Hey all,
My school just got setup for Casper last week, at the start everything seemed to work alright, but now the Configuration Profile" that supposed to Bind macs to Active Directory fails.
I can manually bind the Mac to AD.
If i Bind the Mac manually then unbind it, the Configuration Profile runs successfully.
Any help, would be great.
Thanks,
Scott.
have you tried setting up a binding under Settings > Computer Management > Directory Bindings, and then using that in a policy rather than doing it via config profile?
I may have actually found the problem, but has caused another problem.
It seems my Domain Controller(s) act like a RODC, when they are in fact Writeable, if i add the computer name manually it binds the Mac, i'll have to have a look further into it.
If anyone else has some suggestions, it would be welcome.
Thanks,
Scott.
Make sure the AD account you are using to bind has the proper privileges in the OU you are binding.
For instance, the default Computer OU is "CN=Computers,DC=yourdomain,DC=com"
If you are trying to bind into "OU=Macs,DC=yourdomain,DC=com" but the AD account cannot write into that OU, the bind will fail.
Another tip is to use a service account. Give it write privileges for the specific OU, and a complex passcode that does not change. Use that account in the Jamf PRO Directory Binding.
Eric
I second using a policy with the directory bindings or if you prefer...a script.
I've used a Configuration Profile and had too many problems with it. Systems would randomly not get or lose the profile. I also have more to work with in terms of logs when not using configuration profiles.
I don't think that's part of the problem you're experiencing but I would recommend going this route to be in a better position when things don't work.
@ericbenfer Thanks for posting the OU details, I believe that's the issue we are experiencing. Do I understand you correctly that if our setup is this:
If the above is true then we need to add OU=iMac Workstations, OU=Laptop Workstations to the AD Service Account in AD, correct?
I can't find the specific document, but if the service account password that you are using to bind contains an exclamation anywhere in the password "!" it will not let you bind.
(hopefully it makes sense what I'm trying to explain)
once I find that document/note from Jamf I'll post it.
(fyi: this is for JSS version 9.96)
This is what I was talking about:
[D-008806] The dsconfigad binary fails to bind a computer to a directory service if the service account password contains an exclamation point (!).
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.