CompTech810

MacBook Pro Join Windows Domain

I am a newbie on MacBook Pro and cannot connect it to our Windows network. I have gone to System Preferences > Users & Groups > Login Options > Network Account Server > Join and entered the DHCP server. The Mac seems to see the server because it goes right to the next step. I have the Client Computer ID set up on the server. For AD Admin User I used administrator@domain.local and entered the password.

It will not connect.  Please help!
Mac OS X, Active Directory, Apple Networking

Last comment: CompTech810, 8/22/2022 - Mon
Tom Beck

Here's the way I do it.

1.) Users & Groups --> Login Options. Click "Join"
2.) In the drop down window click "Open Directory Utility"
3.) Click the lock to unlock the Utility for modification with your local (MacBook) admin account.
4.) Click Active Directory then the pencil icon to configure.
5.) Fill in Active Directory Forest (if applicable) and Active Directory Domain. This must be the qualified domain name with a ".com" at the end. Fill in the Computer ID.
6.) Click the drop arrow to open the additional configuration options.
7.) Click the Administrative tab and check the "Prefer this domain server" and enter the FQDN for the AD server like
<machinename>.<domain>.com
8.) Click "Bind", enter the Domain admin credentials. This would be admin username and password, not administrator@domain.local, as if you were logging into the AD server as the domain admin.
CompTech810

ASKER
Thanks for the quick response.

I thought I better ping the DHCP server and I am getting no response.  I did ping the gateway and I am getting a response.... Hmmm
CompTech810

ASKER
Never mind I am getting a response, sorry
CompTech810

ASKER
Where do I put in the IP of the DHCP server?
Tom Beck

DHCP server IP address doesn't really enter into the equation unless your DHCP server and AD server are one and the same machine. You could use the IP address of the Active Directory server in the "Prefer this domain server" box but it would still have to be fully qualified, like:

192.168.1.2.<domain>.com

There's no other box that will accept an IP address that I know of. If you are on a Domain then you must have a domain name. The machine that runs Active Directory must have a machine name. I don't know why an IP address would ever be necessary. It's also bad practice. If the IP address changes, things could stop working.
Tom Beck

On our Windows 2003 SBS Active Directory server I go to Control Panel --> System. Open the Computer Name tab and the full computer name and full domain name are listed there. Does that help in your case?
CompTech810

ASKER
I have done exactly what you have said and it still says "Authentication server could not be contacted". I have pinged the server, using IP address, and the DHCP server responds. I'm at a loss....
Tom Beck

"Authentication server could not be contacted".

I can recreate that error under the following circumstances.

1.) I have a cable connecting my laptop to the domain's network and my Ethernet card is getting an IP from the DHCP server. It's a 10.0.0.0/24 network.
2.) At the same time, my wifi adapter is picking up a connection to our "Guest" wifi network which is routed differently. It's a 192.168.0.0/24 network.

The simple fix is to disable my wifi and I am then able to bind my Mac to Active Directory. Why the Mac is requesting to authenticate on the wifi network ONLY instead of trying all available networks is a mystery to me but the fix is simple enough so who cares. The point is, make sure your request for authentication is being routed through an interface that's on the same network as the AD and the Mac has no other routing choice. Because of this odd behavior, successfully pinging the AD server is not a guarantee that it will be reached during the authentication phase if you have multiple adapters connected to different networks.

Make sure the credentials you are using to join the Mac to the domain have the necessary rights to do that. I use an account that is a member of Domain Admins.

One other point. You don't need to add the computer to the AD before joining the Mac. The Mac should suggest a computer ID and pre-populate that text box. You can either accept or change it and an object with that name will be automatically added to AD when you bind.

I hope this helps because I'm out of ideas.
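
The two checks this thread keeps circling (which interface actually carries traffic to the AD server, and whether the domain name being typed resolves to a domain controller at all) can be run from Terminal on the Mac. This is an added example, not part of the original thread or any participant's post; the function names are hypothetical, the /24 comparison assumes networks like the ones described above, and the sample route output is constructed.

```bash
#!/usr/bin/env bash
# Added example: pre-bind checks for a Mac joining Active Directory.
# Parsers read command output on stdin so they can be exercised offline.

# Extract the "interface:" field from `route -n get <ip>` output (macOS format).
route_iface() { awk '$1 == "interface:" { print $2; exit }'; }

# Succeed if two dotted-quad IPv4 addresses share the same /24 prefix.
# Assumption: /24 networks, as in the 10.0.0.0/24 vs 192.168.0.0/24 case above.
same_slash24() { [ "${1%.*}" = "${2%.*}" ]; }

# Count SRV answers in `dig +short SRV _ldap._tcp.<domain>` output.
# Each answer line has four fields: priority weight port target.
srv_count() { awk 'NF == 4 && $3 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'; }

# Constructed sample: route lookup that leaves via a second adapter (en1)
# through a 192.168.0.x gateway instead of the domain-facing interface.
SAMPLE_ROUTE='   route to: 10.0.0.5
destination: default
    gateway: 192.168.0.1
  interface: en1
      flags: <UP,GATEWAY,DONE,STATIC>'

# Live check, run on the Mac itself.
# Arguments: AD server IP, AD domain as typed in Directory Utility,
# and the Mac's own IP on the domain-facing interface.
check_bind_path() {
  local dc_ip="$1" domain="$2" local_ip="$3" iface srvs
  iface=$(route -n get "$dc_ip" | route_iface)
  srvs=$(dig +short SRV "_ldap._tcp.$domain" | srv_count)
  echo "route to $dc_ip leaves via: ${iface:-unknown}"
  echo "LDAP SRV records found for $domain: $srvs"
  same_slash24 "$dc_ip" "$local_ip" || echo "note: $local_ip is not on the server's /24"
  # Zero SRV records means the domain name entered does not match the AD DNS zone.
  [ "$srvs" -gt 0 ]
}
```

A call such as `check_bind_path 10.0.0.5 domain.local 10.0.0.23` (constructed values) returns non-zero when no `_ldap._tcp` SRV records exist for the name given, which is what a wrong domain suffix looks like from the client side.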
CompTech810

ASKER
The MacPro I am working on doesn't have a network port, only WiFi. I checked what IP it is getting and it is correct, and the DNS servers IP address that it has is correct. Do you know of someone that can remote to the Mac and double check I'm doing it right? We have a new CEO starting Monday..... Uggghhh why does he want an Apple!!!!
Tom Beck

I don't know of anyone personally who could log into the Mac remotely. I'm sure any reputable computer network service company that has familiarity with Macs would do it for a fee. I would not say Geek Squad but there are many other services. They may need to also remote into the AD server.

How about this? If you do a Command + Shift + 4 on the Mac keyboard you get a crosshair that will allow you to draw a square around the dialog boxes you are presented with during your attempt to join (including your input) and post the resulting partial screenshots here. (The partial screenshots will land on your desktop when you let go of the drag to define the screen grab area.) I can check your input fields for any glaring errors.
CompTech810

ASKER
Good idea but I don't want to share with the public our domain name as it is the company name.  Do you know if I can delete the image after we are done?
ASKER CERTIFIED SOLUTION
Tom Beck

CompTech810

ASKER
Tom Beck had me add .local to the end of my domain, exp.  domain.local and it worked!!  Thanks so much Tom Beck!!
Tom Beck

You're welcome. Thanks for the points.

I had originally assumed that the domain used the standard .com TLD extension when I typed out the instructions. Upon seeing your screenshots I realized that yours was set up with .local.  

I hope you are not running Exchange from that domain or any other web services. Certificate Authorities are cracking down on non-standard TLDs as of November 15, 2015.
CompTech810

ASKER
The .local is only internal. The emails do have .com on them. I'm not sure why the system is set up with .local, I wasn't here when that was implemented. Thanks for the info!!