Problems binding Sierra/High Sierra to AD
I’ve recently set up a new Windows Server 2016 AD domain for a client. It is a single-DC domain. They have several Macs in their environment and I’m struggling to get the Macs to stay bound to AD.
We can get them bound to AD initially, seemingly without a hitch, and we can log in and out as various users. Our problems start when the Macs are restarted. When we get to the login screen there is a red dot next to the username box stating that ‘Network accounts are unavailable’. When binding the Macs initially, I ticked the option to set up as a mobile user, and this allows us to log in as the users that were logged in before the first restart, but no other users can log in after this point, and it doesn’t accept the network admin account’s credentials for administrative tasks despite my setting the Domain Admins group as being able to administer the Mac.
The domain has been set up as companyname.co.uk. The Macs are getting their network config through DHCP, with the sole DNS server being the Domain Controller and the search domain being companyname.co.uk. I have tried both creating a computer account in AD before binding and letting the binding process create the computer account, without success either way.
I have checked the DNS settings which appeared OK using the following commands:
dig -t SRV _gc._tcp.companyname.co.uk
dig -t SRV _ldap._tcp.companyname.co.uk
dig -t SRV _kerberos._tcp.companyname.co.uk
dig -t SRV _kpasswd._tcp.companyname.co.uk
The time on both the DC and the Macs, while not using the same time source, is correct.
I read somewhere of someone having a similar issue where switching off FileVault solved it, but this has not been enabled on any of the Macs I have tried so far.
After logging in as the local admin user and going back into the user account settings, the bind still seems to be active, but the ‘Allow network users to log in’ option is missing, and if I open the network account server details there is a message stating ‘the server is not in your authentication search policy’.
Apple Support have suggested it might be a problem with Kerberos encryption, which is a possibility, but I don't want to change the settings on the DC until I am on site in case it causes other issues.
Any thoughts or help would be gratefully received.
Mac Pro, OS X Server
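As an added example (not part of the original post, and not Apple's or Microsoft's code), the script below turns the checks discussed above into repeatable functions: the AD SRV lookups (which live under the domain name, not under the DC's host name), a Kerberos clock-skew check, and a check for the symptom in the post, namely whether an Active Directory node is still present in the Open Directory authentication search path after a reboot. The domain, the DC host name (dc01.companyname.co.uk) and the assumed first-field format of sntp's output are placeholders; the parsing helpers take command output as a string so they can be exercised offline on constructed samples, and `--live` runs them against the real DC.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the pre-bind checks
# described above (AD SRV records, clock skew, Open Directory search policy).
# DOMAIN and DC_FQDN are assumed placeholder names, not the poster's real ones.
DOMAIN="${DOMAIN:-companyname.co.uk}"
DC_FQDN="${DC_FQDN:-dc01.companyname.co.uk}"
MAX_SKEW=300   # Kerberos default clock-skew tolerance, in seconds

# SRV names an AD client must resolve for DOMAIN, one per line.
# They are registered under the domain, never under the DC's own host name.
ad_srv_names() {
  d="$1"
  printf '%s\n' \
    "_ldap._tcp.$d" \
    "_kerberos._tcp.$d" \
    "_kpasswd._tcp.$d" \
    "_gc._tcp.$d" \
    "_ldap._tcp.dc._msdcs.$d"
}

# Given the output of `dig +short SRV <name>` (lines of "prio weight port target."),
# succeed if at least one target, trailing dot stripped, is the DC (case-insensitive).
srv_points_at_dc() {
  printf '%s\n' "$1" | awk -v dc="$2" '
    NF == 4 { t = $4; sub(/\.$/, "", t); if (tolower(t) == tolower(dc)) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Succeed if two clocks (seconds since the epoch) differ by at most MAX_SKEW.
clock_skew_ok() {
  diff=$(( $1 - $2 ))
  [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
  [ "$diff" -le "$MAX_SKEW" ]
}

# Given the output of `dscl /Search -read / CSPSearchPath`, succeed if an
# Active Directory node is in the authentication search path.
search_policy_has_ad() {
  printf '%s\n' "$1" | grep -q '^ */Active Directory/'
}

# Live run on the Mac (needs network). Prints OK/FAIL per check; non-zero on any FAIL.
run_live_checks() {
  fail=0
  for name in $(ad_srv_names "$DOMAIN"); do
    out="$(dig +short SRV "$name" 2>/dev/null)"
    if srv_points_at_dc "$out" "$DC_FQDN"; then
      echo "OK   $name -> $DC_FQDN"
    else
      echo "FAIL $name (answer: ${out:-none})"; fail=1
    fi
  done
  # Clock skew: assumes the first field of sntp's reply line is the offset in
  # seconds; confirm the format on your macOS version before trusting this.
  off="$(sntp "$DC_FQDN" 2>/dev/null | awk 'NR == 1 { printf "%d", $1 }')"
  now=$(date +%s)
  if [ -n "$off" ] && clock_skew_ok "$now" $(( now + off )); then
    echo "OK   clock offset vs $DC_FQDN: ${off}s"
  else
    echo "FAIL clock offset vs $DC_FQDN: ${off:-unknown}"; fail=1
  fi
  # Search policy: an AD node missing here matches the login-window message
  # "Network accounts are unavailable" and Directory Utility's
  # "the server is not in your authentication search policy".
  sp="$(dscl /Search -read / CSPSearchPath 2>/dev/null)"
  if search_policy_has_ad "$sp"; then
    echo "OK   Active Directory node present in CSPSearchPath"
  else
    echo "FAIL no Active Directory node in CSPSearchPath (compare: dsconfigad -show)"; fail=1
  fi
  return "$fail"
}

# Only hit the network when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--live" ]; then
  run_live_checks
fi
```

Run it as `sh adcheck.sh --live` on one of the affected Macs after a reboot, while the login window is showing the red dot, and again after a successful fresh bind; the difference between the two runs (typically the CSPSearchPath line) narrows down whether DNS, time or the search policy is what breaks across restarts.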