspected the network switch. Again no. At the login screen the other user option comes and goes as connection with the server is gained or lost. Usually this happens too quickly to log on. If I log onto the Mac's local admin account, the Directory Utility says that the server isn't responding. So the fault may be with the server, but that seems a little strange given it was working quite happily for more than a week. I have looked everywhere I can think of to see if I have overlooked something, but I am not sure where I should be looking. I have been a long time Mac user at home but have never needed to network one before, so I am sort of following my nose. I do have admin access to the AD but I am no systems engineer, so I am sort of following my nose there as well. I did get our regular engineer to check the AD, but he isn't a Mac person so probably wouldn't know what to look for either. If we can get this working somewhat stably then the number of Macs we use will hopefully increase.

Try going to Date and Time; you have to check "set date and time automatically". But instead of choosing an external time server, you choose your internal time server. My internal time server is my domain controller. Windows silently kicks you off the domain if you aren't synchronized with the internal time server/service. Hope this helps.
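
Added example, not written by any poster in this thread: a shell pre-bind check that collects the pitfalls reported above (an underscore in the computer name, a local short name that matches the domain user ID, and clock drift from the domain controller). The function names are hypothetical, and the 15-character name limit, the letters/digits/hyphen rule and the 300-second skew tolerance are assumptions based on common Active Directory defaults, not values stated in the thread.

```shell
#!/bin/sh
# Pre-bind checks for joining a Mac to Active Directory (added example).
# On a real Mac the inputs could come from `scutil --get ComputerName`
# and `dscl . -list /Users`; here they are passed in as arguments.

MAX_NAME_LEN=15    # assumption: NetBIOS computer-name limit
MAX_SKEW_SECS=300  # assumption: default Kerberos clock-skew tolerance (5 min)

# Returns 0 if the name is safe to use as the AD computer ID.
check_computer_name() {
    name=$1
    [ -n "$name" ] || { printf 'FAIL: computer name is empty\n'; return 1; }
    case $name in
        *_*) printf 'FAIL: "%s" contains an underscore\n' "$name"; return 1 ;;
        *[!A-Za-z0-9-]*) printf 'FAIL: "%s" has characters other than letters, digits, hyphen\n' "$name"; return 1 ;;
    esac
    if [ "${#name}" -gt "$MAX_NAME_LEN" ]; then
        printf 'FAIL: "%s" is longer than %s characters\n' "$name" "$MAX_NAME_LEN"
        return 1
    fi
    printf 'OK: computer name "%s"\n' "$name"
}

# $1 = domain logon (with or without a DOMAIN\ prefix); remaining args =
# local account short names. The comparison ignores case.
check_shortname_collision() {
    stripped=${1##*\\}
    domain_user=$(printf '%s' "$stripped" | tr '[:upper:]' '[:lower:]')
    shift
    for local_user in "$@"; do
        lc=$(printf '%s' "$local_user" | tr '[:upper:]' '[:lower:]')
        if [ "$lc" = "$domain_user" ]; then
            printf 'FAIL: local account "%s" shadows domain user "%s"\n' "$local_user" "$stripped"
            return 1
        fi
    done
    printf 'OK: no local account matches "%s"\n' "$stripped"
}

# $1 = local time, $2 = domain controller time, both in epoch seconds.
check_clock_skew() {
    skew=$(( $1 - $2 ))
    [ "$skew" -ge 0 ] || skew=$(( -skew ))
    if [ "$skew" -gt "$MAX_SKEW_SECS" ]; then
        printf 'FAIL: clock differs from the DC by %s s (limit %s s)\n' "$skew" "$MAX_SKEW_SECS"
        return 1
    fi
    printf 'OK: clock skew %s s\n' "$skew"
}

# Runs all three checks; the return status is the number of failed checks.
# Args: computer name, domain user, local epoch, DC epoch, local short names...
preflight() {
    comp=$1; duser=$2; lnow=$3; dcnow=$4
    shift 4
    failures=0
    check_computer_name "$comp" || failures=$((failures + 1))
    check_shortname_collision "$duser" "$@" || failures=$((failures + 1))
    check_clock_skew "$lnow" "$dcnow" || failures=$((failures + 1))
    return "$failures"
}

# Constructed sample values, not taken from a real machine.
preflight "design_mac01" 'mydomain\Rich' 1210000000 1210000900 admin rich \
    || printf '%s check(s) failed\n' "$?"
```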