Jamf Nation Community

catfeetstop · ‎12-28-2011

Binding to AD during the imaging process has always been iffy for me. Sometimes it works, sometimes it doesn't. I can't figure out any rhyme or reason as to why this is happening. I want to be able to log into an AD account immediately after imaging. I have a first boot script that is run during the imaging process. The end of that script pauses for 2 minutes and reboots itself when complete. At one point I thought that might help the AD binding process finish. Do you guys have any ideas how I can fix this?

Jamie Bell
Apple Technology Specialist
The Westminster Schools
Ph: 404-609-6345

catfeetstop · ‎12-28-2011

Thanks for all the help you guys. I'm going to try removing the AD binding from the imaging configuration and I'm going to add a manual policy trigger for the AD binding in the firstboot script to see what happens.

Jamie Bell
Apple Technology Specialist
The Westminster Schools
Ph: 404-609-6345

View solution in original post

catfeetstop · ‎12-29-2011

I wanted to say thanks to everyone for all their help on this issue. After upgrading the JSS and removing old computer records from AD I'm able to bind during imaging just fine. Thanks again!

Jamie Bell
Apple Technology Specialist
The Westminster Schools
Ph: 404-609-6345

View solution in original post

Matt · ‎12-28-2011

Try using a smart group. I have a smart group that finds all computers that aren't bound and bind them on the any trigger.
--
Matt Lee, CCA/ACA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

catfeetstop · ‎12-28-2011

For some reason I'm not even able to bind once I boot up, open Terminal and use a manual binding trigger. It appears as if the policy works but then when I look in Directory Utility I am not bound nor can I log in to AD user accounts. I am able to bind manually through Directory Utility though.

Jamie Bell
Apple Technology Specialist
The Westminster Schools
Ph: 404-609-6345

catfeetstop · ‎12-28-2011

I'm still running Casper 8.22. I wonder if the newer versions are better at binding Lion machines to AD?

Jamie Bell
Apple Technology Specialist
The Westminster Schools
Ph: 404-609-6345

Matt · ‎12-28-2011

10.7.2 + the newest JSS version will most likely fix the issue.
--
Matt Lee, CCA/ACA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

ernstcs · ‎12-28-2011

So you aren't using the AD binding capabilities within Casper? Or are you?

Craig E

catfeetstop · ‎12-28-2011

I am. In the imaging configuration there is a step to use an AD directory binding.

Jamie Bell
Apple Technology Specialist
The Westminster Schools
Ph: 404-609-6345

ernstcs · ‎12-28-2011

On systems that have failed have you dug into the Directory Services logs or into the JAMF log to see what it says happens during that step during imaging?

catfeetstop · ‎12-28-2011

Here's what the jamf.log says:

jamf [1236]: Binding jhstu-0001 to domain.net<http://domain.net>
jamf [1236]: Bound to Active Directory (domain.net<http://domain.net>)
jamf [1303]: Running Script CommonSettings.sh...

According to that it worked. I wonder if I should put a pause at the beginning of the CommonSettings.sh? I can't find the DirectoryServices.log, where is that in Lion?

Jamie Bell
Apple Technology Specialist
The Westminster Schools
Ph: 404-609-6345

nessts · ‎12-28-2011

just out of curiosity are you using a 10.7.2 lion base image?
AD binding was very broken in previous versions…
--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services

catfeetstop · ‎12-28-2011

It is 10.7.2. I had this same issue with 10.6 machines too. I'm going to put a little break at the beginning of the script and see what happens.

Jamie Bell
Apple Technology Specialist
The Westminster Schools
Ph: 404-609-6345

bentoms · ‎12-28-2011

Works fine for me on 10.6 & 10.7.

Does it work when manually bound? Are any settings different?

Regards,

Ben.

ernstcs · ‎12-28-2011

I actually didn't dig much into Lion for AD, I waited until 10.7.2 and things worked OK.

It appears the log may have changed and uses the name opendirectoryd.log instead of Directory Services. I'd have to look it up otherwise. What wasn't helpful before was that you didn't always get enough detail in the log until you put it into a higher logging/debug mode.

I wish I had more time to help today...

Craig E

bentoms · ‎12-28-2011

Rather than directory services being under different versions of the app. They are now plugins, so during the transistion I guess they've not tidied up the logs.

Regards,

Ben.

catfeetstop · ‎12-28-2011

Thanks for all the help you guys. I'm going to try removing the AD binding from the imaging configuration and I'm going to add a manual policy trigger for the AD binding in the firstboot script to see what happens.

Jamie Bell
Apple Technology Specialist
The Westminster Schools
Ph: 404-609-6345

catfeetstop · ‎12-28-2011

Excellent, I'll upgrade tomorrow. Thanks to you all for all your help!

Jamie Bell
Apple Technology Specialist
The Westminster Schools
Ph: 404-609-6345

catfeetstop · ‎12-29-2011

I wanted to say thanks to everyone for all their help on this issue. After upgrading the JSS and removing old computer records from AD I'm able to bind during imaging just fine. Thanks again!

Jamie Bell
Apple Technology Specialist
The Westminster Schools
Ph: 404-609-6345

Matt · ‎12-29-2011

Thats great!
--
Matt Lee, CCA/ACA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

Jamf Nation Community

Binding to AD during imaging