Help

Unable to Bind to Active Directory

st00789
New Contributor II

Posted on ‎11-08-2016 03:17 PM

Hey all,

My school just got setup for Casper last week, at the start everything seemed to work alright, but now the Configuration Profile" that supposed to Bind macs to Active Directory fails.

I can manually bind the Mac to AD.

If i Bind the Mac manually then unbind it, the Configuration Profile runs successfully.

Any help, would be great.

Thanks,

Scott.

0 Kudos
7 REPLIES 7

znilsson
Contributor II

Posted on ‎11-08-2016 04:33 PM

have you tried setting up a binding under Settings > Computer Management > Directory Bindings, and then using that in a policy rather than doing it via config profile?

st00789
New Contributor II

Posted on ‎11-08-2016 04:50 PM

I may have actually found the problem, but has caused another problem.

It seems my Domain Controller(s) act like a RODC, when they are in fact Writeable, if i add the computer name manually it binds the Mac, i'll have to have a look further into it.

If anyone else has some suggestions, it would be welcome.

Thanks,

Scott.

0 Kudos

ericbenfer
Contributor III

Posted on ‎11-09-2016 06:13 AM

Make sure the AD account you are using to bind has the proper privileges in the OU you are binding.
For instance, the default Computer OU is "CN=Computers,DC=yourdomain,DC=com"
If you are trying to bind into "OU=Macs,DC=yourdomain,DC=com" but the AD account cannot write into that OU, the bind will fail.

Another tip is to use a service account. Give it write privileges for the specific OU, and a complex passcode that does not change. Use that account in the Jamf PRO Directory Binding.

Eric

0 Kudos

jhuls
Contributor III

Posted on ‎11-09-2016 07:36 AM

I second using a policy with the directory bindings or if you prefer...a script.

I've used a Configuration Profile and had too many problems with it. Systems would randomly not get or lose the profile. I also have more to work with in terms of logs when not using configuration profiles.

I don't think that's part of the problem you're experiencing but I would recommend going this route to be in a better position when things don't work.

0 Kudos

tyra_robertson
New Contributor II

Posted on ‎01-19-2017 02:37 PM

@ericbenfer Thanks for posting the OU details, I believe that's the issue we are experiencing. Do I understand you correctly that if our setup is this:

  1. In JSS > Directory Bindings > Computer OU the container field is OU=iMac Workstations, OU=Laptop Workstations
  2. The binding account used is an AD Service Account but the container for that account in AD does not have the OU=iMac Workstations, OU=Laptop Workstations containers.

If the above is true then we need to add OU=iMac Workstations, OU=Laptop Workstations to the AD Service Account in AD, correct?

0 Kudos

osxadmin
Contributor II

Posted on ‎01-23-2017 08:11 AM

I can't find the specific document, but if the service account password that you are using to bind contains an exclamation anywhere in the password "!" it will not let you bind.
(hopefully it makes sense what I'm trying to explain)

once I find that document/note from Jamf I'll post it.

0 Kudos

osxadmin
Contributor II

Posted on ‎01-23-2017 08:17 AM

(fyi: this is for JSS version 9.96)
This is what I was talking about:

[D-008806] The dsconfigad binary fails to bind a computer to a directory service if the service account password contains an exclamation point (!).

0 Kudos