Active Directory Binding Issue with multiple domain controllers

    #376321
    traveler400
    Participant

    Hi all- For a very, very long time we have had issues binding Macs to our domain. The process went along fine until step 5, where it failed with an unknown error. This happened time and time again with all different versions of OS X. After many months of frustration we finally determined the problem. Our domain consists of 3 domain controllers, each of which sits behind its own firewall. The DCs use NAT IP addresses, that is, the firewall translates their real IP into a local address. We set up a test environment with one domain controller behind one firewall. If we changed the firewall to transparent mode, that is, we turned off address translation, we could get any and all Macs that we tested to bind with no problem.

    Now that we had solved this problem, our next task was to get it working on our production domain. Like I said, our production domain has three domain controllers, each behind its own firewall. One thing we want to avoid at all costs is having to turn off address translation on all 3 of our firewalls/DCs. Instead we turned it off on just one, the idea being that we could tell the Mac clients to bind to just that one DC, which is reachable on an untranslated address. The problem is that the DNS record for our.domain.com is linked to three IPs, one for each DC. We can’t change this because our sizable Windows population needs it to be that way.

    For the sake of explanation, our environment is set up as follows:
    Domain: our.domain.com
    First domain controller (set up WITHOUT address translation): dc1.our.domain.com
    Second domain controller (uses address translation): dc2.our.domain.com
    Third domain controller (uses address translation): dc3.our.domain.com

    Client OS is Mac OS 10.5.7 (but we’ve also had this problem with 10.5.6 and even going back to 10.4)

    I have tried the following so far with no luck:

    1) In directory utility, check the “Prefer this domain server:” box and specify the IP of the one DC that is not using address translation
    2) Edit the hosts file so that our.domain.com points to the IP of the one DC that is not using address translation
    3) Edit the hosts file so that dc1.our.domain.com points to its real IP, set dc2.our.domain.com and dc3.our.domain.com to point to non-existent IPs, the rationale being that if the Mac cannot find those two IPs it would have no choice but to use dc1.our.domain.com.

    The biggest problem, I think, is that I cannot get the OS X Directory Utility on the client to use the local hosts file. No matter what we change in /etc/hosts, Directory Utility uses DNS and, in turn, attempts to contact dc2.our.domain.com or dc3.our.domain.com, which are both using translated IPs and therefore fail at step 5. For what it’s worth, here is the relevant text of the error we get when it fails at step 5. Remember, though, that we know that this problem is directly related to translated IPs on the firewall:

    2009-05-28 11:18:51 EDT – T[0xF0185000] – Active Directory: Deleting Record CN=macdesktop,CN=Computers,DC=our,DC=domain,DC=com…
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Active Directory: Setting Computer Password FAILED Deleted Record……
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Internal Dispatch, API: dsOpenDirService(), Server Used : DAR : Dir Ref 16777485 : Result code = 0
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Internal Dispatch, API: dsOpenDirNode(), Local Used : DAC : Dir Ref = 16777485 : Node Name = /Local/Default
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Internal Dispatch, API: dsOpenDirNode(), Local Used : DAR : Dir Ref = 16777485 : Node Ref = 16777486 : Result code = 0
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Internal Dispatch, API: dsOpenRecord(), Local Used : DAC : Node Ref = 16777486 : Rec Type = dsRecTypeStandard:Config : Rec Name = Kerberos:OUR.DOMAIN.COM
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Internal Dispatch, API: dsOpenRecord(), Local Used : DAR : Node Ref = 16777486 : Record Ref = 16777487 : Result code = 0
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Internal Dispatch, API: dsDeleteRecord(), Local Used : DAC : Rec Ref = 16777487
    2009-05-28 11:18:51 EDT – T[0xF0185000] – CDSLocalPluginNode::DeleteRecord(): deleting file “/var/db/dslocal/nodes/Default/config/Kerberos:OUR.DOMAIN.COM.plist”
    2009-05-28 11:18:51 EDT – T[0xF0185000] – CDSLocalPlugin::CloseRecord(): Got error -14105
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Internal Dispatch, API: dsDeleteRecord(), Local Used : DAR : Rec Ref = 16777487 : Result code = 0
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Internal Dispatch, API: dsCloseDirNode(), Local Used : DAC : Node Ref = 16777486
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Internal Dispatch, API: dsCloseDirNode(), Local Used : DAR : Node Ref = 16777486 : Result code = 0
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Internal Dispatch, API: dsCloseDirService(), Server Used : DAC : Dir Ref 16777485
    2009-05-28 11:18:51 EDT – T[0xF0185000] – Internal Dispatch, API: dsCloseDirService(), Server Used : DAR : Dir Ref 16777485 : Result code = 0
    2009-05-28 11:18:52 EDT – T[0xF0185000] – Active Directory: Computer password change date is 2009-04-22 13:59:31 -0400
    2009-05-28 11:18:52 EDT – T[0xF0185000] – Active Directory: Scheduled computer password change every 1209600 seconds – starting 2009-05-28 11:18:52 -0400
    2009-05-28 11:18:52 EDT – T[0xF0185000] – Active Directory: Closing All Connections
    2009-05-28 11:18:52 EDT – T[0xF031C000] – Active Directory: Failed to changed computer password in Active Directory domain our.domain.com
    2009-05-28 11:18:52 EDT – T[0xF0185000] – Client: Directory Utilit, PID: 143, API: dsDoPlugInCustomCall(), Active Directory Used : DAR : Node Ref = 16777460 : Request Code = 80 : Result code = -14093
    2009-05-28 11:18:52 EDT – T[0xF0185000] – Plug-in call “dsDoPlugInCustomCall()” failed with error = -14093.
    2009-05-28 11:18:52 EDT – T[0xF0185000] – Port: 0 Call: dsDoPlugInCustomCall() == -14093
    2009-05-28 11:18:52 EDT – T[0xF0185000] – Client: Directory Utilit, PID: 143, API: API, Server Used : dsmig DAR : Excessive request time 2.662834 seconds
    2009-05-28 11:18:52 EDT – T[0xF0103000] – Client: Directory Utilit, PID: 143, API: dsCloseDirNode(), Active Directory Used : DAC : Node Ref = 16777460
    2009-05-28 11:18:52 EDT – T[0xF0103000] – Client: Directory Utilit, PID: 143, API: dsCloseDirNode(), Active Directory Used : DAR : Node Ref = 16777460 : Result code = 0

    Can anyone tell me how to force OS 10.5.7 to use hosts files to override DNS for ALL applications and not just certain ones?

    Any help would be greatly appreciated.

    Thanks,

    -A.F.

    #376342
    bezzoh
    Participant

    -14105 = eDSBadContextData
    -14093 = eDSAuthParameterError

    Not sure what either of these really signify without googling the h3ll out of them, to be honest; however, I’m in a similar situation with multiple DCs on my domain, only a few of which are accessible by clients on any one site due to firewalls: 1 or 2 local servers depending on the site, and 4 in a central server farm. I suffer a lot from these computer account passwords not changing correctly, the Kerberos files becoming 0 KB in size, and errors such as -14120 (eDSPermissionError) if trying to rebind at this point.

    Manually deleting the Kerberos files however resolves in the short term… until the next time it happens…

    #376358
    traveler400
    Participant

    Our environment is a little different from most people’s in that our clients and DCs are spread out across many different subnets and locations. We are also in a situation where our organization’s policy does not permit us to put up one firewall with all the clients/DCs/servers etc. behind it. The reasons for this are too numerous and complex to go into, but the bottom line is that our DCs are each behind their own firewall and the clients need to access them through those firewalls.

    #376360
    traveler400
    Participant

    OK, we have FINALLY resolved this issue. The problem in our case is that our DNS SRV records were not set up correctly. We needed to explicitly include all three DCs for each of the 6 SRVs. Once we published each of the three DCs in the SRV record, binding works without a problem. If anyone else is experiencing similar issues and needs help, feel free to contact me.

    Thanks,

    -A

    #376368
    bezzoh
    Participant

    Are you hosting the DNS service on a Mac Server or Windows 2003 Server?

    I wouldn’t mind seeing how you’ve resolved this because I’m still having problems.

    We currently have about 12 DCs on multiple sites, each managing its own site’s DHCP & DNS (for Windows and Mac clients), and there will soon be more DCs popping up in the very near future.

    #376369
    bezzoh
    Participant

    I might be being stupid here but when you run a dig -t _kpasswd.tcp.mydomain.com should the results displayed not be my own servers on the domain rather than the root servers on the internet???

    #376416
    traveler400
    Participant

    So the DNS is hosted on a Linux server that we do not manage. We’re in a large academic environment, so we have some unconventional things going on like this. While I don’t have direct access to the server itself, I do have access to the records, so by changing the SRV record and having it point to just the one DC that I’d configured to run in transparent mode behind its firewall, I was able to bind... hope that helps, let me know if you need more info.
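The fix in #376360 (every AD SRV record must advertise every DC) and the dig question in #376369 both come down to one check: resolve each SRV name and compare the targets against the DC list. The script below is an added example, not the poster’s or anyone’s production tooling; it parses the answer lines that `dig -t SRV <name> +noall +answer` prints and reports which DCs each record omits. The dig answers embedded in it are constructed, and the six SRV names are an assumption, since the thread never lists them.

```python
"""Check that every AD service SRV record advertises every domain controller.
Input: the answer section of `dig -t SRV <name> +noall +answer` for each name.
Sample answers are constructed; the six SRV names are an assumption."""
import re
from collections import defaultdict

DOMAIN = "our.domain.com"
DCS = {"dc1.our.domain.com", "dc2.our.domain.com", "dc3.our.domain.com"}
# Assumed set of six SRV names an AD client resolves while binding.
SRV_NAMES = [
    f"_ldap._tcp.{DOMAIN}", f"_ldap._tcp.dc._msdcs.{DOMAIN}",
    f"_gc._tcp.{DOMAIN}", f"_kerberos._tcp.{DOMAIN}",
    f"_kerberos._udp.{DOMAIN}", f"_kpasswd._tcp.{DOMAIN}",
]
# One dig answer line: owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

def parse_srv(text):
    """Map each SRV owner name to the set of (target, port) it advertises."""
    records = defaultdict(set)
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:  # blank lines, ';' comments and non-SRV answers are skipped
            continue
        name = m.group("name").rstrip(".").lower()
        target = m.group("target").rstrip(".").lower()
        records[name].add((target, int(m.group("port"))))
    return records

def missing_dcs(records, expected_dcs=DCS, names=SRV_NAMES):
    """For each expected SRV name, list the DCs it does not advertise."""
    gaps = {}
    for name in names:
        advertised = {target for target, _ in records.get(name.lower(), ())}
        absent = sorted(expected_dcs - advertised)
        if absent:
            gaps[name] = absent
    return gaps

# Constructed sample: _ldap._tcp lists all three DCs, _kpasswd._tcp only dc1,
# and the other four names returned no answer at all.
SAMPLE = """
_ldap._tcp.our.domain.com.    600 IN SRV 0 100 389 dc1.our.domain.com.
_ldap._tcp.our.domain.com.    600 IN SRV 0 100 389 dc2.our.domain.com.
_ldap._tcp.our.domain.com.    600 IN SRV 0 100 389 dc3.our.domain.com.
_kpasswd._tcp.our.domain.com. 600 IN SRV 0 100 464 dc1.our.domain.com.
"""
```

Running `missing_dcs(parse_srv(SAMPLE))` on the sample reports dc2 and dc3 missing from `_kpasswd._tcp` and all three DCs missing from the four names that returned nothing, which is the condition that left the Macs stuck at step 5.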
