Integrating Mac OS X and Active Directory

Mac OS X and Mac OS X Server have been designed to fit into existing enterprise directory services. Apple’s extensible Open Directory architecture integrates with standards-based LDAP directory services, including Sun JAVA Enterprise Directory Server and IBM Directory Server, as well as with proprietary ones such as Microsoft’s Active Directory.


Mac Computers on Windows Networks

Apple has gone well beyond generic standards-based support. Mac OS X builds in support for all of Microsoft’s proprietary Active Directory services: Microsoft Kerberos authentication; Active Directory authentication policies, such as password changes, expiration and forced password changes; and Active Directory replication and failover.

Network Diagram

This means Mac computers work with Active Directory in much the same way Windows clients do. Macintosh systems can use existing Active Directory networks and Exchange mail servers, Microsoft’s VPN server and Microsoft Office applications. Administrators can maintain Mac OS X user names and passwords in Active Directory, authenticate Mac OS X users with Active Directory and allow users to mount their network home directory based on information stored in Active Directory. Mac OS X can also discover multiple domain controllers and automatically determine the closest one. If a domain controller becomes unavailable, the Mac system uses another nearby domain controller.
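The domain-controller discovery and failover described above rests on the DNS SRV records that Active Directory publishes for its controllers (for example under `_ldap._tcp.dc._msdcs.<domain>`): a client orders the candidates by priority and weight and moves to the next one when a controller does not answer. The following is an added example, not Apple's code or part of the original page, that shows that selection and failover logic over constructed sample records. The hostnames, the `corp.example` domain and the simulated reachability probe are assumptions for illustration; the site-based "closest controller" affinity the text mentions is not modelled here.

```python
"""Domain-controller selection and failover from DNS SRV records.

Added example (not Apple's code). Active Directory publishes its domain
controllers as DNS SRV records such as _ldap._tcp.dc._msdcs.<domain>;
a client sorts candidates by priority, then by weight, and falls back to
the next candidate when one is unreachable. The records below are
constructed sample data, not the result of a real lookup.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    target: str
    port: int
    priority: int  # lower is preferred (RFC 2782)
    weight: int    # higher is preferred within one priority level


# Constructed sample: what a lookup of _ldap._tcp.dc._msdcs.corp.example
# might return (hypothetical hosts, not real infrastructure).
SAMPLE_RECORDS = [
    SrvRecord("dc2.corp.example", 389, 10, 100),
    SrvRecord("dc1.corp.example", 389, 0, 100),
    SrvRecord("dc3.corp.example", 389, 0, 50),
]


def order_domain_controllers(records):
    """Return candidates in preference order: lowest priority first and,
    within the same priority, highest weight first.

    RFC 2782 specifies a weighted random choice within a priority level;
    this example uses a deterministic ordering (ties broken by hostname)
    so the result is reproducible.
    """
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def pick_domain_controller(records, unreachable=frozenset()):
    """Return the most preferred controller whose target is not in the
    unreachable set, or None when every candidate is unavailable."""
    for rec in order_domain_controllers(records):
        if rec.target not in unreachable:
            return rec
    return None


def failover_sequence(records, probe):
    """Try controllers in preference order until probe(record) reports one
    as reachable. Returns (chosen_record_or_None, list_of_targets_tried),
    so an administrator can see which controllers were skipped."""
    tried = []
    for rec in order_domain_controllers(records):
        tried.append(rec.target)
        if probe(rec):
            return rec, tried
    return None, tried


if __name__ == "__main__":
    # Simulated probe: dc1 is down, so the client should settle on dc3,
    # the next-best controller at the same priority level.
    down = {"dc1.corp.example"}
    chosen, tried = failover_sequence(SAMPLE_RECORDS,
                                      lambda r: r.target not in down)
    print("tried:", tried)
    print("using:", chosen.target if chosen else None)
```

In a real client the probe would be an LDAP bind or a Kerberos exchange against the candidate's port, and a controller that fails the probe should be logged rather than silently skipped; an unexpected preference order or repeated failovers is worth investigating as a sign of DNS or replication trouble.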

Because these capabilities are built into Mac OS X, you can take advantage of them without expensive software add-ons or time-consuming changes to the Active Directory schema.

Apple Servers on Windows Networks

With new Directory Access modules, Apple servers can access account records stored in Active Directory — without requiring any modifications to the Active Directory schema. This enables Windows-based departments or workgroups to take advantage of the low-cost SMB file services in Mac OS X Server, while integrating with their existing Active Directory infrastructure for user account information and authentication. Secure network services — including network home directories — hosted on Mac OS X Server even support single sign-on for clients authenticated using Microsoft’s proprietary Kerberos implementation.

Using the powerful Workgroup Manager application in Mac OS X Server, it’s also possible to manage Mac clients on networks that rely exclusively on Active Directory. This requires some additional configuration of the Active Directory schema to include the necessary records and attributes. Administrators who prefer to use scripts can automate the process using the included command-line tools.