Monday
I am new to the community. I have a configuration policy for AD binding. The policy has been in place for well over a year. There have been no changes to the Active Directory settings; however, it's giving failing messages. What's causing this?
Wednesday
Have these systems previously been bound to AD? If so, have the objects been removed after the system was wiped? I have seen in the past where a device failed bind, and after deleting the object from AD the bind was completed successfully.
Tuesday
Check that you're able to reach the AD from the Mac; it looks like a network issue.
Tuesday
Can you check and verify that the binding account being used hasn't expired or been locked? Had a similar issue, and resetting the password fixed it.
Tuesday
Think of this as a favor by whatever broke. Friends don't let friends domain-bind Macs.
As far as a serious answer (not that my previous statement was not serious), check the service account you are using for the domain binding. If nothing else changed, and the devices are on a network where they can see the domain, there is a really good chance the credentials expired or were rotated.
Tuesday
Thank you for the suggestion. We haven't made any changes on the AD side recently. It's working on some iMacs, though, and failing on the rest. Could you let me know what the alternative to AD binding is? I understand domain binding is not that reliable.
Wednesday
Apple stopped designing macOS with domain binding in mind over a decade ago; there are all kinds of problems with it in the OS. Apple has moved to modern authentication with PSSO and your IdP of choice (Okta, Entra, etc.). Aside from PSSO, there are other solutions like Jamf Connect and XCreds.
If it's working on your iMacs and not your other devices, I'm guessing it's more network-related. You can put one of your MacBooks in the same location as your iMac and see if it works. Ensure whatever network your other devices are on can see your domain controller; if they can't see the domain controller, they can't domain-join.
Wednesday
And to tag along with removing the object in AD, you may need to force-unbind on the Mac client (if it is bound).
• In Terminal, enter this: dsconfigad -show
• If you get a list of items, it's bound, and you can force-unbind by running in Terminal: sudo dsconfigad -force -remove -u johndoe -p nopasswordhere
Wednesday - last edited Wednesday
I think you need to address that error message and find why the affected machine gives it. That is, why can't it find that server?
For example, is it because it's on a network that has no access to the domain? Does the machine have correct network settings to use the correct DNS servers?
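The two checks suggested in the replies above (is the Mac still bound, and can it actually find and reach a domain controller through the DNS servers it is using) can be scripted so that the same test is run on a working iMac and a failing MacBook and the output compared. The script below is an added example, not code from the thread or from Jamf; it assumes a hypothetical domain example.corp, looks up the standard AD SRV records for LDAP (port 389) and Kerberos (port 88), and relies on the dsconfigad, dig, nc and scutil tools that ship with macOS. The parsing helpers run anywhere; only main() touches the network.

```shell
#!/bin/bash
# Added example (not from the original thread): check AD bind state, DNS,
# SRV discovery and DC reachability from a Mac. Hypothetical domain: example.corp.

# Extract the bound domain from `dsconfigad -show` output.
# A bound Mac prints an "Active Directory Domain = ..." line; an unbound Mac prints nothing.
ad_bound_domain() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*=[[:space:]]*//p' \
      | head -n 1
}

# Turn `dig +short SRV` answers ("priority weight port target.") into
# "target port" lines, lowest priority first, trailing dot removed.
srv_to_hostports() {
    printf '%s\n' "$1" \
      | awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $4, $3 }' \
      | sort -s -n -k1,1 \
      | cut -d ' ' -f 2-
}

# Live lookups; not exercised offline.
dc_srv_records() {   # $1 = AD domain, $2 = service (_ldap or _kerberos)
    dig +short SRV "$2._tcp.dc._msdcs.$1"
}

port_open() {        # $1 = host, $2 = port; 3-second connect timeout
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

main() {
    local domain="${1:-}" show bound name records
    show="$(dsconfigad -show 2>/dev/null)"
    bound="$(ad_bound_domain "$show")"
    if [ -n "$bound" ]; then
        echo "Bound to: $bound (a stale binding can be dropped with: sudo dsconfigad -force -remove -u <user> -p <pass>)"
        domain="${domain:-$bound}"
    else
        echo "Not bound."
    fi
    [ -n "$domain" ] || { echo "usage: AD_CHECK=1 $0 <ad-domain>" >&2; return 2; }

    echo "DNS servers in use:"
    scutil --dns | grep -m 3 'nameserver\['

    for name in _ldap _kerberos; do
        records="$(dc_srv_records "$domain" "$name")"
        if [ -z "$records" ]; then
            echo "FAIL: no SRV records for $name._tcp.dc._msdcs.$domain (wrong DNS servers, or no route to the domain)"
            continue
        fi
        srv_to_hostports "$records" | while read -r host port; do
            if port_open "$host" "$port"; then
                echo "OK   $host:$port"
            else
                echo "FAIL $host:$port unreachable"
            fi
        done
    done
}

# Only run the live checks when asked, e.g.: AD_CHECK=1 ./adcheck.sh example.corp
if [ "${AD_CHECK:-0}" = 1 ]; then
    main "$@"
fi
```

A Mac that reports "Bound to:" but whose SRV lookups fail is usually on a network or DNS configuration that cannot see the domain (the case described above); a Mac where the lookups succeed but the bind still fails points back at the binding account or a stale computer object, the other two causes raised in this thread.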
Thursday
@dlondon @Shyamsundar @AJPinto @obi-k @Jason33 Thank you all for the suggestions. I will continue to troubleshoot it.