Mac – Can Apple Macs bind to two domains in two separate forests

active-directory, authentication, mac

Is there any way, natively or with a third-party extension, to bind a Mac so that it can search two domains for authentication?

We have two forests, each with one domain in them. In Active Directory terms there is a trust relationship between them, so users can log in to Windows workstations with credentials from either domain. As we try to move to a single domain in a single forest, I need to understand if the Macs can at least temporarily support authentication against both domains…

After sorting that out, I can see how it handles the same username, Active Directory ID (SID), etc…

Best Answer

In OS X Mavericks

The same as binding the Mac to the Active Directory domain for the first time: System Preferences > Users & Groups > Login Options. Unlock the advanced options and click Edit.

Here you can click the plus and add the additional domain's details.

Some points to consider:

  • The Mac will need a computer account in the additional domain
  • Users who log in where a user with the same sAMAccountName has already logged in will be prompted for admin credentials in order to rebuild the Library. This only happens when a matching user has already logged in to the Mac
  • Users will be prompted for the 'matching' user's password, as OS X seems to try and migrate the user's 'keychain'
  • Consideration should be given to the order in which domains should be checked for authentication requests

I've still yet to dig into policies and configuration across the domains and how they affect the Macs being in both domains... though I still haven't learnt how that works, so it may be a non-issue.
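Added example (my own script, not part of the question or of the answer above): a POSIX shell audit of the two points the answer's bullet list raises, namely the order in which the bound domains are consulted and the sAMAccountNames that exist in both domains. It assumes the macOS `dscl` tool: `dscl /Search -read / CSPSearchPath` for the search policy and `dscl "/Active Directory/<DOMAIN>/All Domains" -list /Users` for each domain's user list. The domain names CORP and LEGACY, the node paths built from them, the sample search path and the sample user lists are constructed placeholders; they are used automatically when `dscl` is not present, so the script also runs off a Mac.

```shell
#!/bin/sh
# Added example: audit a Mac bound to two Active Directory domains.
# Assumes the macOS dscl tool; falls back to the constructed samples below
# when dscl is not available (for example when run on Linux).

# Constructed sample of `dscl /Search -read / CSPSearchPath` output: CORP first.
SAMPLE_SEARCH_PATH='CSPSearchPath:
 /Local/Default
 /Active Directory/CORP/All Domains
 /Active Directory/LEGACY/All Domains'

# Constructed sample user lists (CORP and LEGACY are placeholder domain names).
SAMPLE_CORP_USERS='alice
bob
jsmith'
SAMPLE_LEGACY_USERS='carol
jsmith
bob'

# Directory nodes from a CSPSearchPath listing, in search order, one per line.
# $1: raw dscl output; the header line is dropped and the leading space stripped.
search_nodes() {
  printf '%s\n' "$1" | sed -n 's/^ //p'
}

# 1-based position of node $2 in search path $1; prints 0 when the node is absent.
node_position() {
  search_nodes "$1" | awk -v node="$2" '
    $0 == node { print NR; found = 1; exit }
    END { if (!found) print 0 }'
}

# Succeeds when node $2 is consulted before node $3 in search path $1.
# A login for a name that exists in both domains resolves against the earlier
# node, which is why the order matters for duplicate sAMAccountNames.
searched_before() {
  a=$(node_position "$1" "$2")
  b=$(node_position "$1" "$3")
  [ "$a" -gt 0 ] && [ "$b" -gt 0 ] && [ "$a" -lt "$b" ]
}

# Names present in both newline-separated user lists $1 and $2: these are the
# accounts that would hit the admin-credentials and keychain prompts above.
colliding_users() {
  { printf '%s\n' "$1" | sort -u; printf '%s\n' "$2" | sort -u; } | sort | uniq -d
}

# Live data when dscl is available, constructed samples otherwise.
if command -v dscl >/dev/null 2>&1; then
  SEARCH_PATH=$(dscl /Search -read / CSPSearchPath)
  CORP_USERS=$(dscl "/Active Directory/CORP/All Domains" -list /Users)
  LEGACY_USERS=$(dscl "/Active Directory/LEGACY/All Domains" -list /Users)
else
  SEARCH_PATH=$SAMPLE_SEARCH_PATH
  CORP_USERS=$SAMPLE_CORP_USERS
  LEGACY_USERS=$SAMPLE_LEGACY_USERS
fi

CORP_NODE='/Active Directory/CORP/All Domains'
LEGACY_NODE='/Active Directory/LEGACY/All Domains'

echo "Search order:"
search_nodes "$SEARCH_PATH"
if searched_before "$SEARCH_PATH" "$CORP_NODE" "$LEGACY_NODE"; then
  echo "OK: CORP is consulted before LEGACY"
else
  echo "WARNING: CORP is not consulted before LEGACY (or a node is missing)"
fi
echo "Usernames present in both domains:"
colliding_users "$CORP_USERS" "$LEGACY_USERS"
```

The printed search order is the one that decides which domain answers a login for a duplicated name; it is changed on the Mac in the directory configuration, not in this script. The collision list is worth producing before users start logging in, since each name on it is a user who will see the Library rebuild and keychain prompts described in the answer.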