Question

AD Rebind Self Service policy "Fails" but works...

  • August 12, 2015
  • 4 replies
  • 52 views


Anyone have any idea how I can fix this?

I have a self service policy for AD bind issues, it first runs a script that does a forced unbind then it applies the Directory Binding from the JSS.

Every time I run it, it throws up a failed message but when you check... it actually succeeded and bound the machine perfectly.

Here's the policy log from one such event:

Executing Policy AD Re-Bind...
[STEP 1 of 2]
Running script Force Un-Bind...
Script exit code: 0
Script result:
[STEP 2 of 2]
Binding usernamemac to domain.foo.local...
An error occurred binding to Active Directory: . (Attempt 1)
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 2)
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 3)
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 4)
An error occurred binding to Active Directory: dsconfigad: This computer is already 'bound' to Active Directory. You must 'unbind' with '-remove' first. (Attempt 5)
Error: Giving up on Active Directory binding after 5 attempts.

Anything I can try? Since it works it's really just an annoyance factor of throwing up that failed message so I never really know if it did or did not fail unless I double check it.

4 replies

  • New Contributor
  • August 12, 2015

We don't try to unbind because it takes a while to replicate to all of the AD servers. We run a script to check to see if it is bound and if not, calls another policy manually to bind. If it is bound, we log that and quit.


  • Author
  • Honored Contributor
  • August 12, 2015

The problem that we are running into that actually spawned this are occasional Macs which show as bound in dsconfigad and in Directory Utility but are actually not communicating with the domain. So we have to force the unbind in order to force the rebind... since they think they are bound.


davidacland
  • Valued Contributor
  • August 12, 2015

The error is most likely due to the computer object already existing in AD. The force unbind leaves it behind as it can't communicate with the domain controller.

I think @mm2270 has a script that checks for connectivity and rebinds that he's posted on jamfnation somewhere.
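A pre-check script for the Step 1 "Force Un-Bind" half of the policy, as an added example that is neither the poster's script nor the one @mm2270 is said to have posted: it parses `dsconfigad -show` to decide bound state, probes the AD node the way the replies above describe, and after a forced unbind refuses to exit 0 while the Mac still reports as bound. It assumes macOS with `dsconfigad`/`dscl`, Jamf script parameters `$4`/`$5` for the unbind account, and a placeholder probe account `TEST_USER`.

```shell
#!/bin/sh
# Added example, not the poster's script or Jamf's code: a pre-bind check for
# Step 1 of the policy above. It unbinds only when the Mac is bound but the
# directory no longer answers, then confirms the unbind took effect before
# exiting 0, so Step 2 never runs against a machine that is still bound.
# Assumptions: macOS with dsconfigad/dscl; $4/$5 are Jamf script parameters
# holding an account allowed to remove the computer object; TEST_USER is a
# placeholder AD account used to probe the directory.
TEST_USER="${TEST_USER:-ad.probe.user}"   # placeholder, not a real account
# Extract the bound domain from `dsconfigad -show` text ($1); empty if unbound.
bound_domain() {
    printf '%s\n' "$1" |
        awk -F' = ' '/^Active Directory Domain/ { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# Probe the live AD node ($1 = NetBIOS node name, assumed to be the first entry of
# `dscl localhost -list "/Active Directory"`); unlike `id`, this is not satisfied
# by a cached mobile account, so it only succeeds if the directory answers.
ad_reachable() {
    dscl "/Active Directory/$1/All Domains" -read "/Users/$TEST_USER" RecordName >/dev/null 2>&1
}
# Map (bound domain, reachable 0/1) to an action: bind | ok | rebind.
decide_action() {
    if [ -z "$1" ]; then echo bind
    elif [ "$2" -eq 1 ]; then echo ok
    else echo rebind
    fi
}

main() {
    domain=$(bound_domain "$(dsconfigad -show)")
    reachable=0
    if [ -n "$domain" ]; then
        node=$(dscl localhost -list "/Active Directory" 2>/dev/null | head -n 1)
        ad_reachable "$node" && reachable=1
    fi
    case "$(decide_action "$domain" "$reachable")" in
        ok)   echo "Bound to $domain and responding; nothing to do" ;;
        bind) echo "Not bound; leaving the bind to the Directory Binding step" ;;
        rebind)
            echo "Bound to $domain but the directory is not responding; forcing unbind"
            dsconfigad -remove -force -u "$4" -p "$5"
            # Fail loudly if the Mac still reports as bound, instead of the silent
            # "Script exit code: 0" seen in the policy log above.
            [ -z "$(bound_domain "$(dsconfigad -show)")" ] ||
                { echo "Unbind did not take effect; aborting before the bind step"; exit 1; } ;;
    esac
}
# Only run where dsconfigad exists; the functions above stay usable on their own.
command -v dsconfigad >/dev/null 2>&1 && main "$@"
```

With this in Step 1, the "already bound" retries in Step 2 become a real Step 1 failure in the policy log rather than a false alarm after a successful bind.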


  • Contributor
  • August 12, 2015

As @kwr33v35 mentioned, if you have multiple AD servers, then unless you hit the same AD server for the re-bind, until replication has taken place you will get a message that you are still bound.

Perhaps it's worth finding out the actual issue, rather than trying to bypass it.

DNS could be an issue, do you have good forward and reverse DNS with no duplication on machines that aren't working correctly for example?

There are a bunch of tips in Apple's doc, e.g. running 'dig' and you can even check which AD server you contacted and also choose which server to bind against.

http://www.training.apple.com/pdf/wp_integrating_active_directory_yosemite.pdf