LDAP Server with AD Binding - Cannot change password

cfullerton
New Contributor

Hey Everyone,
So I've got a predicament here. This is the back story:

We have 4 DCs: DC1, DC2, DC01 and DC02

LDAP binding was set up for DC1
The Directory Binding setup within the Casper Policy went to CORP.xxxx.xxxx (FQDN)

DC1 at some point stopped replicating changes made.

We decommissioned DC1 and moved the DHCP and DNS roles to another DC

Now Mac users cannot change their password. It says "the Server is Unavailable"

I've changed the LDAP server settings to match the new DC that has the DHCP and DNS roles but the computers that were bound to AD with the Casper policy won't allow the password change.

Unbinding and re-binding to AD allows them to change their password.

Also, specifying a preferred domain controller WITHOUT unbinding does not work.

Is there a way to force the LDAP server changes to the computers that were joined to the domain with Casper without having to unbind and rebind?


davidacland
Honored Contributor II

Are you using cached accounts? It sounds like they've completely lost communication with the domain.

There is some info in /Library/Preferences/OpenDirectory/Configurations/Active Directory/YOURDOMAIN.plist that might allow you to alter the DC the clients are looking at, although it does sound like a re-bind is needed to me.

cfullerton
New Contributor

We have mobile accounts set up as part of the domain binding.

It doesn't look like there's anything in that PLIST that shows the old, decommissioned DC other than the FQDN under "trust domain", "domain" and "forest".

davidacland
Honored Contributor II

Another route could be to re-bind one of the Macs to AD and compare the differences between the two files. That might indicate a change that could correct the issue.
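One way to do the comparison suggested above, as an added example that is not code from the thread or from Jamf: flatten two copies of the OpenDirectory AD configuration plist (one from a freshly re-bound Mac, one from a Mac that still fails) and list every key whose value differs. The two sample plists, and the nested key names in them, are constructed for the example and are not the real layout of YOURDOMAIN.plist.

```python
import plistlib
from typing import Any

def flatten(node: Any, prefix: str = "") -> dict:
    """Turn nested dicts/lists into {"a/b/0": value} so every leaf can be compared."""
    out = {}
    if isinstance(node, dict):
        for key, value in node.items():
            out.update(flatten(value, f"{prefix}{key}/"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            out.update(flatten(value, f"{prefix}{index}/"))
    else:
        out[prefix.rstrip("/")] = node
    return out

def diff_plists(a_bytes: bytes, b_bytes: bytes) -> dict:
    """Return {key: (value_in_a, value_in_b)} for each leaf that differs.
    A key present on only one side is reported with None for the other."""
    a = flatten(plistlib.loads(a_bytes))
    b = flatten(plistlib.loads(b_bytes))
    return {k: (a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys())
            if a.get(k) != b.get(k)}

# Constructed sample configs (hypothetical keys): the broken Mac still
# points at the decommissioned DC1, the re-bound Mac at DC02.
BROKEN = plistlib.dumps({
    "trust domain": "CORP.xxxx.xxxx",
    "domain": "CORP.xxxx.xxxx",
    "forest": "CORP.xxxx.xxxx",
    "module options": {"ActiveDirectory": {
        "preferred dc": "DC1.CORP.xxxx.xxxx",
        "mobile accounts": True}},
})
REBOUND = plistlib.dumps({
    "trust domain": "CORP.xxxx.xxxx",
    "domain": "CORP.xxxx.xxxx",
    "forest": "CORP.xxxx.xxxx",
    "module options": {"ActiveDirectory": {
        "preferred dc": "DC02.CORP.xxxx.xxxx",
        "mobile accounts": True,
        "node name": "/Active Directory/CORP"}},
})

if __name__ == "__main__":
    for key, (old, new) in diff_plists(BROKEN, REBOUND).items():
        print(f"{key}: broken={old!r} rebound={new!r}")
```

On a real Mac the two inputs would be the bytes of the plist file from each machine; plistlib reads both the XML and binary forms.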