Connecting Computer to Active Directory
This topic has 9 replies, 4 voices, and was last updated 19 years, 7 months ago by afp548contributor.
July 18, 2005 at 5:41 pm #362357
sgstuart
Participant
Hi all,
I am having a problem connecting my Computer to its Computer Account, that has already been created for it. There are 5 steps when trying to Bind, and I am failing on 4 of 5. I am being authenticated with my Active Directory account.
I get the following error.
Unable to access domain controller
This computer is unable to access the domain
controller for an unknown reason.
I have many OUs that the computer account is buried under. I have placed those in reverse order, as I believe is correct. I also have the domain showing correctly as DC='s. Here is an example of what I am putting in:
OU=computerID,OU=OU-5,OU=OU4,OU=OU3,OU=OU 2,OU=OU1,DC=my,DC=domain,DC=net
I do have a space in the name of the 2nd OU, and I have a "-" in the name of the 5th OU.
This is all I am placing. Do I need CN=Computers at the front of this? Please let me know.
Thanks,
Steven Stuart

July 18, 2005 at 6:24 pm #362358
sgstuart
Participant
update
I am finding out when doing the debug, that my authentication is failing most of the time, but works once in a while.
When it works it has the proper account name and domain. However, the majority of the time it is sending the domain twice.
It is sending [email protected]@my.domain.net
It should be sending [email protected]
Thanks,
Steven Stuart

July 18, 2005 at 9:12 pm #362361
sgstuart
Participant
Hi macshome,
Yes, I mean I put DirectoryService in debug logging mode and then tried to bind.
I will use mycomputer as the name of this desktop.
When I do a ping of mycomputer with the Network Utility it comes back as mycomputer.myfacility.domain.net and IP address xxx.xx.xx.xxx, which is the same IP address that shows up under Network (TCP/IP).
When I bring up Terminal, mycomputer is what shows up in the front. So I would say yes, I think DNS is okay.
However, in some places the letters show up as lower case, and in other places UPPER CASE, but they are all one or the other, no mix.
Thanks,
Steven Stuart

July 19, 2005 at 4:31 pm #362372
sgstuart
Participant
Hi Macshome,
I did a 'host' and everything looks fine both ways to me. I also did nslookups on a PC, and DNS and IP come back properly. The WINS name does not know what to do, but I think that is okay.
For the Computer ID, I am just putting the name, not the FQDN.
Just to make sure that you fully understand our network: my user ID is authenticated on my.domain.net. My computer is on a subset of that network, myfacility.domain.net.
Do I need to somehow tell the Directory Access utility that? At this point I am placing my.domain.net in the Active Directory Domain. However, when I am doing the Computer OU string, it is basically in there, so maybe that is okay.
Where I really think the problem is, is the @my.domain.net showing up twice in the majority of the authentications.
If I can also work with you offline and not have things published, I can give you full information, if you promise not to pass it around. We can then publish the solution on here. I am okay either way though.
Thanks,
Steven Stuart

July 29, 2005 at 8:05 am #362573
Anonymous
Participant
Steve, I am getting the same thing. It goes through all steps and stops at step 4, which is where I see "[email protected]@my.domain.net".
Kerberos seems to authenticate correctly, then it just fails, sometimes telling me I don't have the rights. I am the domain admin. I do have the rights. I also tried manually adding the computer name and then just binding with the same name.
In addition, I have done some of the other suggestions on AFP for steering my machine more directly to DNS, including adding the DNS server to my list, modifying Rendezvous (Bonjour), shutting off Rendezvous, as well as editing my hosts file. Nothing works. I am beginning to think it doesn't work.
I have also done several reformats and clean installs, Panther, Tiger. Same deal. I am pretty close to recommending that we blow off the server purchases we are looking at.
If you find a solution or get it to work, can you please post the solution here? I will give it another couple of weeks, then I am going to fold up.
thanks!
July 29, 2005 at 11:07 pm #362589
Anonymous
Participant
Joel, when you refer to the DS debug logs, what are you talking about?
I used:
"sudo killall -USR1 DirectoryService"
[then]
"tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlug"
I am game to try packet traces to see what is happening, but I have no clue what would be best and what I would be looking for.
I found the following link on Apple's site:
"http://developer.apple.com/qa/qa2001/qa1176.html"
...which recommends using one of the following. Since the first is expensive I will probably use tcpdump...
EtherPeek, Ethereal, FrameSeer, Interarchy, NetMinder, tcpdump (included with all versions of Mac OS X)
So what exactly will I be looking for here? Will it be a clearly labelled "ERROR" or something more subtle?
You mention common issues at this stage include very locked-down security policies on the domain controller. This is a good possibility; do I have to turn off digital signing, like when setting up SMB shares?
As for time issues, I take it to mean that I need to make sure all clocks are in sync with the DC so that Kerberos is happy.
~still looking/
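The symptom both posters describe, a principal sent as user@my.domain.net@my.domain.net, is easy to miss when watching the grep ADPlug stream scroll by. The script below is an added example, not code from this thread or from Apple: it reads saved log text and reports every principal whose realm is repeated, plus any that carry a realm other than the one you bound to (myfacility.domain.net versus my.domain.net is the split mentioned above). The log line wording, the aduser account and the audit helper are assumptions; only the user@realm token shape matters.

```python
import re
from dataclasses import dataclass

# Constructed sample of what `tail -f ... | grep ADPlug` might surface; the wording
# of real ADPlug lines is an assumption, only the shape of the principal matters.
SAMPLE_LOG = """\
2005-07-18 13:41:02 - ADPlug: Binding computer mycomputer to my.domain.net
2005-07-18 13:41:03 - ADPlug: Authenticating aduser@my.domain.net@my.domain.net: failed
2005-07-18 13:41:09 - ADPlug: Authenticating aduser@my.domain.net: succeeded
2005-07-18 13:41:15 - ADPlug: Authenticating aduser@my.domain.net@my.domain.net: failed
2005-07-18 13:41:20 - ADPlug: Authenticating aduser@myfacility.domain.net: failed
"""

# user@realm token, allowing extra "@realm" suffixes so the doubled form is caught whole
PRINCIPAL_RE = re.compile(r"(?<!\S)([^\s@:]+)((?:@[A-Za-z0-9.-]+)+)(?=[\s:,;]|$)")

@dataclass
class Principal:
    line_no: int
    as_logged: str
    user: str
    realms: list

    @property
    def doubled(self) -> bool:
        return len(self.realms) > 1

    @property
    def corrected(self) -> str:
        # keep the first realm; the repeated suffix is the part that should not be sent
        return f"{self.user}@{self.realms[0]}"

def extract_principals(log_text: str) -> list:
    """Pull every user@realm token out of the log text, tagged with its line number."""
    found = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for m in PRINCIPAL_RE.finditer(line):
            realms = m.group(2).rstrip(".").split("@")[1:]  # drop a sentence-ending '.'
            found.append(Principal(line_no, m.group(0).rstrip("."), m.group(1), realms))
    return found

def audit(log_text: str, expected_realm: str):
    """Return (principals with the realm repeated, principals in some other realm)."""
    principals = extract_principals(log_text)
    doubled = [p for p in principals if p.doubled]
    other_realm = [p for p in principals
                   if not p.doubled and p.realms[0].lower() != expected_realm.lower()]
    return doubled, other_realm
```

Feed audit() the saved grep output and the domain you typed into Directory Access; on the sample, lines 2 and 4 come back as realm-doubled and line 5 as a different realm, which is the split to chase before looking at signing policy or clock skew.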