Join Domain For Mac
You can use the Active Directory connector (in the Services pane of Directory Utility) to configure your Mac to access basic user account information in an Active Directory domain hosted on a Windows 2000 or later server. The Active Directory connector generates all attributes required for macOS authentication from Active Directory user accounts. By default, the user login options are locked to prevent unauthorized changes: if the lock icon at the bottom left of the page is locked, click it and enter your password when prompted. This unlocks the settings so that you can join the domain. Click the Join button; you're prompted to enter the name of the domain you want to join.
There’s a lot of noise in the marketplace about cloud identity management solutions. With organizations making the leap to the cloud with Google Apps, Microsoft Office 365, and other solutions, an Identity-as-a-Service solution is a perfect complement. On-prem solutions, such as Active Directory and OpenLDAP, don’t integrate well with a cloud-forward model. Furthermore, organizations are using more Macs and Linux devices within their infrastructure rather than being tied to Windows. This shift in the IT infrastructure is changing how directory services are delivered. A core question that IT is asking about Microsoft’s cloud directory solution is: can you bind Macs with Azure Active Directory?
Azure Active Directory Doesn’t Play Well With Others
As you might expect, Azure AD doesn’t play well with Macs. Active Directory doesn’t really play well with Macs either. Although you can do some basic authentication via AD, it is far more limited than what is possible with Windows. The challenge is that non-Windows devices now make up four out of five devices in an organization when you include smartphones and tablets (source).
With Windows no longer dominant, Active Directory manages less and less of an organization’s infrastructure. Add to that the fundamental shifts we are seeing in the IT environment with the move to the cloud, a mobile workforce, and DevOps methodology, and IT now has a significant uphill climb to centrally manage the infrastructure.
When You Bind Macs With Azure Active Directory, You End Up In A Real Bind
A key part of that management process is centralizing user management. IT pros know that a unified directory service that centrally manages user access is far preferred to managing user access on each system, application, or network. Not only are there efficiency benefits for IT, but it is also better for end users. In addition, it is more secure. That’s why as organizations look at Azure or Office 365, they immediately jump to the question of whether Azure AD can authenticate their Mac OS X devices. It can’t, but there is another path that is probably better suited to the needs of IT organizations.
Unified Cloud Directory Service, Level Playing Field
A unified cloud directory service can authenticate, authorize, and manage a wide variety of systems, applications, and networks. The Directory-as-a-Service® platform from JumpCloud® treats Windows, Mac, and Linux devices as equals. A most noteworthy feature is its ability to authenticate them regardless of their location. A small agent is placed on each system and user accounts are natively managed through each platform’s APIs. In addition to binding Macs to the cloud directory, it can also seamlessly integrate with G Suite and Office 365. User credentials from those platforms can be leveraged for access to other IT resources, thereby creating greater efficiency for end users and increased control and security for IT.
Put JumpCloud On Your Team
Looking to bind Macs with Azure Active Directory? Unfortunately, that’s not the way that Azure is built. Instead, take a look at how JumpCloud’s Directory-as-a-Service works with Mac fleets. Easily and quickly solve the problem without jumping through hoops with Azure AD or on-prem AD. Give JumpCloud’s cloud-hosted directory service a try for yourself to see how it works with your Macs. Your first 10 users are free forever.
Joining a Mac to Active Directory has become more difficult with each release. High Sierra and Mojave require an Active Directory functional level of Windows Server 2008 or later, and even then the bind can be tricky to get working.
When I started researching the topic I saw a whole lot of advice to install third party software to join a Mac to Active Directory. In most corporate environments installing third party software is frowned upon due to licensing and security considerations so I was determined to get the native Mac OS X tools to work.
This guide will walk you through the basic steps to join Active Directory without having to resort to using third party software.
Configure DNS Settings
One of the big roadblocks to joining Active Directory is DNS settings. In many networks DHCP won’t populate everything you need. Windows can get away with this, but when we are joining our Mac we need to make sure everything is populated.
The easiest way to get everything you need is to run ipconfig /all from the command prompt of a Windows machine that is already joined:
I have bolded the important things you need to verify.
You want to make sure that all of the DNS Suffix Search List entries are listed in the “Search Domains” box pictured below:
Next verify that all of the DNS servers coming up on your Windows machine are also put into the Mac DNS servers list. On my machine I got all of the DNS servers but only one of the search domains. Make sure it matches your already joined machine!
Configure Network “Sharing” Name
Go to the Settings app on your Mac again and choose “Sharing”.
This part is easy. Set this to the computer name you are going to join the domain with. Usually the existing one will be something like “admin’s iMac”.
Prestaging AD Computer Account
Next open up Active Directory and create a new “Computer” account.
I strongly recommend keeping your Mac name to 15 characters or less. This is demonstrated in the screenshot below. If that isn’t possible, then use the pre-Windows 2000 computer name when you join Active Directory, or you will get an error (see Troubleshooting).
Press OK to create the Active Directory account. Now switch back to the Mac and let’s perform the bind.
Join Active Directory
Next go back to the Settings app and choose “Users and Groups”.
From here we are going to select “Login Options” in the bottom left-hand corner of the screen. You will now see a “Network Account Server” field with a Join button. Click Join and fill everything out as follows:
Use your fully qualified domain name (FQDN). This is usually the same as your “Primary DNS Suffix” we got from our Windows machine. This allows us to get around any DNS configuration shenanigans.
For the Active Directory settings put in the pre-Windows 2000 computer name from the above step. If you chose a name of 15 characters or less they will both be the same.
For your AD username don’t use a form like DOMAIN\user or user@domain. We have already fully qualified the server in the server field, so the domain prefix is unnecessary and will cause problems. Enter the bare username as in the example above.
Now press OK and with any luck you will be met with a screen that looks like this:
Plugin Error 10001
This is the most common error you will get when you try to join High Sierra or Mojave to Active Directory. There are a few reasons it can come up.
Apple states that your Active Directory must be at a functional level of Windows Server 2008 or later unless you enable “weak encryption” (RC4 algorithm) support in your forest. Don’t do that: RC4 was broken many years ago and is trivially crackable.
However even with a functional level of 2008 I have yet to see it work regardless without prestaging the computer in Active Directory first and then attempting to join. Prestaging has fixed this error on all of the Macs I have joined to domains.
There are a few other requirements from Apple on the list that could be contributing but likely with prestaging you will be able to bind even without things like extended schema support, etc.
Plugin Error 5103
This error is frequently encountered if the name of your PC is too long. You should join the domain with the “pre-Windows 2000” computer name or even better choose a name for the Mac that is 15 characters or less.
My domain ends with .local
This is bad. Very bad. It has been a long-standing issue with joining Macs to Active Directory, as .local is the domain Apple’s own Bonjour (mDNS) uses by default. It used to be a matter of simply changing or disabling Bonjour, but that is no longer effective.
Using .local has been against best practices for many years, but not everyone has migrated their domains yet. If you are stuck in this situation and telling your sysadmins to get a grip and migrate their domain is not an option, then you may have to consider a third-party AD stack. Here’s a lengthy Spiceworks discussion on this topic.
If you have been able to find a workaround for this issue in Mojave or High Sierra definitely drop a comment below so we can share it but I was not able to find an instance of anyone getting around this in the newer versions of OS X without going third party.
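A preflight and bind script for the procedure above (search domains from the Windows box, the 15-character name limit behind error 5103, the .local check, then the dsconfigad bind with the prestaged name), added here as an example and not code from the original post. example.corp, MACLAB-01, jdoe, the OU path and the “Wi-Fi” network service are placeholders; the bind step only runs on macOS when invoked with --join.

```shell
#!/bin/sh
# Preflight checks for the AD bind described above, then the bind itself.
# example.corp, MACLAB-01, jdoe, the OU and the "Wi-Fi" service are placeholders.
# NetBIOS (pre-Windows 2000) names are capped at 15 characters; longer names
# are what produce plugin error 5103 on join.
check_computer_name() {
    if [ "${#1}" -gt 15 ]; then
        echo "computer name '$1' is ${#1} chars; NetBIOS limit is 15" >&2
        return 1
    fi
}

# A .local domain collides with Bonjour's mDNS; refuse rather than fight it.
check_domain() {
    case "$1" in
        *.local|*.local.) echo "'$1' ends in .local; Bonjour will intercept lookups" >&2; return 1 ;;
        *.*) return 0 ;;
        *) echo "'$1' is not a fully qualified domain name" >&2; return 1 ;;
    esac
}

# Every entry in the Windows "DNS Suffix Search List" ($1) must appear in the
# Mac's search domains ($2); both are space-separated lists.
check_search_domains() {
    missing=""
    for want in $1; do
        found=0
        for have in $2; do
            [ "$want" = "$have" ] && found=1
        done
        [ "$found" -eq 1 ] || missing="$missing $want"
    done
    [ -z "$missing" ] || { echo "search domains missing from the Mac:$missing" >&2; return 1; }
}

# macOS only. Reads the AD password from the terminal so it stays out of shell
# history, then binds with the prestaged computer name and shows the result.
join_ad() {
    check_domain "$1" && check_computer_name "$2" || return 1
    have=$(networksetup -getsearchdomains "Wi-Fi" | tr '\n' ' ')
    check_search_domains "$1" "$have" || return 1
    printf 'AD password for %s: ' "$3"; stty -echo; read -r pw; stty echo; echo
    sudo dsconfigad -add "$1" -computer "$2" -username "$3" -password "$pw" \
        -ou "$4" -force && sudo dsconfigad -show
}

if [ "${1:-}" = "--join" ]; then
    join_ad "example.corp" "MACLAB-01" "jdoe" "OU=Macs,DC=example,DC=corp"
fi
```

Run the preflight functions on their own first; if any of them fails, fix the DNS or naming problem before attempting the bind.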
As long as you aren’t in a .local domain, the native built-in tools should prove perfectly sufficient to join Mac OS X High Sierra and Mojave, provided you prestage the computer account.
That being said I can only speak for the environments I have worked in. If you follow this guide and encounter additional problems definitely leave a comment below so we can get that information out there!
You should also check out Apple’s Active Directory integration guide, as it covers some requirements that you may have run into that I didn’t.