AD binding fails

jishelp
New Contributor

I am new to the community. I have a configuration policy for AD binding. The policy has been in place for well over a year. There have been no changes to the Active Directory settings; however, it's giving failing messages. What's causing this?



Shyamsundar
New Contributor III

Check that you're able to reach the AD from the Mac; it looks like a network issue.

I can ping the server from the iMac. Also, when I go to Users & Groups, it shows as connected to AD.

Regards,
JIS Helpdesk

JamfUser01
New Contributor II

Can you check and verify that the binding account being used hasn't expired or been locked? I had a similar issue and resetting the password fixed it.

AJPinto
Honored Contributor III

Think of this as a favor by whatever broke. Friends don't let friends domain-bind Macs.

As far as a serious answer (not that my previous statement was not serious), check the service account you are using for the domain binding. If nothing else changed, and the devices are on a network where they can see the domain, there is a really good chance the credentials expired or were rotated.

Thank you for the suggestion. We haven't made any changes on the AD side recently. It's working on some iMacs though and failing on the rest. Could you let me know what the alternative to AD binding is? I understand domain binding is not that reliable.

AJPinto
Honored Contributor III

Apple stopped designing macOS with domain binding in mind over a decade ago; there are all kinds of problems with it in the OS. Apple has moved to modern authentication with PSSO and your IdP of choice (Okta, Entra, etc.). Aside from PSSO there are other solutions like Jamf Connect and XCreds.

If it's working on your iMacs and not your other devices, I'm guessing it's more network related. You can put one of your MacBooks in the same location as your iMac and see if it works. Ensure whatever network your other devices are on can see your domain controller; if they can't see the domain controller they can't domain join.

Jason33
Contributor III

Have these systems previously been bound to AD? If so, have the objects been removed after the system was wiped? I have seen in the past where a device failed bind, and after deleting the object from AD the bind was completed successfully.

obi-k
Valued Contributor III

And to tag along with removing the object in AD, you may need to force unbind on the Mac client (if it is bound.)

• In Terminal, enter this: dsconfigad -show

If you get a list of items, it's bound. And you can Force Unbind...

• Run in Terminal: sudo dsconfigad -force -remove -u johndoe -p nopasswordhere

dlondon
Valued Contributor

I think you need to address that error message and find out why the affected machine gives it. That is, why can't it find that server?

For example, is it because it's on a network that has no access to the domain?  Does the machine have correct network settings to use the correct DNS servers?
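The replies above each point at one possible cause: the Mac can't see the domain (Shyamsundar, AJPinto, dlondon), the bind service account has expired or been rotated (JamfUser01, AJPinto), or a stale computer object is left in AD and the client is still bound to it (Jason33, obi-k). The script below is an added example, not code posted in this thread or shipped by Jamf, that walks those checks in order on one Mac from Terminal. It assumes placeholder values for DOMAIN and BIND_USER, that the Mac's computer object is named after its short hostname, and that dig, nc, kinit and ldapsearch (with SASL GSSAPI support) are the versions shipped with macOS. The Kerberos step prompts for the bind account's password interactively, so it tells you whether the account itself is still usable, not whether the credentials stored in the Jamf policy match it.

```shell
#!/bin/bash
# Added example (not from the thread): AD bind triage for one Mac.
# Run in Terminal as:   sudo bash ad-bind-triage.sh --run
# Assumptions (placeholders to replace): DOMAIN and BIND_USER below; dig, nc,
# kinit and ldapsearch as shipped with macOS; computer object named after hostname.

DOMAIN="${DOMAIN:-corp.example.com}"    # assumed AD DNS domain
BIND_USER="${BIND_USER:-svc-macbind}"    # assumed bind service account from the policy
PORTS="88 389 445 464"                  # Kerberos, LDAP, SMB, kpasswd: all used by a bind

# Current bind state. Reads `dsconfigad -show` output on stdin and prints the bound
# domain; returns 1 if the Mac is not bound (the command prints nothing in that case).
bound_domain() {
    local d
    d=$(sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
    [ -n "$d" ] && printf '%s\n' "$d"
}

# DC hostnames from the SRV records a Mac must resolve before it can bind:
#   dig +short SRV _ldap._tcp.dc._msdcs.<domain>   ->  "0 100 389 dc1.corp.example.com."
# Reads that output on stdin and prints one hostname per line (trailing dot removed).
dc_hosts_from_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# "corp.example.com" -> "DC=corp,DC=example,DC=com", the LDAP search base for the domain.
base_dn() {
    printf '%s\n' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# Can this Mac open the bind ports on a given DC? Prints one line per port, returns 1 if any is closed.
check_dc_ports() {
    local host=$1 p ok=0
    for p in $PORTS; do
        if nc -z -w 3 "$host" "$p" >/dev/null 2>&1; then
            echo "  $host:$p open"
        else
            echo "  $host:$p BLOCKED or host down"; ok=1
        fi
    done
    return $ok
}

main() {
    local bound dcs dc realm
    echo "== 1. Bind state (dsconfigad -show)"
    if bound=$(dsconfigad -show | bound_domain); then
        echo "  bound to $bound"
        echo "  (if the computer object was deleted in AD, force-unbind first: sudo dsconfigad -force -remove -u <user> -p <password>)"
    else
        echo "  not bound"
    fi

    echo "== 2. DNS: SRV records for $DOMAIN via this Mac's configured resolvers (see scutil --dns)"
    dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.$DOMAIN" | dc_hosts_from_srv)
    if [ -z "$dcs" ]; then
        echo "  no SRV records: this network's DNS does not serve the AD zone, so the bind cannot find a DC"
        return 1
    fi
    echo "$dcs" | sed 's/^/  /'

    echo "== 3. Reachability of each DC on the bind ports ($PORTS)"
    for dc in $dcs; do check_dc_ports "$dc" || true; done

    echo "== 4. Bind account credentials (Kerberos). Enter the password used in the policy."
    realm=$(printf '%s' "$DOMAIN" | tr '[:lower:]' '[:upper:]')
    if kinit "$BIND_USER@$realm"; then
        echo "  ticket obtained: the account is not expired, locked or renamed"
    else
        echo "  kinit failed: the account or its password is the problem, not the network"
        return 1
    fi

    echo "== 5. Existing computer object for this Mac (a stale one can block a re-bind)"
    ldapsearch -LLL -H "ldap://$(echo "$dcs" | head -n 1)" -Y GSSAPI -b "$(base_dn "$DOMAIN")" \
        "(sAMAccountName=$(hostname -s)\$)" dn 2>/dev/null
}

# Only the explicit --run flag executes the checks; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then main "$@"; fi
```

Steps 2 and 3 separate the two network failures the thread conflates: a Mac can ping a DC by name and still have no AD SRV records on its current DNS servers, and it can resolve the DC and still be blocked on 88/389/445/464 by a firewall between that VLAN and the domain. If step 4 fails on every Mac, the policy's stored credentials are stale; if it succeeds but step 5 shows an object for a machine that was wiped, delete that object (or force-unbind the client) before re-running the policy.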