Hanging on Step 5 of AD Bind

  • #367628
    joelmwatson
    Participant

    Hi everyone!
    Yes, this is the infamous step 5 hang problem… I’ll start out by saying that I’ve done my best to make sure I’ve tried everything I found mentioned previously here and elsewhere before posting… Here’s the deal.
    I work at a small school (less than 200 user accounts) that has a single W2k3 domain controller that also handles DNS, another W2k3 mail server, and a single Xserve running 10.4.8. When I started working here 2 weeks ago, the mail server had been “retired” (i.e., turned off and ignored), so I decided to swap IP numbers from the mail server to the Xserve so I would have an external IP (the domain controller and mail server had external addresses mapped to them at the router) to work with. So, I reinstalled 10.4.8 on the Xserve to start fresh and proceeded to follow [url=http://www.bombich.com/mactips/activedir.html]Mike Bombich’s guide on integrating AD/OD[/url] (specifically, section VII). Unfortunately, I got ahead of myself and bound to AD prior to destroying my OD Kerberos realm (Yes, it bound perfectly and I could view AD users in WGM). I decided to cut my losses and just start over fresh since I hadn’t spent much time on it yet. This is where things went south.
    I installed a fresh copy of 10.4.8 on the Xserve, deleted the computer account in AD for it and proceeded with the guide. Promoted to Open Directory Master, then destroyed the OD Kerberos realm. At this point I opened Directory Access and tried binding to AD the same as the previous attempt. It failed immediately with an “Unknown error” (forget the exact wording–but very generic). I did some digging for quite a while and discovered what I thought was the problem. I had forgotten to remove the DNS entries for the mail server, so there were two sets of forward/reverse DNS entries for the server (why it worked the first time when this was the case I don’t know). I deleted all entries referencing the now defunct mail server and gave it another shot. This time it breezed right through steps 1-4 and hung at step 5. This is where I’ve been stuck since last weekend. It creates the computer account without a problem… I suspect it’s something to do with DNS, but am not too sure at this point. I have since switched the Xserve’s IP back to what it had originally to avoid possible DNS problems that existed with the other IP, but no dice. Here’s what the debug log is giving me now:
    [code]
    2006-11-16 09:05:14 PST – ADPlugin: Initialize Called
    2006-11-16 09:05:14 PST – ADPlugin: Initialize Returned
    2006-11-16 09:05:14 PST – ADPlugin: State Changed Called 4
    2006-11-16 09:05:14 PST – ADPlugin: Received ServerRunLoop Mutex
    2006-11-16 09:05:14 PST – ADPlugin: Received Kerberos Mutex
    2006-11-16 09:05:14 PST – ADPlugin: State Changed Called 2
    2006-11-16 09:05:14 PST – ADPlugin: State Changed Called 2
    2006-11-16 09:05:14 PST – ADPlugin: Calling OpenDirNode
    2006-11-16 09:05:14 PST – ADPlugin: Calling CustomCall
    2006-11-16 09:05:14 PST – ADPlugin: Calling CustomCall
    2006-11-16 09:05:14 PST – ADPlugin: Calling CloseDirNode
    2006-11-16 09:05:37 PST – ADPlugin: Calling OpenDirNode
    2006-11-16 09:05:37 PST – ADPlugin: Calling CustomCall
    2006-11-16 09:05:37 PST – ADPlugin: Doing CheckServerRecords……
    2006-11-16 09:05:37 PST – ADPlugin: mydomain.com – Start checking servers for site “any”
    2006-11-16 09:05:37 PST – ADPlugin: Total Servers “any” LDAP – 1, Kerberos – 1, kPasswd – 1
    2006-11-16 09:05:37 PST – ADPlugin: Server #1 picked – “domaincontroller.mydomain.com”
    2006-11-16 09:05:37 PST – ADPlugin: mydomain.com – Finished checking servers for domain
    2006-11-16 09:05:37 PST – ADPlugin: Got rootDSE for server domaincontroller.mydomain.com to determine forest
    2006-11-16 09:05:37 PST – ADPlugin: Determined Forest of mydomain.com from Domain Controller domaincontroller.mydomain.com
    2006-11-16 09:05:37 PST – ADPlugin: Found Default Domain mydomain.com
    2006-11-16 09:05:37 PST – ADPlugin: Global Catalogs – Start checking servers for site “any”
    2006-11-16 09:05:37 PST – ADPlugin: Total Servers “any” LDAP – 1, Kerberos – 1, kPasswd – 1
    2006-11-16 09:05:37 PST – ADPlugin: Server #1 picked – “domaincontroller.mydomain.com”
    2006-11-16 09:05:37 PST – ADPlugin: Global Catalogs – Finished checking servers for domain
    2006-11-16 09:05:37 PST – ADPlugin: Found Forest Domain GC mydomain.com
    2006-11-16 09:05:37 PST – ADPlugin: Something wrong, unable to determine domain information from Config container……
    2006-11-16 09:05:37 PST – ADPlugin: Finished CheckServerRecords……
    2006-11-16 09:05:37 PST – ADPlugin: Created KerberosClient record Generation ID 185389537
    2006-11-16 09:05:37 PST – ADPlugin: Rebuilt Kerberos File
    2006-11-16 09:05:37 PST – ADPlugin: Calling CloseDirNode
    2006-11-16 09:05:37 PST – ADPlugin: Calling OpenDirNode
    2006-11-16 09:05:37 PST – ADPlugin: Calling CustomCall
    2006-11-16 09:05:37 PST – ADPlugin: Doing CheckServerRecords……
    2006-11-16 09:05:37 PST – ADPlugin: Good credentials for [email protected]
    2006-11-16 09:05:37 PST – ADPlugin: No existing connection in connection mgr for [email protected]@mydomain.com:389
    2006-11-16 09:05:37 PST – ADPlugin: Secure BIND Session with server domaincontroller.mydomain.com:389
    2006-11-16 09:05:37 PST – ADPlugin: Read Context information from server for configurationNamingContext of CN=Configuration,DC=mydomain,DC=com
    2006-11-16 09:05:37 PST – ADPlugin: Processing Site Search with found IP
    2006-11-16 09:05:37 PST – ADPlugin: Returning connection to pool for domain mydomain.com with dsStatus 0.
    2006-11-16 09:05:37 PST – ADPlugin: mydomain.com – Start checking servers for site “any”
    2006-11-16 09:05:37 PST – ADPlugin: Total Servers “any” LDAP – 1, Kerberos – 1, kPasswd – 1
    2006-11-16 09:05:37 PST – ADPlugin: Server #1 picked – “domaincontroller.mydomain.com”
    2006-11-16 09:05:37 PST – ADPlugin: mydomain.com – Finished checking servers for domain
    2006-11-16 09:05:37 PST – ADPlugin: Got rootDSE for server domaincontroller.mydomain.com to determine forest
    2006-11-16 09:05:37 PST – ADPlugin: Determined Forest of mydomain.com from Domain Controller domaincontroller.mydomain.com
    2006-11-16 09:05:37 PST – ADPlugin: Found Default Domain mydomain.com
    2006-11-16 09:05:37 PST – ADPlugin: Global Catalogs – Start checking servers for site “any”
    2006-11-16 09:05:37 PST – ADPlugin: Total Servers “any” LDAP – 1, Kerberos – 1, kPasswd – 1
    2006-11-16 09:05:37 PST – ADPlugin: Server #1 picked – “domaincontroller.mydomain.com”
    2006-11-16 09:05:37 PST – ADPlugin: Global Catalogs – Finished checking servers for domain
    2006-11-16 09:05:37 PST – ADPlugin: Found Forest Domain GC mydomain.com
    2006-11-16 09:05:37 PST – ADPlugin: Good credentials for [email protected]
    2006-11-16 09:05:37 PST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@mydomain.com:389
    2006-11-16 09:05:37 PST – ADPlugin: Read Context information from server for configurationNamingContext of CN=Configuration,DC=mydomain,DC=com
    2006-11-16 09:05:37 PST – ADPlugin: Returning connection to pool for domain mydomain.com with dsStatus 0.
    2006-11-16 09:05:37 PST – ADPlugin: Finished CheckServerRecords……
    2006-11-16 09:05:37 PST – ADPlugin: Created KerberosClient record Generation ID 185389537
    2006-11-16 09:05:37 PST – ADPlugin: Rebuilt Kerberos File
    2006-11-16 09:05:37 PST – ADPlugin: Closing All Connections – Connection Manager
    2006-11-16 09:05:37 PST – ADPlugin: Closing Connection – [email protected]@mydomain.com:389
    2006-11-16 09:05:37 PST – ADPlugin: Closing All Connections – Connection Manager Completed
    2006-11-16 09:05:37 PST – ADPlugin: Calling CloseDirNode
    2006-11-16 09:05:37 PST – ADPlugin: Calling OpenDirNode
    2006-11-16 09:05:37 PST – ADPlugin: Calling CustomCall
    2006-11-16 09:05:37 PST – ADPlugin: Verify called for [email protected]
    2006-11-16 09:05:37 PST – ADPlugin: Verify successful for [email protected]
    2006-11-16 09:05:37 PST – ADPlugin: Calling CloseDirNode
    2006-11-16 09:05:38 PST – ADPlugin: Calling OpenDirNode
    2006-11-16 09:05:38 PST – ADPlugin: Calling CustomCall
    2006-11-16 09:05:38 PST – ADPlugin: Good credentials for [email protected]
    2006-11-16 09:05:38 PST – ADPlugin: No existing connection in connection mgr for [email protected]@mydomain.com:389
    2006-11-16 09:05:38 PST – ADPlugin: Secure BIND Session with server domaincontroller.mydomain.com:389
    2006-11-16 09:05:38 PST – ADPlugin: Read Context information from server for schemaNamingContext of CN=Schema,CN=Configuration,DC=mydomain,DC=com
    2006-11-16 09:05:40 PST – ADPlugin: Returning connection to pool for domain mydomain.com with dsStatus 0.
    2006-11-16 09:05:40 PST – ADPlugin: Updating Mappings from Schema……….
    2006-11-16 09:05:40 PST – ADPlugin: Doing Computer search for Ethernet address – 00:0d:93:9e:a0:d5
    2006-11-16 09:05:40 PST – ADPlugin: Doing DN search for account – xserve
    2006-11-16 09:05:40 PST – ADPlugin: Good credentials for [email protected]
    2006-11-16 09:05:40 PST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@mydomain.com:389
    2006-11-16 09:05:40 PST – ADPlugin: Returning connection to pool for domain mydomain.com with dsStatus 0.
    2006-11-16 09:05:40 PST – ADPlugin: Calling CloseDirNode
    2006-11-16 09:05:42 PST – ADPlugin: Calling OpenDirNode
    2006-11-16 09:05:42 PST – ADPlugin: Calling CustomCall
    2006-11-16 09:05:42 PST – ADPlugin: Looking for existing Record of xserve
    2006-11-16 09:05:42 PST – ADPlugin: Doing DN search for account – xserve
    2006-11-16 09:05:42 PST – ADPlugin: Good credentials for [email protected]
    2006-11-16 09:05:42 PST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@mydomain.com:389
    2006-11-16 09:05:42 PST – ADPlugin: Returning connection to pool for domain mydomain.com with dsStatus 0.
    2006-11-16 09:05:42 PST – ADPlugin: Good credentials for [email protected]
    2006-11-16 09:05:42 PST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@mydomain.com:389
    2006-11-16 09:05:42 PST – ADPlugin: KerberosID Found for account CN=xserve,CN=Computers,DC=mydomain,DC=com – xserve$
    2006-11-16 09:05:42 PST – ADPlugin: Returning connection to pool for domain mydomain.com with dsStatus 0.
    2006-11-16 09:05:42 PST – ADPlugin: Existing record found @ CN=xserve,CN=Computers,DC=mydomain,DC=com with [email protected].
    2006-11-16 09:05:42 PST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2006-11-16 09:05:43 PST – ADPlugin: Setting Computer Password worked……
    2006-11-16 09:05:43 PST – ADPlugin: Good credentials for [email protected]
    2006-11-16 09:05:43 PST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@mydomain.com:389
    2006-11-16 09:05:43 PST – ADPlugin: ADSEngine Setting Values for Attribute: dNSHostName Record: CN=xserve,CN=Computers,DC=mydomain,DC=com
    2006-11-16 09:05:43 PST – ADPlugin: Returning connection to pool for domain mydomain.com with dsStatus 0.
    2006-11-16 09:05:43 PST – ADPlugin: Good credentials for [email protected]
    2006-11-16 09:05:43 PST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@mydomain.com:389
    2006-11-16 09:05:43 PST – ADPlugin: ADSEngine Setting Values for Attribute: userAccountControl Record: CN=xserve,CN=Computers,DC=mydomain,DC=com
    2006-11-16 09:05:43 PST – ADPlugin: Returning connection to pool for domain mydomain.com with dsStatus 0.
    2006-11-16 09:05:43 PST – ADPlugin: Good credentials for [email protected]
    2006-11-16 09:05:43 PST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@mydomain.com:389
    2006-11-16 09:05:43 PST – ADPlugin: ADSEngine Setting Values for Attribute: operatingSystem Record: CN=xserve,CN=Computers,DC=mydomain,DC=com
    2006-11-16 09:05:43 PST – ADPlugin: Returning connection to pool for domain mydomain.com with dsStatus 0.
    2006-11-16 09:05:43 PST – ADPlugin: Good credentials for [email protected]
    2006-11-16 09:05:43 PST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@mydomain.com:389
    2006-11-16 09:05:43 PST – ADPlugin: ADSEngine Setting Values for Attribute: operatingSystemVersion Record: CN=xserve,CN=Computers,DC=mydomain,DC=com
    2006-11-16 09:05:43 PST – ADPlugin: Returning connection to pool for domain mydomain.com with dsStatus 0.
    2006-11-16 09:05:43 PST – ADPlugin: Good credentials for [email protected]
    2006-11-16 09:05:43 PST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@mydomain.com:389
    2006-11-16 09:05:43 PST – ADPlugin: ADSEngine Setting Values for Attribute: networkAddress Record: CN=xserve,CN=Computers,DC=mydomain,DC=com
    2006-11-16 09:05:43 PST – ADPlugin: Returning connection to pool for domain mydomain.com with dsStatus 0.
    [/code]
    Any help would be GREATLY appreciated! Thanks!
    -Joel
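
Added example, not part of the original post and not Apple's tooling: a small triage pass over an ADPlugin debug log in the format posted above, listing suspect lines, long pauses between entries and the last entry written before the log stops. The names `triage` and `SAMPLE_LOG`, the keyword list, and the reading of a non-zero dsStatus as a failure are assumptions made for illustration; the sample lines are constructed.

```python
import re
from datetime import datetime

# Accepts a plain hyphen or the en dash that forum software substitutes for it.
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ [-\u2013] ADPlugin: (.*)$")
SUSPECT = re.compile(r"something wrong|unable to|fail|error", re.I)  # assumed keywords
DS_STATUS = re.compile(r"dsStatus (-?\d+)")

# Constructed sample in the posted format; the first line has a truncated
# timestamp, as a copy-paste can produce, and must be skipped, not crash.
SAMPLE_LOG = """\
006-11-16 09:05:14 PST - ADPlugin: Initialize Called
2006-11-16 09:05:14 PST - ADPlugin: Calling CloseDirNode
2006-11-16 09:05:37 PST - ADPlugin: Doing CheckServerRecords......
2006-11-16 09:05:37 PST - ADPlugin: Something wrong, unable to determine domain information from Config container......
2006-11-16 09:05:37 PST \u2013 ADPlugin: Returning connection to pool for domain mydomain.com with dsStatus 0.
2006-11-16 09:05:43 PST - ADPlugin: Setting Computer Password worked......
2006-11-16 09:05:43 PST - ADPlugin: ADSEngine Setting Values for Attribute: networkAddress Record: CN=xserve,CN=Computers,DC=mydomain,DC=com
"""

def triage(text, gap_seconds=10):
    """Summarise a log: suspect lines, pauses over gap_seconds, last entry."""
    report = {"suspect": [], "gaps": [], "skipped": 0, "last": None}
    prev = None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            report["skipped"] += bool(raw.strip())  # count non-empty unparsed lines
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        status = DS_STATUS.search(msg)
        # Assumption: dsStatus 0 is success, anything else deserves a look.
        if SUSPECT.search(msg) or (status and status.group(1) != "0"):
            report["suspect"].append(msg)
        if prev and (when - prev).total_seconds() > gap_seconds:
            report["gaps"].append((int((when - prev).total_seconds()), msg))
        prev = when
        report["last"] = msg  # where the log stops is where the bind stalled
    return report

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("suspect", "gaps", "skipped", "last"):
        print(key, "->", result[key])
```

The last entry is the one to compare between a hanging bind and a working one, since both posters describe the log simply stopping.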

    #367719
    joelmwatson
    Participant

    No thoughts, anyone? 🙁

    #367738
    jdyck
    Participant

    I think I’m having the EXACT same problem as you and I’m completely stumped… We recently created a new domain, I’m at one site and have successfully bound several client machines to the new Domain with no problem. However, I have a Tiger server on site that we use for imaging and want to use as an OD replica that I cannot bind to the new domain…
    I just reloaded the whole server OS and tried to bind with the exact same problem… I’ve tried giving the machine a new name (including removing the old DNS record and creating a new one with the new name, and running the changeip command to make sure hostnames were all good…).
    I’m stumped… the only message I get from Directory Access is that an “Unknown error occurred…” The computer account *IS* created in the AD Domain, but the DirectoryService Error log stops with two lines stating that it was attempting to change password, so I’m wondering if that is failing for some reason… I am a Domain Admin so my account shouldn’t have any permission problems I don’t think…
    Help anyone?
