AD Rebind Self Service policy "Fails" but works...

hkabik
Valued Contributor

Anyone have any idea how I can fix this?

I have a Self Service policy for AD bind issues: it first runs a script that does a forced unbind, then it applies the Directory Binding from the JSS.

Every time I run it, it throws up a failed message, but when you check... it actually succeeded and bound the machine perfectly.

Here's the policy log from one such event:

Executing Policy AD Re-Bind...
[STEP 1 of 2]
Running script Force Un-Bind...
Script exit code: 0
Script result:
[STEP 2 of 2]
Binding usernamemac to domain.foo.local...
An error occurred binding to Active Directory: . (Attempt 1)
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 2)
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 3)
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 4)
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 5)
Error: Giving up on Active Directory binding after 5 attempts.

Anything I can try? Since it works, it's really just an annoyance factor of throwing up that failed message, so I never really know if it did or did not fail unless I double-check it.


kwr33v35
New Contributor

We don't try to unbind because it takes a while to replicate to all of the AD servers. We run a script to check to see if it is bound and if not, calls another policy manually to bind. If it is bound, we log that and quit.

hkabik
Valued Contributor

The problem that we are running into that actually spawned this is occasional Macs which show as bound in dsconfigad and in Directory Utility but are actually not communicating with the domain. So we have to force the unbind in order to force the rebind... since they think they are bound.

davidacland
Honored Contributor II

The error is most likely due to the computer object already existing in AD. The force unbind leaves it behind, as it can't communicate with the domain controller.

I think @mm2270 has a script that checks for connectivity and rebinds that he's posted on jamfnation somewhere.

sean
Valued Contributor

As @kwr33v35 mentioned, if you have multiple AD servers, then unless you hit the same AD server for the re-bind, you will get a message that you are still bound until replication has taken place.

Perhaps it's worth finding out the actual issue, rather than trying to bypass it.

DNS could be an issue; do you have good forward and reverse DNS, with no duplication, on the machines that aren't working correctly, for example?

There are a bunch of tips in Apple's doc, e.g. running 'dig', and you can even check which AD server you contacted and also choose which server to bind against.

http://www.training.apple.com/pdf/wp_integrating_active_directory_yosemite.pdf
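A check along the lines the replies describe (is the Mac bound at all, can it actually resolve a domain account, and are domain controllers discoverable in DNS) before deciding whether to skip, bind, or force-unbind and rebind. This is an added example, not a script from this thread and not mm2270's script. It assumes the domain name domain.foo.local from the posted log, a known domain account in AD_TEST_USER, and a JSS bind policy with the custom trigger "adbind" (all placeholders); the dsconfigad and dig outputs inside demo() are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread or from mm2270: decide whether a Mac is
# (a) bound, (b) actually talking to the domain, and (c) able to find a DC in
# DNS, before choosing between skip / bind / force-unbind-then-bind.
# The sample dsconfigad and dig outputs in demo() are constructed.

AD_DOMAIN="${AD_DOMAIN:-domain.foo.local}"   # assumption: target domain (from the log)
AD_TEST_USER="${AD_TEST_USER:-adtestuser}"   # assumption: any real domain account
BIND_TRIGGER="${BIND_TRIGGER:-adbind}"       # assumption: custom trigger on the JSS bind policy

# Domain name from `dsconfigad -show` (stdin). An unbound Mac prints nothing,
# so this prints an empty string in that case.
ad_domain_from_show() {
    sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*= *//p' | head -n 1
}

# Number of DC records in `dig _ldap._tcp.dc._msdcs.DOMAIN SRV +short` (stdin).
# Each record is "priority weight port target.", i.e. four fields.
srv_dc_count() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# Plan from the three facts. Arguments: dc_count, bound (yes|no), lookup_ok (yes|no).
ad_plan() {
    _dcs="$1"; _bound="$2"; _lookup="$3"
    if [ "$_dcs" -eq 0 ]; then
        echo "abort-no-dc"             # no DC in DNS: a bind cannot succeed either
    elif [ "$_bound" = "no" ]; then
        echo "bind"
    elif [ "$_lookup" = "yes" ]; then
        echo "skip"                    # bound and talking to the domain: leave it alone
    else
        echo "force-unbind-then-bind"  # bound on paper only
    fi
}

# Live run on a Mac (needs root). Kept behind --run so the file can be sourced.
main() {
    domain="$(dsconfigad -show | ad_domain_from_show)"
    if [ -n "$domain" ]; then bound=yes; else bound=no; domain="$AD_DOMAIN"; fi
    dcs="$(dig "_ldap._tcp.dc._msdcs.$domain" SRV +short | srv_dc_count)"
    # id resolves through Directory Services; it fails when no DC is reachable,
    # even if dsconfigad still reports the Mac as bound.
    if id -u "$AD_TEST_USER" >/dev/null 2>&1; then lookup=yes; else lookup=no; fi
    plan="$(ad_plan "$dcs" "$bound" "$lookup")"
    echo "domain=$domain dcs=$dcs bound=$bound lookup=$lookup plan=$plan"
    case "$plan" in
        abort-no-dc) exit 1 ;;
        skip)        exit 0 ;;
        force-unbind-then-bind)
            # -force never contacts the DC, so the credentials are placeholders and
            # the computer object stays in AD (delete it there if the bind still fails).
            dsconfigad -remove -force -u unused -p unused ;;
    esac
    # Bind through the JSS policy so the bind account's password never sits in this script.
    jamf policy -event "$BIND_TRIGGER"
}

# Constructed sample outputs, so the parsing can be exercised off a Mac.
demo() {
    show='You are bound to Active Directory:
    Active Directory Forest          = domain.foo.local
    Active Directory Domain          = domain.foo.local
    Computer Account                 = usernamemac$'
    srv='0 100 389 dc1.domain.foo.local.
0 100 389 dc2.domain.foo.local.'
    d="$(printf '%s\n' "$show" | ad_domain_from_show)"
    n="$(printf '%s\n' "$srv" | srv_dc_count)"
    echo "constructed sample: domain=$d dcs=$n plan=$(ad_plan "$n" yes no)"
}

case "${1:-}" in
    --run) main ;;
    *)     demo ;;
esac
```

Run it as root from the policy with `sh adcheck.sh --run`; the one-line summary it echoes ends up in the policy log, so the log states why the Mac was or was not unbound. A "skip" exits 0 without touching a working bind, which is the case kwr33v35 describes, and the force path is only taken for the "bound but not communicating" Macs hkabik describes; as davidacland notes, `-force` leaves the computer object behind in AD.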