Need help binding my mac to my AD

Hello everyone,

I am stuck and I need some help. I am attempting to bind my Mac to my AD server and I have hit a wall. My Mac is running the latest El Capitan 10.11.4 version, while my Active Directory (AD) server is running Windows 2008 R2. I cannot seem to get them to talk to each other. I receive an "Authentication server failed to complete the requested operation" error. Very generic, unfortunately. I have done a Wireshark packet capture and I have been able to identify where the issue seems to be coming from, but I can't find a remedy.

Has anybody had to bind a mac to a windows AD?

I can post the wireshark capture if needed.
 

pigoo3

When you say "bind" do you mean "connect"? As in "not able to connect to your AD server"?

- Nick
 
OP
Hi Nick,

Well, I can ping my AD server from my Mac. So connections are good. I need to connect/bind the computer so I can use the same login credentials on all of my computers. The credentials get run against the AD server and assign certain GPOs and whatnot.

-Brandon
 

pigoo3

Well, I can ping my AD server from my Mac. So connections are good. I need to connect/bind the computer so I can use the same login credentials on all of my computers. The credentials get run against the AD server and assign certain GPOs and whatnot.

Ahh…no problems connecting…good.

- So is your goal to have all devices using the same network login information?
- Or another way of saying it…do your devices (computers) currently have differing network login information?

- Nick

p.s. Just trying to clarify the goal. So anyone reading this thread with a solution/suggestion can jump right in. :)
 
OP
No worries, I know this is kind of an out there topic. So I have 3 computers. A Mac, a windows surface, and a windows desktop. As of right now, I have the same network login for the two windows devices, everything is working for those. For the mac though it has its own login info. I guess you can say it is self-managed. I have my user account then my administrator account with elevated privileges.
 
Joined
Jul 24, 2013
I am running 2008 R2 on our work network. I have four Macs currently on the network. While all my windows machines are registered in Active Directory, I have never seen the need to do so with the Macs.

Here is why -
1. The server will never push out updates to the Macs.
2. I have enough fun dealing with people having brain farts and forgetting their password, thus destroying the trust relationship with the server. (Welcome to my world. :Smirk: )
3. I can connect to shared drives without joining it to the network - i.e. Active Directory. Just open Finder and click on Go -> Connect to Server. I use smb to set up the server name and connect. I have to input my user name and password that is in AD and has permission to share the folders I need. And yes, the Macs will lose the share connections - especially if you let them sleep or shut them down, but it is easy to reestablish as it will remember the name of the server and your login information.
4. Sometimes the cosmic stars do not align causing AD and Macs to not play nice with each other.... and that way can lead to madness. O:)

Now I realize some organizations have strict password policies and want AD to control all computers, therefore you will have to set it up.

If you really must - here is a link that will walk you through it. http://icomputerdenver.com/how-to-integrate-mac-os-x-with-windows-active-directory/

Actually it is pretty simple. System Preferences -> Users & Groups -> Click and unlock the lock -> Click on Login Options -> Under Automatic Login select the user's name and put in their password -> Click on Network Account Server - Join ->put in the name and make your selections for your network. The link provides more specifics - and saves me typing them out. :)

Lisa
 
OP
Lisa, or anybody else that can help...

I was going through the website while working on binding my Mac to the AD, and I still get caught on the same error as before.

I am on the section that states Enter the domain name in the server drop-down menu

So I enter the full path to my AD server beep.blank.com

enter in domain credentials

click ok

and I still get an authorization error..

Any thoughts?
 
Joined
Jul 24, 2013
As I said I have never joined any of my Macs to a domain. I do have a 2009 Macbook that I could try joining to my work network. If I mess it up I won't care as I use it mainly to run Windows through bootcamp.

I will post back tomorrow when I try it out. Also I will assume you are using user credentials that you have previously used to successfully join a windows computer to the domain? Just checking.

Lisa
 
OP
That would be great if you could try it. I am banging my head against the desk, you could say, as to why it won't work. :Not-Amused: And yes, the user credentials I have been using work fine on a Windows domain computer.


Thank you Lisa,

-Brandon
 
Joined
Jul 24, 2013
Did not get to try it today. I had a beast of a day but I will give it a try tomorrow.

Lisa
 
Joined
Jul 24, 2013
Brandon,

I finally got time to try it and I had no trouble. I did use a link from apple to walk me through it, although the procedure was the same, I thought it was clearer - at least to me.

Here is what I did -

System Preferences -> Users & Groups -> unlocked the screen -> made sure my user name was selected -> clicked on Login Options -> click on the Join button next to Network Account Server -> entered the FQDN of my server which I entered similar to this: server2.DomainName.local - with DomainName.local representing the name of my domain. Once I clicked OK then a window popped up asking me to check the information listed and to put in my AD credentials for server2 to add the computer. Once I did that it was joined.

I checked my AD server and Lisa-macbook is listed as an AD computer. Make sure the AD credentials you are using are recognized by the server you are naming. Another thought - the server that I used probably issued the IP address to my Macbook as it is one of the DHCP servers - but should not really matter. Also I did look to see if the server's IP address was listed under the Macbook's network DNS listings - which it was. Not sure if it helped but I did check.

https://support.apple.com/kb/PH21988?locale=en_US

Lisa
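
The DNS check mentioned in the post above (the server's IP address appearing in the Mac's DNS list) can be scripted, together with a lookup of the domain's `_ldap._tcp` SRV records, which AD clients use to locate a domain controller. This is an added example, not part of the thread; `example.test`, `dc1.example.test`, `192.0.2.10` and the function names are placeholders, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: DNS checks to run on the Mac before an Active Directory bind.
# example.test, dc1.example.test and 192.0.2.10 are placeholders.

# Constructed sample outputs (not from the thread) so the parsers run offline.
SAMPLE_SRV='0 100 389 DC1.example.test.
0 100 389 dc2.example.test.'
SAMPLE_SCUTIL='resolver #1
  nameserver[0] : 192.0.2.10
  nameserver[1] : 192.0.2.1'

# Read `dig +short -t SRV ...` output ("prio weight port target.") on stdin
# and print each target host name, lower-cased, without the trailing dot.
srv_targets() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print tolower($4) }'
}

# Read `scutil --dns` output on stdin and print the resolver addresses in use.
resolvers() {
    awk '/nameserver\[[0-9]+\]/ { print $3 }' | sort -u
}

# Exit 0 if $1 matches a whole line of stdin (case-insensitive, literal).
listed() {
    grep -qixF -- "$1"
}

# prebind_check DOMAIN DC_FQDN DC_IP: live check, needs dig and scutil (macOS).
prebind_check() {
    domain=$1 dc=$2 ip=$3 rc=0
    if ! dig +short -t SRV "_ldap._tcp.$domain" | srv_targets | listed "$dc"; then
        echo "FAIL: $dc is not published in the _ldap._tcp.$domain SRV records"
        rc=1
    fi
    if ! scutil --dns | resolvers | listed "$ip"; then
        echo "FAIL: $ip is not one of this Mac's DNS servers"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: DNS is ready for a bind to $domain"
    return "$rc"
}

# On the Mac: prebind_check example.test dc1.example.test 192.0.2.10
```

A failure on the second check means the Mac is resolving names through some other DNS server (for example a home router), which will not hold the domain's SRV records.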
 
OP
entered the FQDN of my server which I entered similar to this: server2.DomainName.local - with DomainName.local representing the name of my domain.

When I enter my domain name server.domain.com I have the ability to enter my domain credentials. However, if I put server.domain.local I am not able to put in the credentials now...

In an earlier post you stated that you are also running Windows 2008 R2, so is server2.DomainName.local that Windows 2008 server, or an OS X server that you have also incorporated into your network?

-Brandon
 
Joined
Jul 24, 2013
I only have Windows 2008 R2 servers. No OS X servers. It is common practice, when setting up a network that is not going to host a registered domain that can be accessed by outside connections, to make it a .local domain. We have one building with no outside hosting. All we need is servers that provide security features, DHCP, DNS, and shared resources - printers and file storage. So if your domain is named for example - server.domain.com then that is what you put in where it asks for the name. We did not use a .com because our website is hosted off-site and is the same name as our local network, so in order to avoid confusion we used .local.

Are you setting this up on a home server or a work server? However you set up AD on the Windows 2008 server you had to name the domain - which I am assuming you set up as a .com. Also you have to use a username and password that has permission to add the computer to the AD domain on the domain server whose name you input and you are attempting to join.

Lisa
 
OP
I am doing this project at home on a home server, and I am doing the project at work as well. Double the learning :D And the username and password I have has 100 percent positive domain capabilities. I am starting to think that this is a domain configuration issue... Hmm.

-Brandon
 