WGM error while trying to connect to Active Directory

The error is exactly what is says. Error -14002 is eDSOpenNodeFailed which means that you failed to open the directory node. Start with the basics. Have you changed DNS? Is your time off? DNS and time are the two most common causes of AD drop off. Run these commands:

sudo changeip -checkhostname
nslookup <fqdn of_your_macserver>
nslookup <ip address_of_yourserer>

host -t SRV ldap.tcp.domain.tld

host -t SRV kerberos.tcp.domain.tld

host -t SRV kpasswd.tcp.domain.tld

host -t SRV gc.tcp.domain.tld

In the last 4, replace domain.tld with your domain and top level domain suffix (such as mydomain.com)

If DNS is all still in place, then check your time. You are pointing the Mac at the Windows DC for time, correct?

ntpq -p

This will check your time sync. What is the jitter. If it is high, then stop and start time sync in System Preferences. Again, make sure you are using a mutually accepted (preferably an internel) time server on all domain resources.

If DNS and time check out, you can always try doing a rebind of the machine. It is possible that in the changes to AD you moved or deleted the machine record.

Hope this helps

All checked out fine from the Server except host -t SRV _gc....it relayed a host not found: 3(NXDomain) Is this a Global Catalog error relayed from the Windows domain?

Yes

... I wonder how this would effect the Xserve, all AD users can log into the machines my only problem is in pulling AD groups into OD. The Xserve OD DNS structure is seperate from AD, but I do have the Xserve bound to AD, I have unbound and rebound my macmini before I made the post to see if that would change anything but it did not, I think I will try the Xserve next.

Why is DNS independent? Not that it is related, but maintaining two DNS identities is going to lead to confusion at best and disaster at worst. If the primary domain is AD, you should be using only the AD DNS. In a normal AD promotion all the SRV records get created by default. While it is possible to create the service records for AD on OS X, it is usually not recommended. Too much management. My gut is to track down the absence of the GC service record. If you truly have independent DNS hosted on OS X and that is the primary resolver for the machine (assuming same domain), then try creating the svr record on OS X for the GC. Seems a bit odd but if you are at odds with the Windows admins, this might be your only way of proving that this is the issue.

You mention that users can log into machines. This is from the workstation. Have you tried dscl from the server or the workstation to see if you are able to browse the groups?

Do you know how to use the dscl command?

Maybe you are truly dealing with an odd WGM issue. Try to use dscl to query the AD domain. In Terminal, enter (followed by the return key):

dscl

This will enter you into the interactive dscl shell. It will take simple commands like ls and cd. For example, if you want to navigate to the AD container, enter this:

cd Active\ Directory/All\ Domains/Groups/

Hit return. Then list the contents of the Groups container using:

ls

That is a lower L as in list

Do you get an error here?

redrider03 wrote:
Thanks, I gave it a try it returns a Invalid Path, DS Error: -1409 (eDSUnkownNodeName). It tried lost of variables, parent domains, child domains and different groups within them. All return the same error.

How about this. Go one step at a time.

dscl

ls

cd Active\ Directory

ls

What is listed?