Mac – the easiest way to implement Macs in a Windows (Active Directory) domain

Tags: active-directory, mac, mac-osx

I am working at the operations department at a large, mostly Windows based, IT solutions company. Personally I am a Mac user, but I mostly use my Mac in "Mac environments".

We have got an inquiry about getting some Macs into the network domain. The main reason for this is authentication (the Mac users are already members of the domain and would like to login with these credentials), and to mount some network drives.

I have not done this before, and would like to know your ideas of the best way to implement these Macs into the domain. We are looking for a free, or at least inexpensive, solution for this. I have looked into some of the solutions out there but would appreciate some feedback from someone who has worked with this in a production environment.

Best Answer

As already mentioned here, joining a Mac to a Windows domain is relatively easy. Moreover, as of 10.5 it can be done entirely from the command line, including where to put the computer if you prefer to put it in a non-default location. In fact, I developed just such a script for our engineers to use as a basis for migrating systems over. I found this document to be an incredible supplement to Apple's own documentation: Leveraging Active Directory on Mac OS X

However, I have not converted the Macs in my environment because of the problem with user authorization. I find this to be a big problem, but I also work in Security :) There are AD extensions for the OSX attributes so you can get some of the same levels of configuration that you do with Windows in AD. However, your AD environment must be extended to support them.

If you don't mind having unmanaged machines where anybody with credentials can login, then add them. Having centralized authentication is almost always preferred. Unfortunately, for my systems, this limitation was a show stopper.

There is documentation on setting up an OSX Server as a middle-man between your Macs and the AD servers. You run OpenDirectory in what they call ‘subordinate’ mode. Supposedly, you can then completely manage the Macs as you would ordinarily, except the authentication is passed along to the AD box. The idea being that you will perform your user authorization at the OD server, and join your Macs to it (while also putting them in the AD kerberos domain). It sounds promising, but as I said, I did not have success getting the authorization to work correctly. The instructions are also in the pdf linked above.
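As an added illustration of the command-line bind the answer describes (this is example code, not the answerer's script or Apple's documentation), the script below drives `dsconfigad` to join a Mac to AD, places the computer object in a chosen OU, grants local admin to one AD group, and restricts the login window to another AD group via the local `com.apple.access_loginwindow` group, which is the usual mitigation for "anybody with credentials can log in". It assumes the 10.6+ `dsconfigad` option syntax (10.5 uses short `-a/-u/-p` flags), and the domain, OU, account and group names are constructed placeholders.

```shell
#!/bin/sh
# Added example: bind a Mac to AD from the command line and restrict who may log in.
# Every name below is a constructed placeholder; override via the environment.
AD_DOMAIN="${AD_DOMAIN:-corp.example.com}"                            # assumed AD domain
AD_OU="${AD_OU:-OU=Macs,OU=Workstations,DC=corp,DC=example,DC=com}"   # assumed target OU
AD_JOIN_USER="${AD_JOIN_USER:-svc-macjoin}"                            # assumed join account
AD_ADMIN_GROUP="${AD_ADMIN_GROUP:-CORP\\mac-admins}"                   # assumed local-admin group
AD_LOGIN_GROUP="${AD_LOGIN_GROUP:-CORP\\mac-users}"                    # assumed login-allowed group
DRY_RUN="${DRY_RUN:-1}"                                                # 1 = print only, 0 = execute

# Sanity-check the OU before handing it to dsconfigad: an LDAP DN made of
# one or more OU= components followed by DC= components, nothing else.
valid_ou_dn() {
    printf '%s' "$1" | grep -Eq '^(OU=[^,]+,)+(DC=[^,]+,)*DC=[^,]+$'
}

# Join command. -password is deliberately omitted so dsconfigad prompts for it
# instead of exposing the join account's password in the process list.
build_bind_cmd() {
    printf 'dsconfigad -add %s -computer %s -username %s -ou "%s" -force' \
        "$AD_DOMAIN" "$1" "$AD_JOIN_USER" "$AD_OU"
}

# Post-join policy: mobile accounts for laptops, local home folders, one AD
# group as local admins, and required LDAP signing/sealing to the DCs.
build_policy_cmd() {
    printf 'dsconfigad -mobile enable -mobileconfirm disable -localhome enable -groups "%s" -packetsign require -packetencrypt require -passinterval 14' \
        "$AD_ADMIN_GROUP"
}

# Restrict the login window to one AD group via the local access group.
# The group is created first (ignore the error if it already exists).
build_login_acl_cmds() {
    printf 'dseditgroup -o create -n /Local/Default com.apple.access_loginwindow || true\n'
    printf 'dseditgroup -o edit -n /Local/Default -a "%s" -t group com.apple.access_loginwindow\n' \
        "$AD_LOGIN_GROUP"
}

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "[dry-run] $1"; else eval "$1"; fi
}

# Full bind for one computer id; every command is printed first under DRY_RUN=1.
bind_mac() {
    valid_ou_dn "$AD_OU" || { echo "refusing to bind: bad OU DN '$AD_OU'" >&2; return 1; }
    run "$(build_bind_cmd "$1")" || return 1
    run "$(build_policy_cmd)" || return 1
    build_login_acl_cmds | while IFS= read -r cmd; do run "$cmd" || exit 1; done
}
```

Run as root with `DRY_RUN=0 AD_OU='OU=...' ./bind.sh` after reviewing the dry-run output; verify the result with `dscl "/Active Directory/CORP/All Domains" -read /Users/<someuser>` and `id <someuser>`.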