Mac OS X and Active Directory integration

Hi Guys,
I need to make a decision as to what would be the best way to FULLY integrate Macs into an Active Directory domain.

Windows Server 2012 domain controller
Mac OS X Yosemite version 10.10.5

I read this article where they explain how to add a Mac to AD

But I need more details, like what simply adding the Macs to the domain gives me in terms of functionality, which I'm guessing is just user authentication.

Bottom line, can you please tell me what would be the pros to having an OS X Server running in a VM right beside the Windows domain controller, as opposed to just adding the Macs to the domain (as per the article above).


Ugo Mena commented:
Either method is going to require you to set up a Mac Server as an Open Directory Master, similar to the Active Directory Master.

A common best practice is to host an Open Directory domain along with the Active Directory service. Multiple directory services will add to the burden of managing two distinct operating systems, but you'll be surprised to find out that it may actually make administration of these systems easier! This dual-directory environment will allow Windows PCs to be maintained and managed solely through the Active Directory side, while Open Directory — when set up with OS X Server — can be used to maintain and manage the Apple computers.

Binding to Active Directory will force the Macs to receive much of their management directly from the domain controller hosting the Active Directory service, but it must "translate" the processes into commands that OS X will understand and does introduce another variable when troubleshooting.

The advantages of doing so are not many... and you will still likely want to set up a Mac Server to be able to configure and control Mac clients.

Unless you require the Mac user to use a specific account that has already been created in Active Directory or you are looking to enable SSO using AD credentials, I would not bind your Mac computer to Active Directory.
Tyler Brooks (Network and Security Consultant) commented:
I agree with ultralites, I ran into this issue at a client's about 6 months ago. After spending the better part of a day attempting to get them to play nice together we ended up installing Windows in Boot Camp and doing it that way. (This client had several other reasons why using Windows made a lot more sense.)

serialband commented:
Binding a Mac to AD just means authenticating accounts. You can do the OD master with Mac Server, but that's extra work, and it's not a full integration. You need 3rd party software for that. PowerBroker Open would be a bit simpler, but you still wouldn't get Group Policies.

I've never used them, but I've seen Centrify and Thursby's AdmitMac mentioned over the years for full AD integration. You just have to pay for the convenience.


I suppose one question is what do you mean by fully integrate? For example, if you're expecting to get GPOs to run against the Mac, obviously that's not going to happen unless it's running Windows.

For us we only have a few Macs in our environment and we've been fine with simply binding to AD, which is in the article you linked. You don't need to bind to AD to get it to work, but it does help with logging in using AD credentials and accessing resources like printers and file shares. I've played with a few of the third party integration vendors and mostly their products do work OK and add some additional functionality. We do NOT use an OD server in our environment and for us that works just fine.
cargex (Author) commented:
Hi Guys,
Just user Authentication is not going to be enough.
So according to your comments in this case we are down to 2 options:
- Installing a Mac OS X Server
- Using a third party application/add-on to Active Directory

Can you please elaborate on both options?

Ugo Mena commented:
What sort of integration are you looking to achieve?

Binding to Active Directory will allow you to connect to shared resources using (Active Directory) LDAP account credentials. SMB shares, printers, etc will all be accessible to your Macs.

User and group settings from AD to Mac are hit or miss and specifically depend on what you are trying to control. AD GPOs and other Windows machine and user specific policies will typically not get applied to Macs without using a 3rd party tool to translate the registry settings to Mac MCX and plist settings.

Installing a Mac Server with Open Directory LDAP will allow you more control over the specific user, path, resource and desktop settings on Macs, using Workgroup Manager to set user specific MCX and plist settings. Very similar to, albeit not as robust as, Active Directory policies.

Either way just make sure you have solid DNS server and setup, as Macs are very fussy with domain and DNS settings.
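The reply above covers what binding gives you (AD credentials for SMB shares and printers) and what it does not (GPOs), but not what to check on the bind itself. The script below is an added example, not code from this thread or from Apple: it audits the security-relevant settings of a macOS AD bind from a `dsconfigad -show` report (LDAP packet signing and encryption, which AD groups become local admins, cross-domain authentication, computer-account password rotation) and shows the `dsconfigad` flags that remediate each finding. The two reports it reads are constructed samples in the layout `dsconfigad -show` prints; `example.com`, `mac01$` and the group name `mac-admins` are placeholders.

```shell
#!/bin/bash
# Added example, not code from this thread or from Apple: audit the
# security-relevant settings of a macOS Active Directory bind from a
# "dsconfigad -show" report, and show the dsconfigad flags that fix them.
# The two reports below are CONSTRUCTED samples in the layout dsconfigad
# prints; "example.com", "mac01$" and "mac-admins" are placeholders.

# Pull the value of one "Key = value" line out of a dsconfigad -show report.
# Usage: get_setting "$report" "Packet signing"
get_setting() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*= *//p" | head -n 1
}

# Print one WEAK line per finding and return the number of findings (0 = clean).
# Checks: LDAP packet signing and encryption (anything short of "require" lets
# an on-path attacker downgrade the Mac's LDAP traffic), which AD groups are
# made local admins, whether any domain in the forest may authenticate, and
# whether the computer account password is rotated.
audit_ad_bind() {
    report="$1"
    findings=0
    sign=$(get_setting "$report" "Packet signing")
    enc=$(get_setting "$report" "Packet encryption")
    admins=$(get_setting "$report" "Allowed admin groups")
    anydom=$(get_setting "$report" "Authentication from any domain")
    interval=$(get_setting "$report" "Password change interval")

    if [ "$sign" != "require" ]; then
        printf 'WEAK: packet signing = %s (fix: dsconfigad -packetsign require)\n' "$sign"
        findings=$((findings + 1))
    fi
    if [ "$enc" != "require" ] && [ "$enc" != "ssl" ]; then
        printf 'WEAK: packet encryption = %s (fix: dsconfigad -packetencrypt require)\n' "$enc"
        findings=$((findings + 1))
    fi
    # Every group listed here is made a local administrator of the Mac.
    case "$(printf '%s' "$admins" | tr '[:upper:]' '[:lower:]')" in
        *"domain users"*|*everyone*)
            printf 'WEAK: allowed admin groups = %s (fix: dsconfigad -groups <narrow group>)\n' "$admins"
            findings=$((findings + 1)) ;;
    esac
    if [ "$anydom" = "Enabled" ]; then
        printf 'WEAK: authentication from any domain = Enabled (fix: dsconfigad -alldomains disable)\n'
        findings=$((findings + 1))
    fi
    case "$interval" in
        ''|0|"not set")
            printf 'WEAK: password change interval = %s (fix: dsconfigad -passinterval 14)\n' "$interval"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Remediation for an already-bound Mac: run as root, NOT executed by this
# script. "mac-admins" is a placeholder for your own AD group.
harden_ad_bind() {
    dsconfigad -packetsign require -packetencrypt require \
               -groups "mac-admins" -alldomains disable -passinterval 14
}

# Pre-bind check for the DNS point above: the domain must publish SRV records
# for its DCs or the bind and Kerberos will fail. Needs network; not run here.
check_ad_dns() {
    dig +short SRV "_ldap._tcp.dc._msdcs.$1" | grep . || { echo "no DC SRV records for $1"; return 1; }
}

# Constructed sample 1: a bind left at permissive settings.
WEAK_REPORT='Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = domain users
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 0'

# Constructed sample 2: the same Mac after harden_ad_bind.
HARDENED_REPORT='Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = mac-admins
  Authentication from any domain = Disabled
  Packet signing                 = require
  Packet encryption              = require
  Password change interval       = 14'

echo "== permissive bind =="
audit_ad_bind "$WEAK_REPORT" || echo "findings: $?"
echo "== hardened bind =="
audit_ad_bind "$HARDENED_REPORT" && echo "findings: 0"
```

On a bound Mac the same audit runs against live data with `audit_ad_bind "$(dsconfigad -show)"`; a non-zero exit status is the count of findings, which makes it easy to drop into a compliance check. The permissive sample is deliberately close to what an interactive bind leaves behind (signing and encryption at `allow`, any-domain authentication on), so expect findings on a Mac that was only ever bound through the Users & Groups pane.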
cargex (Author) commented:
Good Morning Guys,
Ultralite, can you please elaborate on the pros and cons of installing a Mac OS X Server?
For instance can I install it in a VMware environment?

For everybody else, please I need feedback about pros and cons about a third party application/add-on to Active Directory.

Currently I'm looking into Centrify but I would like for somebody to tell me if you have used this or any other third party software and comment on your experience.

The EULAs prevent you from installing it on a non-Apple environment. You will need to get Apple branded hardware to host OS X Server if you want any support and warranty from Apple.

There are issues with using Macs on Windows environments, no matter what you choose. Apple has chosen to remove Samba and write their own SMB stack. The most recent problem with that now is that Windows long file path limits are now supported, and you get access permissions errors rather than path length errors. You used to be able to write longer paths, because NTFS supports it. With Mavericks, SMB was extremely problematic if you had DFS.

The OD server is a basic LDAP server and there isn't much in the way of Group Policy support.  Even with Centrify, you're not going to get 100%.
cargex (Author) commented:
Hi Serialband,
I see you mentioned PowerBroker Open, do you have experience with that product?
Can you please tell me about it?
cargex (Author) commented:
Hi Guys,
Thank you very much for all your comments, you definitely gave me some good ideas.

I'm in the process of deploying the PowerBroker Open and so far so good.
If this part works then we are going to move on to the Enterprise Edition.