Best way to set search domain?

mm10
New Contributor

In order for our systems to bind to AD and map network drives they need to have a specific search domain set (e.g. company.com) and we do this via an 'initial system settings' script which runs when a system first enrolls.

However, we find that the relevant search domain doesn't always get set, causing the system to not get bound and/or not map network drives and we get into a bit of a tangle trying to resolve this (most of our policies run at Enrolment time) after the event, using Casper Remote.

Can anybody walk me through the best way to address this, would it be via a smart group and policy?

12 replies

AVmcclint
Honored Contributor

You should be able to set this up in your DHCP server. You don't want to hard code search domains on the computers if you have laptops that connect to other networks.

cmarker
Contributor

Script that runs:

#!/bin/sh
networksetup -setsearchdomains Ethernet YOURDOMAIN.COM

Have that as an Enrollment policy, then maybe call the rest of your policies after with a custom trigger.

rlandgraf
Contributor

This is the script I run to set it for any Wi-Fi or Ethernet port, in case it uses Thunderbolt Ethernet.

#!/bin/bash
## Sets search domains on every Ethernet or Wi-Fi service (the commented-out else branch disables any other service)
#hardwarePorts=`networksetup -listallnetworkservices | grep -B 1 Device | grep -vE 'Device|^--$' | cut -d ":" -f2 | sed -e 's/^[ 	]*//'`
hardwarePorts=$(networksetup -listallnetworkservices | tail -n +2)   # drop the "An asterisk (*) denotes..." header line
OLDIFS=$IFS
IFS=$'\n'   # split on newlines only, so service names containing spaces stay whole
for i in $hardwarePorts; do
    #echo "$i"

    if [[ "$i" == *Ethernet* ]] || [[ "$i" = "Wi-Fi" ]]; then
        echo "$i"
        networksetup -setsearchdomains "$i" YourDomains.com
    #else networksetup -setnetworkserviceenabled "$i" off
    fi

done
IFS=$OLDIFS

DBrowning
Valued Contributor II

I use this script to set mine. It sets the search domains on the primary adapter.

#!/bin/sh
# Query a key from the System Configuration store and print its dictionary
scutil_query()
{
    key=$1

    scutil <<EOT
open
get $key
d.show
close
EOT
}

# GUID of the primary service (the one carrying the default route)
SERVICE_GUID=$(scutil_query State:/Network/Global/IPv4 | grep "PrimaryService" | awk '{print $3}')

# Service name as shown by networksetup, e.g. "Wi-Fi" or "Thunderbolt Ethernet"
SERVICE_NAME=$(scutil_query Setup:/Network/Service/$SERVICE_GUID | grep "UserDefinedName" | awk -F': ' '{print $2}')

echo "$SERVICE_NAME"


/usr/sbin/networksetup -setsearchdomains "$SERVICE_NAME" DOMAIN_NAMES_LISTED

mm10
New Contributor

Thanks for the responses guys, but further suggestions are most welcome.

I'm setting search domains in our AD Bind script which runs at Casper Imaging time, our system defaults script at Enrolment, and I even set a couple of the scripts in this thread to run as well as a catch-all before the final reboot, but still the relevant search domains don't get picked up....
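As an added example (not code from this thread), the smart-group-and-policy approach asked about above needs a way to tell which Macs actually lack the domain. This Jamf extension attribute reads the live resolver configuration from `scutil --dns` and reports Present or Missing for resolver #1 of the main configuration (the resolver used for unqualified names), deliberately ignoring the "(for scoped queries)" section further down, where a domain can survive while plain lookups still fail. The domain `company.com` is the placeholder from the original question; the two sample `scutil --dns` outputs are constructed for the example, not captured from a Mac.

```shell
#!/bin/sh
# Jamf extension attribute: is the expected search domain live in the resolver?
# Added example; company.com is the placeholder from the original question.
EXPECTED_DOMAIN="${EXPECTED_DOMAIN:-company.com}"

# search_domains_from_scutil: read `scutil --dns` output on stdin and print the
# search domains of resolver #1 in the main (unscoped) configuration, one per
# line. The "(for scoped queries)" section lists per-interface resolvers that do
# not apply to plain unqualified lookups, so parsing stops there.
search_domains_from_scutil() {
    awk '
        /^DNS [Cc]onfiguration \(for scoped queries\)/ { exit }
        /^resolver #1$/ { in_r1 = 1; next }
        /^resolver #/   { in_r1 = 0 }
        in_r1 && /search domain\[[0-9]+\] *:/ { sub(/^[^:]*: */, ""); print }
    '
}

# ea_status: print Present if $1 is one of resolver #1's search domains, else Missing.
ea_status() {
    if search_domains_from_scutil | grep -Fqx -- "$1"; then
        echo Present
    else
        echo Missing
    fi
}

# Constructed sample outputs (not captured from a real Mac) used to exercise the parser.
SAMPLE_OK='DNS configuration

resolver #1
  search domain[0] : company.com
  search domain[1] : corp.company.com
  nameserver[0] : 10.0.0.53
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : company.com
  nameserver[0] : 10.0.0.53
  if_index : 6 (en0)'

# Here the domain survives only in the scoped section: unqualified lookups
# (and therefore the AD bind and share mapping) still fail.
SAMPLE_BAD='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : company.com
  nameserver[0] : 10.0.0.53
  if_index : 6 (en0)'

# On a Mac, emit the <result> tag Jamf expects; elsewhere just leave the functions defined.
if command -v scutil >/dev/null 2>&1; then
    printf '<result>%s</result>\n' "$(scutil --dns | ea_status "$EXPECTED_DOMAIN")"
fi
```

A smart group on this attribute equal to "Missing" scoped to a policy that sets the domains gives you a self-correcting loop instead of hunting machines down with Casper Remote after the fact.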

donmontalvo
Esteemed Contributor III

@franton has an awesome script to do this using a loop...but as @AVmcclint mentioned, it is the DHCP team's responsibility to manage Search Domains (along with DNS Servers).

Manually setting something that should be dynamically set seems like an awful hack, to compensate for the DHCP team not managing what is theirs to manage. Just saying.

I suppose @franton's script can be set to Make Available Offline, using Network State Change trigger. This should enforce the list, and catch any new ports (dongles).

Don

--
https://donmontalvo.com

kerouak
Valued Contributor

Here's my little script for setting search domains on Mac Pros. Simple but effective!

#!/bin/sh
# Domains are passed as separate space-separated arguments (no commas)
networksetup -setsearchdomains "Ethernet 1" ad.xx.xx.uk xx.xx.uk
networksetup -setsearchdomains "Ethernet 2" ad.xx.xx.uk xx.xx.uk

:-)

kerouak
Valued Contributor

I set this script to run 'at reboot' and it's all good!

Malia
New Contributor

This did exactly what I was looking for, thank you!

jonscott
New Contributor

The DHCP route won't work in my environment (education), which is pretty complex. But I've been doing something similar to that posted by @ddcdennisb for a long time, and it's worked well enough. The field separator in the second awk statement has given me trouble, and doesn't always deliver the service name. So here's what I use now:

#!/bin/sh

scutil=/usr/sbin/scutil
networksetup=/usr/sbin/networksetup

# GUID of the primary IPv4 service (printf rather than echo -e: /bin/sh's echo
# on macOS prints "-e" literally)
serviceID=$(
   printf 'open\nget State:/Network/Global/IPv4\nd.show\n' |
   ${scutil} |
   awk '/PrimaryService/{print $3}'
)
# Service name: keep everything after "UserDefinedName : " so multi-word names
# such as "Thunderbolt Ethernet" survive intact
serviceName=$(
   printf 'open\nget Setup:/Network/Service/%s\nd.show\n' "${serviceID}" |
   ${scutil} |
   awk '/UserDefinedName/{sub(/^[^:]*: */, ""); print}'
)

$networksetup -setsearchdomains "${serviceName}" "Empty"
$networksetup -setsearchdomains "${serviceName}" "domain1" "domain2"
$networksetup -setv6off "${serviceName}"

easyedc
Valued Contributor II

So we have issues where our VPN goes nuts and runs amok on DNS and search domains... effectively blocking you from ANY internet access (so Self Service becomes an issue). Since most of our users are non-admins, I wrote an AppleScript and wrapped it as an .app that they can use with hard-coded passwords and "Run Only" as its export option. It's not the prettiest but it's pretty effective:

-- Built as a run-only .app; the service-account name and password are embedded in the script text.
tell current application
    display dialog "This repairs network settings (DNS entries & Search Domains) that may be corrupt as a result of the corporate VPN - Array.  You can view the results once completed. 

On the next page, select the network connection that you would like to fix.

Click \"Proceed\" to fix your Mac's network settings.
" with title ¬
        "Corporate IT DNS Repair" with icon note ¬
        buttons {"Proceed", "Cancel"} default button 1

    -- One service name per line; tail drops the "An asterisk (*) denotes..." header line
    set PORTS to do shell script "networksetup -listallnetworkservices | tail -n +2"
    set {oldtid, AppleScript's text item delimiters} to {AppleScript's text item delimiters, return}
    set newList to every text item of PORTS
    set AppleScript's text item delimiters to oldtid
    set chosenPort to choose from list newList with prompt "How are you connected to the internet?"
    if chosenPort is false then return -- user pressed Cancel
    set NIC to item 1 of chosenPort

    -- Clear the existing search domains and DNS servers, then set the corporate search domains.
    -- Each call needs the embedded credentials; otherwise a non-admin user is prompted for an admin password.
    do shell script "networksetup -setsearchdomains '" & NIC & "' empty" user name "SERVICEACCOUNT" password "SERVICEPASSWORD" with administrator privileges
    do shell script "networksetup -setdnsservers '" & NIC & "' empty" user name "SERVICEACCOUNT" password "SERVICEPASSWORD" with administrator privileges
    do shell script "networksetup -setsearchdomains '" & NIC & "' DOMAINS GO HERE" user name "SERVICEACCOUNT" password "SERVICEPASSWORD" with administrator privileges
    -- Show the resulting resolver configuration to the user
    set the_result to do shell script "scutil --dns | egrep -wiA11 'DNS Configuration'"
    display dialog the_result with title "Your Results"
end tell

Since hardware changes, that's why there's an option to select how you connect. Also, I think en0 and en1 aren't always Wi-Fi, etc. So this made it easier.

csa
New Contributor III

Just my two cents: it seems this should be easy to do if you concentrate only on the active NIC. If you use something like this logic in your script and set it to run at, say, check-in, then whatever connection is active (even multiple connections) will get the "proper" search domains list.

#!/bin/bash
# List every network service; grep drops the "An asterisk (*) denotes..." header
# line and any service marked disabled with a leading asterisk
Services=$(networksetup -listallnetworkservices | grep -v '\*')
OLDIFS=$IFS
IFS=$'\n'
for NetSvc in $Services; do
    SvcInfo=$(networksetup -getinfo "$NetSvc")
    # Only a service that is actually connected reports a subnet mask
    if [[ "$SvcInfo" == *"Subnet mask"* ]]; then
        networksetup -setsearchdomains "${NetSvc}" <space separated list of domains>
    fi
done
IFS=$OLDIFS

Basically you are searching for each network service that has a valid subnet mask set, indicating it's connected to a network. Then set whatever setting you need to for that service and leave disconnected and disabled services alone. Should also work even if the user changes the service name to some other name (Ethernet 1 to Joe-Network, for example).
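Following the same active-NIC idea, an added example (not csa's code, nor anything from this thread) that only touches services which are enabled and currently hold an IPv4 address, and only rewrites the search domains when they differ from the desired list, so running it on every check-in or network state change does not churn the configuration. It assumes the desired list `company.com corp.company.com` (the first is the placeholder from the original question, the second is made up for the example); the three sample `networksetup` outputs are constructed, not captured from a Mac.

```shell
#!/bin/sh
# Set search domains only on enabled, connected services, and only when they
# are not already correct. Added example; the desired list is an assumption.
DESIRED="${DESIRED:-company.com corp.company.com}"

# enabled_services: stdin is `networksetup -listallnetworkservices` output.
# Drops the "An asterisk (*) denotes..." header and services marked disabled.
enabled_services() {
    awk 'NR > 1 && !/^\*/'
}

# is_connected: stdin is `networksetup -getinfo <service>` output. A service
# with a live link reports "IP address: 10.x.x.x"; a disconnected one shows
# the configuration method but no address/subnet lines.
is_connected() {
    grep -q '^IP address: [0-9]'
}

# domains_differ: stdin is `networksetup -getsearchdomains <service>` output
# (one domain per line, or "There aren't any search domains set on ..."),
# $1 is the desired space-separated list. Returns 0 when they differ.
domains_differ() {
    desired=$(printf '%s\n' "$1" | tr -s ' ' | sed 's/^ //; s/ $//')
    current=$(awk '!/^There aren/ { printf "%s%s", sep, $0; sep = " " }')
    [ "$current" != "$desired" ]
}

# apply_to_active_services: the loop that actually calls networksetup.
apply_to_active_services() {
    networksetup -listallnetworkservices | enabled_services |
    while IFS= read -r svc; do
        networksetup -getinfo "$svc" </dev/null | is_connected || continue
        if networksetup -getsearchdomains "$svc" </dev/null | domains_differ "$DESIRED"; then
            # $DESIRED is deliberately unquoted: each domain must be its own argument
            networksetup -setsearchdomains "$svc" $DESIRED </dev/null
            echo "updated search domains on $svc"
        else
            echo "$svc already correct"
        fi
    done
}

# Constructed sample outputs (not captured from a real Mac).
SAMPLE_SERVICES='An asterisk (*) denotes that a network service is disabled.
Wi-Fi
*Bluetooth PAN
Thunderbolt Ethernet'

SAMPLE_INFO_UP='DHCP Configuration
IP address: 10.20.30.40
Subnet mask: 255.255.255.0
Router: 10.20.30.1
Client ID:
IPv6: Automatic
IPv6 IP address: none
IPv6 Router: none
Ethernet Address: aa:bb:cc:dd:ee:ff'

SAMPLE_INFO_DOWN='DHCP Configuration
Client ID:
IPv6: Automatic
IPv6 IP address: none
IPv6 Router: none
Ethernet Address: aa:bb:cc:dd:ee:01'

# Run for real only where networksetup exists (macOS); otherwise just define the functions.
if command -v networksetup >/dev/null 2>&1; then
    apply_to_active_services
fi
```

Because every `networksetup` write is guarded by a comparison, the script is safe to attach to a recurring check-in or a Network State Change trigger: a Mac that already has the right list logs "already correct" and nothing is rewritten, while a new dongle or a VPN client that wiped the list gets repaired on the next run.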