
os x server loses active directory binding

I am running an Open Directory/Active Directory network. Authentication is from the Windows Server 2003 Active Directory. It has worked fine until the last month. Now clients stop authenticating, and when I check the AD plugin it says network accounts are not available. I can force the server to unbind, then renew the binding, and everything works great.

Is there any workaround or fix for this other than upgrading the Windows server to 2008?


Thanks

OS X server-OTHER, Mac OS X (10.6.8)

Posted on May 15, 2012 5:12 AM

Question marked as Top-ranking reply

Posted on May 16, 2012 4:26 AM in response to richardfromnacogdoches

Yes. You are likely experiencing one of two common issues. 1: Your time skew is too large (although an unbind/bind will not solve this), or 2: you are failing to properly set the random machine password.


Try this command on the server:


sudo dsconfigad -passinterval 0


Then:


sudo dsconfigad -show


to confirm the setting. This will prevent the machine from refreshing its machine password with the domain every 14 days (default setting). The issue is that Apple's plugin does not properly catch an exception. What happens is the plugin detects that it should re-randomize the machine password, so it creates a new one, records it to the config file, and THEN tries to write it to the domain. When the write to the domain fails, the system then sends the new password already recorded in the config file, and now they mismatch. This is a common AD integration issue and is likely associated with your binding rights in AD.


As for time, make sure you are pointing all your Macs to the DC for time info or to a mutually agreed upon external server.


Hope this helps. Easy to fix.
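The reply above names two things to verify on the server: the machine-password change interval reported by dsconfigad -show, and the clock skew between the Mac and the DC. The script below is an added example (not from the thread, and not Apple's tooling) that turns those two checks into functions you can run on the server. Assumptions not stated on the page: the dsconfigad -show text it parses is a constructed sample modelled on the "Password change interval" line that dsconfigad prints, and the 300-second limit is the Kerberos default clock-skew tolerance; the DC time value would in practice come from something like ntpdate -q against the DC.

```shell
#!/bin/sh
# Added example, not part of the original thread. Pre-flight check for the two
# causes the reply names: machine-password refresh still enabled, and clock skew
# beyond the Kerberos default tolerance (300 s). Assumes the `dsconfigad -show`
# sample below is representative of the real output (constructed, not captured).

# Constructed sample of `dsconfigad -show` output before the fix (14-day default).
SAMPLE_BEFORE='Active Directory Forest          = example.corp
Active Directory Domain          = example.corp
Computer Account                 = osxserver$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Password change interval       = 14
  Namespace mode                 = domain'

# The same sample after `sudo dsconfigad -passinterval 0` has been applied.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/Password change interval       = 14/Password change interval       = 0/')

# passinterval: print the password change interval (days) found in dsconfigad
# -show text read from stdin; prints -1 if the line is missing entirely.
passinterval() {
  awk -F'=' '
    /Password change interval/ { v=$2; gsub(/[ \t]/, "", v); print v+0; found=1 }
    END { if (!found) print -1 }'
}

# passinterval_ok SHOW_TEXT: succeed only when refresh is disabled (0), the
# setting the reply recommends so the recorded and domain passwords cannot diverge.
passinterval_ok() {
  [ "$(printf '%s\n' "$1" | passinterval)" -eq 0 ]
}

# skew_ok LOCAL_EPOCH DC_EPOCH: succeed when the two clocks differ by at most
# 300 s. On a live server LOCAL_EPOCH is `date +%s` and DC_EPOCH is derived from
# a query against the DC (e.g. the offset printed by `ntpdate -q <dc>`; assumed).
skew_ok() {
  d=$(( $1 - $2 ))
  [ "$d" -lt 0 ] && d=$(( 0 - d ))
  [ "$d" -le 300 ]
}

# check_binding SHOW_TEXT LOCAL_EPOCH DC_EPOCH: print one verdict line per check
# and succeed only when both pass.
check_binding() {
  rc=0
  if passinterval_ok "$1"; then
    echo "passinterval: 0 (machine password refresh disabled)"
  else
    echo "passinterval: $(printf '%s\n' "$1" | passinterval) days; run: sudo dsconfigad -passinterval 0"
    rc=1
  fi
  if skew_ok "$2" "$3"; then
    echo "clock skew: within 300 s"
  else
    echo "clock skew: too large; point the Mac at the DC (or the DC's NTP source) for time"
    rc=1
  fi
  return $rc
}

# Demonstration on the constructed samples: the 14-day default with 10 minutes of
# skew fails both checks; the post-fix config with clocks in step passes.
check_binding "$SAMPLE_BEFORE" 1337140000 1337139400 || echo "binding at risk"
check_binding "$SAMPLE_AFTER"  1337140000 1337139990 && echo "binding healthy"
```

On the real server, feed `sudo dsconfigad -show` into passinterval instead of the sample, and pass `date +%s` plus the DC's time to skew_ok. One caveat worth keeping in mind: -passinterval 0 stops the computer-account password from ever rotating, so it removes the mismatch at the cost of a static domain credential on the Mac. The reply itself attributes the failed write to binding rights in AD, so treat the interval change as the workaround and the permission fix as the real repair.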

2 replies
