TS1206: Active Directory Plugin requires name resolution for domain and forest names
Sep 13, 2013 2:58 PM (in response to Cerniuk)
I'd been having this problem for a long time now, and discovered the problem wasn't OS X, but rather errors in how Active Directory and DNS are configured. Even though AD will work fine in binding Windows systems with DNS configuration problems, OS X is very picky with allowing binding to AD.
The first thing I discovered on the Active Directory domain controller was that the main CA certificate on the domain had expired. Once I generated a new CA certificate I could then see "Active Directory / All Domains" under the custom search policy in the Directory Utility. Cleared that hurdle.
The next step was to verify the health of the domain and DNS entries by running a series of commands in a command prompt on the domain controller itself.
DCDIAG /test:DNS /DNSALL /e /v
dcdiag /test:DcPromo /DnsDomain:domain.company.com /<Operation> /e /v
dcdiag /test:RegisterInDNS /DnsDomain:domain.company.com /<Operation> /e /v
/<Operation> may be /NewForest, /NewTree, /ChildDomain or /ReplicaDC
I didn't even have to run more than the first command before I started seeing where the configuration problems were. The domain SOA was not responding and the ldap_tcp test was failing.
In the DNS manager on the domain controller I found I had incorrectly added an additional full domain as a forward zone in DNS instead of a child. Copied down all the records and deleted the problem domain, then created a child domain and re-entered the records. Still didn't fix it, but better results on the test.
Then, on the new child domain I launched the 'new delegation' wizard (right click on the forward zone domain) and configured it to name the correct FQDN and resolve both DNS servers on my LAN. After giving it a few minutes to replicate (you can also use ipconfig /registerdns to push) I re-ran the first test and all but IPv6 passed. After that I was able to bind and add to the Kerberos realm.
So, bottom line is: run whatever tests you can to make sure your AD health is good, then you should be able to bind.
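The post above fixes the problem by repairing the DNS records that the Active Directory plugin depends on (the zone's SOA and the _ldap._tcp / _kerberos._tcp service records). The following PowerShell script is an added example, not code from the thread or from Apple or Microsoft: it queries those records from a Windows host with the DnsClient module and reports which ones are missing or have targets that do not resolve, so you can check a domain's DNS health before trying to bind a Mac. The domain name domain.company.com is the placeholder used in the post; the $DnsServer parameter and the list of record names are the example's own assumptions about what a client looks up.

```powershell
# Added example: verify the DNS records an AD client needs to locate a DC/KDC.
# Assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later).
param(
    [string]$Domain    = "domain.company.com",  # placeholder domain from the thread
    [string]$DnsServer = $null                  # optional: query a specific DNS server
)

$resolveArgs = @{ ErrorAction = 'Stop' }
if ($DnsServer) { $resolveArgs['Server'] = $DnsServer }

# SRV records a client queries to find a domain controller, a Kerberos KDC,
# the password-change service and a global catalog (assumed list).
$srvRecords = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._udp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_gc._tcp.$Domain"
)

$failures = 0

# 1. The zone's SOA must answer; a non-responding SOA is exactly what
#    dcdiag /test:DNS reports as a failure.
try {
    $soa = Resolve-DnsName -Name $Domain -Type SOA @resolveArgs |
           Where-Object { $_.Type -eq 'SOA' }
    if ($soa) {
        Write-Host "OK   SOA for $Domain -> $($soa.PrimaryServer)"
    } else {
        Write-Host "FAIL no SOA record returned for $Domain"
        $failures++
    }
} catch {
    Write-Host "FAIL SOA lookup for $Domain failed: $($_.Exception.Message)"
    $failures++
}

# 2. Each SRV record must exist, and every target host it names must
#    resolve to an address, otherwise the client finds a DC name it cannot reach.
foreach ($name in $srvRecords) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV @resolveArgs |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            Write-Host "FAIL no SRV answer for $name"
            $failures++
            continue
        }
        foreach ($rec in $srv) {
            try {
                $addr = Resolve-DnsName -Name $rec.NameTarget -Type A @resolveArgs |
                        Where-Object { $_.Type -eq 'A' }
                if ($addr) {
                    Write-Host "OK   $name -> $($rec.NameTarget):$($rec.Port) ($($addr[0].IPAddress))"
                } else {
                    Write-Host "FAIL $name -> $($rec.NameTarget) has no A record"
                    $failures++
                }
            } catch {
                Write-Host "FAIL $name -> $($rec.NameTarget) does not resolve: $($_.Exception.Message)"
                $failures++
            }
        }
    } catch {
        Write-Host "FAIL SRV lookup for $name failed: $($_.Exception.Message)"
        $failures++
    }
}

if ($failures -eq 0) {
    Write-Host "All checks passed; DNS looks ready for AD binding."
} else {
    Write-Host "$failures check(s) failed; run 'dcdiag /test:DNS /DNSALL /e /v' on the DC for details."
    exit 1
}
```

Run it as `.\Check-AdDns.ps1 -Domain domain.company.com` (or add `-DnsServer <ip>` to test each DNS server on the LAN separately, which is useful after a delegation change has not yet replicated). Because it asks only the questions a client asks, a clean run here is a reasonable sign that the binding problem lies elsewhere, while a failure points at the same zone and SRV issues the post describes.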
Sep 13, 2013 2:55 PM (in response to OSXPhil)
I should clarify that all the fixes above were done on the Windows domain controller, not in OS X. This was binding to a Windows 2008 R2 domain.
Sep 13, 2013 3:42 PM (in response to OSXPhil)
Phil, big thanks for the reply.
Fortunately this is a test AD system and not part of the enterprise production system. Same goes for the DNS, although it supports all of the test "Cloud".
This is harder than debugging my comms driver code in assembly. (that would be laughing in the face of adversity)
Sep 13, 2013 3:46 PM (in response to Cerniuk)
Good that it's not mission critical. :-)
I kind of posted because I scoured the message boards looking for an answer myself, so I thought if anyone else had this issue it could point them in the right direction. I was pretty happy when I solved it locally.