Prabeesh Satmet

Q: Best way to integrate Macbooks to Windows AD

Hi Guys,


I am really new to the Mac platform!!


I am a Windows administrator and I have around 30-40 MacBooks in my organization. I would like to join all these MacBooks to Windows Active Directory, and all users should log in with their AD accounts.

I saw an option on the client machines to join the domain, but they are getting removed from the domain after a couple of days.

I came to know that Mac has a server version, and in that there is a Directory Service feature. Could any one of you give me an idea about this feature, and can I use it to add my MacBooks to Windows Active Directory?


Please help.


Thanks

Prabeesh

MacBook, OS X Server

Posted on Jun 9, 2016 5:29 AM


  • by Strontium90, Level 5 (4,067 points), Servers Enterprise
    Jun 9, 2016 5:51 AM in response to Prabeesh Satmet

    Welcome to the fold.  Generally speaking, if you have AD, you do not want to reinvent the wheel by also deploying OD.  While OS X Server can play a role in an AD environment, using it for authentication and authorization is not a good plan.  You end up decentralizing your accounts/groups/passwords which is what AD is there for in the first place.

    If you are binding and everything is working for some time, I suspect you may need to adjust the password reset of the binding record.  When you bind a device to the domain, the computer record records a password in both AD and on the Mac.  By default this password will randomize every 14 days.  In some AD environments this results in a problem where the Mac will "fall off the domain" at exactly 14 days after the bind.

    To test this theory, bind a Mac.  After binding run this command on the Mac to set the password reset of the bind record to never reset:

    sudo dsconfigad -passinterval 0

    Wait 15 days.  If you are still connected to the domain, that is your issue.

    Run a man dsconfigad to check out the other hidden options.  Not everything is presented in Directory Utility and certainly not in System Preferences.

    If this is not the issue, I suggest looking into odutil.  With this command you can enable debug logging of directory services.  You may reveal the issue with the drop off.

    (It has been my experience that the Mac is usually not the issue - there tends to be a DNS or time issue that results in the problem - are all your Macs synchronized to the AD domain controllers for time?)

    Reid

    Apple Consultants Network

    Author - "El Capitan Server – Foundation Services"

    Author - "El Capitan Server – Control & Collaboration"

    Author - "El Capitan Server – Advanced Services"
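    An added offline check for the drop-off Reid describes (example script, not from the reply above or from Apple): it parses captured `dsconfigad -show` output, reports the bind state and the computer-account password change interval, and flags the 14-day default that causes the drop-off. The sample output is constructed, and the exact label text "Password change interval" is an assumption about the `dsconfigad -show` format.

```shell
#!/bin/sh
# Audit a Mac's AD bind record from `dsconfigad -show` output.
# Parsing works on captured text, so it runs without a bound Mac.

# Value of one "Label = value" line. $1 = show output, $2 = label (assumed wording).
show_value() {
  printf '%s\n' "$1" | sed -n "s/^ *$2 *= *//p" | head -n 1
}

passinterval_from_show() { show_value "$1" "Password change interval"; }
computer_account_from_show() { show_value "$1" "Computer Account"; }

is_bound() { printf '%s\n' "$1" | grep -q '^You are bound to Active Directory'; }

# Verdict on the bind record: 0 = rotation disabled, 1 = rotates (drop-off risk),
# 2 = not bound or interval line missing.
audit_bind() {
  show="$1"
  if ! is_bound "$show"; then
    echo "NOT BOUND: this Mac has no AD computer record"
    return 2
  fi
  acct=$(computer_account_from_show "$show")
  interval=$(passinterval_from_show "$show")
  case "$interval" in
    0)  echo "OK ($acct): computer password never rotates (passinterval 0)"; return 0 ;;
    "") echo "UNKNOWN ($acct): no 'Password change interval' line found"; return 2 ;;
    *)  echo "RISK ($acct): password rotates every $interval days; if Macs drop off" \
             "the domain after $interval days, run: sudo dsconfigad -passinterval 0"
        return 1 ;;
  esac
}

# Constructed sample of a freshly bound Mac still on the 14-day default.
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = corp.example
  Active Directory Domain          = corp.example
  Computer Account                 = mbp-lab01$

Advanced Options - Administrative
  Preferred Domain controller      = not set
  Password change interval         = 14
  Namespace mode                   = domain'

# On a real Mac read the live state; elsewhere audit the constructed sample.
if command -v dsconfigad >/dev/null 2>&1; then
  audit_bind "$(dsconfigad -show 2>/dev/null || true)" || true
else
  audit_bind "$SAMPLE_SHOW" || true
fi
```

    Note that `-passinterval 0` stops the machine-account password from ever rotating, so an admin trading that for stability should know the trade-off is permanent until the value is set back.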

  • by Leopardus, Level 4 (1,087 points), Desktops
    Jun 9, 2016 12:22 PM in response to Strontium90

    Top answer, as always!

  • by Prabeesh Satmet, Level 1 (4 points), Servers Enterprise
    Jun 29, 2016 10:20 AM in response to Strontium90

    Thank you very much Reid (Strontium90). It's working perfectly after changing the password interval to 0; earlier it was 14.

    I was waiting a couple of weeks for the confirmation. All good now. You saved my life and money. I was about to buy a third-party tool to integrate Macs with AD.

    You are a Pro!!!

  • by Leopardus, Level 4 (1,087 points), Desktops
    Jun 29, 2016 8:44 PM in response to Prabeesh Satmet

    Reid is simply one of the best and so unbelievably kind!