AD binding fails

jishelp
New Contributor

I am new to the community. I have a configuration policy for AD binding. The policy has been in place for well over a year. There has been no changes to the Active Directory settings, however its giving failing messages. What's causing this?

jishelp_0-1732000858218.png

 

1 ACCEPTED SOLUTION

Jason33
Contributor III

Have these systems previously been bound to AD? If so, have the objects been removed after the system was wiped? I have seen in the past where a device failed bind, and after deleting the object from AD the bind was completed successfully.

View solution in original post

10 REPLIES 10

Shyamsundar
Contributor

Check your able to reach the AD from the Mac, it looks like a network issue .

I can ping the server from the iMac. Also, when I go to Users & Groups, it
shows as connected to AD.

[image: image.png]


--
Regards,
JIS Helpdesk
Helpdesk Firefly Page
<>
Phone: 2411000 Ext: 1200

--

JamfUser01
New Contributor II

Can you check and verify the binding account which is being used hasn't been expired or locked.  Had a similar issue and changing resetting the password fixed it.

AJPinto
Honored Contributor III

Think of this as a favor by whatever broke. Friends not let friends domain bind Mac’s.

 

As far as a serious answer (not that my previous statement was not serious), check the service account you are using for the domain binding. If nothing else changed, and the devices is on a network where it can see the domain, there is a really good chance the credentials expired or were rotated.

Thank you for the suggestion. We haven't made any changes on the AD side recently. Its working on some iMacs though and failing on the rest. Could you let me know what's the alternate solution to AD binding? I understand domain binding is not that reliable.

AJPinto
Honored Contributor III

Apple stopped designing macOS with domain binding in mind over a decade ago, there are all kinds of problems with it in the OS. Apple has moved to modern authentication with PSSO, and your IDP of choice (Okta, Entra, etc). Aside of PSSO there are other solutions like Jamf Connect and XCreds. 

 

If its working on your iMacs and not your other devices, I'm guessing its more network related. You can put one of your MacBooks in the same location as your iMac and see if it works. Ensure whatever network your other devices are on can see your domain controller, if they cant see the domain controller they cant domain join.

Jason33
Contributor III

Have these systems previously been bound to AD? If so, have the objects been removed after the system was wiped? I have seen in the past where a device failed bind, and after deleting the object from AD the bind was completed successfully.

obi-k
Valued Contributor III

And to tag along with removing the object in AD, you may need to force unbind on the Mac client (if it is bound.)

• In Terminal, enter this: dsconfigad -show

If you get list of items, it's bound. And you can Force Unbind...


• Run in Terminal: sudo dsconfigad -force -remove -u johndoe -p nopasswordhere

dlondon
Valued Contributor

I think you need to address that error message and find why the affected machine gives it.  That is, why can't it find that server? 

For example, is it because it's on a network that has no access to the domain?  Does the machine have correct network settings to use the correct DNS servers?

jishelp
New Contributor

@dlondon @Shyamsundar @AJPinto @obi-k @Jason33  Thank you all for the suggestions. I will continue to troubleshoot it.