
I'm starting to see an issue where our Macs (bound to AD) will lose their connection to AD. Here are the symptoms that I notice when I start having odd issues:
My wireless will not connect. (We use Computer Authentication, which requires your Mac to be bound to our AD.)
My Domain admin account will no longer be able to "unlock" preferences or do any admin task.
If I try to use dscl to browse AD, I'm able to do an "ls" at the top level and see "/Active Directory" and then cd (change directory) to /Active Directory. Next I do "ls" again and see our domain LPCDOMAIN1, but I can't change directory to it. It will give me an error message. (Sorry, I don't have that written down.)

Troubleshooting steps:
When I check the "Login Options" under Users & Groups, it shows that I'm joined to AD and will list my domain name and the green light.
I'm able to find my computer name in AD when searching with the "MS Active Directory Users and Computers" tool.
My Search Path will show /Local/Default and /Active Directory.
I'm able to ping my DC by IP and name.
It acts like the Mac is bound to AD, but can't talk to it.

Work around:
Unbind from AD
Rebind to AD
Reboot

I'm wondering if anyone has seen something like this. This has only happened on a few Macs, and all of them were running 10.10.2.
Most of our Macs are still on 10.9.5 and have never experienced this issue.

I know this is an old thread, but I saw that behavior on machines that were upgraded to 10.10.x. Computers with fresh installs of 10.10.x would stay bound, but any machine upgraded from a previous OS would keep unbinding itself.

I haven't seen this happen now that we are upgrading machines to 10.11.x


@bentoms @jhalvorson I know this is old, but ever since we moved to 802.1X authentication, this problem has been becoming more popular on our El Capitan machines. I was wondering if the command to disable the password change interval (dsconfigad -passinterval X) needs to be run prior to or after the domain binding. @jhalvorson, the Apple article you mentioned instructs you to do it prior to binding, but @bentoms said it works after binding.

Thanks


As best I can tell, when the computer is not bound, there aren't any configs to adjust.
When you attempt to set it on a computer that is not bound, the response is:

dsconfigad: No operation specified nor update requested

I have been issuing the command after the computer has been bound to AD. Then the command will result in:

Settings changed successfully.

You can see the status of the dsconfigad by using the

dsconfigad -show

command. Here's an example:

Active Directory Forest          = mydomain.org
Active Directory Domain          = mysomething.mydomain.org
Computer Account                 = ComputerID$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Force home to startup disk     = Enabled
  Mount home as sharepoint       = Enabled
  Use Windows UNC path for home  = Disabled
  Network protocol to be used    = smb
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = not set
  Mapping user GID to attribute  = not set
  Mapping group GID to attribute = not set
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = not set
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 30
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain

I was working on a script to unbind and rebind a Mac to our domain. When I run dsconfigad -show on some existing computers that are already bound to AD, some computers have Packet signing and Packet encryption as "allow" and some have it as "disable." Now I'm not sure which option to use in the script. I'm not exactly sure what these settings do.

Also, when I add groups to Allowed Admin groups in the script, I try to add 3 groups as admingroups="domain admins, enterprise admins, tier2-support" as the variable and use /usr/sbin/dsconfigad -groups $admingroups as the command. It doesn't seem to like the space in the group name because it ends up adding just "domain" in the Admin groups. Do I need another set of parentheses or brackets?

Thanks
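Added example (not code from the thread) showing why the unquoted `$admingroups` above ends up registering only "domain": the shell splits an unquoted variable on whitespace, so each word becomes a separate argument and `-groups` only sees the first one. `fake_dsconfigad` is a stand-in for /usr/sbin/dsconfigad that reports what `-groups` received; it is an assumption that dsconfigad wants the list without spaces after the commas, as in its man page.

```shell
#!/bin/sh
# Stand-in for /usr/sbin/dsconfigad: print the single argument that
# follows -groups, which is what the real tool would store.
fake_dsconfigad() {
  while [ $# -gt 0 ]; do
    case "$1" in
      -groups) printf '%s' "$2"; return 0 ;;
    esac
    shift
  done
  return 1
}

# Comma-separated list, no spaces after commas (assumed dsconfigad format).
admingroups="domain admins,enterprise admins,tier2-support"

# Broken form from the post: unquoted expansion undergoes word splitting,
# so the arguments are: -groups domain admins,enterprise admins,tier2-support
groups_unquoted() { fake_dsconfigad -groups $admingroups; }

# Fixed form: double quotes keep the whole list as ONE argument.
groups_quoted() { fake_dsconfigad -groups "$admingroups"; }

# On a real Mac the fixed call is simply:
#   /usr/sbin/dsconfigad -groups "$admingroups"
```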


This issue has plagued us for years and still does on 10.13.5. Thanks for these helpful scripts. Hopefully, they will work as a band-aid.


We have around 70 macs in our environment and in the past 3 or 4 months have seen this happen 3 or 4 times, all on different machines. The strange part is that from almost every aspect it looks as though the mac and the server are still communicating and connected properly. In Users & Groups preference pane the domain is shown with a green light, the Active Directory entry is still shown in the keychain, running dsconfigad shows proper name and domain, the server side listing shows a recent last logon entry, are able to ping the domain controller from the affected machine, but when running "id ACCOUNT" command with a known working account it comes back no such user, and if we try to unbind and rebind it gives the "Unable to access domain controller" and the option to force unbind. Doing a force unbind and deleting the computer entry from the server and rebinding fixes the problem, but we would like to find a way to possibly prevent the issue. If not we will attempt to set up an extension attribute to do a rebind if this happens. Any suggestions would be greatly appreciated
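Added example, not code from the thread: a health check in the shape of a Jamf extension attribute that separates "bound and working" from the "looks bound, but id ACCOUNT says no such user" state described above, so affected machines can be flagged for a rebind. `PROBE_USER` is a placeholder for any real AD account; the sample `dsconfigad -show` text is constructed from the listing posted earlier in the thread.

```shell
#!/bin/sh
# Known-good AD account to look up (placeholder; set for your domain).
PROBE_USER="${PROBE_USER:-ad-probe-user}"

# Classify from (1) `dsconfigad -show` output and (2) the exit status of
# `id "$PROBE_USER"`. Kept pure so it can be exercised without a Mac.
classify_ad() {  # $1 = show output, $2 = id exit status
  domain=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*= *//p')
  if [ -z "$domain" ]; then
    echo "unbound"
  elif [ "$2" -ne 0 ]; then
    echo "bound-but-broken:$domain"   # the symptom reported above
  else
    echo "healthy:$domain"
  fi
}

# Live check (macOS only): gather real inputs, then classify.
ad_status() {
  show=$(/usr/sbin/dsconfigad -show 2>/dev/null)
  id "$PROBE_USER" >/dev/null 2>&1
  rc=$?
  classify_ad "$show" "$rc"
}

# Constructed sample of `dsconfigad -show` output (modelled on the thread).
SAMPLE_SHOW="Active Directory Forest          = mydomain.org
Active Directory Domain          = mysomething.mydomain.org
Computer Account                 = ComputerID\$"

# When run as an extension attribute, report in Jamf's <result> tags.
if [ "${1:-}" = "--ea" ]; then
  echo "<result>$(ad_status)</result>"
fi
```

A smart group on the "bound-but-broken" value can then trigger the force unbind and rebind policy instead of waiting for a user to report lost wifi or printing.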


We are experiencing this EXACT thing in 2022. Have you found a solution to this (7 years after posting....?)


Hey Adam, looks like I found you on this ancient thread! We are still suffering this issue worse than ever. Did you find a solution or move to Jamf Connect? What's interesting is that our machines are becoming "unbound" they seem to be still bound, but unable to communicate with the domain controller. Still scratching our heads and Apple has no idea.


It still happens periodically, but it's not at epidemic proportions so we just live with it. What Mac OS are you on? We are on 12.5.1 for our entire fleet. I have a theory that it may have to do with a loss of internet blip at the wrong time. Also, we learned the hard way that AD truncates computer names after a certain number of characters (I don't remember how many). So if you have a naming scheme like Building36-Lab3-Computer-1 it will truncate and when you add Building36-Lab3-Computer-2 it will overwrite the AD record for Building36-Lab3-Computer-1 (which was probably stored as Building36-Lab3-Com) and break the AD connection for the first machine. 

 

We tried JAMF connect, but we are a Google school and JAMF connect does not react well to password changes when using Google as the auth source so that was a deal breaker for us. 



That's interesting about the network blip that could be causing that. We manually rebound a bunch of laptops before deployment and found that after they were shut down for an hour and started up again, they weren't communicating with AD again. We use an AD name that is less than 15 characters so we don't run into the truncated name scenario. We are really feeling the pain with the AD stuff now because we rely on it for authenticated printing, lightspeed and getting wifi access of course. 

That is not great to hear about Jamf Connect, because Google would be the next logical step for authentication since we use it for almost everything else here at school.