We leave the "Client ID" field blank in our profiles, and things work fine for joining Macs to AD. It should pull the computer name set by Jamf automatically. You do need an admin account set in the profile that has domain joining authority from your domain admins.
Thank you, yes, I'm using my domain account, which has privileges to bind machines to the domain (which I do a lot of).
What about the "Set primary user account naming convention" setting: "forest" or "domain"? That's another setting I've never had to do, I picked "domain".
Depends on your site, but that setting is at default in our Directory payload, which would be "domain".
The "Client ID" is just the name you see in Active Directory. It's set during binding. Because this is a configuration profile, you can use a payload variable to specify information from Jamf Pro. I typically used $SERIALNUMBER because usernames and computer names can change.
Thanks everyone. I wonder why it's failing, then. Seems like I'm doing everything right.
I'd say before going down the troubleshooting rabbit hole much further let me ask two questions:
1. Have you bound Macs to your domain before?
2. Have you tried interactively binding one of these specific Macs?
Hi Steve,
1) Yes, hundreds of times. Thousands, probably. Always using the Mac OS GUI. I also was able to get Deploy Studio to do it when I was using that software.
2) If by interactively you mean by using the GUI in the Mac OS, no, actually. I just assumed it would work. You can see that the config profile fails in the JAMF console, although it's not clear to me why.
I think he means bind locally using the same configuration profile. Also, I know there is a specific spot in settings for Bindings; I have never actually used that, just the configuration profile with the Directory payload.
Yep, that's correct, in the GUI itself. Either try @jpeters21's suggestion below or go into Users & Groups and try binding there. You can sometimes get clearer reasons for configuration profile installation failures if you install it manually on the machine. Binding in the GUI can also help rule out client connectivity or configuration issues.
I did bind with the GUI, it worked as expected. I thought it might fail since this particular machine is running High Sierra, but I guess the Windows AD doesn't care about that. The error message is:
"The ‘Directory Binding Account’ payload could not be installed. Attempts
to bind to the server ‘accounts.ad.****.edu’ returned an unspecified
problem." (I added the asterisks.)
I can try manually installing the certificate.
Manually installing the config profile (which was a great idea) also failed, with the exact same message as above. So somehow this is a problem with the profile. I used the iMazing Profile Creator... new software to me. Maybe I'll try a different method.
I guess while I've got your attention, what do you all use to create your config profiles to join to the domain? Profile Creator is dead, I'm not getting anywhere with iMazing Profile Creator, and Apple Configurator 2 doesn't have the Active Directory domain join feature that I can tell.
Well, I guess now you have piqued my interest as well. Why aren't you using Jamf Pro to create one? It has the Directory payload as well as the ability to bind using a Policy.
Honestly, I didn't know that JAMF had that- still learning it.
Oh, wait, now I remember: I don't have permissions to edit that. I need to reach out.
I was using Profile Creator and Apple Configurator myself, but it has been a while since I did that outside of Jamf. Really, anything capable of XML editing can create a profile if you know the proper syntax, but why don't you give something like this a try right in Jamf and see how it works for you. (stripped of company info)

If you are going to administer Macs, they basically need to give you all access on the computer side, and really some settings as well. Don't get me wrong, I have a couple of device-manager-only people who can only enroll and change assignments of the devices, but those are also their only tasks. An alternative for you, if you cannot get appropriate permissions, could be a terminal/bash script using dsconfigad commands.
Extra note: check out Jamf training, it will cover a lot of the foundation. Whoever the system owner is will have to email the success team and put you on the account.
Yeah, it's been a source of frustration. We are moving our department from Munki to JAMF, and the central IT folks sometimes aren't aware of our permissions limitations until we tell them. Right now, for instance, I can upload all my packages but bizarrely not scripts.

That looks like what I have. Maybe the software compiler I'm using isn't working right somehow. I'll try with the JAMF tool when I get access to it, should be tomorrow.
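When a bind profile built outside Jamf Pro fails with an unspecified error, it helps to check what the tool actually wrote into the Directory payload. The following is an added example, not part of the thread or of any Jamf tooling: a small linter for the settings discussed above (bind account, Client ID, naming convention). It assumes an unsigned `.mobileconfig`; the function names, the `deployed_by_jamf` parameter and all sample values are hypothetical.

```python
import plistlib

DIRECTORY_TYPE = "com.apple.DirectoryService.managed"  # Directory (AD bind) payload

def lint_directory_payload(profile_bytes, deployed_by_jamf=True):
    """Return a list of problems in the profile's Directory payload(s)."""
    profile = plistlib.loads(profile_bytes)  # unsigned profiles only
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == DIRECTORY_TYPE]
    if not payloads:
        return ["no %s payload found" % DIRECTORY_TYPE]
    problems = []
    for p in payloads:
        # The server and the bind account are needed for an unattended join.
        for key in ("HostName", "UserName", "Password"):
            if not str(p.get(key, "")).strip():
                problems.append("%s is missing or empty" % key)
        # A blank ClientID is fine: the Mac's computer name is used.
        client_id = str(p.get("ClientID", ""))
        if "$" in client_id:
            # Payload variables are filled in by Jamf Pro when it deploys the profile.
            if not deployed_by_jamf:
                problems.append("ClientID %r is an unsubstituted variable" % client_id)
        elif len(client_id) > 15:
            # AD computer (NetBIOS) names are limited to 15 characters.
            problems.append("ClientID %r exceeds 15 characters" % client_id)
        ns = p.get("ADNamespace")
        if ns is not None and ns not in ("forest", "domain"):
            problems.append("ADNamespace %r is not 'forest' or 'domain'" % ns)
    return problems

def build_sample(**directory_keys):
    """Constructed sample profile; every value here is a placeholder."""
    payload = {"PayloadType": DIRECTORY_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "example.directory",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001"}
    payload.update(directory_keys)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                           "PayloadContent": [payload]})

if __name__ == "__main__":
    sample = build_sample(HostName="ad.example.edu", UserName="svc-bind",
                          Password="", ClientID="$SERIALNUMBER", ADNamespace="default")
    for line in lint_directory_payload(sample, deployed_by_jamf=False):
        print(line)
```

The `Password` value sits in an unencrypted profile as plain text, so the bind account it belongs to should hold nothing beyond the right to join computers to the domain.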