10 Replies Latest reply: Sep 27, 2006 10:59 AM by Trent Geerdes
Shan Younker Level 1 (115 points)
When binding a computer to Active Directory the plug-in asks for the AD forest, AD domain and computer ID. My assumption is that the computer ID is the Active Directory user ID and it needs to be unique for every computer you bind to AD. Is this correct?

G5, Mac OS X (10.4.6)
  • macguitarman Level 1 (5 points)
    I may be able to help, Shan; I have been doing Active Directory 2003 Mac integration.

    In Directory Access, on the Configure tab, we just put in the domain's fully qualified domain name (FQDN); ours is something like la.ad.?.org

    Forest gets filled in automatically, in my experience, as long as you have a valid FQDN.

    The computer name, or machine name (as Windows calls it), MUST be unique; it is a unique identifier on the AD network.

    We name all the Macs and PCs by their asset tag info, for example AE123456; this asset tag is the computer name, and it goes in the OS X Sharing prefs pane and in the Directory Access Computer ID field.

    Next, your Windows admin must put this Computer ID name into Active Directory as a (container) object; that is how AD keeps track of machines, by this machine name (object). He then gave my AD user name rights to add machines (bind) to AD.

    Tick "create mobile login" (so Macs can authenticate even when the network is down, or if it is a laptop).
    We untick "require confirmation"....
    We untick "Use UNC path"....
    The last one is automatically ticked.

    Click Bind; you will see steps 1-2-3-4-5, then "Join Existing Account"; say OK, and voilà, your Mac is now bound to AD.

    When you log out, at the Mac OS X login screen, under "Mac OS X", you will see the machine name in gray letters. If you click it, it gives you great info (I love this): serial number, IP address, OS X version, build, and a green or red ball. A green ball means you have a network account (in this case, you are bound to AD for AD authentication).

    Note: if you never see 1-2-3, etc. and "Join Existing Account" when binding to AD, in other words if it fails:

    Go to System Prefs > Network and look at your Search Domains and DNS entries; take this info out, as this is why it is failing to bind.

    I take it all out, and voilà, it binds every time; the AD server provides all this info.

    later, macguitarman



    Power Mac G5 Dual 2.0   Mac OS X (10.4.7)  
  • Trent Geerdes Level 1 (70 points)
    Any ideas about what to do with clients when an AD domain is to be renamed? In testing, the rename breaks the Macs. I suspect all the Macs would have to be unbound and rebound, which is not a very good solution for me. Thanks.
  • macguitarman Level 1 (5 points)
    Interesting scenario. I would venture to guess that, in the event of an AD rename, the old AD name is no longer valid; therefore, I would presume an unbinding and a rebinding would be in order.

    The unbinding probably clears the old Directory Services prefs (the info contained in them), and the rebinding collects the new AD name, data, etc.

    Try it on one Mac and see what you get; my guess is this will work. Is it the only way, and how to do it for many Macs? Not sure about that.

    Not sure how many Macs you have, but hopefully you have ARD (3) and can manage many Macs remotely.

    The Windows PCs seem to have it better here: since it is MS Windows on both the client and the AD server, there are probably tools or features on the AD server to make this easier, probably automatic on Windows clients.
  • Trent Geerdes Level 1 (70 points)
    I do use ARD 3, and it looks like a scripted unbind/rebind is about the only option. That isn't the end of the world, though. I ran into this roadblock yesterday, so I'll throw the solution out there: if you try to bind a Mac to an AD domain with a name of the form xxx.local, the Mac will never "find" the domain when trying to bind. Easy workaround.

    http://support.microsoft.com/kb/836413/en-us
  • James Nennemann Level 1 (55 points)
    macguitarman,

    Have you had any experience with binding over a VPN? Our Win03 AD is on subnet 192.168.100.x and I have a 10.4 server on subnet 192.168.1.x. The two nets route correctly, and they appear to have FQDNs (dig/host). I am having the same problems as above.



    MacBook Pro   Mac OS X (10.4.7)  
  • mineforums@mac.no Level 1 (0 points)
    Hi!
    I have followed your description point by point, but it does not work: "Unknown error"..
    After I click on Bind, I have to enter a network administrator name and password. My "netadm" person is not very skilled (this is not his main profession, and he has never seen a Mac before) and does not know how to establish my computer in AD in any other way. He says that when he lets Windows PCs into the domain/AD, he always does it from the actual PC, not via some other PC or server.

    Please help!

    Sitara
  • macguitarman Level 1 (5 points)
    OK, here's the deal.

    "After I click on Bind, I have to enter a network administrator name and password"

    Yes, your Windows admin has to make your AD ID a "Domain Admin" (for adding machines into AD), if he will and knows how to. When you input your AD name and password, it will work.

    Now, you could also do this with the Windows admin in front of you, when he is in front of his PC controlling the Win 2003 / AD server, or in front of the actual server.

    My guess is he has not created the "container / object name". Just ask him to do it exactly as he would for a Windows PC being added to the AD domain. What is he using to name the PCs? They should not be user names but unique IDs, like asset tag info, as long as they are unique.

    Now I also suspect the fully qualified domain name (FQDN). It must be used in the Active Directory plug-in (Directory Access app). Don't worry about the forest; it is automatic. The admin or someone must know the FQDN; ours is something like LA.AD.'companyname'.ORG

    Once you know this and are sure it is correct, go to a PC and do Start > Run > cmd to get a DOS / command line:

    and do: ping 'your FQDN here'

    If the DNS in AD is working properly, it will return an actual IP address. If this happens, then we know the FQDN is correct and the name is being resolved by DNS in AD, and that it won't be an issue with OS X Directory Access.

    Also, take out anything you might have in the OS X Network prefs pane under DNS. Even if it is right, it is not needed to bind, but if it is wrong, it won't find the AD server.

    And the network time must be right; AD is picky about this. If your Mac is even minutes off, it will not bind, but it will also give you a message saying your Mac's time is off.

    In System Prefs > Date & Time, I input the internal AD server's FQDN, not Apple's time server (since I think the Windows admins are blocking outgoing NTP), plus you want your time synced internally anyhow.

    Just some tips that got AD working for us.

    E-mail me if you have any further questions; I am sure we can get you bound to your AD server. I can email you some screen shots if needed.


    macguitarman@mac.com

    Power Mac G5 Dual 2.0   Mac OS X (10.4.7)  
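    The bind procedure from macguitarman's first post (unique Computer ID from an asset tag, the domain's FQDN, mobile accounts), Trent's ".local" failure, and the DNS and clock troubleshooting in the post above, collected into one pre-flight script. This is an added example for this page, not code from the thread or from Apple. The domain la.ad.example.org, the DC names and the NTP offsets used in the comments and tests are made up; the 15-character limit is the NetBIOS computer-name limit and 300 seconds is Kerberos' default clock-skew tolerance; the dsconfigad flags are the ones in Apple's dsconfigad man page for 10.4/10.5 as I recall them, so check them against `dsconfigad -h` on your release before using the bind and rebind modes.

```shell
#!/bin/sh
# ad_preflight.sh: check the things this thread says break an AD bind on a Mac before you
# click Bind (or run dsconfigad). Added example for this page, not code from the thread.
# The pure checks take their input as arguments or stdin, so they run with no domain in
# reach; only the "check"/"bind"/"rebind" modes at the bottom touch the network.

KRB_MAX_SKEW=300   # Kerberos default clock-skew tolerance, seconds (5 minutes)

# 1. Computer ID: must be unique in AD (it becomes the computer object's name) and a legal
#    NetBIOS-style name: 1-15 characters, letters, digits and hyphen only. Use an asset tag
#    such as AE123456, never a user's login name.
check_computer_id() {
  id="$1"
  case "$id" in
    '')               echo "computer id is empty"; return 1 ;;
    *[!A-Za-z0-9-]*)  echo "computer id '$id': only A-Z, 0-9 and '-' are allowed"; return 1 ;;
  esac
  if [ "${#id}" -gt 15 ]; then
    echo "computer id '$id' is longer than 15 characters (NetBIOS name limit)"; return 1
  fi
  return 0
}

# 2. Domain: must be the AD domain's FQDN. A ".local" domain never gets "found" because
#    Mac OS X hands .local names to Bonjour/mDNS instead of unicast DNS; Apple's workaround
#    is to add "local" to the Search Domains list before binding.
check_domain() {
  d="$1"
  case "$d" in
    *.*) ;;
    *)   echo "'$d' is not a fully qualified domain name (e.g. la.ad.example.org)"; return 1 ;;
  esac
  case "$d" in
    *.local|*.local.)
      echo "'$d' ends in .local: Mac OS X resolves it via Bonjour, not DNS; add 'local' to Search Domains first"
      return 1 ;;
  esac
  return 0
}

# 3. DNS: AD clients locate domain controllers via the _ldap._tcp.dc._msdcs.<domain> SRV
#    record. Reads `dig +short SRV ...` output on stdin ("0 100 389 dc1.example.org.") and
#    prints one DC hostname per line, trailing dot removed. No output = this is not AD's DNS.
dc_hosts_from_srv() {
  awk 'NF == 4 { h = $4; sub(/\.$/, "", h); print h }'
}

# 4. Time: Kerberos refuses tickets when the clock is off by more than KRB_MAX_SKEW.
#    Reads `ntpdate -q <dc>` output on stdin ("server 10.0.0.5, stratum 2, offset 412.3, ...")
#    and succeeds only if an offset was found and every offset is within $1 seconds.
ntp_offset_ok() {
  awk -v max="$1" '
    {
      for (i = 1; i < NF; i++)
        if ($i == "offset") {
          o = $(i + 1); sub(/,$/, "", o); o = o + 0
          if (o < 0) o = -o
          if (o > max) bad = 1
          seen = 1
        }
    }
    END { if (seen && !bad) exit 0; exit 1 }'
}

# --- network-facing modes (assumption: dsconfigad flags per the 10.4/10.5 man page; -p is
#     omitted so dsconfigad prompts for the admin password instead of taking it on argv) ---
run_preflight() {
  cid="$1"; dom="$2"
  check_computer_id "$cid" || return 1
  check_domain "$dom" || return 1
  dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.$dom" | dc_hosts_from_srv)
  if [ -z "$dcs" ]; then
    echo "no _ldap._tcp.dc._msdcs SRV records for $dom: this Mac's DNS is not AD's DNS"; return 1
  fi
  first_dc=$(echo "$dcs" | head -n 1)
  if ! ntpdate -q "$first_dc" | ntp_offset_ok "$KRB_MAX_SKEW"; then
    echo "clock differs from $first_dc by more than ${KRB_MAX_SKEW}s: point Date & Time at the DC first"; return 1
  fi
  echo "preflight OK for $cid in $dom; domain controllers: $(echo "$dcs" | tr '\n' ' ')"
}

ad_bind()   { dsconfigad -a "$1" -domain "$2" -u "$3" -mobile enable -mobileconfirm disable -useuncpath disable; }
ad_unbind() { dsconfigad -r -f -u "$1"; }

case "$1" in
  check)  run_preflight "$2" "$3" ;;
  bind)   run_preflight "$2" "$3" && ad_bind "$2" "$3" "$4" ;;
  rebind) ad_unbind "$4" && run_preflight "$2" "$3" && ad_bind "$2" "$3" "$4" ;;   # e.g. after a domain rename
esac
```

    Usage: `sh ad_preflight.sh check AE123456 la.ad.example.org` prints the thread's fix for whichever check fails; `bind ... macadmin` runs the checks and then binds with the same options the post ticks and unticks in Directory Access; `rebind` is the scripted unbind-then-bind that a domain rename forces, suitable for pushing to many Macs with ARD. The checks deliberately run in the order the thread found the failures: name, domain, DNS, then time, since a bad DNS setup makes the time check meaningless.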
  • mineforums@mac.no Level 1 (0 points)
    Thanks so far, I will forward your reply to my IT-responsible, and we'll see how it ends.

    Sitara
  • Blind-Apple Level 1 (0 points)
    Question 1:
    I've just bound a Mac (Windows File Service) to a W2K3 domain controller. After that I will configure the Mac share point using W2K3 domain accounts. From the Mac Workgroup Manager I can't find the Active Directory accounts, and the other way round, from W2K3 Explorer I can't add Active Directory users or groups to the Mac sharing object. Did I miss some steps for Active Directory binding?

    Question 2:
    Why can't I unbind my Mac (Windows File Service) from W2K3 Active Directory cleanly? I have to use Force Unbind, and after that I cannot rebind to that Active Directory. Is there some Mac component or driver missing?
  • Trent Geerdes Level 1 (70 points)
    Our domain rename was an absolute disaster for my Mac customers. They can only log in with cached credentials after rebinding to the new domain. They can't change passwords or do anything with the new domain at all. Interestingly enough, machines that weren't unbound and rebound can't even log in with cached credentials. Binding my Macs to AD is the worst IT decision I've ever made.