Mac IT Guy: Macs and Active Directory

It's certainly possible to connect Macs to networks that are running Active Directory. But sometimes it takes a little doing.


We are a small office, with three Windows computers, a machine running Windows Small Business Server 2003 with Exchange and one iMac running Mac OS X 10.6. They are all connected via wireless or wired network. The iMac can't connect to Active Directory on the Windows server. Any advice?

You absolutely can add Macs to Active Directory; it’s actually pretty easy.

First, make sure your iMac’s version of Mac OS X 10.6 is as current as possible. Apple continually adds small improvements to its Active Directory support without specifically mentioning them. Next, you’ll need to figure out where in Active Directory you want that Mac to live. Since your network is fairly small, the default container—Computers—will work just fine. If your network were larger, you'd probably want to give the Macs a container or Organizational Unit (OU) of their own.

You also want to make sure that you have rights in Active Directory to add computers to that container. Go to /System/Library/CoreServices and open Directory Utility. (You’ll probably have to authenticate.) There, you’ll see a list of services in the main Directory Utility window. You want Active Directory. When you double-click on Active Directory, you’ll get a sheet that looks like this:

[Screenshot: Active Directory set-up screen]

For your purposes, you can ignore the Active Directory Forest field. (That’s for far larger networks.) Obviously enough, you'll want to enter your Active Directory domain name in the Active Directory Domain field. Leave the computer ID alone; Directory Utility pulls that from the Sharing preferences.

In the User Experience tab, you can probably leave most of the defaults. In particular, leave Network Protocol To Be Used set to smb:. While Windows Server 2003 was the last version of Windows Server to support Services For Macintosh, it was one of the worst AFP servers ever; you’re better off using Mac OS X's SMB support than Windows’ AFP support. The only change you’ll want to make in this tab is to enable Create Mobile Account at Login. That will make using Active Directory logins much easier.

The only other change I’d make is in the Administrative tab. Enable the Allow Administration By option; this will make anyone in the enterprise or domain admins group a local administrator on that Mac.

Next, click the Bind button and enter in your Active Directory username and password. Click OK and, after a few seconds, you should be done. Click OK again, quit Directory Utility, and reboot the Mac. Active Directory logins should work, and create their own home directory automatically.
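
To confirm from Terminal that the bind ended up with the settings described above, the following added example (not from the original article) audits the text printed by `dsconfigad -show`. The "Label = value" layout and the label names are assumptions that may differ between Mac OS X versions, and the sample report is constructed.

```shell
#!/bin/sh
# Added example: audit AD binding settings from `dsconfigad -show` text.
# Assumption: the report uses "Label = value" lines with these label names.

# Constructed sample report (not captured from a real machine).
SAMPLE_REPORT='Active Directory Domain          = example.local
Computer Account                 = imac01$
  Create mobile account at login = Enabled
  Network protocol to be used    = smb
  Allowed admin groups           = domain admins,enterprise admins'

# get_setting LABEL: print the value for LABEL from the report on stdin.
get_setting() {
    awk -F' = ' -v want="$1" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        tolower(key) == tolower(want) {
            val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }'
}

# audit_ad_bind: read the report on stdin, print one finding per line.
# Returns 0 if the settings match the article's recommendations, else 1.
audit_ad_bind() {
    report=$(cat)
    status=0
    check() {  # check LABEL EXPECTED_LOWERCASE_VALUE
        actual=$(printf '%s\n' "$report" | get_setting "$1")
        if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$2" ]; then
            echo "OK   $1 = $actual"
        else
            echo "WARN $1 = ${actual:-<missing>} (expected $2)"
            status=1
        fi
    }
    check "Create mobile account at login" "enabled"
    check "Network protocol to be used" "smb"
    # Every group listed here becomes a local administrator on this Mac.
    admin_groups=$(printf '%s\n' "$report" | get_setting "Allowed admin groups")
    old_ifs=$IFS; IFS=,
    for g in $admin_groups; do
        g=$(printf '%s' "$g" | sed 's/^ *//; s/ *$//' | tr 'A-Z' 'a-z')
        case $g in
            "domain admins"|"enterprise admins") echo "OK   admin group: $g" ;;
            *) echo "WARN unexpected admin group: $g"; status=1 ;;
        esac
    done
    IFS=$old_ifs
    return $status
}

# On a bound Mac: dsconfigad -show | audit_ad_bind
printf '%s\n' "$SAMPLE_REPORT" | audit_ad_bind
```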


If I use my Active Directory login on a PC, I automatically have access to a My Documents folder that is synced to that PC. Can I get that same convenience on my Mac? I'm using multiple Macs, all of them connect over Ethernet, all are relatively new Intel machines, and all run Snow Leopard.

Let’s assume that you have already bound your Macs to Active Directory. If so, then you should be able to just log into the server that hosts your My Documents folder via SMB in the Finder, and mount your home directory's My Documents folder. In the Finder, press Command-K (Go -> Connect to Server). In the dialog that pops up, enter smb://servername.networkname and click Connect. Assuming you’re bound to Active Directory correctly, you shouldn’t even need to enter a password. (Active Directory single sign-on is awesome!) Pick the appropriate share, and your My Documents folder should be right there.

[Editor's Note: Got a Mac IT question? Coming to Macworld Expo? John C. Welch will be answering questions there live on the Macworld Live stage Friday, January 28th starting at 2:00 PM. Come on by and see if he can help.]
