Directory Utility - Authentication Failed

Trying to link our 10 iMacs and 10 Mac minis to Active Directory via Directory Utility.


Active Directory Domain is entered correctly, alongside the Computer ID.

Then a correct username and password for AD is entered as requested, which then replied back with...

"Authentication server could not be contacted"


Have tried so many different variations of what we are typing in, but there is only one real set of things we can enter, so I know they are correct.


The only thing that I could be doing wrong is something within Advanced Options that I am not checking (didn't touch anything in there).


Any ideas to get our computers linked to AD? We tried Centrify free, but it was horrible to set up.

iMac

Posted on Dec 14, 2012 7:08 AM

11 replies

Dec 14, 2012 7:48 AM in response to r.cummings

You presumably have 'real' PCs as well as Macs; you could try the same settings on a PC to confirm things. Other things to check are finding out the host name of the Active Directory controller and pinging it from the Mac to confirm both that the Mac can resolve it and can reach it.


You should also set the Mac to use the Active Directory server as the network time server. Both Active Directory and Open Directory rely on computers having the clocks set to match within a reasonable amount.


The Macs should be using the same DNS server as the PCs and this should normally be provided by your DHCP server.

Dec 14, 2012 7:52 AM in response to John Lockwood

We have real PCs, yes; we are a school.


How can I try settings on a real PC...? Directory Utility is a Mac program?

Or am I completely misunderstanding you?


And when you say find the host name of the Active Directory controller, again, what do you mean?

It is named schoolxp, and we have various servers that revolve around that but schoolxp is the main name so I don't see what else I am meant to be using?


Time wise, it is already set to the same.

Dec 18, 2012 5:59 AM in response to r.cummings

Hi


"Active Directory Domain is entered correctly, alongside the Computer ID . . ."


"If I was linking a Windows PC to AD, I would use the same domain name . . ."


What are you using exactly?


Let's pretend your domain is example.com. Entering EXAMPLE (as you might do on a Windows device) won't necessarily work? You should enter the full domain. If you are entering "example" and nothing else, then check if the DHCP service is providing the domain string properly. It's option 15 in the service.


If the above checks out, the other issue may be time synchronization? In an SSO environment, server and client clocks must be within 5 minutes of each other. On all Macs set the DC's IP address (assuming this is the NTP server?) in the Date & Time preference pane. Try binding again.


Prior to binding any Mac you should always test DNS services and ease of connectivity to AD first. From any Mac launch Terminal and issue any/all of these commands (using example.com as the example):


host -t SRV _ldap._tcp.example.com

host -t SRV _kpasswd._tcp.example.com

host -t SRV _kpasswd._udp.example.com

host -t SRV _kerberos._tcp.example.com

host -t SRV _kerberos._udp.example.com


Before doing the above you should try to ping the primary DC on both pointers first.


HTH?


Tony

Dec 18, 2012 6:15 AM in response to Antonio Rocco

First of all, apologies for me being a complete noob, I am new at this whole thing.

If I am completely misunderstanding or missing the point, please just correct me.

I am new to this job (apprenticeship at the moment) so it's a learning curve.


Our domain is schoolxp. I am not aware of any other way to say schoolxp in domain terms.

We have various servers such as srv01, but they all just duplicate the data between them, our only main thing is schoolxp...

Can I get an IP off that domain name somehow? Do I need to be saying .com at the end of it?


Time is already synchronised.


DNS works fine as we remote into computers all the time using their names and not IPs.


I tried doing srv01.schoolxp, and that didn't work either.


Also... does it matter that Active Directory Forest is set to Automatic and I cannot change it?

Dec 18, 2012 6:36 AM in response to r.cummings

Hi


That's OK. No need to apologise.


You actually do have experience of what a domain name is. Let's break it down further. Using Google as an example, google.co.uk would be the domain or, more properly, the domain name, and www would be the server's name.


Your schoolxp domain would have a suffix on it somewhere? At least .here, .internal, .private, .lan, .local etc. Try looking at the DNS snap-in module on your DCs for more information.


From any PC or Mac you only have to ping the DC's name (srv01) and it should print to screen something like this:


ping srv01


PING srv01.schoolxp.whatever (xxx.xxx.xxx.xxx): 56 data bytes

64 bytes from xxx.xxx.xxx.xxx: icmp_seq=0 ttl=126 time=1.027 ms


If you're not seeing anything like the above then you're either doing it wrong or there's potentially something fundamentally 'wrong' with your network.


This statement:


"DNS works fine as we remote into computers all the time using their names and not IPs"


Does not necessarily have anything to do with your internal DNS service.


"Also... does it matter that Active Directory Forest is set to Automatic and I cannot change it?"


No.


HTH?


Tony
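
The SRV lookups Tony lists above, plus the ping check from his follow-up, as one script. This is an added example, not code from the thread: it assumes the `host` and `ping` commands are available (they are on macOS), takes the domain name as its first argument, uses example.com and constructed dc1/dc2 host names purely as sample values, and only reports what DNS returns.

```shell
#!/bin/sh
# Added example (not from the thread): verify the SRV records an Active Directory
# bind depends on, then confirm the domain controllers they name can be reached.
# Usage: sh check_ad_dns.sh example.com

# SRV names a Kerberos/LDAP client looks up before binding (the list from the thread)
AD_SRV_NAMES="_ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp _kpasswd._udp"

# Extract the target host names from the text printed by `host -t SRV <name>`.
# A typical answer line (constructed sample) looks like:
#   _ldap._tcp.example.com has SRV record 0 100 389 dc1.example.com.
# An NXDOMAIN answer contains no "has SRV record" line, so nothing is printed.
parse_srv_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }' | sort -u
}

# Look up every SRV name under the domain; returns 1 if any lookup is empty.
# An empty _ldap._tcp or _kerberos._tcp answer is exactly the condition that
# produces "Authentication server could not be contacted" in Directory Utility.
check_ad_srv() {
    domain="$1"; rc=0
    for name in $AD_SRV_NAMES; do
        out=$(host -t SRV "$name.$domain" 2>&1)
        targets=$(parse_srv_targets "$out")
        if [ -z "$targets" ]; then
            echo "MISSING $name.$domain  ($out)"
            rc=1
        else
            echo "OK      $name.$domain -> $(printf '%s ' $targets)"
        fi
    done
    return $rc
}

# Ping each DC named in the _ldap._tcp SRV record once, which checks both that
# the Mac can resolve the DC's name and that it can reach the address.
ping_dcs() {
    for dc in $(parse_srv_targets "$(host -t SRV "_ldap._tcp.$1" 2>&1)"); do
        if ping -c 1 "$dc" >/dev/null 2>&1; then
            echo "reachable   $dc"
        else
            echo "unreachable $dc"
        fi
    done
}

if [ -n "$1" ]; then
    check_ad_srv "$1"
    ping_dcs "$1"
fi
```

If every line comes back MISSING for a bare name such as schoolxp, the problem is the DNS zone (no suffix, or no SRV records registered by the DCs), not the credentials typed into Directory Utility.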

Dec 18, 2012 8:16 AM in response to r.cummings

Hi


"We don't have a suffix."


That can't be right? I know PCs are more tolerant but if this is true I'd not be surprised if your Windows network is experiencing problems. You're probably not aware that it is as you may have nothing to compare it to. However I can assure you not having a domain suffix is not ideal by any means. I've seen hundreds of windows networks and all of them have a domain suffix.


"Any ideas?"


Beyond sorting out your DNS service, not really. If DNS is not resolving properly on both pointers and is not using something that looks like a valid domain, your Macs won't bind as they should, and if they did it will barely work well, if at all.


Do you have access to another school's AD? If you do, go and have a look. It should give you a clearer idea.


HTH?


Tony

Dec 18, 2012 8:20 AM in response to Antonio Rocco

All we have is .schoolxp

Where specifically would I find a suffix if it existed?


For example, if I add a Windows PC to the domain, I click on domain, then just type in schoolxp.


I've never recalled having a suffix in place, and just speaking to the network manager then, neither has he.


In an ideal world, yes we would redo our whole domain and add a suffix.


Our only Macs are the 20 in this room, so if we can't get it working because it requires a suffix then it's no biggy.

Dec 19, 2012 3:45 AM in response to r.cummings

Hi


"Where specifically would I find a suffix if it existed?"


As already mentioned, access and view the DNS Snap-in module on your server.


Start Menu > Administrative Tools > DNS.

Click on the Forward Zone Container/Folder. In the right hand window there will be a folder called something. What is that folder called? Double click the folder to view its contents. Look for the Name Server (NS) & (SOA) Records. What name is listed there?


"I've never recalled having a suffix . . . just speaking to the network manager neither has he"


With respect the above statement worries me.


"Our only macs are the 20 . . . if we can't get it working because it requires a suffix . . . it's no biggy"


Again with respect, are you sure? If it was me I'd be thinking that's a waste of the school's fairly substantial investment. 20 Macs are not exactly cheap, are they?


HTH?


Tony
