Deploying Apple iMacs to an Active Directory Network

So, the day has come to deploy some Apple iMacs to one of our computer labs where I work. With little experience using an iMac, we set out to accomplish this task. The Apple GUI took a little getting used to, but with a little exploring things came very easily. There is not much difference between Snow Leopard and many Linux distributions.

The task at hand is to integrate the new iMacs into an Active Directory network. Our student server is running Microsoft Windows Server 2008. The plan is for students in our Medical Assisting, Electrical Technology, and Information Technology programs to log into the network and do their work as if they were sitting in front of a Windows XP or Windows 7 client. We also want our Information Technology students to be able to run multiple operating systems in a virtualized environment using Oracle’s VirtualBox. After our exploring we discovered where to go to join the iMacs into our Active Directory network.

The whole process of joining the iMacs to our Active Directory domain is as follows:

  • Go to Users & Groups
  • If you need to Unlock, use your administrator user name and password
  • Click on Login Options

Now, you want to make sure of the following:

  • Set Auto Login to Off
  • Display login window as: Username and Password. If not, your login screen will be overwhelmed with user icons
  • The option Allow network users to log in at login window appears after the computer has been joined to the domain. It will be checked off by default
  • The other options on this screen can be selected or deselected depending on your needs
  • Click on Join to the right of Network Account Server

Now, click on the Open Directory Utility button and do the following:

  • Go to Services
  • Select Active Directory
  • Click the Pencil icon
  • Leave the Active Directory Forest at the default
  • Enter your Active Directory Domain Name
  • Enter the Client Computer ID (the name you want for the iMac; also synchronize the iMac’s host name (go to System Preferences / ) with whatever you enter here)
  • Go to Advanced Options

    1. On the User Experience tab –

    • Check Create mobile account at login
    • Uncheck Use UNC path from Active Directory to derive network home location
    • Uncheck Force local home directory on startup disk
    • Leave the rest at the default

    2. On the Administrative tab –

    • Check Prefer this domain server and enter your-server-name.domain-name.local
    • Check Allow administration by:. Leave default entries
    • Uncheck Allow authentication from any domain in the forest
    • Click Bind
    • Enter your Active Directory Administrator’s username and password
    • Click OK

After you click OK you should see it going through the process of joining the domain. When completed, you will see a green dot next to Network Account Server.

That is it; your iMac should now be a member of the Active Directory domain. One way to check this is to look in Active Directory Users and Computers at your server to see if your iMac’s Client name is listed or better yet, log off and try to log in.

But hold on, when we logged off of our iMacs and got to the login screen, we received the following message:

Network accounts are unavailable

What to do now? Experimentation!

1. Update all of the software.
2. Try to rebind to Active Directory.
3. Adjust some settings under Advanced Options.
4. Repair permissions through Disk Utility on reboot. We actually had to rebind the machine after doing this.

For us none of this worked – though running an update is always a good thing, right? After doing some research on the Internet I saw some comments about the Search Policy. At first this looked OK, but it actually was not. There were two listings that looked like this:

/local/default
/Active Directory/YOUR_DOMAIN

When clicking on the add button, the following entry was available:

/Active Directory/YOUR_DOMAIN/your_domain.local

Once you add the new entry, make that the first one in the list (if you keep the other entry). Once this was added to the Directory Domains list under Search Policies we were able to log into the iMac with an Active Directory domain user.
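The search policy check described above can be scripted so it can be repeated across a lab of machines. This is an added example, not part of the original post: the function name check_search_policy is hypothetical, the sample listings are constructed from the entries shown above, and it assumes the policy text comes from `dscl /Search -read / CSPSearchPath` with one node per line. It treats "first in the list" as "ahead of any other Active Directory entry".

```shell
#!/bin/sh
# Added example (not from the original post): audit the directory search
# policy for the fully qualified Active Directory node.
# Assumption: stdin is the output of `dscl /Search -read / CSPSearchPath`.
# On a bound Mac:
#   dscl /Search -read / CSPSearchPath | \
#     check_search_policy "/Active Directory/YOUR_DOMAIN/your_domain.local"

# check_search_policy NODE   (policy text on stdin)
#   returns 0: NODE is listed ahead of every other Active Directory node
#           1: NODE is missing from the search policy
#           2: NODE is listed, but another Active Directory node precedes it
check_search_policy() {
    want=$1
    result=1
    seen_other_ad=0
    while IFS= read -r line; do
        # Strip the attribute header and surrounding whitespace.
        node=$(printf '%s\n' "$line" | sed -e 's/^CSPSearchPath:[[:space:]]*//' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -n "$node" ] || continue
        if [ "$node" = "$want" ]; then
            if [ "$seen_other_ad" -eq 1 ]; then result=2; else result=0; fi
            break
        fi
        case $node in
            "/Active Directory/"*) seen_other_ad=1 ;;
        esac
    done
    return "$result"
}

# Constructed sample listings (placeholders taken from the post).
BEFORE_FIX='CSPSearchPath:
 /local/default
 /Active Directory/YOUR_DOMAIN'

AFTER_FIX='CSPSearchPath:
 /local/default
 /Active Directory/YOUR_DOMAIN/your_domain.local
 /Active Directory/YOUR_DOMAIN'

MISORDERED='CSPSearchPath:
 /local/default
 /Active Directory/YOUR_DOMAIN
 /Active Directory/YOUR_DOMAIN/your_domain.local'
```

A return code of 1 or 2 on a bound machine points at the search policy as the place to look when the login window reports that network accounts are unavailable.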

After this success it was on to the next part of the project – using the iMacs as the host to virtualized Microsoft Windows client/server operating systems. But that is another story.
