Setting up Mac OS X.x as a PDC

[mlcdigital]

I’m in the process of setting up a new OD/AD Mac OS X.4 server and having no luck with the AD side.
I’ve been searching for a little bit through here on any How-Tos but have yet to find one.

I’ve currently set the server up as the OD Master and have tested Kerberos authentication.
It is working just fine and OD is running 100%.

Now I am trying to setup and configure Windows(Samba) as the Primary Domain Controller(PDC).
Here is what I have for configs…
Description: File and Print Server
Computer Name: Server (does this have to be the computer name under System Preferences?)
Domain: our.fully.qualiofied.domain

But when I try to join the domain it gives me errors on the client like this….

Apple Mac OS X.4 Bind Error
An invalid Domain and Forest combination was specified. You should enter a fully qualified DNS name for the domain and forest (e.g., ads.company.com).

Windows XP Domain Error
DNS name does not exist

Does anyone know where there is a great How-To on setting this up?
I have a feeling that I’ve tweaked the configurations so much that something maybe corrupt.

[Ross]

First you shouldn’t be binding X.4 clients via the AD plug-in to your OSX PDC. The client plug-in is for AD servers not a PDC which is NT and not even close to the same thing.

Now for your windows setting on your OSX server, the domain should not be a fully qualified domain. Its your NT domain so just make it “MYDOMAIN” or something. The OSX server shouldn’t even except a fully qualified domain in that field. Then just make sure WINS is working right and you should be able to bind your XP clients to your PDC.

[mlcdigital]

I was meaning to edit my post…

On the OS X server I am using the domain name something.com not pdc.something.com.
Then on an XP machine I try to bind to the domain something.com but I get errors that the domain doesn’t exist.

I am not binding the OS X clients via AD they are binding via DHCP supplied LDAPv3.

[mlcdigital]

The following is the error I get when trying to bind Windows XP to the Mac OS X.4 PDC.

[code]
Note: This information is intended for a network administrator. If you are not your network’s administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain fake.domain.name:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.fake.domain.name

Common causes of this error include the following:

– The DNS SRV record is not registered in DNS.

– One or more of the following zones do not include delegation to its child zone:

fake.domain.name
domain.name
name
. (the root zone)

For information about correcting this problem, click Help.
[/code]

DNS is working just fine.
I can resolve the server name and domain name from the WinXP client.
OD and Kerberos is working perfect on the Mac OS X.4 Server.
I’ve ran ipconfig /flushdns /release /renew and have rebooted but this error still happens.

Any Ideas???!!!

[Ross]

its sounds like your trying to bind the XP machine to the Domain “somthing.com” this is not right. The NT domain should not have any “.” dots in it. What you should be binding to is what is listed in the Windows section for the OSX server under domain. This should not have dots and should just be “SOMEDOMAIN”. OSX server shouldn’t even allow dots in a PDC domain.

[mlcdigital]

So no . at all?
I’ve setup tons of Win2K AD servers in my career and have always used full domain names ‘something.com’ or fake ones like ‘something.local’.
I’ll have to try setting up the PDC on the Mac OS X.4 Server with the domain ‘something’ and see if I can bind to it with the XP machine.
I did try setting it up ‘something.local’ but that didn’t work.
Thanks for the replies…

[Ross]

Thats your problem….. its not an AD server, its an NT server. Just try it

[mlcdigital]

I think my problem is bigger then that…
I’ve changed the Windows PDC Domain Settings on the Mac OS X.4 Server to SOMETHING and then tried binding to it via a Windows XP client.
I tried binding to the PDC from the Win XP client through simply changing the Domain under Computer Name and I also tried using the Network ID wizard.
These are the errors I get…
[code]
The domain name SOMETHING might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain SOMETHING:

The error was: “This operation returned because the timeout period expired.”
(error code 0x000005B4 ERROR_TIMEOUT)

The query was for the SRV record for _ldap._tcp.dc._msdcs.SOMETHING

The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:

10.1.0.1
10.1.0.2
10.1.0.3

Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.

For more information on how to correct this problem, click Help.[/code]

[code]
The domain name SOMETHING might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain SOMETHING:

The error was: “DNS server failure.”
(error code 0x0000232A RCODE_SERVER_FAILURE)

The query was for the SRV record for _ldap._tcp.dc._msdcs.SOMETHING

Common causes of this error include the following:

– The DNS servers used by this computer contain incorrect root hints. This computer is configured to use DNS servers with following IP addresses:

10.1.0.1
10.1.0.2
10.1.0.3

– One or more of the following zones contains incorrect delegation:

SOMETHING
. (the root zone)

For information about correcting this problem, click Help.[/code]

Here is the server configuration from DHCP to DNS…
DHCP supplied DNS Default Domain: something.com, Name Servers: 10.1.0.3, 10.1.0.2, 10.1.0.1, WINS Primary/Secondary: 10.1.0.3, 10.1.0.2, NBDD Server: 10.1.0.2, NBT Node Type: Mixed, NetBIOS Scope ID: SOMETHING
DNS: Name Servers: server.something.com, server.something.com points to 10.1.0.2 and 10.1.0.3, Server IP Address: 10.1.0.2

Again, I’ve release/renewed/flushed IP/DNS. I’ve rebooted the server and the client. LDAP, OpenDirectory, and Kerberos are working 100% on Mac OS X.x clients and the server.

What am I overlooking?

[Ross]

Take a look at this, see if it helps

http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=22988&DisplayTab=Article

[mlcdigital]

Whelp guess what…???
I’ve enabled NetBIOS over TCP/IP as described at that site.
Then I tried binding to the domain via the Network ID wizard and the Change Name.
I got the same errors as before.
So then I installed the ‘NWLink IPX/SPX NetBIOS Compatible Transport Protocol’ and gave it a try binding the two ways listed above and it gave me the same errors.
I’ve restarted the Win XP machine after making these adjustments each and every time.
Is there something else that might be causing the conflict?

[Ross]

Well, it seems to be an issue with your client since that error is not the typical error when Windows can’t see a Domain. Maybe is the way your joining…. Are you right clicking My Computer then going into the “Computer Name” tab and changing it to DOMAIN and putting in the “SOMETHING” for the domain.

This is an XP client right out of the box?

[mlcdigital]

I am binding to the domain two ways.
Right clicking My Computer -> Properties -> Computer Name -> Network ID -> Walk through the wizard to connect to a domain
And I’ve done it this way…
Right clicking My Computer -> Properties -> Computer Name -> Change -> Select Domain and input the domain -> I’m never prompted for an Admin Username/Password to join the domain.

I’ve built and designed Windows NT/2000/2003 Server domains/networks and understand DNS, DHCP, and NetBIOS/WINS/ActiveDirectory.
I’ve also designed Mac OS X.1/4 Server NetInfo/OpenDirectory networks.

The server is running DNS, DHCP, AFP, OD, and Kerberos perfectly. I’ve even tested the SingleSignOn capabilities with success.

What I have noticed in the Samba logs is that both IP/NICs are listening for WINS/NetBIOS. I know having more then one Master Browser on the network can/could cause trouble.
I configured both NICs to listen for OD/LDAP and WINS assuming that the server would do some traffic balancing decreasing latency/lag.

[Ross]

Here it should ask for your directory admin login and password or tell you it can’t find the domain. I have never seen it just allow you to put in a DOMAIN with out an error or asking you for authentication. Now selecting workgroup never asks for auth…

Maybe the dual NIC is the issue… The master needs to be on en0 or you will have problems. Have you tried binding a Mac to your OD server to see if the master and OD is working right?

Not sure what to tell you, I have done about 100 of these setups the same way I’m telling you. If I’m having a WINS issue it always gives an error when trying to change it to the DOMAIN. WINS/Master browser issues are pretty common but I have never seen what you are describing caused by either of those. Sorry I couldn’t be of more help.

[mlcdigital]

It does give me errors when trying to bind to the domain…
[code]The domain name SOMETHING might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain SOMETHING:

The error was: “This operation returned because the timeout period expired.”
(error code 0x000005B4 ERROR_TIMEOUT)

The query was for the SRV record for _ldap._tcp.dc._msdcs.SOMETHING

The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:

10.1.0.1
10.1.0.2
10.1.0.3

Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.

For more information on how to correct this problem, click Help.[/code]
Windows service configured as PDC, Domain: SOMETHING, Enabled:WINS…
I’ve tried binding Mac OS X.4 to ActiveDirectory but I also get errors (don’t have them documented).
I know that NetBIOS/WINS isn’t working off the server correctly because the clients can’t even find the server. Also, I have the log settings at high in order to debug this but I get nothing as far as client connection requests/errors.

[mlcdigital]

Since the server isn’t live and doesn’t have any users in the OD DB I started from scratch.
Installed OS X.4 Server -> Updated -> Setup DNS -> Setup DHCP -> Setup OpenDirectory -> Tested everything on a client machine (including Kerberos) -> Setup Windows (Samba) as PDC -> Tested Windows (Samba) by binding a Win XP client.
This time I was able to get an authentication box when I tried binding the WinXP client to the server but I get some kind of authentication errors.
[code]Your computer could not be joined to the domain because the following error has occurred:
No mapping between account names and security IDs was done.[/code]
I was reading someplace on AFP548.com about granting certain users in OD through terminal AD admin permissions.
Would this be my next step?

[Author]

Posts