CompTech810 asked:

MacBook Pro Join Windows Domain

I am a newbie on MacBook Pro and cannot connect it to our Windows network. I have gone to System Preferences > Users & Groups > Login Options > Network Account Server > Join and entered the DHCP server. The Mac seems to see the server because it goes right to the next step. I have the Client Computer ID set up on the server. For AD Admin User, I used administrator@domain.local and entered the password.

It will not connect.  Please help!
Tom Beck

Here's the way I do it.

1.) Users & Groups --> Login Options. Click "Join"
2.) In the drop down window click "Open Directory Utility"
3.) Click the lock to unlock the Utility for modification with your local (MacBook) admin account.
4.) Click Active Directory then the pencil icon to configure.
5.) Fill in Active Directory Forest (if applicable) and Active Directory Domain. This must be the qualified domain name with a ".com" at the end. Fill in the Computer ID.
6.) Click the drop arrow to open the additional configuration options.
7.) Click the Administrative tab and check the "Prefer this domain server" and enter the FQDN for the AD server like
8.) Click "Bind", enter the Domain admin credentials. This would be admin username and password, not administrator@domain.local, as if you were logging into the AD server as the domain admin.
CompTech810

Thanks for the quick response.

I thought I better ping the DHCP server and I am getting no response.  I did ping the gateway and I am getting a response.... Hmmm
Never mind, I am getting a response, sorry.
Where do I put in the IP of the DHCP server?
DHCP server IP address doesn't really enter into the equation unless your DHCP server and AD server are one and the same machine. You could use the IP address of the Active Directory server in the "Prefer this domain server" box but it would still have to be fully qualified, like: <domain>.com

There's no other box that will accept an IP address that I know of. If you are on a Domain then you must have a domain name. The machine that runs Active Directory must have a machine name. I don't know why an IP address would ever be necessary. It's also bad practice. If the IP address changes, things could stop working.
On our Windows 2003 SBS Active Directory server I go to Control Panel --> System. Open the Computer Name tab and the full computer name and full domain name are listed there. Does that help in your case?
I have done exactly what you have said and it still says "Authentication server could not be contacted". I have pinged the server, using IP address, and the DHCP server responds. I'm at a loss....
"Authentication server could not be contacted".

I can recreate that error under the following circumstances.

1.) I have a cable connecting my laptop to the domain's network and my Ethernet card is getting an IP from the DHCP server. It's a network.
2.) At the same time, my wifi adapter is picking up a connection to our "Guest" wifi network which is routed differently. It's a network

The simple fix is to disable my wifi and I am then able to bind my Mac to Active Directory. Why the Mac is requesting to authenticate on the wifi network ONLY instead of trying all available networks is a mystery to me, but the fix is simple enough so who cares. The point is, make sure your request for authentication is being routed through an interface that's on the same network as the AD and the Mac has no other routing choice. Because of this odd behavior, successfully pinging the AD server is not a guarantee that it will be reached during the authentication phase if you have multiple adapters connected to different networks.

Make sure the credentials you are using to join the Mac to the domain have the necessary rights to do that. I use an account that is a member of Domain Admins.

One other point. You don't need to add the computer to the AD before joining the Mac. The Mac should suggest a computer ID and pre-populate that text box. You can either accept or change it and an object with that name will be automatically added to AD when you bind.

I hope this helps because I'm out of ideas.
The MacPro I am working on doesn't have a network port, only WIFI. I checked what IP it is getting and it is correct, and the DNS server's IP address that it has is correct. Do you know of someone that can remote to the Mac and double check I'm doing it right? We have a new CEO starting Monday..... Uggghhh, why does he want an Apple!!!!
I don't know of anyone personally who could log into the Mac remotely. I'm sure any reputable computer network service company that has familiarity with Macs would do it for a fee. I would not say Geek Squad but there are many other services. They may need to also remote into the AD server.

How about this? If you do a Command + Shift + 4 on the Mac keyboard you get a crosshair that will allow you to draw a square around the dialog boxes you are presented with during your attempt to join (including your input) and post the resulting partial screenshots here. (The partial screenshots will land on your desktop when you let go of the drag to define the screen grab area.) I can check your input fields for any glaring errors.
Good idea but I don't want to share with the public our domain name as it is the company name.  Do you know if I can delete the image after we are done?
Tom Beck had me add .local to the end of my domain, e.g. domain.local, and it worked!! Thanks so much Tom Beck!!
You're welcome. Thanks for the points.

I had originally assumed that the domain used the standard .com TLD extension when I typed out the instructions. Upon seeing your screenshots I realized that yours was set up with .local.  

I hope you are not running Exchange from that domain or any other web services. Certificate Authorities are cracking down on non-standard TLDs as of November 15, 2015.
The .local is only internal. The emails do have .com on them. I'm not sure why the system is set up with .local, I wasn't here when that was implemented. Thanks for the info!!
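
The two causes of "Authentication server could not be contacted" that came up in this thread (a domain name with the wrong suffix, and the request leaving through an interface on a different network) can both be checked before clicking "Bind". The script below is an added example, not something posted by either participant; the interface name `en0`, the host `dc01` and the sample outputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before an AD bind on macOS.
# Usage on the Mac: sh preflight.sh --check <ad-domain> <interface>
#   e.g. sh preflight.sh --check domain.local en0   (en0 is an assumed interface name)

# Pull the outgoing interface out of macOS `route -n get <host>` output.
route_interface() {
  awk '$1 == "interface:" { print $2; exit }'
}

# Turn `dig +short -t SRV` answers (priority weight port target.) into "target port".
srv_targets() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# Constructed sample outputs, used only to show the formats the parsers expect.
SAMPLE_SRV='0 100 389 dc01.domain.local.'
SAMPLE_ROUTE='   route to: 192.0.2.10
destination: 192.0.2.0
  interface: en1
      flags: <UP,DONE,CLONING>'

preflight() {
  domain=$1 want_if=$2 rc=0
  # AD publishes its domain controllers under this SRV name; an empty answer
  # means the domain name is wrong or the Mac is asking the wrong DNS server.
  dcs=$(dig +short -t SRV "_ldap._tcp.dc._msdcs.$domain" | srv_targets)
  if [ -z "$dcs" ]; then
    echo "FAIL: no domain controllers found in DNS for '$domain'"
    return 1
  fi
  # Check which interface the Mac would actually use to reach each controller.
  while read -r host port; do
    ifc=$(route -n get "$host" 2>/dev/null | route_interface)
    if [ "$ifc" = "$want_if" ]; then
      echo "OK:   $host:$port is reached via $ifc"
    else
      echo "FAIL: $host:$port is routed via '${ifc:-none}', expected $want_if"
      rc=1
    fi
  done <<EOF
$dcs
EOF
  return $rc
}

if [ "${1:-}" = "--check" ]; then preflight "$2" "$3"; fi
```

A "no domain controllers found" result for `domain.com` alongside a successful lookup for `domain.local` points to the suffix problem that was resolved above; a route through an unexpected interface points to the guest-wifi problem.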