We have a suite of Macintosh clients running OS X 10.5.8.
Until we upgraded our Active Directory domain to Windows Server 2008 R2 native mode and enabled LDAP encryption between servers and clients, it worked fine.
Now the clients won't log on to the network - try to use AD user accounts and the Macs just "shake their head" at users.
I suspect this is an LDAP encryption issue rather than something to do with the upgrade to 2008 R2 native mode itself, but as both were performed at the same time it could be either.
Although we can log on locally to the Macs and unbind them from their current domain settings, we can't seem to re-add them. Follow any instructions I can find, plus Apple's "Good Practices" PDF file, and nothing seems to work.
Any suggestions as to setting up Macs to work with a domain where LDAP Encryption is enabled? Is it just a case of obtaining a certificate from the CA we have on our network and ticking the "Use SSL" box when binding?
It is probably down to the authentication levels being brought up very high and secure in a 2008 R2 Domain. I cannot remember where I found the info, but if you google you will see many issues and niggles related to 2008 compatibility with other devices using NTLM and LDAP, as they tightened them all up. I know if you look on here for my posts on the Sun S7000 you will find some information on one area that I had to look at for getting my SAN to work with 2008 R2.
Oddly, my Macs seem to be unaffected by the changes to an R2 native domain, including leaving the defaults for the DCs' security policy. There are no SSL options etc. on the AD plugin, so I assume it is correctly signing the requests. Running 10.5.4 and 10.5.8.
Local Policies/Security Options
  Domain controller: LDAP server signing requirements = None
  Domain member: Digitally encrypt or sign secure channel data (always) = Enabled
Microsoft Network Server
  Microsoft network server: Digitally sign communications (always) = Enabled
  Microsoft network server: Digitally sign communications (if client agrees) = Enabled