How to set up Active Directory Network
I've seen a lot of people asking how to set up Active Directory (AD), so I thought I'd post my setup, which works. This assumes you have a working AD tree, properly configured DNS, and an account that can add computer objects to AD. Here's what the plug-in configuration looks like in Directory Access (located in /Applications -> Utilities):
  • Active Directory Forest: forest.company.net
  • Active Directory Domain: mydomain.forest.company.net
  • ComputerID: mycomputer
You can make the forest the same as the domain if your users don't need to access resources outside the domain. I found this also speeds up authentication in some cases. When you click on Bind..., you have to enter a username and password that has rights to add computers. The format is just:
username
password
Advanced Settings:
  • Turn on the account cache if the computer will be used offline.
  • Turn on multiple domains if users need to access multiple domains.
  • If you have more than one domain controller, you can specify the one you want to use: pdc.mydomain.forest.company.net
  • Map a UID: if you don't know what this is, leave it alone.
  • Allow administration by: you can put an AD group name here and anyone in that group is added to the local admin group in NetInfo.
Select OK, quit Directory Access, reboot.
How to set up Active Directory
Authored by: vineetb on Nov 14, '03 11:47:33AM

I get this error message -

Insufficient privileges
The administrator account you specified does not have the appropriate privileges to perform the requested operation.

---
rock on'

How to set up Active Directory
Authored by: Hes Nikke on Nov 14, '03 12:08:28PM

Then the account you specified doesn't have rights to add a computer object.

Windows is silly about rights and permissions that way.

---
vacuums do not suck. they merely provide an absence that allows other objects to take the place of what becomes absent.

How to set up Active Directory
Authored by: matx666 on Nov 14, '03 01:34:21PM

I get "invalid domain and forest combination" :(

How to set up Active Directory
Authored by: ktappe on May 04, '04 01:52:25PM

>then the account you specified doesn't have rights to add a computer object.
>windows is silly about rights and permissions that way

Sorry, not true. I get the same error when I try to authenticate using the administrator account on the Windows server. Therefore this error message (which is not hard to get) is bogus--there must be some other cause of it.

How to set up Active Directory
Authored by: Zbigniew on Jul 27, '04 05:52:18PM

I'm also getting the "administrator account you specified does not have the appropriate permissions..."

I'm actually using the domain Administrator account. Anyone find out what is causing this? Or what I'm doing wrong?

Worked on one Mac, fails on another
Authored by: leono on Nov 14, '03 02:24:55PM

This worked quite nicely on a Sawtooth G4 here at my office. However, when I try to Bind a Pismo to the domain, it gets to step 5, hangs for a long time, and then throws some sort of vague error message (text of which escapes me at the moment). Looking at the AD PDC, I can see that the account has been created, but I can't find any detailed errors anywhere that indicate what's going wrong.

How to set up Active Directory
Authored by: mfried on Nov 14, '03 02:49:19PM

Well, I did this on a Panther Server, and had no issues binding the computer. But, in the Workgroup Manager, I don't get all of the user groups that are on the AD. I get all the users, but the groups stop at the letter 'J.' I have groups that start with 'W' that I need the most.

Any thoughts on why that happened? Anyone else having that problem?

---
Buy a Mac, save the world!

How to set up Active Directory
Authored by: Drakino on Nov 14, '03 04:39:03PM

Once I join, how do I log in? I bound my Powerbook to the domain here, but no combination of DOMAIN\user or user@domain will log me in.

How to set up Active Directory
Authored by: sgustafs on May 13, '04 11:51:59AM

I had this problem too. I found that if you have a local user on OSX with the same name as your AD account, you will always be logged on with the local credentials.

The Connect to Server option in the Directory Access utility does not work. If you are logged on with your AD credentials, the Connect to Server option in Finder works without asking for further authentication when connecting to Servers in the AD.

How to set up Active Directory
Authored by: Durandal on Nov 14, '03 07:20:33PM
I can't say that this hint is incredibly helpful. It left out the fact that you have to add the AD authentication path in the Authentication tab of Directory Access, otherwise you won't be able to authenticate users against the AD domain.

Also, we're currently fighting with trying to get Panther to play nicely on our AD domain at school. It doesn't respect the assigned administrator groups in the plug-in setup. To make an AD user an admin, you have to log in with that user, log out, log back in as the local admin and then assign the administrator privileges to that user in the Accounts preference pane. You can also add that particular user to the admin group in NetInfo. But for some reason, even though the proper AD groups show up in the admin group in AD, members of those groups are not automatically granted administrator privileges on the machine, like they should be.

The other headache is home directories. Upon logging in with an AD user the first time, Panther will ask if you want to create a local home folder for the user. If you say yes, a local home is created for the user and the user's network home share (if specified in AD) is mounted. If you choose to keep the user remote, no local home is created, and the network share path is not mounted, nor is it used as the home directory, the way it should be.

So basically, Apple has given us nothing new in terms of Active Directory support. I could do everything that I can do in Panther with Jaguar's LDAP plug-in to interact with Active Directory. With the LDAP plug-in, administrator groups were not recognized, which is something we thought would change with Panther. And Apple's support has been nonexistent. For god's sake, we want to implement this plug-in on an enterprise scale, and they're blowing us off. Are they just stupid?

---
Damien Sorresso

How to set up Active Directory
Authored by: tipster on Nov 14, '03 10:05:19PM

It's unfair to suggest it's given us nothing new that you couldn't do under LDAP under Jaguar.

The fact that you can bind to the AD domain is a huge step forward -- this isn't just about getting people to log onto a Mac, but about Macs *participating* in the Active Directory.

Jaguar's AD support, using Samba 3, also gives users the ability to move around the Windows domain as an authenticated user. They don't need to re-enter their username/password every time they want to access a server they have permission to. This is also a huge step forward.

Caching the users logon is also a godsend, and I don't believe Jaguar gave you that ability. Laptop users really benefit from this, with one sign on -- whether they're on the network or not.

How to set up Active Directory
Authored by: ktappe on May 04, '04 02:32:09PM
Can you say what to add to the Authentication Path to get this tip to work? I've tried adding a "/LDAPv3/(domain)" path but that still doesn't let me authenticate. Is there an "/AD" or similar prefix I should be putting in there?

point to remember
Authored by: tipster on Nov 14, '03 10:17:55PM

I struggled to get the add to domain part happening, until I realised that the username who is used to add the account - and the names of those users who want to log on - needs to be configured with both a long and short name within the accounts part of Users and Computers (on the W2k side). Our AD accounts only had the "pre-w2k username" part set, with the other username field left blank. Once I corrected this everything went smoothly.

The pre-w2k name is the long name under OS X - and the other field is used by OS X as the short name.

How to set up Active Directory
Authored by: climberbry on Nov 18, '03 05:52:25PM

Anyone have any AD server problems after binding to the domain? After binding with Panther's (10.3) Active Directory feature, our AD server stopped functioning. When we went looking for the problem on the AD server (W2K), we were unable to access "Users and Computers" and were getting this error:

"Naming information cannot be located because:
The target principal name is incorrect.
Contact your system administrator to verify that your domain is properly configured and is currently online."

We went through several tiers of TS at Apple. No help at all. A couple of them didn't even know Panther's Active Directory feature existed (that makes me feel warm and fuzzy!). Only after talking to Microsoft TS did we resolve the problem. They said our "Machine account secret was out of sync". MS had us run netdom resetpwd to reset the secret. All is back to normal (with Panther not on domain). We still don't know the exact cause, other than Panther seemed to cause it. Additionally, we have heard of other cases of this exact same thing happening with Panther. That was with 10.3. Don't know about 10.3.1 yet...still a little gun shy.

Anyone know if this is a bug, has it been addressed in 10.3.1, or have a workaround?


Pertinent Microsoft KB ARTICLES
======================
The following KB articles were referenced during the course of this case:

826902 You Cannot Browse the Drives of or Map a Drive to a Domain Controller
http://support.microsoft.com/?id=826902

216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain
http://support.microsoft.com/?id=216498

292438 Troubleshooting Journal_Wrap Errors on Sysvol and DFS Replica Sets
http://support.microsoft.com/?id=292438

818742 Overview of the Microsoft Configuration Capture Utility (MPS_REPORTS)
http://support.microsoft.com/?id=818742

ADDITIONAL RECOMMENDATIONS
==============================
A List of Windows 2000 White Papers and Technical Resources
http://support.microsoft.com/support/kb/articles/q298/4/47.asp?id=Q298447&sd=GN&fr=0&ln=EN-US

How to set up Active Directory
Authored by: PaulNelson on Dec 03, '03 11:07:40AM

You need to make absolutely sure you don't enter a domain controller in the Computer ID. You may have provided administrator credentials capable of resetting the password for the computer named in the computer ID field. If Panther's AD plug-in resets a domain controllers password by mistake, you will have the symptoms you describe.

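A precheck for the Computer ID mistake described in the post above, added here as an example rather than code from the hint or its commenters: it pulls the domain's DC names from the _ldap._tcp.dc._msdcs SRV record that AD publishes and refuses an ID that names one of them. The resolver is injected so the constructed sample records run offline; the host names are hypothetical.

```python
"""Precheck a proposed Computer ID against the domain's domain controllers.

AD publishes its DCs in the SRV record _ldap._tcp.dc._msdcs.<domain>. The
lookup is injected so this runs offline on constructed records; a real run
would plug in a resolver such as dnspython or the output of `dig SRV`.
"""
from typing import Callable, Iterable, List, Set

# Constructed SRV answers for the domain in the hint (hypothetical hosts).
SAMPLE_SRV = {
    "_ldap._tcp.dc._msdcs.mydomain.forest.company.net": [
        "pdc.mydomain.forest.company.net.",
        "bdc.mydomain.forest.company.net.",
    ],
}

def sample_lookup(name: str) -> Iterable[str]:
    """Stand-in resolver: SRV target hostnames for `name`."""
    return SAMPLE_SRV.get(name.lower(), [])

def normalize(name: str, domain: str) -> str:
    """Short host name: lowercase, no trailing dot, no '$', no domain suffix."""
    n = name.strip().lower().rstrip(".")
    if n.endswith("$"):            # AD machine accounts are written NAME$
        n = n[:-1]
    suffix = "." + domain.lower().rstrip(".")
    if n.endswith(suffix):
        n = n[: -len(suffix)]
    return n

def domain_controllers(domain: str, lookup: Callable[[str], Iterable[str]]) -> Set[str]:
    """Short names of every DC advertised for `domain`."""
    srv = "_ldap._tcp.dc._msdcs." + domain.rstrip(".")
    return {normalize(target, domain) for target in lookup(srv)}

def check_computer_id(computer_id: str, domain: str,
                      lookup: Callable[[str], Iterable[str]] = sample_lookup) -> List[str]:
    """Return the problems with a proposed Computer ID (empty list = safe to bind)."""
    short = normalize(computer_id, domain)
    if not short:
        return ["Computer ID is empty"]
    problems = []
    if len(short) > 15:
        problems.append(f"{short!r} exceeds the 15-character NetBIOS name limit")
    if short in domain_controllers(domain, lookup):
        problems.append(f"{short!r} is a domain controller: binding with it "
                        "may reset that DC's machine account password")
    return problems
```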
How to set up Active Directory
Authored by: climberbry on Dec 05, '03 09:12:44AM

Ah yes. I see. Apple, counterintuitively, wants the ID of my Mac here, not the name of the AD server, which is what you'd expect to put under the Active Directory configuration. Very important! Thanks a million!

How to set up Active Directory
Authored by: Schwie on Nov 20, '03 05:04:43PM

I'm having the following problem. I'm running 10.3.1, and I'm trying to bind. I keep getting the following error message. As far as I can tell, DNS is set up correctly. Any ideas?

DNS is not properly configured

DNS service on this computer is not properly configured. DNS entries for your servers must have forward and reverse entries that match. You should verify correct operation of the DNS service or contact your System Administrator for assistance.

*I'm not allowed to get support for my TiBook in the company (my choice if I want to use a Mac).*

How to set up Active Directory
Authored by: djlc on Nov 21, '03 03:58:09PM

Your forward zone and reverse zones have to correspond. In other words, make sure the reverse zone has pointers for all the hosts in the forward zone, and then feel free to add any other pointers in the reverse zone.
I'm having a problem myself though. I get my PowerBook to bind, and if I use some terminal commands, I can call up the list of domain users and groups, but none of them are authenticating on the PowerBook. Do I need to disable SMB services? The reason I ask is because I tried AdmitMac out and it made me disable SMB service before I could even install it.

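The forward/reverse rule from the reply above, turned into a check you can run against the client and every DC before binding (an added example, not code from the hint or the commenters). Lookups are injectable: the defaults go through the OS resolver, while the sample tables are constructed with hypothetical hosts and documentation addresses so the check runs offline.

```python
"""Check that a host's forward (A) and reverse (PTR) DNS records agree.

This is the rule behind the Directory Access error "DNS entries for your
servers must have forward and reverse entries that match". The sample
tables are constructed (hypothetical hosts, 192.0.2.0/24 test addresses).
"""
import socket
from typing import Callable, Dict, List

SAMPLE_A: Dict[str, List[str]] = {
    "pdc.mydomain.forest.company.net": ["192.0.2.10"],
    "alias.mydomain.forest.company.net": ["192.0.2.10"],   # PTR names another host
    "mycomputer.mydomain.forest.company.net": ["192.0.2.50"],
    "orphan.mydomain.forest.company.net": ["192.0.2.60"],  # no PTR at all
}
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "pdc.mydomain.forest.company.net",
    "192.0.2.50": "MYCOMPUTER.mydomain.forest.company.net",  # case only: still OK
}

def sample_forward(name: str) -> List[str]:
    return SAMPLE_A.get(name.lower(), [])

def sample_reverse(addr: str) -> str:
    if addr not in SAMPLE_PTR:
        raise socket.herror(1, "no PTR record")
    return SAMPLE_PTR[addr]

def system_forward(name: str) -> List[str]:
    """A lookup through the OS resolver (raises socket.gaierror on NXDOMAIN)."""
    return socket.gethostbyname_ex(name)[2]

def system_reverse(addr: str) -> str:
    """PTR lookup through the OS resolver (raises socket.herror when absent)."""
    return socket.gethostbyaddr(addr)[0]

def check_host(name: str, forward: Callable = system_forward,
               reverse: Callable = system_reverse) -> List[str]:
    """Return the mismatches for `name`; an empty list means forward and reverse agree."""
    fqdn = name.rstrip(".").lower()
    try:
        addrs = forward(fqdn)
    except socket.gaierror:
        addrs = []
    if not addrs:
        return [f"{fqdn}: no A record"]
    problems = []
    for addr in addrs:
        try:
            ptr = reverse(addr).rstrip(".").lower()   # DNS names compare case-insensitively
        except socket.herror:
            problems.append(f"{addr}: no PTR record")
            continue
        if ptr != fqdn:
            problems.append(f"{addr}: PTR is {ptr}, expected {fqdn}")
    return problems
```

Run check_host on the Mac's own FQDN and on each DC; any non-empty result is something for whoever runs the DNS server to fix.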
How to set up Active Directory
Authored by: Schwie on Dec 12, '03 05:15:14PM
I took a peek in my localhost.zone file and found the following:
$TTL    86400
$ORIGIN localhost.
@                       1D IN SOA       @ root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        @
                        1D IN A         127.0.0.1

in my named.local file, I found:
$TTL    86400
@       IN      SOA     localhost. root.localhost.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
              IN      NS      localhost.

1       IN      PTR     localhost.

I'm not really sure what you want me to add here... Should I be adding entries for the WIN servers here, and pointers to them? I don't know...

Was "vtzeb" able to help you with the authentication problems? I'm sure I'll be stumbling upon that, next....

Brad

How to set up Active Directory
Authored by: ktappe on May 04, '04 12:44:13PM

Are you using DHCP? If so, the reverse DNS problem is your network admin's fault, not yours.

And if they try to deny you support, tell them you are not asking for support for your Mac, you are asking them to do their job. Lack of reverse DNS is a server misconfiguration that would affect any client regardless of OS. Any sysadmin who doles out IP addresses that are not configured for reverse lookup has not properly configured his server. There are several websites out there (though I fear I cannot recall one right now) that won't even let you on if your reverse DNS lookup fails.

If all else fails, put a PC on your desk, try to visit one of those sites, then tell your sysadmin that your WINDOWS COMPUTER needs reverse DNS configured. Then put your Mac back. :-)

How to set up Active Directory
Authored by: martinp on Mar 21, '05 07:58:22AM

I had the same problem with 10.3.8. After much tinkering with the DHCP and DNS servers, I managed to find a way around it.

Open Directory access, go to Active Directory and configure.

Untick 'authenticate multiple domains' (if you only use one).
Tick 'prefer this domain server' and then enter the full address for the main domain server.
Then bind.

That fixed it for me. Hope it helps.

How to set up Active Directory
Authored by: djlc on Nov 21, '03 04:41:12PM

I'm having a problem. I get my PowerBook to bind, and if I use some terminal commands, I can call up the list of domain users and groups, but none of them are authenticating on the PowerBook. Do I need to disable SMB services? The reason I ask is because I tried AdmitMac out and it made me disable SMB service before I could even install it.
I downloaded and ran the kerbtray utility from Microsoft and I have found a clue to my problem. There is no ticket from the PowerBook. Can anyone help me out from here?

How to set up Active Directory
Authored by: vtzeb on Dec 08, '03 11:54:28AM

You need to edit your edu.mit.Kerberos file (under Library/Preferences). Add a line under the [libdefaults] section that says default_realm = YOURREALM, where YOURREALM is the domain of your user account. It is case-sensitive and must match an entry in the [realms] section.

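A checker for the default_realm rule in the reply above, added here as an example and not code from the hint or the commenters: it parses an edu.mit.Kerberos file (krb5.conf format) and reports a default_realm that is missing, absent from [realms], or differs from the realm block only in case, which is the mistake that rule warns about. The configuration text is constructed with hypothetical hosts.

```python
"""Validate default_realm in an edu.mit.Kerberos (krb5.conf format) file.

[libdefaults] must set default_realm and the value must match a realm block
in [realms] exactly, case included. SAMPLE_CONF is constructed for the
example and deliberately gets the case wrong.
"""
import re
from typing import Dict, List

SAMPLE_CONF = """\
[libdefaults]
    default_realm = mydomain.forest.company.net
    dns_lookup_kdc = true
[realms]
    MYDOMAIN.FOREST.COMPANY.NET = {
        kdc = pdc.mydomain.forest.company.net
    }
"""

def parse_krb5(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal parser: [section] headers, key = value lines, one level of NAME = { } blocks."""
    conf: Dict[str, Dict[str, object]] = {}
    section = block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        if not line:
            continue
        if m := re.match(r"^\[(\w+)\]$", line):
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"setting outside any section: {line!r}")
        if line == "}":
            block = None
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value == "{":                         # start of a realm block
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf

def check_default_realm(conf: Dict[str, Dict[str, object]]) -> List[str]:
    """Return the problems with default_realm; an empty list means it is usable."""
    realm = conf.get("libdefaults", {}).get("default_realm")
    if realm is None:
        return ["[libdefaults] has no default_realm"]
    realms = conf.get("realms", {})
    if realm in realms:
        return []
    near = [r for r in realms if r.lower() == str(realm).lower()]
    if near:
        return [f"default_realm {realm!r} differs only in case from {near[0]!r}; realms are case-sensitive"]
    return [f"default_realm {realm!r} has no block in [realms]"]
```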
How to set up Active Directory
Authored by: sydbarrett74 on May 03, '04 10:18:19PM

When I go to the Directory utility, all of the options (AD, Appletalk, Rendezvous) are greyed out and I can't click on any of them....

How to set up Active Directory
Authored by: ktappe on May 04, '04 01:16:27PM

Click the lock icon in the lower left corner and enter an admin username and password.

How to set up Active Directory
Authored by: gmagerr on Jun 30, '04 10:16:45AM

Please correct me; hopefully I'm misinformed. We are getting ready to roll out Active Directory. I administer around 100 Macs (G5s with 10.3). I have one Xserve and an Xraid as well. From what I understand, the Macs are not going to adhere to any group policies we set up in AD, correct? What then would be the reason for authenticating against the AD domain controller? I'm not trying to be sarcastic; I'd really like to know. Thanks guys.
