AD binding "lost" after a year or two....have to rebind

New Contributor

Does anyone else have this problem?

We have fleets of MacBooks deployed in carts all across our schools. Users complain of very flaky authentication and wireless network connectivity (Meraki wireless). I was troubleshooting this and it looks like the DNS isn't updating properly. Our DNS is also on an Active Directory server. This seems to be happening to laptops with an AD binding that is over 1 or two years old.

I remember this being an issue years ago but it's resurfacing again. The only workaround I can find is to rename the computer (I append an "x" to the end of the computer name) and then force an unbind and then rebind to the domain. Once this happens, students can log on w/ their AD accounts without issue.

Can anyone explain to me why this is occurring? I have a suspicion it has to do with the age of the computer account, but I can't find anything in my AD settings that can confirm this.


Valued Contributor

@kateswist Also in K-12, use Meraki access points, but I have not seen this. How is your wireless configured? Profiles? As far as the age of the account, not sure if you mean on the AD side, but our students keep the same account from 6th-12th. The only time anything is "changed" is when we move to new hardware, so I'm not sure if that's the issue. If it's DNS then that may be on the AD side.

Contributor III

Hi @kateswist

By default, the computers will try and rotate their AD computer object password every 14 days. If this doesn't work (or the device doesn't contact the AD domain within this time) then it is common for the Macs to 'lose' their AD binding.

You can adjust the password change interval using the command below (remove sudo if running this in a script as root / triggered by a Casper policy):
sudo dsconfigad -passinterval 0
Replace 0 with the number of days you wish to set this at, or leave it at 0 to have the computer never need to update its object password.

Hope that helps!
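An added example, not part of the original post: a small audit helper that reads the password change interval from `dsconfigad -show` output so a fleet check can report which Macs still rotate their computer object password and which have rotation turned off. The sample output and the function names `pass_interval` and `classify_binding` are constructed for illustration, and treating a missing interval line as "not bound" is an assumption.

```shell
#!/bin/sh
# Added example: report the AD computer-password rotation setting of a Mac
# by parsing the text printed by `dsconfigad -show`.

# Constructed, abridged sample of `dsconfigad -show` output for offline runs.
SAMPLE_SHOW='Active Directory Forest          = example.org
Active Directory Domain          = example.org
Computer Account                 = cart01-mac07$

Advanced Options - Administrative
  Packet signing                 = allow
  Password change interval       = 14
  Namespace mode                 = domain'

# Print the value of the "Password change interval" line read from stdin.
pass_interval() {
    awk -F'=' '/Password change interval/ {
        gsub(/[ \t]/, "", $2); print $2; exit
    }'
}

# Classify one machine from its `dsconfigad -show` text (first argument).
classify_binding() {
    days=$(printf '%s\n' "$1" | pass_interval)
    case $days in
        '')       echo "no-interval" ;;        # assumption: machine is not bound
        0)        echo "rotation-disabled" ;;  # object password never changes
        *[!0-9]*) echo "unparsed" ;;           # unexpected value, check by hand
        *)        echo "rotation-${days}d" ;;
    esac
}

# On a Mac, use the live setting; elsewhere fall back to the sample.
if command -v dsconfigad >/dev/null 2>&1; then
    classify_binding "$(dsconfigad -show)"
else
    classify_binding "$SAMPLE_SHOW"
fi
```

Run from a management policy, the one-word result can be collected per machine to see where the interval was changed from the default.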


New Contributor

Thanks Darren, we will try that. I appreciate it.