Adding Computers to AD - Scripting Issues and Questions

joemamasmac
New Contributor III

Good Morning All,

I am in the process of switching from OD to AD. My first task is to get newly imaged machines to start joining AD rather than OD. The way I was thinking about doing the domain join was with a script rather than using Caspers built in method. Currently in OD I have each lab on my campus set-up as a folder, and all office machines go into just 1 folder. When I move to AD, I could get that granular and separate out each lab, but I don't think I need to since nothing will really be managed in AD. All profiles will move to Casper Management so my thought was to do 2 folders, Offices and Labs. This brings me to a couple of questions.

First off I found this script referenced on the forums and thought it would be a good starting point.

#!/bin/sh

HOSTNAME=`scutil --get HostName`
U='your_service_account'
P='service_account_pword'
DOMAIN='your_domain'
OU='OU_for_the_macs'

echo $HOSTNAME

/usr/sbin/dsconfigad -f -a "$HOSTNAME" -u "$U" -p "$P" -ou "$OU" -domain "$DOMAIN"

I have been trying to test the script and keep getting an error though when I plug in all of the correct variables. ERROR MESSAGE:" dsconfigad: Computer name must be less than 15 characters."
I checked, and our naming convention is 123456-om for Offices and 123456-lm for labs. The machines hostname that I am testing with is not 15 characters, so why am I getting this error?

The second question I have would be in regards to imaging office machine vs lab machines. I would like office machines to go to one OU based on the -om and lab machines to populate to another ou based on the -lm. Does anyone have any suggestion as to how I can do this?

Thanks for any suggestions.

Joe

10 REPLIES 10

mm2270
Legendary Contributor III

You're getting that error because the command to pull the Mac name is actually pulling the hostname, which is typically the computer name PLUS the domain name, like "domain.company.com" So in your above case, a Mac name its trying to bind with might be something like "123456-om.domain.company.com"

Switch this line in the script:

HOSTNAME=`scutil --get HostName`

To:

HOSTNAME=`scutil --get ComputerName`

And that should work better.

Regarding the second question, if you're naming convention is pretty solid as you've outlined, you can dynamically set the OU in the script based on the computer name that gets pulled. Just off the cuff, something like this might work. I did not test this at all-

HOSTNAME=`scutil --get ComputerName`
HOSTNAME_EXT=`echo "$HOSTNAME" | cut -d- -f2`

if [[ "$HOSTNAME_EXT" == "om" ]]; then
      OU="OM_OU"   ## Set the actual OM OU here
elif [[ "$HOSTNAME_EXT" == "lm" ]]; then
      OU="LM_OU"    ## Set the actual LM OU here
else
      OU="Something else"   ## You can set an OU here that it should go to if it fails to meet either above criteria
fi

alexjdale
Valued Contributor III

Hmm, not sure if your arguments are correct (or they are deprecated but still working?). I do all of our joins with a Cocoa app I wrote in Xcode that calls shell scripts for things like the join. Here is how ours looks, basically:

dsconfigad -add $domain -computer $hostname -username $username -password $password -ou $ou

mm2270
Legendary Contributor III

Hmm, @alexjdale is likely correct. I hadn't looked that closely at the rest of your script once I saw the hostname issue, but your syntax and flags don't look correct to me either. I would use what he posted as an example.
But the same thing applies to grabbing the Mac name, don't get the hostname, get the computer name instead.

alanmcseveney
New Contributor

If you are not doing anything clever in regards to destination OU's, why not use the built-in AD binding plugin in the JSS, and make one policy for Offices and another for Labs? What does using a script gain you?

joemamasmac
New Contributor III

Thanks for the responses everyone and the suggestions on the script. I will test it in my environment and let you know what I get.

As for why I don't want to use the Jamf Built in options, I've been told by some that they have had issues with using the Jamf Built in bindings. In addition, I only want to bind users to AD for new installs and re-images. I don't know how I would manage the multiple OU's scenario and placing specific machines in specific OU's if I started using Jamf to do the binding. I am however open to suggestions..

I also have not come up with a plan yet on how we are going to handle existing users on OD and migrate them to AD. We could wait until their machines are imaged or replaced. I have seen some scripts available to remove machines from OD, but then once you add them to AD there are permission issues on the home directories.

Joe

asegura
Contributor

Hello Joe I use the built-in JAMF binding and have no issues. My company has about 20 different O/U in AD. What I have done is create a separate binding for each location and name is accordingly so the tech that is imaging knows what binding to use. I have no ran into any issues doing that. I have the JAMF binding move the computer to that O/U and its been flawless. I don't see a point in using a script myself when JAMF is doing the job. Thats just my 2 cents. Take what you like and leave the rest.

bentoms
Release Candidate Programs Tester

@joemamasmac, i'd like to echo @asegura's experience with the JAMF AD Binding.. it works for me... has done since v5 in various environments.

mm2270
Legendary Contributor III

I guess to each his own. In your case @joemamasmac, you could probably use the built in JSS AD binding, although to be fair, there are sometimes issues with it, which leads some folks to go the scripting route. So while what you heard isn't necessarily wrong, it may all depend on your environment. There are still valid reasons one could use a script instead, In our case, we don't image with Casper Imaging, still using DeployStudio here and so a script is the way we do it. Also, scripting it allows you to set a couple of additional items during binding that the JSS binding doesn't give you a GUI for I believe, but that depends on your needs.

As others have mentioned you could create separate binding configs and just use the one you need at any given time or put them into different Casper Admin imaging configurations. But, if your naming convention is very standard and strict, I don't see a reason you can't script it and use a single script that will put the Mac into the correct AD OU. Less clutter or worry that someone may accidentally bind a Mac to the wrong OU that way. Just my 2¢ on this.

gachowski
Valued Contributor III

Or another idea, because I don't trust my scripting. I use Casper code from the 1st run script for my binding.

Bind to AD from jamf
/usr/sbin/jamf bind -type ad -domain 'XXXXXXXXt' -username "xusernamex" -passhash “XXXXXXXXXXXXXXXXX” -ou "CN=Computers,DC=XXXXX,DC=XXX” -mountStyle smb -uid "uidNumber" -cache -multipleDomains -localHomes -useUNCPath -shell none

joemamasmac
New Contributor III

Thanks again to everyone for the suggestions. I think I am on board with trying JAMF's built in binding option, but I want to run my process by everyone to see if they have any suggestions.

Currently we image each and every Mac that comes through the door using netboot and pushing a monolithic image. So far there are not tons of customizations in the initial image, mostly wiping out the dock for the dock template to just have a few items and setting up some security settings for remote access.

After the machine is done imaging, I will have 2 pre-canned bindings set-up, 1 for labs and 1 for Offices. Machines would then populate to smart groups that have my criteria for office naming and lab naming. I am thinking this should be fairly easy and I could then set-up 2 policies to be run once per computer,(for either office or labs) and the trigger being enrollment complete to execute the binding. Would this cover new and existing machines if the existing machine has been re-imaged?

Joe