
Recently I've been running into a problem with Casper binding to AD.
If I try to bind a Mac to AD, and it already has a computer record in AD, it will fail.
This scenario comes up if you are rebuilding a Mac that was bound to AD.
I have "rebound" other Macs in the past. I know it was working back in June using 10.7.x and Casper 8.5.x.
If I manually join using Directory Utility I get the "Join Existing Account?" message. Click OK then it joins it properly.
Here is the policy log.
/usr/sbin/jamf is version 8.63
Executing Policy my.domain.com AD...
Binding eric-ml15 to dockside.benfer.com...
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 1)
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 2)
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 3)
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 4)
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 5)
Error: Giving up on Active Directory binding after 5 attempts.
Running Recon...
Blessing i386 OS X System on /...
Creating Reboot Script...
Thoughts?

@Bhughes So you have your AD binding triggered on enrolment?

Why not scope to a smart group that has directory status "not bound" & the policy is triggered post enrolment?


Thanks for the idea @bentoms. A co-worker was able to solve the issue by removing the AD bind:

/usr/sbin/dsconfigad -remove -force -u a -p a

in our computer naming policy that runs first.



Then created a custom event called "adbind" to run after naming the computer.


If your AD binding account has permission to join an existing account, pipe the yes command. If unbinding did not happen or did not happen correctly, or if the machine account still exists, the system will continue to bind, assuming 'Yes' to "join to existing account".

/usr/bin/yes | /usr/sbin/dsconfigad -add DOMAIN -computer "$(/usr/sbin/scutil --get ComputerName)" -username binduser -password pass -ou "ou=path"
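Putting the two posts above together (unbind a stale local binding first, then bind while answering the "join existing account" prompt), here is an added example script that is not from the thread or from Jamf; DOMAIN, BIND_USER, BIND_PASS and OU are placeholder values, and the `rebind` function only runs when the script is invoked with the argument `run`.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebinds a Mac to AD without
# tripping dsconfigad's "already bound" error: it unbinds a stale local
# binding first, then binds, answering "Join existing account?" with yes.
# Placeholders (assumed; replace with your own): DOMAIN, BIND_USER,
# BIND_PASS, OU. Run as root, e.g. from a Jamf policy script: ./rebind.sh run
DOMAIN="ad.example.com"
BIND_USER="binduser"
BIND_PASS="replace-me"
OU="OU=Macs,DC=ad,DC=example,DC=com"

# Returns 0 when the given `dsconfigad -show` output describes a binding.
# A bound Mac prints "Active Directory Domain = ..."; an unbound one prints nothing.
ad_is_bound() {
    printf '%s\n' "$1" | grep -q 'Active Directory Domain'
}

rebind() {
    show="$(/usr/sbin/dsconfigad -show 2>/dev/null || true)"
    if ad_is_bound "$show"; then
        # -force drops only the local binding; the computer object stays in AD,
        # which is why the -add below is asked whether to join that account.
        /usr/sbin/dsconfigad -remove -force \
            -username "$BIND_USER" -password "$BIND_PASS"
    fi
    # Pass the real computer name: the scutil call must be wrapped in $(...).
    # yes answers the "Join existing account?" prompt so the bind does not hang.
    # Note: the credentials are visible to local users via ps while this runs.
    /usr/bin/yes | /usr/sbin/dsconfigad -add "$DOMAIN" \
        -computer "$(/usr/sbin/scutil --get ComputerName)" \
        -username "$BIND_USER" -password "$BIND_PASS" -ou "$OU"
}

# Only act when invoked with "run", so sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then
    rebind
fi
```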