Red dot on Active Directory-bound Mac login page

I've been having an issue with Active Directory for a company that my job place supports. For the past 3-4 months, a red dot appears on the top right side of the screen. This happens on 3 of their machines. Is there anything I can do to resolve this?



[Re-Titled by Moderator]



Posted on Jan 31, 2025 7:31 AM

Question marked as Top-ranking reply

Posted on Feb 1, 2025 2:45 PM

Please note, directory binding, while still possible, is deprecated and Apple is encouraging modern solutions such as Apple SSO Extension (delivered via MDM) or Platform SSO (still a work in progress but possible with Microsoft as the identity provider). Also, Jamf Connect, for Jamf environments, is a capable replacement (assuming you have a cloud identity provider).


That being said, a few questions. Are the Macs desktops? I suspect not. The portable nature of laptops can make directory binding tenuous at best.


I suspect the issue is that the device binding credential reset on the Mac and not the domain. So the unit is now "untrusted" and you get the red dot. If you are on the Mac with a red dot, are you able to query the AD domain using the dscl command? I will speculate not. If you are unable to query the LDAP directory, then you will need to rebind the unit to resolve the red dot. This will produce an updated computer record in the AD Computers OU (or custom path if used).


Next, how do you stop it from "going red?" So, back in the day, the DS service for AD binding requires the randomization of the password for the device record to rotate every 14 days. The issue is that with laptops, we cannot ensure that a machine will have access to the domain in 14 days. If it does not, then the Mac updates the record's password but that is not shared with the domain. When the Mac gets back on the corporate LAN and can talk to the domain, the domain binding record on the Mac and the device record in the domain no longer agree. Red dot.


You can try disabling the device record password refresh. Do the following:


• Unbind (likely a force unbind) the Mac that is giving trouble

• Optionally, assuming a force unbind is required, go to the domain controller and manually delete the device record

• Bind the Mac to the domain using whichever method you were using (Directory Utility, System Settings, dsconfigad, MDM, etc.)

• Open Terminal and modify the bind using this command


sudo dsconfigad -passinterval 0


This sets the record password refresh to never. This avoids the standard 14-day refresh of the directory record.


This recommendation will likely not resolve ALL red dots. Again, assuming you are doing this on laptops, you are next going to deal with sleep/wake cycles. The DS query will occur on a reboot and generally periodically. But when lids are closed, opened, closed, etc., DS will often just give up and stop probing the network. In these cases, if you really need a live connection to the domain, a reboot will likely be the faster way to resolve.


Hope this is helpful.
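Added diagnostic, not part of the original thread: a POSIX shell script that reads the output of dsconfigad -show, pulls out the computer account and the "Password change interval" the reply talks about, and wraps the dscl domain probe the reply suggests. The dsconfigad output it falls back to when the command is absent is a constructed sample, and the domain and user names are placeholders.

```shell
#!/bin/sh
# Diagnostic for the AD "red dot" scenario: report the machine-account password
# rotation interval and test whether the Mac can still read AD records.

# Constructed sample of `dsconfigad -show` output, used only when the real
# command is not available (e.g. when run somewhere other than a bound Mac).
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = mac-01$

Advanced Options - Administrative
  Password change interval         = 14
  Namespace mode                   = domain'

# Extract the value of a "Key = value" line from dsconfigad -show text on stdin.
show_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*= *//p" | head -n 1
}

# Map the interval to what it means for a laptop that leaves the network.
# 0 (set via `dsconfigad -passinterval 0`) means the machine-account password
# never rotates: no stale record, but the AD trust then rests on a static secret,
# so treat it as a tradeoff for portables rather than a fleet-wide default.
classify_interval() {
    case "$1" in
        0)  echo "never-rotates" ;;
        '') echo "unknown" ;;
        *)  echo "rotates-every-$1-days" ;;   # stale if off the domain longer than this
    esac
}

# Only meaningful on a bound Mac: can Open Directory still read an AD user
# record through the domain node? A failure here is the reply's rebind signal.
# Usage: domain_reachable corp.example.com some.user
domain_reachable() {
    dscl "/Active Directory/$1/All Domains" -read "/Users/$2" RecordName >/dev/null 2>&1
}

if command -v dsconfigad >/dev/null 2>&1; then
    show_out=$(dsconfigad -show)
else
    show_out="$SAMPLE_SHOW"
fi
interval=$(printf '%s\n' "$show_out" | show_field "Password change interval")
echo "Computer account: $(printf '%s\n' "$show_out" | show_field "Computer Account")"
echo "Password change interval: $interval -> $(classify_interval "$interval")"
```

On a Mac with a red dot, run domain_reachable with the real domain and a known AD user; a non-zero exit while the interval is non-zero matches the stale-record case described above.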
