Joining an Active Directory domain

This topic shows how to use the Centrify Join Assistant to join a domain. To join a domain, you must be a domain admin or a domain user with permission to create computer objects. If necessary, your domain administrator can use the Delegation Wizard to delegate permission to create computer objects. Refer to https://blogs.technet.microsoft.com/dubaisec/2016/02/01/who-can-add-workstation-to-the-domain/ for more information about joining workstations to a domain.

Note:   Alternatively, you can run the adjoin command-line utility, interactively or in a script, on each Macintosh computer you want to add to a domain in the forest. See the Administrator’s Guide for Linux and UNIX for details.

To join the Mac to a domain:

  1. Launch the Centrify Join Assistant.

    There are two ways to launch the Centrify Join Assistant:

  2. Enter the Active Directory domain that you want to join and the administrator credentials for that domain, then click Continue.

    A page appears that allows you to select how to join the domain with an option to enroll in the Privileged Access Service.

  3. Select from the following options:

    | Select this option | To do this |
    | --- | --- |
    | Auto | Joins the computer through Auto Zone, which allows joining a computer with little or no configuration. This option is recommended for most installations. |
    |  | Joins to the zone that you type in the box. Note that you must have created at least one zone before you can use this option. |
    | Computer name | Defaults to the name of the computer on which you are running the join assistant, but you can change it if you want to use a different name for the local host in Active Directory. |

    Note:   Enrollment is no longer supported by Centrify.

  4. (Optional) Click the arrow to expand the Advanced Options and select any Advanced Options that you want to use to join the device.

    | Select this option | To do this |
    | --- | --- |
    | Overwrite existing joined computer | Overwrite the information stored in Active Directory for an existing computer account. This option allows you to replace the information for a computer previously joined to the domain. If there is already a computer account with the same name stored in Active Directory, you must use this option if you want to replace the stored information. You should only use this option when you know it is safe to force information from the local computer to overwrite existing information. Checking this option is the same as running the adjoin command with the --force option. |
    | Container DN | Specify the distinguished name (DN) of the container or Organizational Unit in which you want to place this computer account. By default, computer accounts are created in the domain’s default Computers container. Click Browse to browse Active Directory and select the container to use, or click Container DN and enter the name of the container in distinguished name format; for example, if the domain suffix is acme.com and you want to place this computer in the paris.regional.sales.acme.com organizational unit, you would type: ou=paris, ou=regional, ou=sales. Checking this option is the same as running the adjoin command with the --container option. |
    | Preferred Domain Server | Specify the name of the domain controller to which you prefer to connect. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information. Checking this option is the same as running the adjoin command with the --server option. |
    | Computer Alias Name | Specify an alias name you want to use for this computer in Active Directory. This option creates a Kerberos service principal name for the alias and the computer may be referred to by this alias. Checking this option is the same as running the adjoin command with the --alias option. |

  5. Click Join.

    Centrify Join Assistant informs you that you have successfully joined your Mac to your Active Directory domain at <mydomain.com>.

  6. Click Done to close the installer.

    Your Active Directory users can now log on to the joined Mac computer, as described in Logging on to the Mac after joining a domain.
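
For scripted joins, the Join Assistant choices above map onto adjoin options. The following is an added example, not Centrify's own code: it only prints the command line for review and refuses to add --force unless the operator restates the computer account being overwritten. The environment variable names and the CONFIRM_OVERWRITE guard are assumptions; --workstation, --zone, --name and --user are adjoin options taken from the adjoin command reference rather than from this page.

```shell
#!/bin/sh
# Added example: prints an adjoin command line for review; it never runs adjoin.
# All environment variable names here are assumptions made for this sketch.

safe() {  # true only if $1 is non-empty and holds no shell-special characters
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9=, ._@-')" ]
}

add_opt() {  # add_opt FLAG VALUE: append "FLAG 'VALUE'" to $cmd if VALUE is set
    [ -n "$2" ] || return 0
    safe "$2" || { echo "invalid value for $1" >&2; return 2; }
    cmd="$cmd $1 '$2'"
}

build_adjoin_cmd() {
    safe "${AD_DOMAIN:-}" || { echo "AD_DOMAIN missing or invalid" >&2; return 2; }
    cmd="adjoin"
    add_opt --user "${AD_USER:-}" || return 2
    case "${JOIN_MODE:-auto}" in
        auto) cmd="$cmd --workstation" ;;                 # Auto Zone
        zone) [ -n "${ZONE:-}" ] || { echo "ZONE is required" >&2; return 2; }
              add_opt --zone "$ZONE" || return 2 ;;
        *)    echo "JOIN_MODE must be auto or zone" >&2; return 2 ;;
    esac
    add_opt --name "${COMPUTER_NAME:-}" || return 2
    case "${CONTAINER_DN:-}" in
        ''|[Oo][Uu]=*|[Cc][Nn]=*) ;;                      # unset, or ou=/cn= first
        *) echo "CONTAINER_DN must start with ou= or cn=" >&2; return 2 ;;
    esac
    add_opt --container "${CONTAINER_DN:-}" || return 2
    add_opt --server "${PREFERRED_DC:-}" || return 2
    add_opt --alias "${ALIAS_NAME:-}" || return 2
    if [ "${OVERWRITE:-no}" = yes ]; then
        # --force replaces an existing computer account, so the operator must
        # restate the account name (hypothetical guard, not an adjoin feature).
        [ -n "${COMPUTER_NAME:-}" ] && [ "${CONFIRM_OVERWRITE:-}" = "$COMPUTER_NAME" ] || {
            echo "refusing --force: set CONFIRM_OVERWRITE to COMPUTER_NAME" >&2
            return 3
        }
        cmd="$cmd --force"
    fi
    printf '%s\n' "$cmd '$AD_DOMAIN'"
}
```

Source the file, set the variables for one Mac, and call build_adjoin_cmd to see the command before running it.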