Mac OS X Active Directory Binding issues

I think it’s pretty common knowledge that Macs in an Active Directory environment tend to run into binding issues. In our environment we have issues attempting to bind, as well as already-bound Macs losing their binding.

Recently the problem got a lot worse in our AD environment. It’s a rare occasion that I can get a Mac to bind to the domain on the first attempt. Usually I get the error message “Authentication Server cannot be contacted”. If I’m using the Directory Services GUI, I have to sit at the computer and repeatedly enter the user name and password to keep attempting to bind the computer. Sadly, I’ve counted, and it’s taken over 30 attempts in some cases to get a computer to bind. Many of my fellow SAs experience the same problems.

The other problem is that we are a large organization with sites all across the country. The binding issues seem to be isolated to our center. I’ve opened several tickets with the network and domain controller team, but they can’t replicate the problem on their end. At this point we are stuck in a finger-pointing game.

The following commands can help you troubleshoot Active Directory issues with your Mac.

The first command is odutil.

A quick look at the man page for odutil shows it’s used to inspect the internal state information of opendirectoryd. There are various commands you can run with odutil; the one we are interested in turns on debug logging.

Type odutil set log debug to turn on debug logging. This lets you look at detailed logs after a binding attempt.

The debug logs will be written to /var/log/opendirectoryd.log

Grep out the Active Directory entries using

grep "ActiveDirectory" /var/log/opendirectoryd.log

Hopefully there will be some debugging information to point you in the right direction for troubleshooting the AD issue.

Once you are finished looking at the logs, make sure you set the logging back to default so it’s no longer in debug mode. Run the following command:

odutil set log default

Next, make sure the OU information is correct. I’m definitely guilty of making a typo and getting an error like “Computer Container does not exist”.

Finally, you will need to check that the DNS servers are able to resolve the AD domain controllers. Here are a few commands to use.

dig -t SRV _ldap._tcp.your.domain.com

This command will check the LDAP records and return a list of the LDAP servers that are registered in DNS.

dig -t SRV _gc._tcp.your.domain.com

This command checks the Global Catalog records. If these two records are present, then the computer should be ready for binding.

The following two commands can also be checked for more detailed troubleshooting.

dig -t SRV _kerberos._tcp.your.domain.com

dig -t SRV _kpasswd._tcp.your.domain.com

These queries should return the IP addresses of your domain controllers. If no valid IP address is found, that could be the reason the computer won’t bind. If this is the case, then more DNS troubleshooting needs to be performed.

Finally, I wrote a script that automates the binding process. It will attempt to bind the computer until it reaches 100 max attempts or it is successful. I have used this script on systems running 10.11 and 10.12. At the time of this writing 10.13 has been released. I have seen lots of chatter that there are some serious bugs with AD binding in 10.13. I have not yet attempted to use this script on 10.13. As always, use this script at your own risk, and always test on a test machine first.
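As an added example (not the author's script), the shell below ties the two checks together: it runs the four SRV lookups from above and refuses to attempt a bind until every record resolves, then wraps dsconfigad in a bounded retry loop like the one the author describes. The domain name, the OU path, the admin account and the AD_ADMIN_PASSWORD variable are placeholders you would replace.

```shell
#!/bin/sh
# Added example: pre-bind DNS check for the SRV records the post lists,
# followed by a bounded retry around dsconfigad. your.domain.com, the OU
# path, adminuser and AD_ADMIN_PASSWORD are placeholders (assumptions).

SRV_NAMES="_ldap._tcp _gc._tcp _kerberos._tcp _kpasswd._tcp"

# Parse `dig +short -t SRV` output from stdin ("prio weight port target.")
# and print one target hostname per line with the trailing dot removed.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Return 0 only if every SRV record for the domain names at least one host.
# Missing records are printed so the DNS team gets something concrete.
dns_precheck() {
    domain="$1"; missing=0
    for name in $SRV_NAMES; do
        targets=$(dig +short -t SRV "${name}.${domain}" | srv_targets)
        if [ -z "$targets" ]; then
            echo "MISSING: ${name}.${domain}"; missing=$((missing + 1))
        else
            echo "OK: ${name}.${domain} -> $(echo "$targets" | tr '\n' ' ')"
        fi
    done
    [ "$missing" -eq 0 ]
}

# Run the given command up to max_attempts times, pausing between failures.
# Returns 0 on the first success, 1 if every attempt failed.
retry_bind() {
    max_attempts="$1"; shift
    attempt=1
    while [ "$attempt" -le "$max_attempts" ]; do
        if "$@"; then
            echo "bound on attempt $attempt"; return 0
        fi
        attempt=$((attempt + 1))
        sleep "${RETRY_DELAY:-5}"
    done
    echo "gave up after $max_attempts attempts"; return 1
}

# Usage: AD_ADMIN_PASSWORD=... sh ad-bind.sh your.domain.com (needs dig and dsconfigad)
if [ -n "${1:-}" ]; then
    dns_precheck "$1" || exit 1
    retry_bind 100 dsconfigad -add "$1" -username adminuser \
        -password "$AD_ADMIN_PASSWORD" -ou "OU=Macs,DC=your,DC=domain,DC=com" -force
fi
```

Passing the password on the dsconfigad command line makes it visible in the process list while the bind runs, so keep the account's privileges limited to joining computers to that OU.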
