This guide will assist you in joining a Mac to AD. There are plenty of guides online, but many of them leave out key steps, which leads to problems when the join is not performed properly.
First, check AD for the next available computer name and create the computer object in the correct OU.
Document the AD computer description field with useful information such as ticket number, model, user, serial number, etc.
Identify and note down any users or groups that should have local administrative rights on the Mac.
Setting the local workstation host name:
Apple Menu > System Preferences > Sharing > Computer Name
Now let’s get domain joined:
System Preferences > Users & Groups > Login Options
Click the lock and authenticate with the local administrator account to gain admin access
Set “Display login window as” to Name and password
Set “Show fast user switching menu as” to Full Name
Click the Join… button
Click Open Directory Utility…
Click the lock and authenticate to unlock
Highlight Active Directory
Click the pencil button to edit
Populate the Active Directory Domain field with the AD name
Click the icon to expand the options
Place a tick next to Create mobile account at login – this tells the Mac to create a local user profile for the AD account so a) the user has somewhere to store data, and b) the user can login when away from the AD network.
Click the Administrative Button
Place a tick next to Allow administration by:
By default, it will have domain admins and enterprise admins pre-populated.
Use the + button to add the additional users and groups noted earlier that require local admin rights
Click Bind…
This will first prompt for the local admin password
Then it will prompt for the domain administrator username & password.
If all details are correct and DNS is working, the Mac will be joined to the directory.
If you followed the earlier instructions to pre-create the computer in AD, it will advise you that the computer account exists, and ask you if you want to use the existing computer account – say Yes.
Domain Join over a VPN:
If you need to join over a VPN, but the VPN connection drops when switching user accounts, you can cache an AD account from the local admin account while still connected to the VPN after the domain join, using the Terminal commands below:
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n [AD_username]
Once this completes, you will need to cache the login credentials:
login
When prompted, log in using the user’s username and password.
Note: nothing is echoed on-screen while you type the password.
Ideally, if the Mac is being domain joined over the VPN, cache the domain admin account using this method as well.
A Mac already directory bound that isn’t configured to create mobile account at login:
Using Terminal, issue the commands below:
sudo dsconfigad -mobile enable
sudo dsconfigad -mobileconfirm disable
The first command forces the system to create mobile (cached) accounts when a user logs in; the second suppresses the confirmation prompt when the account is created.
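A small audit script for the already-bound case, as an added example that is not part of the original guide: it reads the output of dsconfigad -show, checks the two settings above plus the allowed admin groups, and prints the exact commands needed to bring the Mac back into line. The SHOW_SAMPLE text is constructed to approximate the layout of dsconfigad -show on a Mac bound without mobile accounts, and the expected admin group list is a placeholder; run the script with --live on a bound Mac to audit the real configuration instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original guide). SHOW_SAMPLE is a constructed
# approximation of `dsconfigad -show` on a Mac bound without mobile accounts.
SHOW_SAMPLE='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-0042$

Advanced Options - User Experience
  Create mobile account at login = Disabled
  Require confirmation           = Enabled
  Force home to startup disk     = Enabled
  Mount home as sharepoint       = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = domain admins,enterprise admins
  Authentication from any domain = Enabled'

# Groups that should be allowed to administer the Mac (placeholder list).
EXPECTED_ADMIN_GROUPS="domain admins,enterprise admins,mac admins"

# setting_value TEXT LABEL: prints the value after " = " for the matching label.
setting_value() {
  printf '%s\n' "$1" | awk -F' = ' -v key="$2" '
    { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
      if (k == key) { print $2; exit } }'
}

# fix_cmds TEXT: prints one dsconfigad command per setting that deviates from
# the intended state (mobile accounts on, no confirmation prompt, expected groups).
fix_cmds() {
  show=$1
  [ "$(setting_value "$show" "Create mobile account at login")" = "Enabled" ] \
    || printf 'sudo dsconfigad -mobile enable\n'
  [ "$(setting_value "$show" "Require confirmation")" = "Disabled" ] \
    || printf 'sudo dsconfigad -mobileconfirm disable\n'
  [ "$(setting_value "$show" "Allowed admin groups")" = "$EXPECTED_ADMIN_GROUPS" ] \
    || printf 'sudo dsconfigad -groups "%s"\n' "$EXPECTED_ADMIN_GROUPS"
}

# audit TEXT: returns 0 when nothing needs changing, 1 when drift was found.
audit() {
  fixes=$(fix_cmds "$1")
  if [ -z "$fixes" ]; then
    echo "mobile account configuration OK"
    return 0
  fi
  echo "configuration drift detected; to fix, run:"
  printf '%s\n' "$fixes"
  return 1
}

case ${1:-} in
  --live) audit "$(dsconfigad -show)" ;;     # real configuration of this Mac
  *)      audit "$SHOW_SAMPLE" || true ;;   # demo on the constructed sample
esac
```

The script only ever prints the fix commands; applying them is left to the administrator, which keeps the audit safe to run from a monitoring job.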
A little Terminal bonus:
You can do a quick and dirty AD join from the Terminal using the command below:
sudo dsconfigad -preferred yourserver.YOURDOMAIN.SOMETHING -a nameOfYourDevice -domain YOURDOMAIN.SOMETHING -u DomainAdministratorAccount -p 'DomainAdministratorPassword'
Of course, doing this will not set the Mac to create a mobile account at login, won’t configure local admin users… It also leaves the domain administrator password in your shell history; leave out -p and dsconfigad will prompt for it instead.
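The Terminal equivalent of the full GUI procedure above, including the computer name, the mobile-account settings and the admin groups that the one-liner leaves out, as an added example that is not part of the original guide. The domain (CORP.EXAMPLE.COM), preferred DC, OU, admin groups and bind account are placeholder values; the script only assembles and prints the commands unless it is run as sh join.sh --bind MAC-0042 on the Mac itself, and it deliberately omits -p so that dsconfigad prompts for the domain admin password rather than having it stored in shell history.

```shell
#!/bin/sh
# Added example (not from the original guide): scripted equivalent of the GUI
# join with the options the quick one-liner leaves out. All values below are
# placeholders; replace them with your own.
AD_DOMAIN="CORP.EXAMPLE.COM"                             # placeholder
PREFERRED_DC="ad01.corp.example.com"                     # placeholder
COMPUTER_OU="OU=Macs,DC=corp,DC=example,DC=com"          # placeholder: OU of the pre-created computer object
ADMIN_GROUPS="domain admins,enterprise admins,mac admins"  # placeholder: groups noted earlier
BIND_USER="DomainAdministratorAccount"                   # placeholder

# AD computer names (NetBIOS) are at most 15 characters of letters, digits and
# hyphens, with no leading or trailing hyphen. Check before touching AD.
valid_computer_name() {
  n=$1
  [ -n "$n" ] && [ ${#n} -le 15 ] || return 1
  case $n in
    *[!A-Za-z0-9-]*|-*|*-) return 1 ;;
  esac
  return 0
}

# Terminal equivalent of Sharing > Computer Name.
hostname_cmds() {
  printf 'sudo scutil --set ComputerName %s\nsudo scutil --set HostName %s\nsudo scutil --set LocalHostName %s\n' "$1" "$1" "$1"
}

# Bind command. -password is deliberately omitted so dsconfigad prompts for it
# and the domain admin password never appears in shell history or `ps` output.
bind_cmd() {
  valid_computer_name "$1" || return 1
  printf 'sudo dsconfigad -add %s -computer %s -username %s -ou "%s" -preferred %s\n' \
    "$AD_DOMAIN" "$1" "$BIND_USER" "$COMPUTER_OU" "$PREFERRED_DC"
}

# Post-bind options: mobile accounts without the confirmation prompt, and the
# groups allowed to administer the Mac (the GUI's Administrative section).
options_cmd() {
  printf 'sudo dsconfigad -mobile enable -mobileconfirm disable -groups "%s"\n' "$ADMIN_GROUPS"
}

# Runs the commands for real, then displays the resulting configuration.
run_bind() {
  command -v dsconfigad >/dev/null 2>&1 || { echo "dsconfigad not found; run this on the Mac" >&2; return 1; }
  bind_cmd "$1" >/dev/null || { echo "invalid computer name: $1" >&2; return 1; }
  eval "$(hostname_cmds "$1")" && eval "$(bind_cmd "$1")" && eval "$(options_cmd)" && dsconfigad -show
}

if [ "${1:-}" = "--bind" ] && [ -n "${2:-}" ]; then
  run_bind "$2"
fi
```

Without --bind the file can be sourced to inspect the generated commands (for example bind_cmd MAC-0042) before anything is executed; the final dsconfigad -show is the place to confirm that the mobile-account and admin-group settings actually took.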