This discussion is archived

Binding to Active Directory Fails - Authentication Errors

49653 Views 63 Replies Latest reply: Feb 10, 2009 9:18 AM by Erik Black
  • Nicholas Shaff Level 1 (10 points)
    Hmm, I'll have to test some things here to see if that's our problem. We do indeed have many DCs, though if this were the case wouldn't it work the second time you tried after the computer had been propagated to the other DCs? Subsequent tries on our network have still failed with rare sporadic exceptions.
    2x Intel Xserves, Managing Macbooks, Macbook Pros and iMacs, Mac OS X (10.5.1)
  • Jason Bennett Level 1 (20 points)
    I'm guessing that since it ultimately fails it must never fully put the computer in the AD.

    The client tells DC A that it's adding ClientZ to AD.
    DC A waits for more info while the client then does whatever it's doing.
    Client then contacts DC B about adding ClientZ.
    DC B has no idea what it's talking about so it fails.
    Client fails
    DC A is left hanging so eventually it fails.
    In the end there's nothing added to the domain.

    That's just my guess... I really have no idea what's going on behind the scenes. But, otherwise you'd eventually see that ClientZ show up and then it would bind.

    I'm trying now to see if there's a way (other than /etc/hosts) to force the client to only use one particular DC or if there's a way to view bind attempts in the logs on the domain controllers.
    mbpro, Mac OS X (10.5.1)
  • Nicholas Shaff Level 1 (10 points)
    I don't have a machine to test this with at the moment, but what about if you specify the DC you'd like to use with the "Prefer this domain server" option in the advanced AD settings under the Administrative tab? I'll probably give it a try once I get a machine I can use to test it but do not have one right this moment.
    2x Intel Xserves, Managing Macbooks, Macbook Pros and iMacs, Mac OS X (10.5.1)
  • MichaelLitz
    I FINALLY GOT IT TO WORK!
    I added the account in AD manually; but specified that "anonymous" accounts can bind that computer to AD.
    MacBook Pro, Mac OS X (10.5.1)
  • anth0ny
    I hope there is more room on the boat for me. I am having all the issues mentioned above and tried all the fixes with no luck.

    Just for kicks I joined a 10.4 machine to the domain (made me feel better about myself) but for now I'm sitting in purgatory about whether to go back to 10.4 or sit and wait for 10.5.2 and hope it fixes the issue.
    MBP, Mac OS X (10.5.1)
  • Jason Bennett Level 1 (20 points)
    I tried this with no luck. I even unchecked the "use any domain server..." option to try and force it to only use the one server.

    Maybe these two options are only for after it's bound.
    mbpro, Mac OS X (10.5.1)
  • duel1ghz
    I am in the same boat as anth0ny. I have tried all the above, even adding the same IPs in the host files for the DCs. Nothing.

    If some Apple engineer is reading this, we need help. This is serious. It is a total show stopper. No AD means no Leopard in our environment, period.
    Mac Pro & Old G4 tower, Mac OS X (10.5.1)
  • rachelregis
    Got all the issues mentioned above.
    10.5.1
    Got the error message while trying to bind imac

    I tried something else....
    In Directory Utility, instead of going in the first tab, I went in the Services tab and double-clicked on Active Directory (checked box). Filled in the domain name and clicked Bind. And it worked.

    Order:
    Reboot
    Open directory utility
    wait for Mac search to be completed.
    Went to tab Services
    entered domain: mydomain.net.inside
    clicked bind
    Prompted for login: Administrator
    Password: my 17 long password.
    And when I go back to the 1st tab, Directory Services, everything is cool.

    Hope this helps and this is not too late
    Reg
    iMac, Mac OS X (10.5.1)
  • Jason Bennett Level 1 (20 points)
    The only thing that has worked for me consistently is to add the computer name to the Active Directory, wait a half hour for it to replicate to all of the domain controllers and then bind the computers.

    Doing this has worked for pretty much every computer.

    Odds are this will be fixed in 10.5.2 and all this will be cleared up... I hope.
    mbpro, Mac OS X (10.5.1)
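Added example (not part of any post in this thread): the workaround above depends on the pre-created computer account having replicated to every domain controller before the bind is attempted, and this sketch checks that instead of waiting a fixed time. It assumes `dig` and OpenLDAP's `ldapsearch` are installed; `BASE_DN`, `BIND_DN`, `PW_FILE` and the `example.test` names are placeholders.

```shell
#!/bin/sh
# Added example: is a pre-created computer account visible on every DC yet?
# Placeholder settings (assumptions, override in the environment).
: "${BASE_DN:=DC=example,DC=test}"
: "${BIND_DN:=checker@example.test}"
: "${PW_FILE:=/dev/null}"   # file holding the bind password, mode 600

# Print the host names of all DCs that AD advertises in DNS for domain $1.
list_dcs() {
    # SRV answers look like: "priority weight port target."
    dig +short SRV "_ldap._tcp.dc._msdcs.$1" |
        awk '{ sub(/\.$/, "", $4); print $4 }' | sort -u
}

# Return 0 if DC $1 already holds computer account $2.
dc_has_computer() {
    # Computer accounts carry a trailing "$" in sAMAccountName.
    ldapsearch -LLL -x -H "ldap://$1" -D "$BIND_DN" -y "$PW_FILE" \
        -b "$BASE_DN" "(sAMAccountName=$2\$)" dn 2>/dev/null |
        grep -qi '^dn:'
}

# Print every DC of domain $1 that lacks computer $2.
# Returns non-zero while at least one DC has not received the account.
missing_dcs() {
    missing=0
    for dc in $(list_dcs "$1"); do
        if ! dc_has_computer "$dc" "$2"; then
            echo "$dc"
            missing=1
        fi
    done
    return "$missing"
}

# Stand-alone use: ./check_repl.sh example.test CLIENTZ
if [ "$#" -eq 2 ]; then
    missing_dcs "$1" "$2"
fi
```

An empty output with exit status 0 means every advertised DC answered with the account, so the client reaches a DC that knows it whichever one it contacts.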
  • andyak
    This did in fact work for me, after trying and failing with the other ideas. However, it doesn't let anyone log on with a network account......it's BOUND....but not being able to log in kills some of the joy.
    G4, G5, and Intel, Mac OS X (10.5.1)
  • marklon bills Level 1 (0 points)
    Hey Jason, thanks, your method worked for me. Currently running 10.5.1. (I will do a clean install and re-test on 10.5.) Binding the computer to our domain initially threw me an error code 14120, eDSPermissionError. I ignored it and tried again, which resulted in success.

    After the machine was bound via Directory Utility I then went to the Services tab (you have to activate "show advanced settings" to view this), selected > show advanced options > then selected the Administrative tab. I checked "Prefer this domain server" and inputted the IP address for our DC. I also tested the setup by inputting the DNS of the server and that worked as well. Thanks again
    iMac G5, Mac OS X (10.4.10)
  • marklon bills Level 1 (0 points)
    Just an update: after restarting the machine I am back to where I started. Although the machine is reporting that it is bound, I cannot log in with network accounts. Either the login process freezes at the login stage or I get the message "The system is unable to log you in at this time....."
    MBP, Mac OS X (10.5.1)
  • marklon bills Level 1 (0 points)
    OK, here is another update, hopefully the final one. I am able to bind and log in consistently now on 10.5.1. Binding doesn't seem to be the major issue at hand; logging into the network accounts seems to be the principal issue. OK, here is my solution:

    [I'm assuming that the reader knows how to bind the machine / or has the machine bound]

    (before you begin Select "show advanced settings" in the directory utility)

    In directory utility under search policy I clicked the + sign and added the specific domain I am currently in. By default the search path is set to All Domains. Selecting the domain I am in resolved the issue for me. After multiple reboots and different test accounts logging in was still possible.

    As a test I also unchecked "prefer this domain server" located in the services tab > show advanced options > then select the Administrative tab. After a reboot the settings from the search policy tab still held up. Hope this helps.
    MBP, Mac OS X (10.4.10)
  • MDT615
    I am happy to announce that I tried what someone suggested in another post which worked:

    1. I did a fresh install of Leopard. Updated to 10.5.1
    2. I added the computer name I was planning on using into AD first.
    3. In Leopard, I added the IP of our main domain controller instead of letting the OS choose (Prefer this domain controller)
    4. I unchecked allow authentication from any domain controller in the forest
    5. I added our domain to the directory servers page
    6. Was able to bind to the domain no problem after all of this
    MacBook Pro, Mac OS X (10.5.1)
  • yoHomie Level 1 (0 points)
    1. In AD: during the creation of a new computer in AD, did you check the box "This is a managed computer"? If so, what sample "Computer's unique ID (GUID/UUID)" did you set, if any?

    2. In Leopard System Prefs/Sharing: Did you have the Local Hostname be the same as the computer name you just added in AD? Also, did you enable "Use dynamic global hostname"?

    3. In Directory Utility/Computer ID: Is that the same as the computer name you just added in AD as well?

    Thanks!
    One of those..., Mac OS X (10.4.5)
