Help on integrating Mac laptop into large Active Directory network

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Stubb, Dec 28, 2009.

  1. Stubb macrumors newbie

    Dec 28, 2009
    I have a MacBook Pro running 10.6.2 that I'd like to connect to an Active Directory network run on Windows Server. I have two user accounts on my Mac: one for personal stuff and another for work. The goal is to access two network shared drives from the work account. I'm not sure if it's a good or bad idea that the username of the work account on my laptop match my AD username. I already have a PC on my desk that can access them.

    I'm entirely unfamiliar with AD, and our sysadmins know nothing about Macs. So far I've only managed to bewilder myself reading AD documentation: I see that it's an authentication system but am not following the process after that. Credentials are apparently passed around via Kerberos. I've been poking around in the Accounts tab of the Control Panel under "Network Account Server" and playing with Directory Utility. The Advanced tab of Directory Utility for AD contains numerous options that I'm not sure I want to check or uncheck.

    I'm hoping that someone can point me to a good tutorial or explain the steps for making this happen. It can't be as difficult as I'm making it.


  2. TheAshMan macrumors regular

    Jan 22, 2009
    Clarksville, Maryland USA
    A few tips

    I have done a lot of Mac integration with Active Directory, extending the schema, binding and managing Macs with policies, etc., but given your situation with no admin support, there is little or no benefit to your integrating it with Active Directory, and doing so may bring you more hassle and create issues, thus creating hostility for you and your Mac. Binding it to AD benefits the Administrators, not really you. If all you want to do is connect to a couple of shares, I would just do that and leave the AD stuff alone. Yes, you won't get Kerberos for Single Sign On (SSO) for some things, but the Mac OS X keychain gives you the same experience without the overhead.

    There are some things you should do even if you don't connect to AD to make your life easier:

    Name your Mac
    :apple: System Preferences > Sharing

    In the Computer Name field, change it so it conforms to your organization's naming standard, usually a dept name, AD username combination. Click the Edit button to change the local hostname too. You don't want your machine showing up on the network as "Andreas' Macbook". System Admins, network, and security folk appreciate that sort of thing. Don't use an underscore "_" or any special characters, but a hyphen "-" is perfect.

    Fix name resolution
    :apple: System Preferences > Network

    Look in the Search Domains field to see if there are internal domain names here, such as,, etc. They should be published by the network already, but if not add them. Separate multiples with a comma.

    Connect to Shares
    (If you don't know how) To get to the shares at your work, open Finder and choose Go > Connect to server (or :apple:+K for shortcut) and type the SMB (stands for Server Message Block, which is the Windows sharing protocol) path to your share, e.g.: smb:// And click the + button to save the location for the next time. You will be prompted for your username and password for Active Directory; enable the option to save it in your keychain. If all is correct, you won't be prompted again until your password changes. If you click the Browse button you may be able to find it, but then you can't save the address. It is best to find out the path to the share and use that. After you successfully connect to a share, drag a folder to your sidebar in the Finder for easy access in the future. If your destination share has a parent share (ask your admins), connect to the parent share, then drag your share/folder to the sidebar for easy access. With your credentials in the keychain, that will always provide immediate access to your resources. Note: Do not rename the Finder sidebar shortcut; it will rename your folder/share as well. No way to customize that I know of.

    If you have an Active Directory environment, you likely have an Exchange environment for email. If it is Exchange 2007 up to a certain patch level, you can use OS X Mail, Address Book and iCal to access your Exchange mailbox data instead of Entourage. Ask your admins if you use Exchange 2007; if you do, this should work. Simply open Mail and add an Exchange account to see if it works. All you need to know is your email address and your AD credentials (domain\username and password) to use it. If your environment is somewhat current this will work; if not, your admins are behind in administering their environment.

    When adding printers, you will be able to see Active Directory printers published and others on your network; you don't need to integrate with Active Directory for this to work.

    Password Changes
    One thing to know is that if you are replacing a Windows machine, you will not be able to change your password unless you have an Exchange server for mail; then you can use the options in Outlook Web Access. Note you still have to know when your password will expire. You mention a PC on your desk, so if you still have that, you won't have any problems; just update the passwords on your keychain when prompted. There might be other workarounds for this.
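The naming advice in the post above (a department/AD-username combination, letters, digits and hyphens only, no underscores or other special characters) can be checked and applied from a shell. The following script is an added example, not code from the MacRumors post; the department and username values are constructed placeholders, and applying the name uses `scutil --set`, which exists on macOS and needs admin rights, so on any other system the script only reports what it would set.

```shell
#!/bin/sh
# Added example (not from the original post): build a computer name that follows
# the "dept-ADusername" convention, validate it against the stated rules, and
# apply it on a Mac with scutil. Department/user values are placeholders.

# Return 0 if NAME is an acceptable host name, 1 otherwise.
# Rules: non-empty, at most 63 characters (DNS label limit), letters, digits and
# hyphens only (no underscore or other special characters), and no leading or
# trailing hyphen.
valid_hostname() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 63 ] || return 1
    case "$name" in
        *[!A-Za-z0-9-]*) return 1 ;;   # any character outside the allowed set
    esac
    case "$name" in
        -*|*-) return 1 ;;             # must not start or end with a hyphen
    esac
    return 0
}

# Combine department and AD username, lower-case the result, and turn
# underscores and spaces into hyphens, e.g. "Finance" + "j_smith" -> "finance-j-smith".
make_hostname() {
    dept=$1
    user=$2
    printf '%s-%s' "$dept" "$user" | tr 'A-Z' 'a-z' | sed 's/[_ ]/-/g'
}

# Apply NAME as ComputerName, LocalHostName and HostName. scutil is macOS-only
# and requires admin rights; elsewhere just report what would be set.
apply_hostname() {
    name=$1
    valid_hostname "$name" || { echo "rejected: $name" >&2; return 1; }
    if command -v scutil >/dev/null 2>&1; then
        sudo scutil --set ComputerName "$name"
        sudo scutil --set LocalHostName "$name"
        sudo scutil --set HostName "$name"
    else
        echo "would set ComputerName/LocalHostName/HostName to $name"
    fi
}

# Usage: sh setname.sh <department> <AD username>
# Only acts when both arguments are given, so sourcing the file is side-effect free.
if [ $# -eq 2 ]; then
    apply_hostname "$(make_hostname "$1" "$2")"
fi
```

The validator is the part worth keeping even if you set the name by hand in System Preferences > Sharing: a name like "Andreas's Macbook" is rejected because of the apostrophe and space, and "finance_jsmith" because of the underscore, which is the check admins would otherwise make for you.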

  3. Les Kern macrumors 68040

    Apr 26, 2002
    A few tips??? That's what I like about MR... people willing to give a lot to help.
