
"Invalid Domain and Forest combination" During an Active Directory (AD) Bind

I am using 10.6.8 and trying to bind to an active directory server over which I have complete control. DNS has an entry for the fully qualified domain name of the Active Directory Domain Controller (AD DC). Regardless of what I enter into the dialogs in Directory Utility, I get the error below:


Invalid domain

An invalid Domain and Forest combination was specified. You should enter a fully qualified DNS name for the domain and forest (e.g., ads.company.com).


  1. The Directory Utility tool does not permit editing the "Active Directory Forest".
  2. I enter a valid fully qualified host name in for the "Active Directory Domain:".
  3. I enter a simple "titan" in the "Computer ID" field.
  4. I press the "Bind..." button.
  5. I let Directory Utility generate the "Computer OU:" field.
  6. I enter my username and password for the account on the Active Directory server; the account with god privileges on the AD server.
  7. I press the OK button.
  8. And ... invalid domain.


Mind you, the forest and the computer OU are all entered into the Directory Utility by the AD plugin at this point. Is the AD plugin telling me it itself is defective? (ah sweet irony). If it is not, then the AD plugin is tossing up a pretty darn useless error dialog. (had more helpful fortune cookies)


http://support.apple.com/kb/TS1206 states updating to 10.5.3 and beyond will fix this problem. If that were truly the case, why is the error dialog even present in Mac OS X 10.6.8? (ah huh... buggy is as buggy does!)


What comes to mind is the guessing game of what the AD plugin is assuming as the forest name as it will not let me enter it. Does anyone know what assumption the AD plugin makes? I can try and shave the AD square plug to fit Apple's round hole if I knew the diameter ;-)


Someone should just tell Microsoft to fix their stuff to work like Apple wants!

Posted on Apr 18, 2013 11:13 AM

4 replies

Sep 13, 2013 2:58 PM in response to Cerniuk

I'd been having this problem for a long time now, and discovered the problem wasn't OS X, but rather errors in how Active Directory and DNS are configured. Even though AD will work fine in binding Windows systems with DNS configuration problems, OS X is very picky with allowing binding to AD.


The first thing I discovered on the Active Directory domain controller was that the main CA certificate on the domain had expired. Once I generated a new CA certificate I could then see "Active Directory / All Domains" under the custom search policy in the Directory Utility. Cleared that hurdle.


The next step was to verify the health of the domain and DNS entries by running a series of commands in a command prompt on the domain controller itself.


DCDIAG /test:DNS /DNSALL /e /v

dcdiag /test:DcPromo /DnsDomain:domain.company.com /Operation /e /v

dcdiag /test:RegisterInDNS /DnsDomain:domain.company.com /<Operation> /e /v

/<Operation> may be /NewForest, /NewTree, /ChildDomain or /ReplicaDC


I didn't even have to run more than the first command before I started seeing where the configuration problems were. The domain SOA was not responding and the ldap_tcp test was failing.


In the DNS manager on the domain controller I found I had incorrectly added an additional full domain as a forward zone in DNS instead of a child. Copied down all the records and deleted the problem domain, then created a child domain and re-entered the records. Still didn't fix it, but better results on the test.


Then, on the new child domain I launched the 'new delegation' wizard (right click on the forward zone domain) and configured it to name the correct FQDN and resolve both DNS servers on my LAN. After giving it a few minutes to replicate (you can also use ipconfig /registerdns to push) I re-ran the first test and all but IPv6 passed. After that I was able to bind and add to the Kerberos realm.


So, bottom line is: run whatever tests you can to make sure your AD health is good, then you should be able to bind.
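The checks the reply above walks through by hand (DNS locator records, the forest the Mac plug-in discovers on its own, expired CA certificates, and the dcdiag DNS run) can be scripted so they are repeatable before each bind attempt. The script below is an added example and is not code from either poster or from Apple or Microsoft. It assumes it runs on a domain controller with Windows Server 2012 or later (for Resolve-DnsName and the Cert: drive), that the Active Directory DNS domain is passed as a parameter (ads.company.com in the thread's dialog is only a placeholder), and that the standard _msdcs and _kerberos SRV locator records are what the client needs to find a DC and KDC. The forest name is read from the DC's LDAP rootDSE, which is the reason Directory Utility does not let you type it in.

```powershell
# Pre-bind health checks for a Mac OS X Active Directory bind (added example).
# Run on a domain controller, e.g.:  .\Test-MacBindPrereqs.ps1 -Domain ads.company.com
param(
    [Parameter(Mandatory = $true)]
    [string]$Domain          # AD DNS domain name; placeholder value, use your own
)

Set-StrictMode -Version Latest
$failures = @()

# Resolve one record type and report pass/fail; -DnsOnly skips cache/hosts file.
function Test-Record {
    param([string]$Name, [string]$Type)
    try {
        Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction Stop | Out-Null
        Write-Host ("OK   {0,-4} {1}" -f $Type, $Name)
        return $true
    } catch {
        Write-Host ("FAIL {0,-4} {1}: {2}" -f $Type, $Name, $_.Exception.Message)
        return $false
    }
}

# 1. DNS records a client uses to locate a DC and its Kerberos KDC (the SOA and
#    the _ldap._tcp SRV were the two failures in the reply's first dcdiag run).
$checks = @(
    @{ Name = $Domain;                        Type = 'SOA' },
    @{ Name = $Domain;                        Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV' },
    @{ Name = "_ldap._tcp.$Domain";           Type = 'SRV' },
    @{ Name = "_kerberos._tcp.$Domain";       Type = 'SRV' },
    @{ Name = "_kpasswd._tcp.$Domain";        Type = 'SRV' }
)
foreach ($c in $checks) {
    if (-not (Test-Record -Name $c.Name -Type $c.Type)) {
        $failures += "$($c.Type) $($c.Name)"
    }
}

# 2. The forest the AD plug-in will discover for itself: rootDomainNamingContext
#    from the DC's rootDSE, converted from DC=ads,DC=company,DC=com to DNS form.
$rootDse   = [ADSI]"LDAP://RootDSE"
$forestDn  = [string]$rootDse.rootDomainNamingContext
$forestDns = (($forestDn -split ',') | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
Write-Host "Forest (from rootDSE): $forestDns"
if ($forestDns -ne $Domain -and -not $Domain.EndsWith(".$forestDns")) {
    $failures += "domain '$Domain' is not inside forest '$forestDns'"
}

# 3. Expired certificates in the machine's CA stores (the reply's first finding).
$expired = Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt (Get-Date) }
foreach ($cert in $expired) {
    Write-Host "EXPIRED CA cert: $($cert.Subject) (NotAfter $($cert.NotAfter))"
    $failures += "expired CA certificate $($cert.Subject)"
}

# 4. Full DNS diagnostic across all DCs, the same command the reply started with.
$report = Join-Path $env:TEMP 'dcdiag-dns.txt'
dcdiag /test:DNS /DnsAll /e /v > $report
$dcdiagFailed = Select-String -Path $report -Pattern 'failed|Error' -SimpleMatch:$false
if ($dcdiagFailed) {
    Write-Host "dcdiag reported problems; see $report"
    $failures += "dcdiag /test:DNS reported failures"
}

if ($failures.Count -gt 0) {
    Write-Host "`n$($failures.Count) problem(s) to fix before binding:"
    $failures | ForEach-Object { Write-Host " - $_" }
    exit 1
}
Write-Host "`nAll pre-bind checks passed."
```

Fix anything the script lists and re-run it until it exits 0; only then is a bind attempt worth making. The forest check in step 2 is the one that explains the dialog text in the original question: if the domain you type is not the forest root or a child of it as the DC reports it, the plug-in rejects the combination before it ever asks for credentials.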
