Connection failed to node '/Active Directory

Question

Level 1

8 points

Connection failed to node '/Active Directory

Hello,

I work in corporate environment and have been having some issues getting Active Directory to work properly with OS X 10.9. It seems the same problem exists in 10.8 as well.

I'm able to join the domain without any issues:

user:~ domain$ dsconfigad -show

Active Directory Forest = [domain].net

Active Directory Domain = [domain].co

Computer Account = user-test13$

Advanced Options - User Experience

Create mobile account at login = Enabled

Require confirmation = Disabled

Force home to startup disk = Enabled

Mount home as sharepoint = Enabled

Use Windows UNC path for home = Enabled

Network protocol to be used = smb

Default user Shell = /bin/bash

Advanced Options - Mappings

Mapping UID to attribute = not set

Mapping user GID to attribute = not set

Mapping group GID to attribute = not set

Generate Kerberos authority = Enabled

Advanced Options - Administrative

Preferred Domain controller = not set

Allowed admin groups = not set

Authentication from any domain = Enabled

Packet signing = allow

Packet encryption = allow

Password change interval = 14

Restrict Dynamic DNS updates = not set

Namespace mode = domain

After getting joined up, I noticed that I was still unable to log in as a AD user.

It seems to be because for some reason OS X is unable to search Active Directory for any information.

user:~ domain$ dscl /Search -read /

CSPSearchPath:

/Local/Default

/Active Directory/[COMPANY]/All Domains

LSPSearchPath: /Local/Default

NodeOptions: QuerySkippedSubnode;Boolean

NodePath: Search

NSPSearchPath: /Local/Default

ReadOnlyNode: ReadOnly

RealName: Search

SearchPath:

/Local/Default

/Active Directory/[COMPANY]/All Domains

SearchPolicy: dsAttrTypeStandard:CSPSearchPath

TrustInformation: Anonymous

When I try to launch the Directory Utility and then use the Directory Editor tab, then try to view users on my domain I get an error. ( I cencored the domain in the images. )

I've been searching on the internet to find a solution for this but haven't had much luck.

I'm trying to join to a Windows 2012 Active Directory Server.

I didn't see anything in console when this error happens. And I haven't seen anything on the Windows Server though I might just not know where to look.

Any help would be appreciated.

Posted on Oct 23, 2013 12:37 PM

Reply

Answer 1

deoson Author

Level 1

8 points

Oct 30, 2013 7:37 AM in response to mguertin

Would it be possible for you to expound? As you can see in my screenshots the AD server is already available but just isn't connecting. Are you saying something needs to happen on the AD server itself? Any greater detail would be appreciated 🙂.

Reply

Answer 2

alabin

Level 1

9 points

Dec 2, 2013 7:46 AM in response to deoson

I'm having this problem while 10.9 machines are being joined by DeployStudio. No problems with 10.7 or 10.8, but 10.9 will not have the search path added. Manually adding the searchpath in Directory Utility solves the problem, but I'd like this automated.

Reply

Answer 3

nebbbben

Level 1

2 points

Dec 4, 2013 3:02 PM in response to alabin

Could you elaborate how you got this to work? I am also having issues with machines which were bound to AD using DS then upgraded to 10.9, and also with newly imaged 10.9 machines letting DS do the binding.

So far, I have gone down the DNS route, and making sure various syntaxes of custom search paths are there. No luck 😟.

Reply

Answer 4

nebbbben

Level 1

2 points

Mar 19, 2014 12:33 PM in response to deoson

Eventually, I traced this back to my original DeployStudio imaging setup, specifically where it binds a machine to AD. I had it set in the AD binding setup to "always require packet signing" and "always require encypted packets". In my environment, it seems that when my DS imaged 10.7 or 10.8 machines would get upgraded to 10.9 via the app-store (while being bound to our AD), the new OS would fail to talk to my AD because of this packet signing/encryption scheme.

Once I set up the DS images to not force encryption or packet signing in AD, it would succeed in this case.

Reply

Answer 5

mguertin

Level 1

0 points

Oct 29, 2013 12:18 PM in response to deoson

Make sure you ahve updated your Search Policy to include the new AD server, I've had this happen to clients before, for some reason they don't always get added to the search policy.

Reply

Answer 6

Apr 1, 2014 7:36 AM in response to nebbbben

I'm still having this problem and I've done the same thing you did. What are your other config settings? This has been hampering my progress towards SSO for weeks at this point.

Reply

Answer 7

declure

Level 1

0 points

Jun 26, 2014 9:03 AM in response to deoson

I disabled packet signing and set encryption to "Allow" in the Deploy Studio "AD Bind" workflow. Fixed my issue like this. Good tip!

Reply