
[Experience Sharing] Mac OS X: Configuring Access to an Active Directory Domain

Posted on 2016-5-16 10:47:40
Server Admin 10.6 Help
Configuring Access to an Active Directory Domain

Using the Active Directory connector listed in Directory Utility, you can configure Mac OS X to access basic user account information in an Active Directory domain on a Windows server.
The Active Directory connector generates all attributes required for Mac OS X authentication. No changes to the Active Directory schema are required.
The Active Directory connector detects and accesses standard Mac OS X record types and attributes (such as the attributes required for Mac OS X client management), if the Active Directory schema has been extended to include them.
WARNING: With the advanced options of the Active Directory connector, you can map the Mac OS X unique user ID (UID), primary group ID (GID), and group GID attributes to the correct attributes that have been added to the Active Directory schema. If you change the setting of these mapping options later, users might lose access to previously created files.

Important: If your computer name contains a hyphen, you might not be able to join or bind to a Directory Domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.


To configure access to an Active Directory domain:


  • Open System Preferences and click Accounts.
  • If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
  • Click Login Options, then click Join or Edit.
  • Click Open Directory Utility.
  • If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
  • Click Services.
  • In the list of services, select Active Directory and click the Edit (/) button.
  • Enter the DNS name of the Active Directory domain you want to bind to the computer you’re configuring.
    The administrator of the Active Directory domain can tell you the DNS name to enter.
  • If necessary, edit the Computer ID.
    The Computer ID is the name the computer is known by in the Active Directory domain, and it’s preset to the name of the computer. You might change this to conform to your organization’s established scheme for naming computers in the Active Directory domain. If you’re not sure, ask the Active Directory domain administrator.
  • (Optional) Set advanced options.
    If the advanced options are hidden, click Show Advanced Options and set options in the User Experience, Mappings, and Administrative panes. You can also change advanced option settings later.
    For more information about advanced options, see:

    • Setting Up Mobile User Accounts in Active Directory
    • Setting Up Home Folders for Active Directory User Accounts
    • Setting a UNIX Shell for Active Directory User Accounts
    • Mapping the UID to an Active Directory Attribute
    • Mapping the Primary Group ID to an Active Directory Attribute
    • Mapping the Group ID in Group Accounts to an Active Directory Attribute
    • Specifying a Preferred Active Directory Server
    • Changing the Active Directory Groups That Can Administer the Computer
    • Controlling Authentication from All Domains in the Active Directory Forest

  • Click Bind, use the following to authenticate as a user who has rights to bind a computer to the Active Directory domain, select the search policies you want Active Directory added to (see below), and click OK:

    • Username and Password: You might be able to authenticate by entering the name and password of your Active Directory user account, or the Active Directory domain administrator might need to provide a name and password.
    • Computer OU: Enter the organizational unit (OU) for the computer you’re configuring.
    • Use for authentication: Use to determine whether Active Directory is added to the computer’s authentication search policy.
    • Use for contacts: Use to determine whether Active Directory is added to the computer’s contacts search policy.
    When you click OK, Directory Utility sets up trusted binding between the computer you’re configuring and the Active Directory server. The computer’s search policies are set according to the options you selected when you authenticated, and Active Directory is enabled in Directory Utility’s Services pane.
    With the default settings for Active Directory advanced options, the Active Directory forest is added to the computer’s authentication search policy and contacts search policy if you selected “Use for authentication” or “Use for contacts.”
    However, if you deselect “Allow authentication from any domain in the forest” in the Administrative advanced options pane before clicking Bind, the nearest Active Directory domain is added instead of the forest.
    You can change search policies later by adding or removing the Active Directory forest or individual domains. For more information, see Defining Custom Search Policies.

  • (Optional) Join the server to the Active Directory Kerberos realm:

    • On the server or an administrator computer that can connect to the server, open Server Admin and select Open Directory for the server.
    • Click Settings, then click General.
    • Click Join Kerberos, then choose the Active Directory Kerberos realm from the pop-up menu and enter credentials for a local administrator on this server.


For more information, see Joining a Server to a Kerberos Realm.
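
As an added example (not part of the Apple help text or the original post), the shell functions below pre-check the two values typed into the bind dialog: the Computer ID, against the hyphen restriction in the Important note, and the domain's DNS name, from which they derive the DN of the default Computers container as a candidate Computer OU. The 15-character limit, the use of the default container, the function names and the sample names are assumptions not stated on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks for values entered in the bind dialog.
# LAB-MAC01, LABMAC01 and corp.example.com are constructed sample values.

# Print "ok" and return 0 if the Computer ID is safe to bind with;
# otherwise print the reason and return 1.
check_computer_id() {
    id=$1
    case $id in
        "")  echo "empty Computer ID"; return 1 ;;
        *-*) echo "contains a hyphen; binding may fail"; return 1 ;;
    esac
    # Assumption (not from the page): AD computer names are limited
    # to 15 characters.
    if [ "${#id}" -gt 15 ]; then
        echo "longer than 15 characters"; return 1
    fi
    echo "ok"
}

# Convert the AD domain's DNS name into the DN of its default Computers
# container, e.g. corp.example.com -> CN=Computers,DC=corp,DC=example,DC=com
default_computer_ou() {
    domain=$1
    case $domain in
        ""|.*|*.|*..*|*[!A-Za-z0-9.-]*)
            echo "invalid DNS name" >&2; return 1 ;;
        *.*) ;;  # at least two labels: acceptable
        *)  echo "not a fully qualified DNS name" >&2; return 1 ;;
    esac
    dn="CN=Computers"
    old_ifs=$IFS; IFS=.
    for label in $domain; do      # split on dots, one DC= per label
        dn="$dn,DC=$label"
    done
    IFS=$old_ifs
    echo "$dn"
}

# Demonstration on the constructed sample values.
for id in LAB-MAC01 LABMAC01; do
    printf '%s: %s\n' "$id" "$(check_computer_id "$id")"
done
default_computer_ou corp.example.com
```

Confirm the resulting OU with the Active Directory domain administrator before binding, since many organizations place Macs in a dedicated OU rather than the default container.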
