Advanced AD options for profiles:
https://support.apple.com/en-ca/HT202834

Best Practices:
http://training.apple.com/pdf/Best_Practices_for_Integrating_OS_X_with_Active_Directory.pdf

Active Directory naming considerations when binding:
https://support.apple.com/en-us/HT203193
https://support.microsoft.com/en-ca/kb/909264

Requesting a certificate:
https://support.apple.com/en-ca/HT204602

Renewing a certificate:
https://support.apple.com/en-ca/HT204446

Export AD CS root cert:
https://support.microsoft.com/en-ca/kb/555252

Binding from CLI:
The functionality of Directory Utility and the Directory payload is also accessible from the command-line interface with the dsconfigad command. For example, the following command can be used to join a system to Active Directory:

    dsconfigad -preferred ads01.example.com -a COMPUTERNAME -domain example.com -u administrator -p "password"

After you’ve bound a system to the domain, you can use dsconfigad to set the administrative options in Directory Utility:

    dsconfigad -alldomains enable -groups "domain admins@example.com,enterprise admins@example.com"

Note: Using dsconfigad in a script requires the password in clear text. Configuration profiles are preferred.

Troubleshooting and Debugging:
https://support.apple.com/en-ca/HT202242

List of available trusted root certs in OS X:
https://support.apple.com/en-ca/HT202858

Increased logging:

    odutil set log debug

Stored in: /var/log/opendirectoryd.log (persists across restarts)

Standard logging:

    odutil set log default

Disable packet encryption while troubleshooting, then set it back to allow:

    dsconfigad -packetencrypt disable
    dsconfigad -packetencrypt allow

TCP Dump Example:

    tcpdump -K -i en0 -s 0 -w capture.pcap port 88 or port 464 or port 53 or port 389 or port 3268

DNS Troubleshooting:

    dig -t SRV _ldap._tcp.example.com
    telnet dc01.example.com 88

TCP 88 - Kerberos
TCP 389 - LDAP
TCP/UDP 464 - Kerberos password changes
TCP 3268 - Global Catalog

/usr/bin/id
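
The DNS and port checks above combined into one pre-bind script, as an added example that is not part of the original notes: it resolves the _ldap._tcp SRV records and probes each advertised domain controller on the TCP ports listed. The script name adcheck.sh, the function names and the sample dig output are assumptions constructed for illustration, and nc stands in for the telnet probe.

```shell
#!/bin/sh
# Ports from the list above: Kerberos, LDAP, Kerberos password changes, Global Catalog.
AD_TCP_PORTS="88 389 464 3268"

# Constructed sample of `dig +short -t SRV _ldap._tcp.example.com` output.
SAMPLE_SRV='10 100 389 dc02.example.com.
0 100 389 dc01.example.com.
;; connection timed out; no servers could be reached'

# Read SRV answers ("priority weight port target.") on stdin and print
# "target port", lowest priority value first. Non-SRV lines are skipped.
srv_targets() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             sub(/\.$/, "", $4); print $1, $4, $3
         }' | sort -n -k1,1 | cut -d" " -f2-
}

# Open and close one TCP connection; no data is sent.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# List every domain controller DNS advertises and which AD ports answer.
check_domain() {
    answers=$(dig +short -t SRV "_ldap._tcp.$1")
    if [ -z "$answers" ]; then
        echo "no SRV records for _ldap._tcp.$1; check the client's DNS servers" >&2
        return 1
    fi
    status=0
    for host in $(printf '%s\n' "$answers" | srv_targets | cut -d" " -f1); do
        for port in $AD_TCP_PORTS; do
            if port_open "$host" "$port"; then
                echo "ok     $host:$port"
            else
                echo "FAILED $host:$port"
                status=1
            fi
        done
    done
    return $status
}

# Live check when a domain is given (sh adcheck.sh example.com);
# otherwise parse the constructed sample so the script runs offline.
if [ "$#" -gt 0 ]; then
    check_domain "$1"
else
    printf '%s\n' "$SAMPLE_SRV" | srv_targets
fi
```

A FAILED line means the TCP connection did not complete from this client; UDP 464 is not probed.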