Market share in the enterprise is largely dominated by Microsoft — specifically, the reliance on the Windows Server family to manage network resources, align desktops with corporate security policies, and maintain the flow of production amongst all the employees at a given organization. The process of administering all these systems — desktops and servers alike — is relatively straightforward in a homogeneous environment, but what happens when OS X is introduced to the enterprise in the form of a sleek, shiny new MacBook Air or iMac?

Apple hasn’t made great inroads in this segment. However, comparing its paltry 7% share of the desktop market to its almost 93% share of the mobile device market, it’s only a matter of time before more companies begin to choose Apple products for their mobile and desktop computing duties in lieu of the generic, stalwart PCs they’ve been cycling in and out every three to five years. So, I ask you again: what do you do when your organization decides to upgrade to iMacs? How do you manage those nodes in addition to the Windows domain that’s already established?

Integrating Macs will initially be easier than you think! Even with little to no prior OS X knowledge, Macs will bind* to the domain with relative ease, since directory services — the underlying “file structure” of the network resources — are standards-based and operate more or less the same across operating systems.

Note*: Binding is the term associated with joining OS X to a domain. It’s virtually identical to joining a Windows PC to a domain, complete with checking domain credentials to verify that the end user has the necessary rights to add the computer to the domain.

Minimum requirements:

  • Server hardware running Windows Server 2000-2012 Standard
  • Active Directory Domain Services (ADDS) set up and configured
  • Domain Administrator-level account
  • Apple desktop or laptop running OS X 10.5+
  • Switched network

I. Bind OS X to a Windows domain (10.5-10.9)

Follow these steps to bind OS X to a Windows domain:

  1. On the Mac, go to System Preferences, open Users & Groups, and click the padlock to authenticate as an Administrator (Figure A)
     Figure A
  2. Enter your admin-level credentials to authenticate when prompted
  3. Next, select Login Options, and then click the Join… button next to Network Account Server (Figure B)
     Figure B
  4. In the Server drop-down menu, enter the fully-qualified domain name (e.g., domain.com) of the Windows domain you wish to bind the Mac to, and click OK (Figure C)
     Figure C
  5. Next, enter your domain-level credentials to proceed with the binding process (make sure the computer name is unique and formatted properly, because this is the name that will be created** for the computer object in ADDS), and then click OK to process the enrollment (Figure D)
     Figure D
  6. Upon successful binding, the window will close and the Users & Groups preference pane will remain open, but a small green dot (along with the domain name) will appear next to Network Account Server to indicate connectivity to the domain (Figure E)
     Figure E

Note**: By default, Windows will automatically create the computer object account in ADDS if one does not already exist. However, domain or enterprise admins may (and often do) restrict this as a security measure to curb random nodes from being joined to the domain. Additionally, Organizational Units (OUs) may be created as a way to compartmentalize ADDS objects by one or more classifications or departments. Many enterprises use OUs to organize objects and accounts separately from the items created by default when a domain controller is promoted and ADDS is created.

II. Modify Directory Services settings

Your next steps will be to modify the Directory Services settings. Here’s how:

  1. To ensure the highest level of compatibility between OS X and the network resources on the Windows network, certain changes must be made to the Active Directory service with the Directory Utility — so, go to System Preferences | Users & Groups, and click Login Options
  2. Click the Edit… button next to Network Account Server, then click Open Directory Utility… (Figure F)
     Figure F
  3. The Directory Utility lists the various services associated with network account directories (Figure G) and allows you to modify their settings as needed
     Figure G
  4. Double-click Active Directory to edit its configuration (Figure H)
     Figure H
  5. Click the disclosure arrow to show the Advanced Options, select User Experience, and check the following boxes:
     a. Check Force local home directory on startup disk (Figure I), which forces the creation of a profile on the local HDD for all users that log on to the node (if you plan to serve profiles remotely from a server, leave this setting unchecked)
     Figure I
     b. Check Use UNC path from Active Directory to derive network home location (Figure J), and select the network protocol to be used: smb: (Note: This setting switches the default protocol for network resource paths from Apple’s afp: to the Windows-friendly smb: — also known as Common Internet File System, or CIFS)
     Figure J
  6. Next, select Mappings (Figure K), which pertains to specifying unique GUIDs for certain attributes used within ADDS to identify a computer object account. OS X will generate these at random by default when bound to the domain; however, you may wish to use a particular set as generated by your enterprise admin.
     Figure K
  7. Finally, select Administrative (Figure L), and configure the following three optional settings based on the ADDS schema setup of the organization:
     Figure L
     a. Checking Prefer this domain server directs two-way communication to/from the domain controller of your choosing
     b. Checking Allow administration by allows nodes to be managed by the administrator(s) responsible for overseeing systems, based on security group membership or user account(s)
     c. Checking Allow authentication from any domain in the forest may or may not be necessary to ensure that the OS X computers authenticate to the proper domain, as configured by the domain/enterprise admin.
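The GUI steps in sections I and II have command-line equivalents in OS X’s dsconfigad(8), which is what you would use to bind many Macs consistently or to verify a binding afterwards. The script below is an added example, not code from the original article or from Apple: the domain name, join account, computer name, preferred domain controller and admin group are assumed placeholders, and the `dsconfigad -show` sample used by the verification function is constructed by hand for offline testing. It runs in dry-run mode by default, so on any system it only prints the commands it would issue; set `DRY_RUN=0` on a Mac to execute them.

```shell
#!/bin/sh
# Added example (not from the original article): dsconfigad(8) equivalents of
# the GUI steps in sections I and II, in dry-run mode by default so the exact
# commands can be reviewed before they are executed on a Mac.
# Every value below is an assumed placeholder; replace it with your own.

AD_DOMAIN="domain.com"                  # assumed FQDN of the Windows domain
AD_JOIN_USER="domainadmin"              # assumed account allowed to create computer objects
AD_COMPUTER_ID="mac-lab-01"             # assumed; must be unique, becomes the ADDS computer object
AD_PREFERRED_DC="dc01.domain.com"       # assumed; the "Prefer this domain server" DC
AD_ADMIN_GROUPS="DOMAIN\\Domain Admins" # assumed; the "Allow administration by" group
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands only; 0 = run them (macOS only)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Section I, steps 4-5: the bind itself. No -password flag is given, so
# dsconfigad prompts for it interactively instead of the password landing in
# shell history and process listings.
bind_cmd() {
    run dsconfigad -add "$AD_DOMAIN" -username "$AD_JOIN_USER" -computer "$AD_COMPUTER_ID"
}

# Section II, steps 5a/5b: User Experience settings (local home, UNC path, smb).
user_experience_cmd() {
    run dsconfigad -localhome enable -useuncpath enable -protocol smb
}

# Section II, steps 7a-7c: Administrative settings (all three optional in the article).
administrative_cmd() {
    run dsconfigad -preferred "$AD_PREFERRED_DC" -groups "$AD_ADMIN_GROUPS" -alldomains enable
}

# Verification: read `dsconfigad -show` output on stdin and return 0 only when
# the Mac is bound and the section II settings show the expected values.
check_binding() {
    out=$(cat)
    for want in 'You are bound to Active Directory' \
                'Force home to startup disk *= Enabled' \
                'Use Windows UNC path for home *= Enabled' \
                'Network protocol to be used *= smb'; do
        printf '%s\n' "$out" | grep -q "$want" || return 1
    done
    return 0
}

# Constructed sample of `dsconfigad -show` output for testing check_binding
# offline; real output contains more lines than shown here.
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = domain.com
  Active Directory Domain          = domain.com
  Computer Account                 = mac-lab-01$

Advanced Options - User Experience
  Create mobile account at login   = Disabled
  Force home to startup disk       = Enabled
  Use Windows UNC path for home    = Enabled
  Network protocol to be used      = smb'

if [ "$DRY_RUN" = "1" ]; then
    printf 'Dry run; commands that would be executed:\n'
    bind_cmd
    user_experience_cmd
    administrative_cmd
else
    bind_cmd && user_experience_cmd && administrative_cmd
    if dsconfigad -show | check_binding; then
        echo "Bound and configured as expected."
    else
        echo "Binding or settings differ from expectation; inspect dsconfigad -show" >&2
        exit 1
    fi
fi
```

Two practitioner notes on the assumptions above. First, the join account does not need to be a full Domain Admin: an account that has been delegated the right to create computer objects in the target OU is enough, and `dsconfigad -ou "OU=Macs,DC=domain,DC=com"` (an assumed OU) places the new object there directly, which fits the OU practice described in Note** above. Second, `dsconfigad -show` is the quickest way to confirm, after the fact, that a Mac is still bound and that its User Experience and Administrative settings have not drifted from what you configured.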

There you have it — a basic look at how to set up and configure Apple hardware running a modern version of OS X and get it communicating with a Windows Active Directory environment. I also threw in a few extra tips to help make a smooth transition and minimize errors.

One additional tip (and common best practice) is to host an Open Directory domain along with the Active Directory service. Multiple directory services will add to the burden of managing two distinct operating systems, but you’ll be surprised to find out that it may actually make administration of these systems easier! This dual-directory environment allows Windows PCs to be maintained and managed solely through the Active Directory side, while Open Directory — when set up with OS X Server — can be used to maintain and manage the Apple computers.

Giving the Apple hardware a second directory binding to ADDS allows the Macs to seamlessly communicate with the Windows desktops and share file and printer resources from Windows servers and nodes, and vice-versa. This eliminates the need for costly third-party software plugins. The Macs will receive much of their management directly from the domain controller hosting the Active Directory service, but it must “translate” the processes into commands that OS X will understand. Even then, it does introduce another variable when troubleshooting. And let’s be honest, the newly released OS X Server 3.0, which is only $20 in the Mac App Store, is a full-fledged server OS that’s as simplified and easy to use as OS X.

III. Additional resources

Here are some additional resources for more information: