Automatic AD rebinding on 10.6.x - how to tell AD binding to try mult. times?

rtrouton
Release Candidate Programs Tester

We had some problems with AD last week. Since then, we've started seeing a large number of our 10.6.x Macs come unbound from our AD domain.

To help address this, we've set up a smart group on our JSS to detect unbound Macs. We're also using a procedure for remotely connecting to the affected Macs via SSH and manually unbinding/rebinding.

I'd like to automate this, but another symptom of our problems seems to be that it now takes up to three or four rebind attempts to rebind Macs to AD. (This is also new, before it would succeed on the first try.)

While I'm working on the root cause, what's the best way to set a policy to rebind our Macs to AD via Casper, where the bind process is trying as many times as needed to rebind the Mac?


NowAllTheTime
Contributor III

Build a Smart Group for Macs not bound to AD (OS Configuration Information > Active Directory Status > is > Not bound), and set up a policy scoped to this group that does your binding and runs an "update inventory". Set the execution frequency to ongoing. If the bind is successful the machine should fall out of the Smart Group and stop running the policy; if it is not successful then the policy should run again at the next every15 trigger. It will try again, and again, at every trigger until it is no longer in the smart group. Once the smart group shrinks down you can address the remaining problem machines that refuse to successfully run the policy as manual one-offs.

I hope that helps!

Jason Butler
Mac System Administrator
Cincinnati Children's Hospital Medical Center

Matt
Valued Contributor

Set up binding as a policy and then just check the policy logs. The logs will give you the exact error message. I have used this many times to dissect issues. Always good to have a smart group automatically binding unbound machines as stated above.

mm2270
Legendary Contributor III

I would approach this with a while/do bash script in the policy. I wouldn't necessarily want my unbound Macs (if I had a situation like this) to keep submitting inventory on the every 15 check in. We use a boatload of Extension Attributes in addition to all the other inventory items (Software Update check, etc) so it would put some unnecessary load on both clients and server.

I haven't worked out anything exact, but just thinking quickly, something like this may get you in the right direction:

#!/bin/sh

# dsconfigad -show prints a line like "Active Directory Domain = corp.yourdomain.com";
# the fifth whitespace-separated field is the domain. Empty output means "not bound".
BindStat=$(dsconfigad -show | awk '/Directory Domain/{print $5}')

# Quote the variable so an empty BindStat does not break the test, and re-read it
# after every attempt so the loop actually exits once the bind has succeeded.
while [ "$BindStat" != "corp.yourdomain.com" ]; do
    jamf bind  # (bind stuff goes here)
    echo "Mac is not bound to AD. Trying again in 10..."
    sleep 10
    BindStat=$(dsconfigad -show | awk '/Directory Domain/{print $5}')
done
echo "Mac was bound to AD successfully"

jamf recon

Note that I haven't tested this because I don't have systems that are having trouble binding.
But with the above, only the systems that have successfully been bound will do the inventory report if my syntax is correct, which is what you really want. The script will continue to try the bind operation until it's successful. The 'jamf recon' at the end will pull the Mac out of the Smart Group, and out of the scope of your policy.

I put the sleep in there just to give a few seconds between each attempt, but again, I can't really test this to see if it's even necessary. You may want to increase or decrease this based on the results you see.

Lastly, you didn't mention if the multiple tries was when doing the bind via the GUI or through a script, so I have no idea if the above will work, but it should.
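A fuller version of the retry loop mm2270 sketches above, added here as an example and not code from any post in this thread: it re-checks the bind after every attempt, caps the number of attempts so a Mac that can never bind does not loop forever, and only reports inventory on success. It assumes `dsconfigad -show` prints a line of the form `Active Directory Domain = corp.yourdomain.com`, and the bind command itself (the `jamf bind` options your site needs) is passed in as arguments rather than hard-coded.

```shell
#!/bin/sh
# Added example: bounded AD rebind loop for a Jamf policy script.

EXPECTED_DOMAIN="corp.yourdomain.com"   # assumption: your AD domain as dsconfigad reports it
MAX_ATTEMPTS=5                          # give up after this many bind attempts
RETRY_DELAY=10                          # seconds between attempts

# Read `dsconfigad -show` output on stdin and print the bound domain, or nothing
# if the "Active Directory Domain" line is absent (i.e. the Mac is not bound).
bound_domain() {
    awk -F'=' '/Active Directory Domain/ {
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2 }'
}

# Succeed only when the Mac is bound to the expected domain.
is_bound() {
    [ "$(dsconfigad -show 2>/dev/null | bound_domain)" = "$EXPECTED_DOMAIN" ]
}

# Run the bind command given as arguments until is_bound succeeds or the
# attempt cap is reached. Returns 0 when bound, 1 when it gave up.
bind_with_retry() {
    attempt=1
    while ! is_bound; do
        if [ "$attempt" -gt "$MAX_ATTEMPTS" ]; then
            echo "Giving up: still not bound to $EXPECTED_DOMAIN after $MAX_ATTEMPTS attempts" >&2
            return 1
        fi
        echo "Attempt $attempt: Mac is not bound to $EXPECTED_DOMAIN, binding..."
        "$@" || echo "bind command exited with status $?" >&2
        attempt=$((attempt + 1))
        is_bound && break          # no need to sleep once the bind has taken
        sleep "$RETRY_DELAY"
    done
    echo "Mac is bound to $EXPECTED_DOMAIN"
    return 0
}

# On a real client the policy would call, for example:
#   bind_with_retry jamf bind <your bind options> && jamf recon
# so `jamf recon` (which drops the Mac out of the Smart Group) runs only on success.
```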