Join multiple machines to AD Domain

lmollard
New Contributor

Hi all, I am trying to create a configuration profile to join a couple of classrooms to our Windows active directory domain. So far it has not been working, and I'm not sure exactly why. 

I guess the main thing I don't know is what goes in the Client ID field? Do I have to enter in the name of the machine? That would be sort of inconvenient because it would mean that I have to change the config profile every time I wanted to bind a machine to the domain. 

But I have everything else filled in and looking correct. It's set to SMB. 

Any thoughts? 

20 replies

SGill
Contributor III

We leave the "Client ID" field blank in our profiles, and things work fine for joining Macs to AD. It should pull the computer name set by Jamf automatically. You do need an admin account set in the profile that has domain-joining authority from your domain admins.

lmollard
New Contributor

Thank you, yes, I'm using my domain account, which has privileges to bind machines to the domain (which I do a lot of).

What about "Set primary user account naming convention": "forest" or "domain"? That's another setting I've never had to do; I picked "domain".

SGill
Contributor III

Depends on your site, but that setting is at default in our Directory payload, which would be "domain".

talkingmoose
Moderator

The "Client ID" is just the name you see in Active Directory. It's set during binding. Because this is a configuration profile, you can use a payload variable to specify information from Jamf Pro. I typically used $SERIALNUMBER because usernames and computer names can change.
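For anyone building the profile outside the Jamf GUI, this is what the Directory payload looks like as a raw .mobileconfig. It is an added example, not from the thread or from Jamf or Apple; the payload type and key names are Apple's `com.apple.DirectoryService.managed` keys, while the domain, OU, bind account name, display names, identifiers and UUIDs are constructed placeholders. `$SERIALNUMBER` is the Jamf Pro payload variable talkingmoose mentions: Jamf substitutes it when it pushes the profile, so a profile installed by hand would hand AD the literal string instead.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.DirectoryService.managed</string>
            <!-- Placeholder identifiers: use your own reverse-DNS prefix and a fresh UUID (uuidgen) -->
            <key>PayloadIdentifier</key>
            <string>edu.example.directory.ad</string>
            <key>PayloadUUID</key>
            <string>00000000-0000-4000-8000-000000000001</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadDisplayName</key>
            <string>Active Directory</string>

            <!-- The domain to bind to ("Server" in the Jamf GUI); constructed example domain -->
            <key>HostName</key>
            <string>accounts.ad.example.edu</string>

            <!-- Bind account. The password is stored in the profile, so use a dedicated
                 account that has only delegated join rights to the target OU. -->
            <key>UserName</key>
            <string>svc-macbind</string>
            <key>Password</key>
            <string>CHANGE-ME</string>

            <!-- Client ID: the computer object name created in AD.
                 Jamf Pro replaces $SERIALNUMBER at install time; outside Jamf, put a literal name here. -->
            <key>ClientID</key>
            <string>$SERIALNUMBER</string>

            <!-- OU where the computer object is created (constructed example) -->
            <key>ADOrganizationalUnit</key>
            <string>OU=Classroom Macs,OU=Computers,DC=ad,DC=example,DC=edu</string>

            <!-- "SMB" in the GUI -->
            <key>ADMountStyle</key>
            <string>smb</string>

            <!-- "Set primary user account naming convention": domain or forest -->
            <key>ADNamespace</key>
            <string>domain</string>

            <!-- Mobile accounts for classroom users; the *Flag keys mark the option as managed -->
            <key>ADCreateMobileAccountAtLogin</key>
            <true/>
            <key>ADCreateMobileAccountAtLoginFlag</key>
            <true/>
            <key>ADWarnUserBeforeCreatingMA</key>
            <false/>
            <key>ADWarnUserBeforeCreatingMAFlag</key>
            <true/>

            <!-- LDAP signing and sealing; the default is "allow". Require it only once
                 the domain controllers are confirmed to support it, or the bind fails. -->
            <key>ADPacketSign</key>
            <string>require</string>
            <key>ADPacketSignFlag</key>
            <true/>
            <key>ADPacketEncrypt</key>
            <string>require</string>
            <key>ADPacketEncryptFlag</key>
            <true/>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>AD Bind (Classrooms)</string>
    <key>PayloadIdentifier</key>
    <string>edu.example.profile.adbind</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>00000000-0000-4000-8000-000000000002</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```

Two things worth checking against a profile that fails with an "unspecified problem": whether the Client ID that actually reached the Mac is a valid computer name (a payload variable only works when Jamf Pro delivers the profile), and whether the bind account really has join rights to the exact OU named in `ADOrganizationalUnit`. Keeping that account limited to delegated join rights on that OU also bounds what is exposed if the profile, which carries the password, is read off a machine.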

lmollard
New Contributor

Thanks everyone. I wonder why it's failing, then. Seems like I'm doing everything right.

mainelysteve
Valued Contributor II

I'd say before going down the troubleshooting rabbit hole much further let me ask two questions:

1. Have you bound Macs to your domain before?

2. Have you tried interactively binding one of these specific Macs?

Hi Steve,

1) Yes, hundreds of times. Thousands, probably. Always using the Mac OS GUI. I also was able to get Deploy Studio to do it when I was using that software.

2) If by interactively you mean by using the GUI in the Mac OS, no, actually. I just assumed it would work. You can see that the config profile fails in the JAMF console, although it's not clear to me why.

I think he means bind locally using the same configuration profile. Also, I know there is a specific spot in settings for Bindings; I have never actually used that, just the configuration profile with the Directory payload.

mainelysteve
Valued Contributor II

Yep, that's correct, in the GUI itself. Either try @jpeters21's suggestion below or go into Users & Groups and try binding there. You can sometimes get clearer reasons for configuration profile installation failures if you install it manually on the machine. Binding in the GUI can also help rule out client connectivity or configuration issues.

lmollard
New Contributor

I did bind with the GUI, it worked as expected. I thought it might fail since this particular machine is running High Sierra, but I guess the Windows AD doesn't care about that. The error message is:

"The ‘Directory Binding Account’ payload could not be installed. Attempts to bind to the server ‘accounts.ad.****.edu’ returned an unspecified problem." (I added the asterisks.)

I can try manually installing the certificate.

lmollard
New Contributor

Manually installing the config profile (which was a great idea) also failed, with the exact same message as above. So somehow this is a problem with the profile. I used the iMazing Profile Creator... new software to me. Maybe I'll try a different method.

lmollard
New Contributor

I guess while I've got your attention, what do you all use to create your config profiles to join to the domain? Profile Creator is dead, I'm not getting anywhere with iMazing Profile Creator, and Apple Configurator 2 doesn't have the Active Directory domain join feature that I can tell.

mainelysteve
Valued Contributor II

Well, I guess now you have piqued my interest as well. Why aren't you using Jamf Pro to create one? It has the Directory payload as well as the ability to bind using a Policy.

Honestly, I didn't know that JAMF had that; still learning it.

Oh, wait, now I remember: I don't have permissions to edit that. I need to reach out.

If you are going to administer Macs, they basically need to give you all access on the computer side, and really some settings as well. Don't get me wrong, I have a couple of device-manager-only people who can only enroll and change assignments of the devices, but that is also their only task. An alternative for you, if you cannot get appropriate permissions, could be a terminal/bash script using dsconfigad commands.

Yeah, it's been a source of frustration. We are moving our department from Munki to JAMF, and the central IT folks sometimes aren't aware of our permissions limitations until we tell them. Right now, for instance, I can upload all my packages but bizarrely not scripts. 

Extra note: check out Jamf training; it will cover a lot of the foundation. Whoever the system owner is will have to email the success team and put you on the account.

jpeters21
Contributor II

I was using Profile Creator and Apple Configurator myself, but it has been a while since I did that outside of Jamf. Really, anything capable of XML editing can create a profile if you know the proper syntax, but why don't you give something like this a try right in Jamf and see how it works for you. (Stripped of company info.)

[Screenshot: jpeters21_0-1655413647236.png, Directory payload settings in Jamf Pro]

That looks like what I have. Maybe the software compiler I'm using isn't working right somehow. I'll try with the JAMF tool when I get access to it, which should be tomorrow.