10.5.x binding to Windows AD?

[randomlinh]

*got it*
Ugh, apparently I'm authenticated to join computers to the domain, but i'm not an actual domain admin. THAT was the issue... ughaskfhsadl;kfjwajefio



Seems more fitting here since Apple users are generally a minority in the enterprise market... but.. I keep getting the error:

"Failed to changed computer password in Active Directory domain mydomain.dom" Google/live search give me the same thing... basically the only possible thing was open up port 464. Well, it's open (both tcp/udp).

Basically, I get to the point of Binding the computer to the domain, and it fails with an unknown error. Above is what is in the system.log file.

Anyone have any suggestions or ever encounter this? The account I'm using to join the domain has rights to join, I have no problems w/ windows machines. SMB fileshares work fine.

thanks

 

[AsianriceX]

Is the computer object pre-created in the domain or are you attempting to create the object as you bind?

 

[randomlinh]

create as I bind. I did notice it created it, and then disappeared once... never did that again.

 

[AsianriceX]

Hmm. Did you specify the OU where the object was to be created in when you typed in your credentials? If so, do you have permissions to create objects in that OU? You might also need permissions on the computer objects within that OU, not just the ability to create and delete computer objects.

I only have access to a specific OU in our AD, and rather than typing in the long OU path, I'll just pre-create the object in the OU I want and bind to that.

 

[randomlinh]

By default, everything that gets joined is dumped into an OU to be sorted out after the fact. I have no problems joining windows machines. I actually was able to join a 10.4 machine a while back, but backed off because I wasn't ready to support our few macs to our domain (non-priority, and issues w/ Quark in that setup).

I'm not looking to go backwards (and I'm not sure I can, will 10.4 won't install on a brand new imac will it?), as there was an SMB signing issue that has been resolved in 10.5 in a Windows AD environment.

 

[randomlinh]

argh, predefining the machine in AD does not seem to help.

 

[AsianriceX]

The new iMacs probably won't be able to support Tiger since they've had numerous hardware revisions since Tiger stopped being available for new Macs.

The only thing I can suggest now is to make sure you're on the latest point release of Leopard and kill any and all firewall restrictions between the Mac and your AD controller.

In my experience, AD + OS X has been temperamental at best. Apple has a penchant for touting AD support in one point release and suddenly breaking the AD plug-in on the next. I've had an OD+AD project on the backburner (http://www.bombich.com/mactips/activedir.html) so we can apply policies to our Macs without having to extend the AD schema, but there are so many quirks and the management tools aren't the most stable.

 

[randomlinh]

it's frustrating. We only have a a handful systems, so it's not imperative, but it would make life a whole lot easier to manage users (lately, a few of the rotational users muck up the systems). Well, more so manage file share access to our file server.

 

[umrigar]

we use 10.4.10 and 10.5.5 macs in a mixed environment at work... there may be scripts to bind to AD, but it works.

edit: in 10.5, use Directory Utility 2.0 to bind to AD.

 

[randomlinh]

Yeah, already using Directory Utility to try and bind. Like I said, I've had 10.4 work before. Last time it was an issue w/ a security setting on the domain server, it couldn't authenticate. Now it's this issue. I will talk w/ our server admin to monitor ports next week since he's out for the week.

 

[randomlinh]

bumpy for a long shot. All ports wide open to test, so that's not the issue unfortunately.