JSS enrollment is not binding my Macs to Active Directory

vishelp
New Contributor III

I have the JSS setup so that when I enroll it in the JSS it also binds the user to AD so that they can login using our domain accounts. We have a mixed windows and Mac environment so we want one login for everything and binding to AD allows us to do this.

Recently however when I either netboot and image a machine or just from enrolling using Recon the machines are failing to join AD. I've been manually binding them in System Preferences so that I could get them out the door but I want to be able to stop doing this.

It doesn't affect machines that are already bound, they are all working fine. Any ideas? I couldn't find a thread on this so sorry if there already is one.

1 ACCEPTED SOLUTION

vishelp
New Contributor III

Solved this by just re-writing the bash script to add machines to the domain. Thanks for the help!



Chris_Tavenner
New Contributor II

Have you been into the logs to see why it's failing? Could be a time skew or the service account you are using to join the machines is locked out.

vishelp
New Contributor III

My logs seem to be showing that all tasks are completing. I thought it might be the service account too; I tried re-adding them as well as making sure the accounts were not locked in AD, but it still doesn't seem to be working.

Chris_Tavenner
New Contributor II

You could try making a policy with the AD Bind in it and run it the next time a machine fails to join on enrollment, or on a test machine. If the machine joins without any issues you know it's not the Directory Binding and can eliminate that, and if it doesn't then you can check the log to see where it failed.

mconners
Valued Contributor


Hello @vishelp, what we have done is systematically name all of our policies through a new workflow, and it works really well. Essentially, the first thing the computers do is get named properly. We can do this via the JSS. Once named, they run the Active Directory binding policy. As you can see by the attached image, the first policy runs across all of our new computers. Then Active Directory binding happens against all new computers that are not reporting as bound. Our interval for check-in is 15 minutes. By the way, we also have an update inventory payload configured for each of our policies so we ensure the computers are reporting back correct information. Hopefully this helps.


marklamont
Contributor III

@vishelp I have to ask why you don't use the built in bind policy for this rather than a script?
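As an added example (not the poster's script, and not Jamf's own Directory Binding code), a bash bind script of the kind the accepted solution describes; it also checks the causes Chris_Tavenner raised (already bound, clock skew) before calling dsconfigad. It assumes Jamf's script parameter positions $4 to $7 for domain, computer OU, bind account and password, and that the domain name resolves to domain controllers that answer NTP.

```bash
#!/bin/bash
# Added example, not the poster's script: an AD bind script for a Jamf policy that checks
# the failure causes raised in the thread (already bound, clock skew) before running dsconfigad(8).
# Assumed Jamf parameter layout: $4 domain, $5 computer OU, $6 bind account, $7 its password.

# Print the domain from `dsconfigad -show` text on stdin; prints nothing when unbound.
bound_domain() {
  awk -F'= ' '/Active Directory Domain/ { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# Print the offset (seconds) from `sntp` output on stdin: the field before "+/-" in
# both the short ("+0.01 +/- 0.02 host") and the long (timestamped) output formats.
ntp_offset() {
  awk '{ for (i = 1; i < NF; i++) if ($(i + 1) == "+/-") { print $i; exit } }'
}

# Return 0 when |offset| <= limit; the default limit is the 300 s Kerberos clock tolerance.
skew_ok() {
  awk -v off="$1" -v max="${2:-300}" 'BEGIN { off += 0; if (off < 0) off = -off; exit !(off <= max) }'
}

bind_to_ad() {
  domain="$1"; ou="$2"; account="$3"; password="$4"
  if [ "$(dsconfigad -show | bound_domain)" = "$domain" ]; then
    echo "Already bound to $domain"; return 0
  fi
  # Ask the domain's DCs for the time; a large skew makes the bind fail with little explanation.
  offset=$(sntp -t 5 "$domain" 2>/dev/null | ntp_offset)
  if [ -n "$offset" ] && ! skew_ok "$offset"; then
    echo "Clock offset of ${offset}s to $domain exceeds the Kerberos limit; fix time first" >&2
    return 1
  fi
  # -force replaces a stale computer object left by an earlier bind. Never echo this line:
  # the password is on the command line.
  if ! dsconfigad -add "$domain" -ou "$ou" -username "$account" -password "$password" -force; then
    echo "dsconfigad failed; check /var/log/jamf.log and the opendirectoryd entries in the unified log" >&2
    return 1
  fi
  # Verify the result rather than trusting the exit code.
  if [ "$(dsconfigad -show | bound_domain)" != "$domain" ]; then
    echo "Bind reported success but the Mac does not show as bound to $domain" >&2; return 1
  fi
  echo "Bound to $domain"
}

# Jamf passes policy parameters from $4 on; do nothing when run without them.
if [ -n "$4" ]; then
  bind_to_ad "$4" "$5" "$6" "$7"
fi
```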