AFP548

Binding Issue with multiple domain controllers

Hi all- For a very, very long time we have had issues binding Macs to our domain. The process went along fine until step 5, where it failed with an unknown error. This happened time and time again with all different versions of OS X. After many months of frustration we finally determined the problem. Our domain consists of 3 domain controllers, each of which sits behind its own firewall. The DCs use NAT IP addresses, that is, the firewall translates their real IP into a local address. We set up a test environment with one domain controller behind one firewall. If we changed the firewall to transparent mode, that is, we turned off address translation, we could get any and all Macs that we tested to bind with no problem. Now that we had solved this problem, our next task was to get it working on our production domain. Like I said, our production domain has three domain controllers, each behind their own firewall. One thing we want to avoid at all costs is having to turn off address translation on all 3 of our firewalls/DCs. Instead we turned it off on just one, the idea being that we could specify to the Mac clients to bind to just that one DC that is connected with an untranslated address. The problem is that the DNS record for our.domain.com is linked to three IPs, one for each DC. We can't change this because our sizable Windows population needs it to be that way.
For the sake of explanation, our environment is set up as follows:

Domain: our.domain.com
First domain controller (set up WITHOUT address translation): dc1.our.domain.com
Second domain controller (uses address translation): dc2.our.domain.com
Third domain controller (uses address translation): dc3.our.domain.com
Client OS is Mac OS 10.5.7 (but we've also had this problem with 10.5.6 and even going back to 10.4).

I have tried the following so far with no luck:

1) In Directory Utility, check the "Prefer this domain server:" box and specify the IP of the one DC that is not using address translation.
2) Edit the hosts file so that our.domain.com points to the IP of the one DC that is not using address translation.
3) Edit the hosts file so that dc1.our.domain.com points to its real IP, and set dc2.our.domain.com and dc3.our.domain.com to point to non-existent IPs, the rationale being that if the Mac cannot find those two IPs it would have no choice but to use dc1.our.domain.com.

The biggest problem, I think, is that I cannot get the OS X Directory Utility on the client to use the local hosts file. No matter what we change in /etc/hosts, Directory Utility uses DNS and, in turn, attempts to contact dc2.our.domain.com or dc3.our.domain.com, which are both using translated IPs and therefore fail at step 5.

For what it's worth, here is the relevant text of the error we get when it fails at step 5. Remember, though, that we know that this problem is directly related to translated IPs on the firewall:

2009-05-28 11:18:51 EDT - T[0xF0185000] - Active Directory: Deleting Record CN=macdesktop,CN=Computers,DC=our,DC=domain,DC=com...
2009-05-28 11:18:51 EDT - T[0xF0185000] - Active Directory: Setting Computer Password FAILED Deleted Record......
2009-05-28 11:18:51 EDT - T[0xF0185000] - Internal Dispatch, API: dsOpenDirService(), Server Used : DAR : Dir Ref 16777485 : Result code = 0
2009-05-28 11:18:51 EDT - T[0xF0185000] - Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
2009-05-28 11:18:51 EDT - T[0xF0185000] - Internal Dispatch, API: dsOpenDirNode(), Local Used : DAC : Dir Ref = 16777485 : Node Name = /Local/Default
2009-05-28 11:18:51 EDT - T[0xF0185000] - Internal Dispatch, API: dsOpenDirNode(), Local Used : DAR : Dir Ref = 16777485 : Node Ref = 16777486 : Result code = 0
2009-05-28 11:18:51 EDT - T[0xF0185000] - Internal Dispatch, API: dsOpenRecord(), Local Used : DAC : Node Ref = 16777486 : Rec Type = dsRecTypeStandard:Config : Rec Name = Kerberos:OUR.DOMAIN.COM
2009-05-28 11:18:51 EDT - T[0xF0185000] - Internal Dispatch, API: dsOpenRecord(), Local Used : DAR : Node Ref = 16777486 : Record Ref = 16777487 : Result code = 0
2009-05-28 11:18:51 EDT - T[0xF0185000] - Internal Dispatch, API: dsDeleteRecord(), Local Used : DAC : Rec Ref = 16777487
2009-05-28 11:18:51 EDT - T[0xF0185000] - CDSLocalPluginNode::DeleteRecord(): deleting file "/var/db/dslocal/nodes/Default/config/Kerberos:OUR.DOMAIN.COM.plist"
2009-05-28 11:18:51 EDT - T[0xF0185000] - CDSLocalPlugin::CloseRecord(): Got error -14105
2009-05-28 11:18:51 EDT - T[0xF0185000] - Internal Dispatch, API: dsDeleteRecord(), Local Used : DAR : Rec Ref = 16777487 : Result code = 0
2009-05-28 11:18:51 EDT - T[0xF0185000] - Internal Dispatch, API: dsCloseDirNode(), Local Used : DAC : Node Ref = 16777486
2009-05-28 11:18:51 EDT - T[0xF0185000] - Internal Dispatch, API: dsCloseDirNode(), Local Used : DAR : Node Ref = 16777486 : Result code = 0
2009-05-28 11:18:51 EDT - T[0xF0185000] - Internal Dispatch, API: dsCloseDirService(), Server Used : DAC : Dir Ref 16777485
2009-05-28 11:18:51 EDT - T[0xF0185000] - Internal Dispatch, API: dsCloseDirService(), Server Used : DAR : Dir Ref 16777485 : Result code = 0
2009-05-28 11:18:52 EDT - T[0xF0185000] - Active Directory: Computer password change date is 2009-04-22 13:59:31 -0400
2009-05-28 11:18:52 EDT - T[0xF0185000] - Active Directory: Scheduled computer password change every 1209600 seconds - starting 2009-05-28 11:18:52 -0400
2009-05-28 11:18:52 EDT - T[0xF0185000] - Active Directory: Closing All Connections
2009-05-28 11:18:52 EDT - T[0xF031C000] - Active Directory: Failed to changed computer password in Active Directory domain our.domain.com
2009-05-28 11:18:52 EDT - T[0xF0185000] - Client: Directory Utilit, PID: 143, API: dsDoPlugInCustomCall(), Active Directory Used : DAR : Node Ref = 16777460 : Request Code = 80 : Result code = -14093
2009-05-28 11:18:52 EDT - T[0xF0185000] - Plug-in call "dsDoPlugInCustomCall()" failed with error = -14093.
2009-05-28 11:18:52 EDT - T[0xF0185000] - Port: 0 Call: dsDoPlugInCustomCall() == -14093
2009-05-28 11:18:52 EDT - T[0xF0185000] - Client: Directory Utilit, PID: 143, API: API, Server Used : dsmig DAR : Excessive request time 2.662834 seconds
2009-05-28 11:18:52 EDT - T[0xF0103000] - Client: Directory Utilit, PID: 143, API: dsCloseDirNode(), Active Directory Used : DAC : Node Ref = 16777460
2009-05-28 11:18:52 EDT - T[0xF0103000] - Client: Directory Utilit, PID: 143, API: dsCloseDirNode(), Active Directory Used : DAR : Node Ref = 16777460 : Result code = 0

Can anyone tell me how to force OS 10.5.7 to use hosts files to override DNS for ALL applications and not just certain ones? Any help would be greatly appreciated.

Thanks,
-A.F.
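The post's attempts 2 and 3 hinge on how an Active Directory client finds domain controllers. It does not look up the bare domain name; it queries DNS SRV records such as _ldap._tcp.dc._msdcs.<domain>, orders the targets by RFC 2782 priority and weight, and only then resolves each target hostname. The model below is an added illustration written for this page, not code from the original poster or from Apple; the SRV answers, A records and /etc/hosts contents are constructed samples (203.0.113.0/24 and 192.0.2.0/24 documentation addresses), and the honor_hosts flag stands in for whether a given resolver consults /etc/hosts for the target lookups, which the post reports Directory Utility on 10.5.7 did not do.

```python
"""
Model of AD domain-controller discovery: SRV lookup, RFC 2782 ordering,
then per-target address resolution.  A hosts entry for the bare domain name
never enters this path; hosts entries for the SRV *target* names only matter
if the resolver honours /etc/hosts for those lookups.
All records below are constructed samples for this illustration.
"""
import random

# Constructed `dig +short SRV _ldap._tcp.dc._msdcs.our.domain.com` output:
# "priority weight port target"
SAMPLE_SRV = """\
0 100 389 dc1.our.domain.com.
0 100 389 dc2.our.domain.com.
0 100 389 dc3.our.domain.com.
"""

# Constructed A records as seen through DNS (dc2/dc3 sit behind NAT firewalls).
SAMPLE_DNS_A = {
    "dc1.our.domain.com": "203.0.113.11",
    "dc2.our.domain.com": "203.0.113.12",
    "dc3.our.domain.com": "203.0.113.13",
}

# Constructed /etc/hosts for attempt 2 (domain name only) and attempt 3 (DC names).
HOSTS_DOMAIN_ONLY = "203.0.113.11  our.domain.com\n"
HOSTS_DC_NAMES = """\
203.0.113.11  dc1.our.domain.com
192.0.2.250   dc2.our.domain.com   # deliberately unreachable
192.0.2.251   dc3.our.domain.com   # deliberately unreachable
"""


def parse_srv(text):
    """Parse 'priority weight port target' lines into tuples, ignoring comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        prio, weight, port, target = line.split()
        records.append((int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return records


def parse_hosts(text):
    """Parse /etc/hosts into {name: address}, dropping '#' comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


def order_srv(records, rng):
    """RFC 2782 selection: lowest priority first; weighted random within a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total)          # 0..sum inclusive, per the RFC
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def resolve(name, hosts, dns_a, honor_hosts):
    """Address for a target: /etc/hosts first only if the resolver honours it."""
    if honor_hosts and name in hosts:
        return hosts[name]
    return dns_a.get(name)


def locate_dcs(srv_text, hosts_text, dns_a, honor_hosts, seed=0):
    """Ordered (target, address, port) candidates the client will try."""
    rng = random.Random(seed)                     # seeded so runs are repeatable
    hosts = parse_hosts(hosts_text)
    return [(t, resolve(t, hosts, dns_a, honor_hosts), p)
            for _, _, p, t in order_srv(parse_srv(srv_text), rng)]


def reachable_dcs(candidates, routable):
    """Keep candidates whose address is in the set the client can actually reach
    (stand-in for 'not behind a translating firewall')."""
    return [c for c in candidates if c[1] in routable]


if __name__ == "__main__":
    for label, hosts, honor in [("attempt 2", HOSTS_DOMAIN_ONLY, True),
                                ("attempt 3, hosts honoured", HOSTS_DC_NAMES, True),
                                ("attempt 3, hosts bypassed", HOSTS_DC_NAMES, False)]:
        cands = locate_dcs(SAMPLE_SRV, hosts, SAMPLE_DNS_A, honor)
        print(label, "->", cands, "reachable:", reachable_dcs(cands, {"203.0.113.11"}))
```

Running it shows the two outcomes the poster observed: a hosts entry for our.domain.com changes nothing, because no step of DC location asks for that name, and redirecting dc2/dc3 only helps when the resolver actually consults /etc/hosts for the SRV target names. If it does not, the client keeps offering all three DCs and the join can land on a translated one.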