10.4: Binding to single-label Active Directory domains
Network | Tiger only hint

I have a single label domain name that is the same as the name of the Forest. Try finding any information about the problems of a single label domain. I'll just say that the problems are numerous, vexing, and undocumented.

I don't know how much of the following is critical for the connection to AD, but I've worked so long and hard to get this working that I don't want to turn them off and on to try to break it. And given other posts about unpredictable behavior, turning them off and on may not even tell me which ones are necessary.

Read on for the configuration...

System Preferences > Network:
Configure IPv4: Using DHCP
Search Domains: DC=[my domain]

Directory Access:
Services enabled: Active Directory, AppleTalk, LDAPv3, SLP, SMB/CIFS

SMB/CIFS Configuration:
Workgroup: [my domain]
WINS Server: [IP of my WINS Server]

LDAPv3 Configuration:
Location: Automatic
Yes - Add DHCP-supplied LDAP servers to automatic search policies
I also have my LDAP server configured in the window below, but I disabled it and everything seems to still be working.

Active Directory Configuration:
Active Directory Forest: - Automatic -
Active Directory Domain: [my domain]
Computer ID: [unique label for computer]
Advanced > Administrative:
Yes - Prefer this domain server: [my domain controller].[my domain]. (note the last period, may be important)
Yes - Allow administration by: domain admins, enterprise admins
Yes - Allow authentication from any domain in the forest

Now here's the trick: When you click [Bind...] and give it a Username with the correct credentials and the correct password, leave the COMPUTER OU: field blank!

I don't know why this works, but it does. I can unbind and re-bind my Mac to my heart's content, but if that field is populated I get errors.
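As an added example (not part of the hint, and not Apple's documentation), here is a shell script that performs the same bind from the command line with dsconfigad, the tool behind the Directory Access pane. It assumes the domain example.local, the domain controller dc1.example.local, the computer ID mac-lab-01 and an admin account named Administrator, all constructed for illustration, and it assumes the dsconfigad options -a, -u, -ou, -domain, -alldomains, -groups and -preferred behave as described in its man page; the helper function names are my own. It derives the DC= components of the default CN=Computers container from the domain name (the form one of the comments below spells out), checks the computer ID against the 15-character NetBIOS limit, and prints the DNS SRV name the plug-in uses to locate a domain controller. When the OU argument is empty it omits -ou entirely, which is the command-line equivalent of the hint's trick of leaving the Computer OU field blank.

```shell
#!/bin/sh
# Added example, not code from the hint: bind a Tiger Mac to AD with dsconfigad.
# Assumed values: domain example.local, DC dc1.example.local, computer ID
# mac-lab-01, admin account Administrator. Run as root on the Mac being bound.

# Convert a dotted DNS domain into LDAP DC= components.
#   example.local -> DC=example,DC=local      corp -> DC=corp
domain_to_dn() {
    dn=""
    old_ifs=$IFS
    IFS=.
    for label in $1; do
        dn="${dn:+$dn,}DC=$label"
    done
    IFS=$old_ifs
    printf '%s\n' "$dn"
}

# AD's default location for machine accounts is the CN=Computers container
# (a container, not an organizational unit), directly under the domain.
computers_container_dn() {
    printf 'CN=Computers,%s\n' "$(domain_to_dn "$1")"
}

# SRV record the AD plug-in resolves to discover domain controllers; the
# preferred-server setting only influences which discovered DC is used.
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# The computer ID becomes the account's NetBIOS name: 1-15 characters,
# letters, digits or hyphens only.
valid_computer_id() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Bind. The fifth argument is the container/OU DN; leave it empty to omit -ou
# (the hint's trick) so AD drops the account into its default container.
# -p is deliberately not passed: dsconfigad then prompts for the password
# (assumed behaviour), keeping it out of shell history and `ps` output.
bind_to_ad() {
    domain=$1; computer_id=$2; admin_user=$3; preferred_dc=$4; ou=${5:-}
    if ! valid_computer_id "$computer_id"; then
        echo "computer ID '$computer_id' must be 1-15 letters, digits or hyphens" >&2
        return 1
    fi
    echo "DCs for $domain are discovered via SRV record $(dc_srv_name "$domain")"
    if [ -z "$ou" ]; then
        dsconfigad -a "$computer_id" -u "$admin_user" -domain "$domain" || return 1
    else
        dsconfigad -a "$computer_id" -u "$admin_user" -ou "$ou" -domain "$domain" || return 1
    fi
    # Settings from the hint's Advanced > Administrative tab.
    dsconfigad -alldomains enable \
               -groups "domain admins,enterprise admins" \
               -preferred "$preferred_dc"
}

# Usage: sh bind.sh bind        (nothing runs when invoked without "bind")
case "${1:-}" in
    bind) bind_to_ad example.local mac-lab-01 Administrator dc1.example.local ;;
esac
```

To place the account explicitly instead, pass "$(computers_container_dn example.local)" as the fifth argument; as the comments note, an ordinary domain account can only create computer objects in that default container unless it has been granted rights elsewhere.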

5 comments
10.4: Binding to single-label Active Directory domains
Authored by: smanzo on Mar 14, '06 11:29:41AM

Okay, first off... Enabling both the Active Directory and the SMB/CIFS plugin is redundant. SMB/CIFS is for workgroups or NT4/Samba domains, not AD.

You mention giving the "correct" user credentials.... Unless these credentials are for a Domain Administrator account (OR you've specifically changed permissions on the OU structures to allow the account used Write and Delete of Computer objects), you won't be able to put the computer anywhere other than CN=Computers, DC=yourdomain. Make special note of that... the default places for Computers and Users are both Containers (CN), not Organizational Units (OU), and are designated as such in AD. THIS is the likely source of your problems.

Another side note... ANY AD user account can, by default, join up to 10 machines to the domain, as long as they are dropped into CN=Computers (or the new default if you've redirected this)
10.4: Binding to single-label Active Directory domains
Authored by: redclawx on Mar 14, '06 02:20:30PM

If you don't have the SMB/CIFS active then you won't be able to browse the network for SMB/CIFS computers, (i.e. Windows file shares.) In my environment we have three (for lack of a better term) main network paths. The only one currently supported is AD. For the Macintosh environment, browsing to Network/Delta will get you to the SMB share points for most everything on the network. The other two unsupported paths are the standard Windows SMB "Workgroup" and the AFP path.

By turning off SMB/CIFS the only item browsable is AFP, at least with our setup.
10.4: Binding to single-label Active Directory domains
Authored by: mbartosh on Mar 15, '06 05:11:57AM

First of all, just saying anything like this:

_
I don't know how much of the following is critical for the connection to AD, but I've worked so long and hard to get this working that I don't want to turn them off and on to try to break it. And given other posts about unpredictable behavior, turning them off and on may not even tell me which ones are necessary.
_

...correlation is not causality! This is basic scientific theory they teach in any science or social science course. You can't just say stuff like this without regression testing. And characterizing the AD Plug-in (which Apple has done a great job on) as unpredictable is spurious and just wrong.

'single label' AD domains are the simplest to support. Whatever problem you're having, it's not related to that. Moreover:

-Mac OS X is entirely unable to use that as a DNS search domain, which does not conform to the DNS namespace. Nothing could use that as a DNS search domain.

-The LDAPv3 Plug-in has -nothing- to do with the AD Plug-in, and your direction there opens your machine to malicious compromise.

" [my domain controller].[my domain]. (note the last period, may be important)" -- You do not specify the domain controller. you specify the domain. The domain controller is then discovered via DNS service discovery.

-leaving the OU field blank just puts it into the default cn=Computers.

Do -real troubleshooting- and regression. Learn about the DirectoryService debug mode. AD integration in general works great, and is far easier than you have characterized. If it took you as long as you say, you should have brought a consultant in, it'd have saved your company money.


__
Essential Mac OS X Server System Administration
O'Reilly

---
4am Media, Inc. Mac OS X Training and Consulting
10.4: Binding to single-label Active Directory domains
Authored by: Moshker on May 09, '06 04:03:28PM

This may be an old thread, but these "reverse FUD" head in sand type responses really aggravate me.

He says "Hey I am having problems" you respond with "your statements are unscientific, apple is good." Brilliant.

I and several other administrators at my organization are having intermittent and frustrating problems with AD integration as well.

"You can't just stay stuff like this without regression testing." - ??? What universe are you from? Seriously. His opinion is as legitimate as your blanket statement that the directory plug-in is good. Your experience differs and instead of proving your experience with some kind of scientific method you state that he isn't being scientific without you offering any kind of proof either. Spurious? Do a search for Troubleshooting Active Directory and OSX. The reasons for it not working may be varied, may even be MS for all I know, but to try to say it is easy to use and universally stable is just as dumb.

I'm not an expert on OSX, but I can follow instructions. This shouldn't be rocket science that requires a consultant. If it does then someone at Apple failed to do their job.
10.4: Binding to single-label Active Directory domains
Authored by: bobnance on Jun 22, '07 10:15:23AM
One of the things that works consistently for me is to add:
    DC=local
as in,
    CN=Computers,DC=<DOMAIN>,DC=local
during the bind. Works every time!