Hi there,
I posted quite some time ago about problems relating to a large AD integration I was doing with a couple of Xserves. Basically, with anything other than Mac OS X Server 10.3.3, it did not see any AD groups. It would see the users, but no groups. Under 10.3.3 it would list the groups after a few seconds. The binding process was exactly the same.
In the end we just left the Xserves on 10.3.3 because it was working, but now they're wanting to use Xsan so we can set up a proper failover system.
Some other things about the system:
- Kerberos has never really worked despite trying pretty much everything.
- The company's forest is set out as company.local, with the domain we want to connect to as eu.company.local. If we try using those as the forest/domain combo in Directory Access we get "An unknown error occurred" at Step 2 of 5 (Finding nearest domain controllers). If I set debug mode on, the logs have error messages of -14008 (I think, something near that, not near the server atm). If we use eu.company.local for both the domain and the forest it binds successfully, but again on anything higher than 10.3.3 we don't see the groups in WGM.
- We need to set the "Prefer this domain server" to a local server, otherwise the AD plugin runs off to Milan and Rotherham to pick one up (and this is a London-based company with the main servers 2 feet from the Xserve).
- Forward and reverse DNS is all set up.
- The AD DCs are currently on a separate subnet to the Xserves, but they used to be on the same and there was no noticeable difference.
- The company already had Apple engineers out and they didn't get anywhere.
If anyone can solve this I will (seriously) buy them an iPod Shuffle or iWork or something. This is driving me crazy and I don't mind resorting to bribery if it gets me somewhere!
Thanks for any help.
JP.