10.5 AD Binding
I am trying to bind an iMac with Leopard installed to AD. Leopard is upgraded to 10.5.2. Whenever I try to add it to the domain it just comes up with the following error:
Unable to contact the domain controller for an unknown reason.
I have looked everywhere for a solution to this problem but have been unsuccessful. All of our 10.4 clients are bound to AD without any problems but the 10.5's just won't do it. The Apple server we are running is 10.4 server but all logins are done through AD.
Any help would be greatly appreciated.
We got a similar error when setting up our only 10.5 mac. We'd forgotten to set the time zone correctly. Such a stupid thing to overlook I know, maybe it's the same for you?
The time zone is correct. I did have to double check though as I wasn't sure but it is set correctly.
Make sure you have synced the time with an AD server.
I have put in our frdc as the time server, once you hit enter it puts itself to the correct time. It seems able to see both our DC's however it just doesn't want to use one of them to bind to AD :(
I have seen this on a couple of our new iMacs. Basically (and I know this is often painful) it works if I do a clean install of the OS before binding. It's worth trying this on one of your systems to see if it makes a difference. Other than that, Leopard binding to our AD has been painless.
Have you also checked that the client has your primary DNS server set in Network? This can often cause a small gotcha when trying to bind.
Hope something there helps- good luck!
It is a new iMac which we are trying to bind to AD. I have tried re-installing the OS from the disks which came with the iMac but I'm going to try installing leopard from a standalone dvd without any extras.
I heard that it was a common fault with Leopard and that the 10.5.2 release fixed it, I have to say though with 10.5.2 on it still does not bind. The other thing is in the Directory Utility what information should be in there? I have a setup guide to Directory Access on 10.4 but on 10.5 it's quite different.
I would try the following.
Go to /Macintosh HD/System/Library/ then rename the directory services folder to directory services_Backup
This will clear all the directory service settings.
No luck I'm afraid :( tried everything. Could anyone post a few screenshots of your configurations for Directory Utility so I can compare it to mine?
It is pretty different, but if you show Advanced settings and go to Services all the old options are there. Confused me at first too. I have an OU I like to put the OS X machines into and was like how the **** do I do that, as there was no setting to do it. :P
Originally Posted by ahunter
The OU is exactly the same for both our leopard and tiger machines. I just tested binding/unbinding with the same settings on a tiger machine to make sure there was no other issues and it binds/unbinds perfectly.
This sounds weird to me. I would try and trash the bind settings on your iMac by navigating to /Library/Preferences and binning the DirectoryServices folder found there. You should also trash the edu.mit.kerberos file.
To *completely* remove bind settings, use the following commands as local administrator on the iMac:
rm -R -i DirectoryService
You should be asked if you want to examine the files; type in "yes" (without the quotes). It will do this for every file (just type yes in each time). Then follow this up with:
sudo shutdown -h now
The Mac will shut itself down and then you should obviously just start it up the usual way. Now try and rebind, making sure that:
(a) the time on the system points to your internal NTP server or an external server that your AD domain server uses so that they are within the Kerberos acceptable skew frame
(b) that you have both a primary DNS IP in Network Preferences for your AD DNS server and a search domain suffix (yourdomain.com) in the opposite pane.
When you get to Directory Utility make sure that you choose "Active Directory" from the drop down box after clicking the "plus" sign to add a directory services server, and then use the short name of your AD domain controller in the "Server Name or IP Address" field. At school I use the server name, but when testing Leopard Server and AD at home it preferred the IP address. Horses for courses!
Check too that in "Services" when using the "Advanced" menu option in Directory Utility that you have checked the "Active Directory" field. Double click this entry and a sheet will pop out that will allow you to "bind" to the AD domain. Use your forest name and give the iMac a computer ID. I have had no problems (ever) with using the same name as the OS X name, but again you might need to make them different. Simply click "bind" and enter the username and password of a domain administrator in the sheet that appears.
You have probably tried all of this before, but there may be a step that you have missed. If all of that fails let me know and we can perhaps try other things that might help.
All the best!
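The two conditions (a) and (b) in the post above can be checked from Terminal before attempting the bind. This is an added example, not part of the original post: the function names, the resolv.conf-format input file, the IP addresses and the clock offset are constructed assumptions, and 300 seconds is the Kerberos default skew tolerance.

```shell
#!/bin/sh
# Pre-bind checks for conditions (a) clock skew and (b) DNS settings.
# Sample values are constructed; only the domain name comes from the thread.

MAX_SKEW=300   # seconds; the Kerberos default tolerance is 5 minutes

# skew_ok OFFSET: succeed if |OFFSET| is within MAX_SKEW. OFFSET is the clock
# difference to the DC in seconds and may be negative or fractional.
skew_ok() {
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o <= m) }'
}

# primary_dns_ok FILE IP: succeed if the first nameserver entry in a
# resolv.conf-format FILE is IP, i.e. the AD DNS server is the primary one.
primary_dns_ok() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ]
}

# search_domain_ok FILE DOMAIN: succeed if DOMAIN is a listed search suffix.
search_domain_ok() {
    awk -v d="$2" '($1 == "search" || $1 == "domain") {
        for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) found = 1
    } END { exit !found }' "$1"
}

# check LABEL CMD [ARGS...]: run CMD, print OK/FAIL, count failures.
check() {
    label=$1; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# prebind_report FILE DNS_IP DOMAIN OFFSET: print one line per check and
# return the number of failed checks (0 means ready to try the bind).
prebind_report() {
    fails=0
    check "clock offset ${4}s within ${MAX_SKEW}s" skew_ok "$4"
    check "primary DNS server is $2" primary_dns_ok "$1" "$2"
    check "search domain includes $3" search_domain_ok "$1" "$3"
    return "$fails"
}

# Constructed sample: AD DNS server listed second, AD search suffix missing,
# clock almost seven minutes behind the DC.
SAMPLE=$(mktemp)
printf 'nameserver 192.168.1.1\nnameserver 10.0.0.10\nsearch example.lan\n' > "$SAMPLE"
prebind_report "$SAMPLE" 10.0.0.10 st-ambrose.internal -412.7 || true
```

On a real client, pass the system's resolver file, the AD DNS server's address and the offset reported by an NTP query against the domain controller.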
Hi, thanks for the instructions. I am trying to add the AD directory services server but am getting problems.
I have typed in the following:
AD Domain - st-ambrose.internal
Computer ID - <blank>
AD Administrator Username - administrator
AD Administrator Password - <password>
The error I receive is:
"An Unexpected error of type - 14006 (eDSCannotAccessSession) occured."
I wasn't sure what to type into the Computer ID box. I tried the DC name and it comes up with the same error.
Your domain doesn't end in .local does it?
Edit, erm. It doesn't as I see from your last post.
Computer ID is the name that the Mac will join the domain with, works in the same way as Windows clients.