Join Mac OS X Mojave to Active Directory Using Built In Tools

Mac AD Join Successful

Joining a Mac to Active Directory has continued to get more and more difficult over the years. High Sierra and Mojave now require an Active Directory functional level of Windows Server 2008 or later, and they are still pretty tricky to get joined.

When I started researching the topic I saw a whole lot of advice to install third party software to join a Mac to Active Directory. In most corporate environments installing third party software is frowned upon due to licensing and security considerations so I was determined to get the native Mac OS X tools to work.

This guide will walk you through the basic steps to join Active Directory without having to resort to using third party software.

Configure DNS Settings

One of the big roadblocks to joining Active Directory is DNS settings. In many networks DHCP won’t populate everything you need. Windows can get away with this but when we are joining our Mac we need to make sure everything is populated.

The easiest way to get everything you need is to issue an ipconfig /all from the command prompt of a Windows machine that is already joined:

C:\Users\JChambers>ipconfig /all

Windows IP Configuration
Host Name . . . . . . . . . . . . : TESTMACHINE
Primary Dns Suffix . . . . . . . : example.test.domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : example.test.domain.com
                                    test.domain.org
                                    test3.test.com


Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : example.test.domain.com
Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217
Physical Address. . . . . . . . . : FF-FC-FF-3C-C1-F4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 211.211.77.112(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Lease Obtained. . . . . . . . . . : Thursday, May 2, 2019 11:38:56 AM
Lease Expires . . . . . . . . . . : Thursday, May 2, 2019 7:40:38 PM
Default Gateway . . . . . . . . . : 211.211.76.1
DHCP Server . . . . . . . . . . . : 211.211.76.19
DNS Servers . . . . . . . . . . . : 172.1.2.233
                                    172.1.2.231
                                    172.1.26.7
NetBIOS over Tcpip. . . . . . . . : Enabled

The entries you need to verify are the Primary Dns Suffix, the DNS Suffix Search List and the DNS Servers.

You want to make sure that all of the DNS Suffix Search List entries are listed in the “Search Domains” box pictured below:

Mac DNS Settings

Next, verify that all of the DNS servers shown on your Windows machine are also entered in the Mac's DNS servers list. On my machine DHCP supplied all of the DNS servers but only one of the search domains. Make sure it matches your already-joined machine!
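As an added example (not part of the original post), the following script turns the DNS fields of a joined Windows machine's ipconfig /all output into the macOS networksetup commands that set the same Search Domains and DNS Servers on the Mac. The sample input is constructed from the output quoted above, and the service name "Ethernet" is an assumption; use whatever networksetup -listallnetworkservices reports on your Mac.

```shell
#!/bin/sh
# Added example (not from the original post): mirror the DNS settings of an
# already-joined Windows machine onto a Mac by parsing "ipconfig /all" output.

# Constructed sample: the relevant lines of the ipconfig /all output quoted
# in the guide (the guide's example values, not real hosts).
SAMPLE_IPCONFIG='Windows IP Configuration
Host Name . . . . . . . . . . . . : TESTMACHINE
Primary Dns Suffix . . . . . . . : example.test.domain.com
DNS Suffix Search List. . . . . . : example.test.domain.com
                                    test.domain.org
                                    test3.test.com

Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : example.test.domain.com
DNS Servers . . . . . . . . . . . : 172.1.2.233
                                    172.1.2.231
                                    172.1.26.7
NetBIOS over Tcpip. . . . . . . . : Enabled'

# Print every value of a multi-valued ipconfig field, one per line: the text
# after the colon on the line that starts with KEY, plus the indented
# continuation lines (no colon) that follow it. Reads ipconfig output on
# stdin; CRLF line endings from Windows are stripped first.
ipconfig_field() {
  tr -d '\r' | awk -v key="$1" '
    index($0, key) == 1 && index($0, ":") > 0 {
      sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; grab = 1; next
    }
    grab && index($0, ":") == 0 && $0 ~ /[^ \t]/ {
      gsub(/^[ \t]+|[ \t]+$/, ""); print; next
    }
    { grab = 0 }'
}

# Same values joined with single spaces on one line, the form networksetup
# expects for its argument list.
ipconfig_values() {
  ipconfig_field "$1" | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $0 } END { print "" }'
}

# Print the commands that copy the Windows search list and DNS servers to the
# Mac. $1 is the macOS network service name as listed by
# "networksetup -listallnetworkservices" (for example "Wi-Fi" or "Ethernet").
mac_dns_commands() {
  svc="$1"
  input=$(cat)
  search=$(printf '%s\n' "$input" | ipconfig_values "DNS Suffix Search List")
  servers=$(printf '%s\n' "$input" | ipconfig_values "DNS Servers")
  printf 'sudo networksetup -setsearchdomains "%s" %s\n' "$svc" "$search"
  printf 'sudo networksetup -setdnsservers "%s" %s\n' "$svc" "$servers"
}

# Usage: save the Windows output to a file and run
#   mac_dns_commands Ethernet < ipconfig.txt
# Review the two printed lines, run them on the Mac, then confirm with
# "networksetup -getsearchdomains Ethernet" and "scutil --dns".
printf '%s\n' "$SAMPLE_IPCONFIG" | mac_dns_commands Ethernet
```

The script only prints the commands rather than running them, so you can compare the search list against the Windows machine before changing anything; the Primary Dns Suffix value it can also extract is the FQDN you will enter as the server when binding.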

Configure Network “Sharing” Name

Go to the Settings app on your Mac again and choose “Sharing”.

Mac Sharing Computer Name Settings

This part is easy. Set this to the computer name you are going to join the domain with. Usually the existing one will be something like “admin’s iMac”.

Mac AD Join Successful

Prestaging AD Computer Account

Next open up Active Directory and create a new “Computer” account.

Active Directory New Computer (Menu)

I strongly recommend keeping your Mac name to 15 characters or less. This is demonstrated in the screenshot below. If that isn’t possible then use the pre-Windows 2000 computer name when you join Active Directory or you will get an error (see Troubleshooting).

Active Directory New Computer (Dialog Box)

Press OK to create the Active Directory account. Now switch back to the Mac and let’s perform the bind.

Join Active Directory

Next go back to the Settings app and choose “Users and Groups”.

Mac Users and Groups Settings

From here we are going to select “Login Options” in the bottom left hand of the screen. You will now see a “Network Account Server” with a Join button. Click join and fill everything out as follows:

Mac Active Directory Enrollment

Use your fully qualified domain name (FQDN). This is usually the same as the “Primary DNS Suffix” we got from the Windows machine. Spelling it out in full sidesteps any DNS configuration shenanigans.

For the Active Directory settings put in the pre-Windows 2000 computer name from the above step. If you chose a name of 15 characters or less they will both be the same.

For your AD username don’t try to use anything like DOMAIN\user or user@domain. We have already fully qualified our server in the server field so this is not necessary and will cause problems. Enter it as in the example above.

Now press OK and with any luck you will be met with a screen that looks like this:

Mac AD Join Successful
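The Sharing name step and the Users & Groups join step above both have command-line equivalents, shown here as an added example that is not part of the original post. The script first applies the 15-character name rule the guide insists on (expressed as the NetBIOS naming convention: letters, digits and hyphens only), then prints the scutil and dsconfigad commands for the name and the bind. All names, the domain and the username are placeholders; the claim that dsconfigad prompts for the password when -password is omitted is an assumption to check against man dsconfigad.

```shell
#!/bin/sh
# Added example (not from the original post): command-line equivalents of the
# Sharing name step and the Active Directory bind, guarded by the name check.

# Return 0 if NAME is usable as the pre-Windows 2000 (NetBIOS) computer name:
# 1 to 15 characters, letters, digits and hyphens only, not starting or ending
# with a hyphen. Names like "admin's iMac" fail on the apostrophe and space.
ad_name_ok() {
  name="$1"
  [ "${#name}" -ge 1 ] && [ "${#name}" -le 15 ] || return 1
  case "$name" in
    -*|*-) return 1 ;;
    *[!A-Za-z0-9-]*) return 1 ;;
  esac
  return 0
}

# Print the scutil commands that set the three macOS name fields behind the
# Sharing pane to NAME, so the name the Mac advertises matches the AD account.
mac_name_commands() {
  ad_name_ok "$1" || { printf 'invalid computer name: %s\n' "$1" >&2; return 1; }
  printf 'sudo scutil --set ComputerName "%s"\n' "$1"
  printf 'sudo scutil --set LocalHostName "%s"\n' "$1"
  printf 'sudo scutil --set HostName "%s"\n' "$1"
}

# Print the dsconfigad bind command matching the dialog fields: $1 is the
# domain FQDN (the Primary Dns Suffix), $2 the prestaged computer name, $3 the
# bare AD username (no DOMAIN\ prefix or @domain suffix, as the guide says).
# The password is deliberately not passed on the command line: dsconfigad
# prompts for it when -password is omitted (assumed behaviour; see "man
# dsconfigad"), which keeps it out of shell history and the process list.
ad_join_command() {
  ad_name_ok "$2" || { printf 'invalid computer name: %s\n' "$2" >&2; return 1; }
  case "$3" in
    *\\*|*@*)
      printf '%s\n' 'use the bare username, not DOMAIN\user or user@domain' >&2
      return 1 ;;
  esac
  printf 'sudo dsconfigad -add %s -computer %s -username %s\n' "$1" "$2" "$3"
}

# Usage (placeholder values; substitute your own):
#   mac_name_commands MAC-TEST-01
#   ad_join_command example.test.domain.com MAC-TEST-01 jchambers
# After a successful bind, "dsconfigad -show" prints the bound domain and
# computer account, and "id someaduser" confirms lookups reach the domain.
mac_name_commands MAC-TEST-01
ad_join_command example.test.domain.com MAC-TEST-01 jchambers
```

Both functions print rather than execute, so a bad name is caught before the Mac's hostname is changed or a bind is attempted; the username check mirrors the guide's warning that DOMAIN\user and user@domain forms cause problems once the server field already carries the FQDN.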

Troubleshooting

Plugin Error 10001

Mac AD Plugin Error 10001

This is the most common error you will get when you try to join High Sierra or Mojave to Active Directory. There are a few reasons it can come up.

Apple states that your Active Directory needs to be at a functional level of Windows Server 2008 to work unless you enable “weak encryption” RC4 algorithm support in your forest. This would be a terrible idea as RC4 was broken many years ago and is a joke to crack.

However, even with a functional level of 2008, I have yet to see it work without prestaging the computer in Active Directory first and then attempting to join. Prestaging has fixed this error on all of the Macs I have joined to domains.

There are a few other requirements on Apple's list that could be contributing, but with prestaging you will likely be able to bind even without things like extended schema support.

Plugin Error 5103

Mac AD Plugin Error 5103

This error is frequently encountered if the name of your PC is too long. You should join the domain with the “pre-Windows 2000” computer name or even better choose a name for the Mac that is 15 characters or less.

My domain ends with .local

This is bad. Very bad. This has been a long-standing issue with joining Macs to Active Directory, as .local is what Apple’s own Bonjour uses by default. It used to be a matter of simply changing or disabling Bonjour, but that is no longer effective.

Using .local has been against best practices for many years but not everyone has migrated their domains yet. If you are stuck in this situation and telling your sysadmins to get a grip and migrate their domain is not an option then you may have to consider a third party AD stack. Here’s a lengthy spiceworks discussion on this topic.

If you have found a workaround for this issue in Mojave or High Sierra, definitely drop a comment below so we can share it. I was not able to find an instance of anyone getting around this in the newer versions of OS X without going third party.

Conclusion

As long as you aren’t in a .local domain, the native built-in tools should prove perfectly sufficient to join Mac OS X High Sierra and Mojave, provided we use prestaging.

That being said I can only speak for the environments I have worked in. If you follow this guide and encounter additional problems definitely leave a comment below so we can get that information out there!

You should also check out Apple’s Active Directory integration guide, as they cover some requirements that you may have run into that I didn’t.

5 thoughts on “Join Mac OS X Mojave to Active Directory Using Built In Tools”

  1. Patrick

    Hi, I tried all that you said, but after I join to the domain an error prompt occurs:
    “Unable to add server.”
    Host not found
    (9007)

  2. Santiago Cordoba

    Currently it is working without issues when connected to the network where the Domain Controller is, but on an external network where the Mac has no connection with the domain controller it is not working.

    How can I resolve this issue?
    Do you have a guide or manual where you explain how to solve it?

    Thanks in advance
    Regards

    1. James A. Chambers

      Is a VPN connection an option for enrollment? I’ve used a VPN connection to enroll devices that live primarily off the network that has the domain controller.

      If you choose this method you will likely need to create a “mobile account” or else whenever the domain controller can’t be contacted the user will not be able to log in.

      If you just need to access printers and network shares you may want to consider leaving them unjoined and having users go to their smb path. For example, open a Finder window and then choose the “Go” menu at the top of the screen and “Connect to server”. The network path for a Windows share such as \\server\share would be smb://server/share. The user then will enter their AD username/password and be granted access to the share.
