
MacBook Pro Join Windows Domain

Last Modified: 2015-08-13
I am a newbie on MacBook Pro and cannot connect it to our Windows network.  I have gone to System Preferences > Users & Groups > Login Options > Network Account Server > Join and entered the DHCP server. The Mac seems to see the server because it goes right to the next step.  I have the Client Computer ID: set up on the server.  For AD Admin User: I used administrator@domain.local and entered the password.

It will not connect.  Please help!

CERTIFIED EXPERT
Top Expert 2015

Commented:
Here's the way I do it.

1.) Users & Groups --> Login Options. Click "Join"
2.) In the drop down window click "Open Directory Utility"
3.) Click the lock to unlock the Utility for modification with your local (MacBook) admin account.
4.) Click Active Directory then the pencil icon to configure.
5.) Fill in Active Directory Forest (if applicable) and Active Directory Domain. This must be the qualified domain name with a ".com" at the end. Fill in the Computer ID.
6.) Click the drop arrow to open the additional configuration options.
7.) Click the Administrative tab and check the "Prefer this domain server" and enter the FQDN for the AD server like
<machinename>.<domain>.com
8.) Click "Bind", enter the Domain admin credentials. This would be admin username and password, not administrator@domain.local, as if you were logging into the AD server as the domain admin.

Author

Commented:
Thanks for the quick response.

I thought I better ping the DHCP server and I am getting no response.  I did ping the gateway and I am getting a response.... Hmmm

Author

Commented:
Never mind I am getting a response, sorry

Author

Commented:
Where do I put in the IP of the DHCP server?
CERTIFIED EXPERT
Top Expert 2015

Commented:
DHCP server IP address doesn't really enter into the equation unless your DHCP server and AD server are one and the same machine. You could use the IP address of the Active Directory server in the "Prefer this domain server" box but it would still have to be fully qualified, like:

192.168.1.2.<domain>.com

There's no other box that will accept an IP address that I know of. If you are on a Domain then you must have a domain name. The machine that runs Active Directory must have a machine name. I don't know why an IP address would ever be necessary. It's also bad practice. If the IP address changes, things could stop working.
CERTIFIED EXPERT
Top Expert 2015

Commented:
On our Windows 2003 SBS Active Directory server I go to Control Panel --> System. Open the Computer Name tab and the full computer name and full domain name are listed there. Does that help in your case?

Author

Commented:
I have done exactly what you have said and it still says "Authentication server could not be contacted".  I have pinged the server, using IP address, and the DHCP server responds.  I'm at a loss....
CERTIFIED EXPERT
Top Expert 2015

Commented:
"Authentication server could not be contacted".

I can recreate that error under the following circumstances.

1.) I have a cable connecting my laptop to the domain's network and my Ethernet card is getting an IP from the DHCP server. It's a 10.0.0.0/24 network.
2.) At the same time, my wifi adapter is picking up a connection to our "Guest" wifi network which is routed differently. It's a 192.168.0.0/24 network.

The simple fix is to disable my wifi and I am then able to bind my Mac to Active Directory. Why the Mac is requesting to authenticate on the wifi network ONLY instead of trying all available networks is a mystery to me but the fix is simple enough so who cares. The point is, make sure your request for authentication is being routed through an interface that's on the same network as the AD and the Mac has no other routing choice. Because of this odd behavior, successfully pinging the AD server is not a guarantee that it will be reached during the authentication phase if you have multiple adapters connected to different networks.

Make sure the credentials you are using to join the Mac to the domain have the necessary rights to do that. I use an account that is a member of Domain Admins.

One other point. You don't need to add the computer to the AD before joining the Mac. The Mac should suggest a computer ID and pre-populate that text box. You can either accept or change it and an object with that name will be automatically added to AD when you bind.

I hope this helps because I'm out of ideas.

Author

Commented:
The MacPro I am working on doesn't have a network port, only WIFI.  I checked what IP it is getting and it is correct, and the DNS server's IP address that it has is correct.  Do you know of someone that can remote to the Mac and double check I'm doing it right?  We have a new CEO starting Monday..... Uggghhh  why does he want an Apple!!!!
CERTIFIED EXPERT
Top Expert 2015

Commented:
I don't know of anyone personally who could log into the Mac remotely. I'm sure any reputable computer network service company that has familiarity with Macs would do it for a fee. I would not say Geek Squad but there are many other services. They may need to also remote into the AD server.

How about this? If you do a Command + Shift + 4 on the Mac keyboard you get a crosshair that will allow you to draw a square around the dialog boxes you are presented with during your attempt to join (including your input) and post the resulting partial screenshots here. (The partial screenshots will land on your desktop when you let go of the drag to define the screen grab area.) I can check your input fields for any glaring errors.

Author

Commented:
Good idea but I don't want to share with the public our domain name as it is the company name.  Do you know if I can delete the image after we are done?

Author

Commented:
Tom Beck had me add .local to the end of my domain, exp.  domain.local and it worked!!  Thanks so much Tom Beck!!
CERTIFIED EXPERT
Top Expert 2015

Commented:
You're welcome. Thanks for the points.

I had originally assumed that the domain used the standard .com TLD extension when I typed out the instructions. Upon seeing your screenshots I realized that yours was set up with .local.  

I hope you are not running Exchange from that domain or any other web services. Certificate Authorities are cracking down on non-standard TLDs as of November 15, 2015.

Author

Commented:
The .local is only internal.  The emails do have .com on them.  I'm not sure why the system is setup with .local, I wasn't here when that was implemented.  Thanks for the info!!
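
The checks discussed in this thread, collected into one pre-bind lint as an added example (not code from any poster): it flags an unqualified domain, a preferred server that is not a host inside the domain or is an IP address, a user@domain admin name, and active interfaces that are not on the AD server's network. The function name, the warning wording and the sample values (example.local, dc1, en0/en1) are assumptions constructed for illustration.

```python
import ipaddress

def preflight(domain, server_fqdn, admin_user, server_ip, interfaces):
    """Return warnings for a planned Active Directory bind.

    interfaces maps each active interface name to its network in CIDR form.
    The rules mirror the advice given in the thread; names are hypothetical.
    """
    warnings = []
    domain = domain.lower().rstrip(".")
    server = server_fqdn.lower().rstrip(".")

    # The domain must be fully qualified with the suffix the forest really uses.
    if "." not in domain:
        warnings.append("domain is not fully qualified (missing suffix such as .local)")

    # The preferred server should be <machinename>.<domain>.
    if not server.endswith("." + domain):
        warnings.append("preferred server is not a host inside the domain")
    else:
        host = server[: -len(domain) - 1]
        try:
            ipaddress.ip_address(host)
            warnings.append("preferred server is an IP address; use the machine name")
        except ValueError:
            pass  # a normal machine name

    # Bind with the plain account name, not user@domain.
    if "@" in admin_user:
        warnings.append("admin user is in user@domain form; use the bare account name")

    # The bind request should leave through an interface on the AD server's network.
    target = ipaddress.ip_address(server_ip)
    on_link = [n for n, cidr in interfaces.items() if target in ipaddress.ip_network(cidr)]
    off_link = sorted(n for n in interfaces if n not in on_link)
    if not on_link:
        warnings.append("no active interface is on the AD server's network")
    elif off_link:
        warnings.append("disable " + ", ".join(off_link) + " before binding")
    return warnings

if __name__ == "__main__":
    # Constructed sample: wired 10.0.0.0/24 plus guest wifi 192.168.0.0/24.
    nets = {"en0": "10.0.0.0/24", "en1": "192.168.0.0/24"}
    for w in preflight("example", "dc1.example.com",
                       "administrator@example.local", "10.0.0.5", nets):
        print("WARNING:", w)
```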
