Help

AD binding "lost" after a year or two....have to rebind

kateswist
New Contributor

Posted on ‎09-26-2016 02:29 PM

Does anyone else have this problem?

We have fleets of MacBooks deployed in carts all across our schools. Users complain of very flakey authentication and wireless network connectivity (meraki wireless). I was troubleshooting this and it looks like the DNS isn't updating properly. Our DNS is also on a Active Directory server. This seems to be happening to laptops with a AD binding that is over 1 or two years old.

I remember this being an issue years ago but its resurfacing again. The only workaround I can find is to rename the computer (I append an "x" to the end of the computer name) and then force an unbind and then rebind to the domain. Once this happens, students can log on w/ their AD accounts without issue.

Can anyone explain to me why this is occurring? I have a suspicion it has to do with the age of the computer account, but I can't find anything in my ad settings that can confirm this.

0 Kudos
3 REPLIES 3

Nix4Life
Valued Contributor

Posted on ‎09-26-2016 03:16 PM

@kateswist also in K-12, use meraki access points, but I have not seen this. How is your wireless configured? profiles? as far as the age of the account, not sure if you mean on the AD side, but our students keep the same account from 6th-12th. the only time anything is "changed" is when we move to new hardware, so I'm not sure if that's the issue. If it's DNS them that may be on the AD side

0 Kudos

daz_wallace
Contributor III

Posted on ‎09-27-2016 12:30 AM

Hi @kateswist

By default, the computers will try and rotate their AD computer object password every 14 days. If this doesn't work (or the device doesn't contact the AD domain within this time) then it is common for the Macs to 'loose' their AD binding.

You can adjust the password change interval using the command below (remove sudo if running this in a script as root / triggered by a Casper policy):
sudo dsconfigad disable -passinterval 0
Replace 0 with the number of days you wish to set this at, or leave it at 0 to have the computer never need to update its object password.

Hope that helps!

Darren

0 Kudos

kateswist
New Contributor

Posted on ‎09-27-2016 09:57 AM

Thanks Darren, we will try that. I appreciate it.

Katie

0 Kudos