Binding to Active Directory Fails - Authentication Errors
I've done two clean installs of 10.5 on two separate 1st gen Macbooks, and Active Directory binding to a 2000 or 2003 Server fails with "Invalid Username/Password" when it asks you for the network administrator's credentials. I am the network administrator, so I know that the username and password are correct. My system is seeing the correct DNS server and my system time is exactly the same as my domain controllers'. Has anyone had this problem? AD binding worked fine with the AD 1.5.6 plugin that came with 10.4. The AD 1.6 plugin in Directory Services seems broken to me.
Macbook 2Ghz Core Duo,
Mac OS X (10.5),
2GB RAM, 100GB HDD
I'm guessing that since it ultimately fails it must never fully put the computer in the AD.
The client tells DC A that it's adding ClientZ to AD.
DC A waits for more info while the client then does whatever it's doing.
Client then contacts DC B about adding ClientZ.
DC B has no idea what it's talking about so it fails.
Client fails
DC A is left hanging so eventually it fails.
In the end there's nothing added to the domain.
That's just my guess... I really have no idea what's going on behind the scenes. But, otherwise you'd eventually see that ClientZ show up and then it would bind.
I'm trying now to see if there's a way (other than /etc/hosts) to force the client to only use one particular DC or if there's a way to view bind attempts in the logs on the domain controllers.
I don't have a machine to test this with at the moment, but what about if you specify the DC you'd like to use with the "Prefer this domain server" option in the advanced AD settings under the Administrative tab? I'll probably give it a try once I get a machine I can use to test it, but I do not have one right this moment.
I hope there is more room on the boat for me. I am having all the issues mentioned above and tried all the fixes with no luck.
Just for kicks I joined a 10.4 machine to the domain (made me feel better about myself) but for now I'm sitting in purgatory about whether to go back to 10.4 or sit and wait for 10.5.2 and hope it fixes the issue.
Got all the issues mentioned above.
10.5.1
Got the error message while trying to bind imac
I tried something else....
In Directory Utility, instead of going to the first tab, I went to the Services tab and double-clicked on Active Directory (checked box). Filled in the domain name and clicked Bind. And it worked.
Order:
Reboot
Open directory utility
wait for Mac search to be completed.
Went to tab Services
entered domain: mydomain.net.inside
clicked bind
Prompted for login: Administrator
Password: my 17 long password.
And when go back to 1st tab Directory Services, everything is cool.
The only thing that has worked for me consistently is to add the computer name to the Active Directory, wait a half hour for it to replicate to all of the domain controllers and then bind the computers.
Doing this has worked for pretty much every computer.
Odds are this will be fixed in 10.5.2 and this will all be cleared up... I hope.
This did in fact work for me, after trying and failing with the other ideas. However, it doesn't let anyone log on with a network account......it's BOUND....but not being able to log in kills some of the joy.
Hey Jason, thanks, your method worked for me. Currently running 10.5.1. (I will do a clean install and re-test on 10.5.) Binding the computer to our domain initially threw me an error code 14120, eDSPermissionError. I ignored it and tried again, which resulted in success.
After the machine was bound via Directory Utility, I then went to the Services tab (you have to activate "Show Advanced Settings" to view this), selected > show advanced options > then selected the Administrative tab. I checked "Prefer this domain server" and inputted the IP address for our DC. I also tested the setup by inputting the DNS of the server and that worked as well. Thanks again.
Just an update: after restarting the machine I am back to where I started. Although the machine is reporting that it is bound, I cannot log in with network accounts. Either the login process freezes at the login stage or I get the message "The system is unable to log you in at this time....."
Ok here is another update hopefully the final one. I am able to bind and login consistently now on 10.5.1. Binding doesn't seem to be the major issue at hand, logging into the network accounts seems to be the principal issue. Ok here is my solution:
[I'm assuming that the reader knows how to bind the machine / or has the machine bound]
(before you begin Select "show advanced settings" in the directory utility)
In directory utility under search policy I clicked the + sign and added the specific domain I am currently in. By default the search path is set to All Domains. Selecting the domain I am in resolved the issue for me. After multiple reboots and different test accounts logging in was still possible.
As a test I also unchecked "prefer this domain server" located in the services tab > show advanced options > then select the Administrative tab. After a reboot the settings from the search policy tab still held up. Hope this helps.
I am happy to announce that I tried what someone suggested in another post which worked:
1. I did a fresh install of Leopard. Updated to 10.5.1
2. I added the computer name I was planning on using into AD first.
3. In leopard, I added the IP of our main domain controller instead of letting the OS choose (Prefer this domain controller)
4. I unchecked allow authentication from any domain controller in the forest
5. I added our domain to the directory servers page
6. Was able to bind to the domain no problem after all of this
1. In AD: during the creation of a new computer in AD, did you check the box "This is a managed computer"? If so, what is the sample "Computer's unique ID (GUID/UUID)" did you set? -If any?
2. In Leopard System Prefs/Sharing: Did you have the Local Hostname be the same as the computer name you just added in AD? -Also, did you enable "Use dynamic global hostname"?
3. In Directory Utility/Computer ID: Is that the same as the computer name you just added in AD as well?
This thread has been closed by the system or the community team.