Working at a school which has a suite of 5 Mac minis which they want connecting to their Windows 2003 domain. I tested this out on my home system with no problems, but when I came to join the school's Macs to the domain I have encountered a problem. Instead of having a domain name of school.local, they have a domain name of just school, which means the Macs won't connect to it as it's not a fully qualified domain name.
So if anyone has any ideas I would like to hear them.
What's the FQDN of your Windows 2003 domain?
It's just school.
Last time I did a 2003 install, it wouldn't let you create a domain without qualifying it
I didn't set the domain up but I have a feeling that it was an NT4 domain upgraded to 2K then to 2K3.
I thought that you simply had to be able to resolve DNS entries and resolve IP addresses to DNS entries for it to work?
If you have a single-label DNS name in your environment, clients may not
be able to dynamically register DNS records in a single-label forward
lookup zone. Specific symptoms vary according to the OS installed.
As a general rule, Microsoft recommends that you register DNS domain
names for internal and external namespaces with Internet authorities.
This includes the DNS names of Active Directory domains, unless such
names are sub-domains of names that are registered by your organization
name, for example, "corp.example.com" is a sub-domain of "example.com".
When you register DNS names with Internet authorities, it prevents
possible name collisions should registration for the same DNS domain be
requested by another organisation, or if your organisation merges,
acquires or is acquired by another organization that uses the same DNS
DNS names that don't include a dot are said to be single-label
Single label domains. Oh boy.
...(Edit) I need to qualify the link- what the poster suggests is rebutted pretty well by a post further on in the link above. That's OK, because I wanted you to actually see the rebuttal and be able from that to build an idea of what this will take to get working. Hope it helps in some way.
...(Edit2) Read this too:
I did some asking and the domain was set up like this by the previous Network Manager. Thanks for the advice, guys. I'm back at the school on Thursday but if anyone else has any ideas I would still like to hear them.
Here's an update. I tried the things in the articles kingswood found and no joy whatsoever. So I've suggested that they look at setting up the Macs on their own domain. Hopefully I'll have an answer when I go back in next week.
By setting the Macs up on their own domain, do you mean installing an Open Directory Master and making that authoritative for the Macs? If so, you will have to run these as two discrete networks- and put your users in twice (once in AD and then again in OD). A better solution (I think) would be to get to the bottom of the issues you are obviously having with the existing network and then binding the Macs to the AD, thus having only one central database of users to worry about.
Have you run some diagnostics on the network? On a Mac, type:
The prompt will turn to:
host -t SRV _ldap._tcp.domain.com
host -t SRV _kerberos._tcp.domain.com
host -t SRV _kpasswd._tcp.domain.com
Where I have put domain.com there put in your single label namespace. If you don't see any entries, then OS X doesn't figure that they are *valid* entries.
You can also tell Directory Services Plugin to run in logging mode if you like and this can be helpful after the process fails to trace where the issue lies:
sudo killall -USR1 DirectoryService
Toggle it back again to turn off the debug log- you will find it (IIRC) in the following place on your systems:
The main issue is whether you are allowing dynamic DNS updates on your AD server. If you aren't, then OS X isn't going to be happy about registering itself on the server (well, effectively this would have to be done manually and this isn't helpful to you either). Check your DNS snap-in on your AD Server and look for SRV records and whether you are allowing Dynamic Updates. This will be crucial in deciding whether you can bind the Macs to this AD at this point.
Back on your Macs, look at:
and read through it to get an idea of what is expected by the binding process. The plug in uses _domain.tcp.domain.com to find the DNS Server, which should return to your system a list of hosts providing those services I just said should be seen in your forward lookup zone on your AD DNS Server. If it can't find them, it just won't find what domain it's in or any authentication or registration services. OS X uses this information to build the edu.mit.kerberos (I may have that wrong) configuration file. Then it tries to authenticate to the new DC and searches for a domain and forest for a computer record with a computer ID that matches the one specified in the plugin. If a match is not found the plugin creates the new record and a password is attached to that ID. That's it bound to AD. But notice that it takes that registration service to finish the job?
OK. All that said, in the Directory Access plugin make sure you have:
The forest name
AD Domain name (Are in domain name format)
Make sure your domain name is entered first in Network Preferences.
Then go to a Windows machine (doesn't have to be your AD Server) and run:
At the next prompt, type:
Does it return valid results?
See if any of that throws you in the right direction.
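The three SRV lookups from the post above, wrapped into a repeatable pre-bind check (an added example, not part of the original thread). The `LOOKUP` variable, the `sample_lookup` stand-in and the zone `corp.example.com` are constructed for illustration; with `LOOKUP` left at its default the script calls the real `host -t SRV`.

```shell
#!/bin/sh
# Pre-bind DNS check for the three SRV records named in the post above.
# LOOKUP resolves one SRV name; the default is the real `host` command.
LOOKUP=${LOOKUP:-"host -t SRV"}

# True when the name has no dot (a trailing root dot does not count).
is_single_label() {
    case "${1%.}" in
        *.*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Read `host -t SRV` output on stdin, print "target:port" per record.
srv_targets() {
    awk '$2 == "has" && $3 == "SRV" && $4 == "record" {
        sub(/\.$/, "", $8); print $8 ":" $7 }'
}

# Print one status line per service; exit status = number of missing records.
check_domain() {
    domain=${1%.}
    missing=0
    if is_single_label "$domain"; then
        echo "WARN $domain is a single-label name"
    fi
    for svc in _ldap _kerberos _kpasswd; do
        name="$svc._tcp.$domain"
        targets=$($LOOKUP "$name" 2>/dev/null | srv_targets | tr '\n' ' ')
        if [ -n "$targets" ]; then
            echo "OK $name -> ${targets% }"
        else
            echo "MISSING $name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed stand-in for `host`, so the check can be exercised offline:
# the hypothetical zone has LDAP and Kerberos records but no kpasswd record.
sample_lookup() {
    case "$1" in
        _ldap._tcp.corp.example.com)     echo "$1 has SRV record 0 100 389 dc1.corp.example.com." ;;
        _kerberos._tcp.corp.example.com) echo "$1 has SRV record 0 100 88 dc1.corp.example.com." ;;
        *) echo "Host $1 not found: 3(NXDOMAIN)"; return 1 ;;
    esac
}
```

Run `check_domain school` on the Mac before attempting the bind; any `MISSING` line points back at the forward lookup zone on the AD DNS server.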
As an aside to what has already been mentioned, don't name your Active Directory domain with a name that ends in .local; you'd have only been swapping one problem for another if your domain was named that way.