Unable to bind OS X Mavericks to Active Directory

Question

Level 1

0 points

Unable to bind OS X Mavericks to Active Directory

Recently I had one of my iMacs lose its trust relationship with Active Directory. I tried unbinding and then rebinding it but that's where I ran into problems. Of course, unbinding was simple and easy. Now, I can't get this bound back to the domain. Everytime I try, it fails with a very vague error message and it doesn't tell me what's causing the problem. I know for sure that it's not a username and password problem. I've tried using just the basic Join... button on the Login Options screen. I've tried using the Directory Utility. I've even tried using dsconfigad. All seem to be giving the same error.

Authentication server failed to complete the requested operation. (5103)

Several forums seem to indicate that it was a problem with the version of OS X that I was using. Originally, it was version 10.7.5, but I just upgraded it today to vesion 10.9.2, hoping that it might help. That too failed. Still the same problem and same error.

Can anyone give me some assistance with this problem?

iMac, OS X Mavericks (10.9.2), Active Directory, Win Server '08 R2

Posted on Mar 18, 2014 12:26 PM

Reply

Answer 1

Best reply

Strontium90

Level 5

4,821 points

Mar 19, 2014 4:39 AM in response to mcamcintyrem

Start with the basics.

• Confirm that your time is in sync with the DC. (ntpq -p)

• Make sure your client is using the DC's DNS records. (nslookup name.yourserver.com)

If all that is checking out, you simply may have some damaged configuration file. You can:

• Navigate to /Library/Preferences/ and move the entire Open Directory folder to the Trash and reboot

• On reboot, the folder will be recreated with default values.

• Try binding with clean configuration records.

Or,

• Connect to the DC and search it and all replicas for a stall computer record. Manually delete it from the directory.

Beyond this, you can place directory services into debug mode (sudo odutil set log debug). Then try the bind and find the error.

R-

Apple Consultants Network

Apple Professional Services

Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Reply

Answer 2

mcamcintyrem Author

Level 1

0 points

Mar 19, 2014 7:30 AM in response to Strontium90

Thank you for your response. It was very helpful. The iMac was already synchronized in time with the domain controller. The second section of your response was most helpful. After deleting the Open Directory folder, I rebooted. Binding to the domain still failed, but in the process of deleting the Open Directory folder, I noticed another folder called Directory Service. After rebooting, I deleted that folder too. Still binding to the domain using the Directory Utility failed. However, when I used the dsconfigad command with my desired variables, it worked. My iMac is now connected to Active Directory and I was able to login with one of my network accounts. Thank you very much for your help.

Reply

Answer 3

mcamcintyrem Author

Level 1

0 points

Mar 31, 2014 12:02 PM in response to Strontium90

Strontium90,

I am again having the exact same problem with another iMac. This time, your steps are not helping. I am not normally a Mac user and don't know where to look to find the debug log that you recommend. I would appreciate any additional tips or information that you can provide me. Thank you.

Reply

Answer 4

Mar 31, 2014 5:14 PM in response to mcamcintyrem

To enable debug logging, run this command on the Mac that is giving you trouble:

sudo odutil set log debug

Then use tail to watch the log as you attempt to perform your bind:

tail -f /var/log/opendirectoryd.log

You can filter by Active or error if needed (debug logging is verbose).

By any chance does your Active Directory domain end in .local?

Generally speaking, AD binding is a relatively simply process. While there is a chance for bound Macs to fall out of trust every 14 days based on failure to update the hidden system password, you should not have too much issues as long as time and DNS are correct. Any chance you have round robin DNS?

Reply

Answer 5

mcamcintyrem Author

Level 1

0 points

Apr 1, 2014 9:04 AM in response to Strontium90

This problem appears to be caused by one of two things.

1) There was no entry for this particular machine listed on the DNS server. Usually, on a Windows computer, when it obtains an IP address from DHCP it also registers a DNS entry. It was not doing this and I don't know the commands on Mac to release and register DNS.

2) This particular workstation was running Mac OS X 10.9.1. All of the others are running 10.9.2.

After updating the machine and registering a DNS entry, I tried binding it again to the domain. It worked. So, I really don't know which of the two fixes word, or if it was both of them.

In regards to your question about our domain, yes, it is a .local domain.

Reply

Answer 6

Apr 1, 2014 11:18 AM in response to mcamcintyrem

.local domains and the Apple AD plugin have had a very contentious relationship. It works, then it doesn't, then it does.

The issue is that .local is reserved for Bonjour. And Bonjour and DNS use two different name spaces. Bonjour name is defined by a host.local while DNS is defined as host.domain.tld. So your Mac may have a Bonjour name of mcamcintyrem.local but a DNS name of mcamcintyrem.yourdoamin.local. This causes a lot of issues since unicast and multicast resolutions is all handled by the same process.

Microsoft has been trying to break people of this bad habit since (http://technet.microsoft.com/en-us/library/cc738121(WS.10).aspx) 2003. Not the line "Using single label names or unregistered suffixes, such as .local, is not recommended."

If 10.9.2 is working for you, stick with it. When the next version comes out, test before deploying to production systems.

Reply

Answer 7

mcamcintyrem Author

Level 1

0 points

Apr 1, 2014 11:26 AM in response to Strontium90

Thanks, Strontium. As most of us do, we follow after those who taught us. I've had many people use domain names that end with .local. I don't think we'll be changing the domain name anytime soon, but I agree with you about testing this before deploying the next update. Thanks for your help.

Reply

Answer 8

Dec 26, 2014 6:37 PM in response to mcamcintyrem

We had this exact issue when changing servers from one domain to another. We followed the directions above and none of it worked. It turned out that the machine lost all its routes and could not route data outside the subnet. All we had to do is down the interface and then bring it back up. Of course, a reboot would have accomplished the same thing. Hope this helps some one.

Reply