Can't bind to Active Directory

Sorry to cross post, but I've had no response in the Account and Login category.

We recently added two new iMacs (3.06 Intel Core i3, OS 10.6.4) to our network (Windows Server 2008 R2). Although our older 10.5.8 machines bind to the active directory just fine, the new Snow Leopard iMacs (10.6.4) go through the binding process and then cough up an insufficient privileges dialog (I am logged in as administrator). I've tried all the tricks posted (all caps for domain, removing DNS servers, short machine name, etc) and I'm stumped. These Macs can log on to the server, but it takes an incredibly long time to authenticate, unlike the instant access for the older Macs. Any insight would be appreciated.

Additional info: spoke with Apple Support today, no help whatsoever. Told me to check with Microsoft for a fix, even though ONLY the Snow Leopard machines have the issue.

2.4 Ghz Intel Core 2 Duo, Mac OS X (10.5.8)

Posted on Oct 28, 2010 11:38 AM


Nov 29, 2010 8:58 AM in response to cwolsen

I'm having this trouble as well. The username and password can join other computers to the domain fine. It's happening to all our 10.6 Macs including our new server. Anyone have a solution? I've tried setting up the account in advance, and letting it create its own; neither helped. When I pre-create the account it does recognize it and tries to join it, but same errors. I was able to bind one across VPN once, but I can't reproduce that either. All ideas are appreciated!

domain functional level is 2003 and forest functional level is 2003
We have a .com domain not a .local.
The GUI says: Invalid user name and password combination
Console says: Failed to changed computer password in Active Directory domain then [our domain name]

Dec 2, 2010 6:52 AM in response to cticompserv

We have the same problem at our enterprise, I'm hoping Apple support or someone can assist. Basically, our computers are extremely tough to join to the domain, and after they join some of them stop authenticating to the domain. When joining they give some cryptic error that's not really verbose, and after trying for a while it just binds. However, the user goes to log in one day and the login screen just shakes. I have run verbose logging while attempting to bind and it fails on step 5 w/ an 'unknown' error. Hopefully someone can shed light on this unknown error. I grepped the error log for any line that mentions Active Directory. This has happened to my Mac too, so it's not a pebkac error lol. It errors out on the fifth step of binding; from running the dsconfig -status and also looking at the log below I can see that something is happening, but not sure what. If I get no response I will cross post.

I changed the machine name from having a hyphen to an underscore; in the past that has been an issue. Also, it appears it stopped working b/c it couldn't update its computer password in AD, which led it to expire. The log below is what it output after I deleted the computer account in AD, unjoined the machine, changed the name, created a new computer account in AD, and tried to join the machine again.

2010-12-01 11:25:11 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16779575 : Node Name = /Active Directory
2010-12-01 11:25:11 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16779575 : Node Ref = 33556792 : Result code = 0
2010-12-01 11:25:11 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAC : Node Ref = 33556792 : Request Code = 50
2010-12-01 11:25:11 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAR : Node Ref = 33556792 : Request Code = 50 : Result code = -14260
2010-12-01 11:25:11 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAC : Node Ref = 33556792 : Request Code = 50
2010-12-01 11:25:11 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAR : Node Ref = 33556792 : Request Code = 50 : Result code = 0
2010-12-01 11:25:11 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsCloseDirNode(), Active Directory Used : DAC : Node Ref = 33556792
2010-12-01 11:25:11 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsCloseDirNode(), Active Directory Used : DAR : Node Ref = 33556792 : Result code = 0
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16779583 : Node Name = /Active Directory
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16779583 : Node Ref = 33556800 : Result code = 0
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAC : Node Ref = 33556800 : Request Code = 82
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Active Directory: Bind Step 1 - Searching for Forest/Domain information
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Active Directory: med.wayne.edu - Start checking servers for site "any"
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Active Directory: Total Servers "any" LDAP - 7, Kerberos - 7, kPasswd - 7
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Active Directory: Adding Server - "med-dhcp01b.med.wayne.edu"
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Active Directory: Adding Server - "med-backup01.med.wayne.edu"
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Active Directory: Adding Server - "med-dhcp01a.med.wayne.edu"
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Active Directory: Adding Server - "med-core01b.med.wayne.edu"
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Active Directory: Adding Server - "med-core03.med.wayne.edu"
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Active Directory: Adding Server - "med-core04.med.wayne.edu"
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Active Directory: Adding Server - "med-core01a.med.wayne.edu"
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Active Directory: med.wayne.edu - Finished checking servers for domain
2010-12-01 11:25:14 EST - T[0x000000010058D000] - Active Directory: DomainConfiguration reachabilityNotification - Node: med.wayne.edu - resolves - enabled
2010-12-01 11:25:15 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAR : Node Ref = 33556800 : Request Code = 82 : Result code = 0
2010-12-01 11:25:15 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsCloseDirNode(), Active Directory Used : DAC : Node Ref = 33556800
2010-12-01 11:25:15 EST - T[0x000000010058D000] - Client: dsconfigad, PID: 146, API: dsCloseDirNode(), Active Directory Used : DAR : Node Ref = 33556800 : Result code = 0
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16779585 : Node Name = /Active Directory
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16779585 : Node Ref = 33556802 : Result code = 0
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAC : Node Ref = 33556802 : Request Code = 83
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: Bind Step 2 - Finding nearest Domain controllers
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAR : Node Ref = 33556802 : Request Code = 83 : Result code = 0
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsCloseDirNode(), Active Directory Used : DAC : Node Ref = 33556802
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsCloseDirNode(), Active Directory Used : DAR : Node Ref = 33556802 : Result code = 0
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16779587 : Node Name = /Active Directory
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16779587 : Node Ref = 33556804 : Result code = 0
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAC : Node Ref = 33556804 : Request Code = 84
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: Bind Step 3 - Verifying credentials
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: med.wayne.edu - Start checking servers for site "any"
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: Total Servers "any" LDAP - 7, Kerberos - 7, kPasswd - 7
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-dhcp01b.med.wayne.edu"
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-backup01.med.wayne.edu"
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-dhcp01a.med.wayne.edu"
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-core01b.med.wayne.edu"
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-core03.med.wayne.edu"
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-core04.med.wayne.edu"
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-core01a.med.wayne.edu"
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: med.wayne.edu - Finished checking servers for domain
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: DomainConfiguration reachabilityNotification - Node: med.wayne.edu - resolves - enabled
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: EstablishConnectionUsingReplica - Node med.wayne.edu - New connection requested
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: FindSuitableReplica - Node med.wayne.edu - Attempting Replica connect to med-dhcp01b.med.wayne.edu.
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: FindSuitableReplica - Node med.wayne.edu - Attempting Replica connect to med-backup01.med.wayne.edu.
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: watchReachability watching socket = 20, 146.9.40.77 -> 146.9.21.5
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: VerifiedServerConnection - Verified server connectivity - med-dhcp01b.med.wayne.edu.
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: CheckWithSelect - good socket to host med-dhcp01b.med.wayne.edu. from poll and verified LDAP
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: FindSuitableReplica - Node med.wayne.edu - Established connection to med-dhcp01b.med.wayne.edu.
2010-12-01 11:25:15 EST - T[0x0000000100404000] - Active Directory: kadmEntry port is nil, will use default 464
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Password verify for mmoor@MED.WAYNE.EDU succeeded - cache MEMORY:DoXehFS
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Switching active cache to MEMORY:DoXehFS
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Secure BIND Session Success with server med-dhcp01b.med.wayne.edu.:389 using cache MEMORY:DoXehFS user mmoor@MED.WAYNE.EDU
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Processing Site Search with found IP
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Site found of - WSUSoM
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Updated site name to WSUSoM
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: med.wayne.edu - Start checking servers for site "WSUSoM"
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Total Servers "WSUSoM" LDAP - 7, Kerberos - 7, kPasswd - 7
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-backup01.med.wayne.edu"
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-core03.med.wayne.edu"
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-core01a.med.wayne.edu"
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-dhcp01b.med.wayne.edu"
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-core01b.med.wayne.edu"
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-core04.med.wayne.edu"
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: Adding Server - "med-dhcp01a.med.wayne.edu"
2010-12-01 11:25:16 EST - T[0x0000000100404000] - Active Directory: med.wayne.edu - Finished checking servers for domain
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: Updating Mappings from inSchema.........
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: Updated schema for node name med.wayne.edu
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: Configuration naming context = cn=Partitions,CN=Configuration,DC=med,DC=wayne,DC=edu
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: Top domain set as <cn=med,cn=partitions,cn=configuration,dc=med,dc=wayne,dc=edu>
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: Updating domain hierarchy cache
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: Updating policies from domain med.wayne.edu
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: Updated policies for node name med.wayne.edu
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAR : Node Ref = 33556804 : Request Code = 84 : Result code = 0
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsCloseDirNode(), Active Directory Used : DAC : Node Ref = 33556804
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsCloseDirNode(), Active Directory Used : DAR : Node Ref = 33556804 : Result code = 0
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16779604 : Node Name = /Active Directory
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16779604 : Node Ref = 33556821 : Result code = 0
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAC : Node Ref = 33556821 : Request Code = 85
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: Bind Step 4 - Searching for existing computer
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: EstablishConnectionUsingReplica - Node med.wayne.edu - New connection requested
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: watchReachability watching socket = 22, 146.9.40.77 -> 146.9.21.5
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: VerifiedServerConnection - Verified server connectivity - med-dhcp01b.med.wayne.edu.
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: establishConnectionUsingReplica - Node med.wayne.edu - Previous replica = med-dhcp01b.med.wayne.edu. responded
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: kadmEntry port is nil, will use default 464
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: Password verify for mmoor@MED.WAYNE.EDU succeeded - cache MEMORY:tif9oIk
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: Switching active cache to MEMORY:tif9oIk
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Active Directory: Secure BIND Session Success with server med-dhcp01b.med.wayne.edu.:389 using cache MEMORY:tif9oIk user mmoor@MED.WAYNE.EDU
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Active Directory: Doing Computer search for Ethernet address - 00:1b:63:a3:4c:c3
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Active Directory: Bind Step 4 - no mapping for Ethernet MAC address
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Active Directory: Doing DN search for account - david_imac
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Active Directory: stopWatching socket = 20, 146.9.40.77 -> 146.9.21.5
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Active Directory: LDAP connection closed - med-dhcp01b.med.wayne.edu.:389 - cache MEMORY:DoXehFS user mmoor@MED.WAYNE.EDU
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Active Directory: Destroying cache name MEMORY:DoXehFS user mmoor@MED.WAYNE.EDU
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Active Directory: Closing All Connections
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Active Directory: stopWatching socket = 22, 146.9.40.77 -> 146.9.21.5
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Active Directory: LDAP connection closed - med-dhcp01b.med.wayne.edu.:389 - cache MEMORY:tif9oIk user mmoor@MED.WAYNE.EDU
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Active Directory: Destroying cache name MEMORY:tif9oIk user mmoor@MED.WAYNE.EDU
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAR : Node Ref = 33556821 : Request Code = 85 : Result code = -14135
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsCloseDirNode(), Active Directory Used : DAC : Node Ref = 33556821
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsCloseDirNode(), Active Directory Used : DAR : Node Ref = 33556821 : Result code = 0
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Client: dsconfigad, PID: 146, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16779618 : Node Name = /Active Directory
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Client: dsconfigad, PID: 146, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16779618 : Node Ref = 33556835 : Result code = 0
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAC : Node Ref = 33556835 : Request Code = 81
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Active Directory: Bind Step 5 - Bind/Join computer to domain
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Active Directory: EstablishConnectionUsingReplica - Node med.wayne.edu - New connection requested
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Active Directory: watchReachability watching socket = 20, 146.9.40.77 -> 146.9.21.5
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Active Directory: VerifiedServerConnection - Verified server connectivity - med-dhcp01b.med.wayne.edu.
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Active Directory: establishConnectionUsingReplica - Node med.wayne.edu - Previous replica = med-dhcp01b.med.wayne.edu. responded
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Active Directory: kadmEntry port is nil, will use default 464
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Active Directory: Password verify for mmoor@MED.WAYNE.EDU succeeded - cache MEMORY:dIlRCuE
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Active Directory: Switching active cache to MEMORY:dIlRCuE
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: Secure BIND Session Success with server med-dhcp01b.med.wayne.edu.:389 using cache MEMORY:dIlRCuE user mmoor@MED.WAYNE.EDU
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: Looking for existing Record of david_imac
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: Doing DN search for account - david_imac
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: EstablishConnectionUsingReplica - Node med.wayne.edu - New connection requested
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: watchReachability watching socket = 22, 146.9.40.77 -> 146.9.21.5
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: VerifiedServerConnection - Verified server connectivity - med-dhcp01b.med.wayne.edu.
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: establishConnectionUsingReplica - Node med.wayne.edu - Previous replica = med-dhcp01b.med.wayne.edu. responded
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: kadmEntry port is nil, will use default 464
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: Switching active cache to MEMORY:dIlRCuE
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: Secure BIND Session Success with server med-dhcp01b.med.wayne.edu.:389 using cache MEMORY:dIlRCuE user mmoor@MED.WAYNE.EDU
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: KerberosID Found for account CN=david_imac,CN=Computers,DC=med,DC=wayne,DC=edu - DAVID_IMAC$
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: Existing record found @ CN=david_imac,CN=Computers,DC=med,DC=wayne,DC=edu with david_imac$@MED.WAYNE.EDU.
2010-12-01 11:25:21 EST - T[0x0000000101B87000] - Active Directory: DomainConnection:periodicTask - Status Node: med.wayne.edu -- Server: med-dhcp01b.med.wayne.edu.:389 -- User mmoor@MED.WAYNE.EDU -- Time: 2 sec -- Idle
2010-12-01 11:25:26 EST - T[0x0000000101A81000] - Internal Dispatch, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16777216 : Node Name = /Active Directory/med.wayne.edu
2010-12-01 11:25:26 EST - T[0x0000000101A81000] - Internal Dispatch, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16777216 : Node Ref = 33556876 : Result code = -14002
2010-12-01 11:25:26 EST - T[0x0000000101A81000] - * Error NULL plug-in pointer for node /Active Directory/med.wayne.edu. Returning error = -14008.
2010-12-01 11:25:26 EST - T[0x0000000101D10000] - Internal Dispatch, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16777216 : Node Name = /Active Directory/med.wayne.edu
2010-12-01 11:25:26 EST - T[0x0000000101A81000] - CSearchPlugin::CheckNodes: calling dsOpenDirNode failed on node </Active Directory/med.wayne.edu>
2010-12-01 11:25:26 EST - T[0x0000000101D10000] - Internal Dispatch, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16777216 : Node Ref = 33556877 : Result code = -14002
2010-12-01 11:25:26 EST - T[0x0000000101D10000] - * Error NULL plug-in pointer for node /Active Directory/med.wayne.edu. Returning error = -14008.
2010-12-01 11:25:26 EST - T[0x0000000101D10000] - CSearchPlugin::CheckNodes: calling dsOpenDirNode failed on node </Active Directory/med.wayne.edu>
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Active Directory: Setting Computer Password FAILED for existing record......
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Active Directory: Computer password change date is 2010-11-23 15:48:03 -0500
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Active Directory: Scheduled computer password change every 1209600 seconds - starting 2010-12-01 11:25:37 -0500
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Active Directory: Closing All Connections
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Active Directory: stopWatching socket = 22, 146.9.40.77 -> 146.9.21.5
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Active Directory: LDAP connection closed - med-dhcp01b.med.wayne.edu.:389 - cache MEMORY:dIlRCuE user mmoor@MED.WAYNE.EDU
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Active Directory: stopWatching socket = 20, 146.9.40.77 -> 146.9.21.5
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Active Directory: LDAP connection closed - med-dhcp01b.med.wayne.edu.:389 - cache MEMORY:dIlRCuE user mmoor@MED.WAYNE.EDU
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Active Directory: Destroying cache name MEMORY:dIlRCuE user mmoor@MED.WAYNE.EDU
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAR : Node Ref = 33556835 : Request Code = 81 : Result code = -14093
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Client: dsconfigad, PID: 146, API: dsCloseDirNode(), Active Directory Used : DAC : Node Ref = 33556835
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Client: dsconfigad, PID: 146, API: dsCloseDirNode(), Active Directory Used : DAR : Node Ref = 33556835 : Result code = 0
2010-12-01 11:25:37 EST - T[0x0000000100404000] - Active Directory: Failed to changed computer password in Active Directory domain med.wayne.edu

Dec 3, 2010 6:06 AM in response to UPGTech

Our problem appeared to be resolved by a firewall issue that was taking place. Below are the notes.

OK, I looked at david_imac, which would not join the domain because it couldn’t set the password on its account. While googling, I came across someone having the same error in the debug logs and they said it was because the Mac was using Kerberos port 464 to change the password. I watched the firewall logs while trying to join and sure enough, I found that Mac trying to talk on that port. I created a service port object for it (because it has never existed here) and added it to the domain controller rule and the computer joined successfully.

When Macs joined the domain in the past, they may have been successful at joining because they were able to talk to the DC which for 10 years was never behind the server farm firewall. Now that it is behind the firewall as Nov , the inability to change the password during joining via port 464 on any domain controller would have prevented joining. But this can’t be the only hypothesis because this Mac issue where they just stop talking to domain started in Oct or so. It’s possible that this 464 could have been a factor in that but I don’t know why it would have become one Oct since Macs have been joined to the domain longer than that unless folks haven’t communicated the problem until now. Port 464 is not used for authentication, but for changing passwords. Obviously, Windows computers don’t use Kerberos to change passwords.
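
Added example (not part of any post in this thread): a small parser for the DirectoryService debug log format shown above that groups lines into bind steps per thread id, records each step's result code, and flags the "Setting Computer Password FAILED" case together with the kpasswd port the log reports. The sample log is constructed, with placeholder host and account names, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the DirectoryService debug log format in this
# thread; host, realm and account names are placeholders.
SAMPLE_LOG = """\
2010-12-01 11:25:17 EST - T[0x0000000100404000] - Active Directory: Bind Step 4 - Searching for existing computer
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Active Directory: Bind Step 4 - no mapping for Ethernet MAC address
2010-12-01 11:25:18 EST - T[0x0000000100404000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAR : Node Ref = 1 : Request Code = 85 : Result code = -14135
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Active Directory: Bind Step 5 - Bind/Join computer to domain
2010-12-01 11:25:18 EST - T[0x0000000101C0F000] - Active Directory: kadmEntry port is nil, will use default 464
2010-12-01 11:25:19 EST - T[0x0000000101C0F000] - Active Directory: Secure BIND Session Success with server dc1.example.com.:389 using cache MEMORY:x user admin@EXAMPLE.COM
2010-12-01 11:25:26 EST - T[0x0000000101A81000] - Internal Dispatch, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 1 : Node Ref = 2 : Result code = -14002
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Active Directory: Setting Computer Password FAILED for existing record......
2010-12-01 11:25:37 EST - T[0x0000000101C0F000] - Client: dsconfigad, PID: 146, API: dsDoPlugInCustomCall(), Active Directory Used : DAR : Node Ref = 3 : Request Code = 81 : Result code = -14093
"""

LINE = re.compile(r"^\S+ \S+ \S+ - T\[(?P<tid>0x[0-9A-Fa-f]+)\] - (?P<msg>.*)$")
STEP = re.compile(r"Active Directory: Bind Step (\d+) - (.+)")
RESULT = re.compile(r"dsDoPlugInCustomCall\(\).*: DAR :.*Result code = (-?\d+)")
KPASSWD = re.compile(r"kadmEntry port is nil, will use default (\d+)")
SERVER = re.compile(r"Secure BIND Session Success with server (\S+?)\.?:(\d+)")
PWFAIL = re.compile(r"Setting Computer Password FAILED")


def parse_bind_steps(text):
    """Group log lines into bind steps, tracked per thread id so that
    interleaved lines from other threads are not attributed to a step."""
    open_steps, steps = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        cur = open_steps.get(tid)
        s = STEP.search(msg)
        # A "Bind Step N" line with the number already open is a progress note.
        if s and not (cur and cur["step"] == int(s[1])):
            cur = {"step": int(s[1]), "name": s[2].strip(), "result": None,
                   "server": None, "kpasswd_port": None,
                   "password_set_failed": False}
            open_steps[tid] = cur
            steps.append(cur)
            continue
        if cur is None:
            continue
        k, b, r = KPASSWD.search(msg), SERVER.search(msg), RESULT.search(msg)
        if k:
            cur["kpasswd_port"] = int(k[1])
        if b:
            cur["server"] = b[1]
        if PWFAIL.search(msg):
            cur["password_set_failed"] = True
        if r:  # the plug-in call's reply closes the step on this thread
            cur["result"] = int(r[1])
            del open_steps[tid]
    return steps


def diagnose(steps):
    """Return one finding per step whose computer-password set failed."""
    findings = []
    for st in steps:
        if st["password_set_failed"]:
            port = st["kpasswd_port"] or 464  # 464 is the kpasswd default
            target = st["server"] or "the domain controllers"
            findings.append(
                f"Bind Step {st['step']} failed setting the computer password "
                f"(result {st['result']}); check that the firewall permits "
                f"kpasswd port {port} to {target}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_bind_steps(SAMPLE_LOG)):
        print(finding)
```
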
