Binding a Mac to an Active Directory domain with the command line
Directory Utility and the directory payload functionality are accessible from the command-line interface with the
dsconfigad command. For example, you can use the following command to join a system to Active Directory:
dsconfigad -preferred <ads01.example.com> -a <computername> -domain example.com -u administrator -p <password>
After you bind a Mac to the domain, you can use
dsconfigad to set the administrative options in Directory Utility:
dsconfigad -alldomains enable -groups domain <firstname.lastname@example.org>, enterprise <email@example.com>
dsconfigad in a script, you must include the clear-text password used to join to the domain. Typically, an Active Directory user with no other administrator privileges is delegated the responsibility of joining Mac computers to the domain. This user name and password pair is stored in the script. It’s common practice for the script to securely delete itself after binding so that this information doesn’t reside on the storage device.
Advanced command line options
The native support for Active Directory includes options that aren’t exposed in the Directory Utility app. To access these advanced options, use either the Directory payload in a configuration profile, or the
dsconfigad command-line tool. Open Terminal and type
man dsconfigad for complete usage. See Advanced Active Directory payload options in MDM Settings for IT Administrators.
Computer object password interval
When a Mac system is bound to Active Directory, it sets a computer account password that’s stored in the system keychain and is automatically changed by the Mac. The default password interval is every 14 days, but you can use the directory payload or
dsconfigad command-line tool to set any interval that your policy requires.
Setting the value to 0 disables automatic changing of the account password:
dsconfigad -passinterval 0
Note: The computer object password is stored as a password value in the system keychain. To retrieve the password, open Keychain Access, select the system keychain, then select the Passwords category. Find the entry that looks like /Active Directory/DOMAIN where DOMAIN is the NetBIOS name of the Active Directory domain. Double-click this entry, then select the “Show password” checkbox. Authenticate as a local administrator as needed.
macOS supports authenticating multiple users with the same short names (or login names) that exist in different domains within the Active Directory forest. By enabling namespace support with the Directory payload or the
dsconfigad command-line tool, a user in one domain can have the same short name as a user in a secondary domain. Both users have to log in using the name of their domain followed by their short names (DOMAIN\short name), similar to logging in to a Windows PC. To enable this support, use the following command:
dsconfigad -namespace <forest>
Packet signing and encryption
The Open Directory client can sign and encrypt the LDAP connections used to communicate with Active Directory. With support for signed SMB in macOS, it shouldn’t be necessary to downgrade the site’s security policy to accommodate Mac computers. The signed and encrypted LDAP connections also eliminate any need to use LDAP over SSL. If SSL connections are required, use the following command to configure Open Directory to use SSL:
dsconfigad -packetencrypt ssl
Note that the certificates used on the domain controllers must be trusted for SSL encryption to be successful. If the domain controller certificates aren’t issued from the macOS native trusted system roots, install and trust the certificate chain in the System keychain. Certificate authorities trusted by default in macOS are in the System Roots keychain. To install certificates and establish trust, do one of the following:
Import the root and any necessary intermediate certificates using the certificates payload in a configuration profile.
Use Keychain Access located in /Applications/Utilities/.
Use the security command as follows:
/usr/bin/security add-trusted-cert -d -p basic -k /Library/Keychains/System.keychain <path/to/certificate/file>
Restrict Dynamic DNS
macOS attempts to update its Address (A) record in DNS for all interfaces by default if there are multiple configured interfaces, this may result in multiple records in DNS. To manage this behavior, specify which interface to use when updating the Dynamic Domain Name System (DDNS) by using the Directory payload or the
dsconfigad command-line tool. Specify the BSD name of the interface in which to associate the DDNS updates. The BSD name is the same as what’s in the Device field, returned by running this command: