Binding Macs to AD
So I now have an OD master and replica server bound to Active Directory. We had some issues with DNS scavenging and binding the Macs. It appears scavenging has taken place and removed the records for the Mac servers. They are still bound as I can log in with AD credentials. Cannot access either server via ARD. Is it as simple as just recreating the DNS records for the Mac servers?
What do your system and AD logs say when you try and login?
That'll give you a clue.
Similar Messages
-
Please help! I'm having trouble binding Mac OS X 10.4.4 to AD on MS 2003 Server.
The error I'm getting in Directory Access after I click 'Bind' is "Invalid Domain" message. But the domain is correct.
Example settings:
domain: cdt.doller.org
mac name: mmac01
Any ideas? Many thanks for your time.
The DNS settings in network configuration were not correct.
-
I thought if Nexus5K vfc interface needs to use "bind mac-address" if CNAs are not directly connected(through fip snooping).
If so, why in my testing, I can see multiple WWN login through same vfc interface?
N5K36# sh flogi d
INTERFACE VSAN FCID PORT NAME NODE NAME
fc2/1 301 0x2b0000 50:01:43:80:02:5d:19:79 50:01:43:80:02:5d:19:70
fc2/2 1 0x2e0001 20:13:00:1e:0b:83:7e:4c 10:00:00:1e:0b:83:7e:4c
fc2/3 201 0xe50003 20:53:00:02:ac:00:15:9d 2f:f7:00:02:ac:00:15:9d
vfc2005 201 0xe50100 50:06:0b:00:00:c3:1a:22 50:06:0b:00:00:c3:1a:23
vfc2005 201 0xe50200 50:06:0b:00:00:c3:1a:26 50:06:0b:00:00:c3:1a:27
vfc2005 201 0xe50300 50:06:0b:00:00:c3:1a:1e 50:06:0b:00:00:c3:1a:1f
interface vfc2005
bind interface Ethernet1/5
no shutdown
It's possible these could be virtual pwwns coming from the server connected to e1/5? What is connected to e1/5?
Vinayak -
Binding MAC 9.X workstations to Windows 2003 Active Directory
Hello all,
Has anyone achieved success with adding/binding Mac 9.X workstations to Microsoft 2003 Active Directory? We have 25 iMac 9.2.2 workstations (we cannot upgrade to Mac OS 10.X because of hardware limitations) on a Windows 2003 SP2 network. I know that it can work with Mac OS 10.X but I am looking for an OS 9.X solution.
I want to be able to apply security, printer scripts for the MAC computers using the 2003 Active Directory.
Thanks
17" Powerbook G4 Mac OS X (10.4.4) 2 gb ram
You don't need to do anything in AD other than create the user you want to log onto your Mac.
http://www.makemacwork.com/bind-to-active-directory.htm -
Binding Mac to a Windows 2000 server (Active Directory)
I have been trying to connect various Mac machines on my campus to the Active Directory on a Windows 2000 server, and I've been getting various errors. In one lab I have some iMac10,1 machines (Mac OS X ver 10.6.2) and in the other labs I have lower versions on the Mac Pro. I have seen on other forums where others were able to bind the Mac machine to Windows 2003 server, but no one mentioned Windows 2000 server. Please tell me if it's possible to add these machines to a Windows 2000 server platform.
Hi,
What is the matter? Is it a difficult problem or is it impossible to do that?
Please, if someone has any idea about this, tell me.
With thanks in advance. -
Binding Mac to a OD for hardened email access
Hi All,
Is there any way to bind any Mac to be able to access email ONLY on that Mac? This is outside the client-server architecture. That is, the Mac will be on the internet and when it contacts the server, unless it is the designated machine, the mails should not download. Is this a possibility within the native features, not involving third-party associates like tokens, certificates, etc.?
Ok, so I set up my old Xserve as my OD Master and the new mail server as a Replica... bound just fine. The master has SSL turned on with "default" certificate. I tried to log into the mail server to get mail with macmail and it gives me "mail is not enabled for this user". Netinfo is set to local only. What am I doing wrong?
-
Binding Mac OS X to Active Directory Domain
Question 1:
I've just bound a Mac (Windows File Service) to a W2K3 domain controller. After that I will configure the Mac share point using the W2K3 domain's account. From Mac Workgroup Manager I can't find the Active Directory account; conversely, from W2K3 Explorer I can't add Active Directory users or groups to the Mac sharing object. Did I miss some steps for Active Directory binding?
Question 2:
Why can't I unbind my Mac (Windows File Service) from W2K3 Active Directory clearly? I have to use Force Unbind, and after that I cannot rebind to that Active Directory. Is some component or driver missing from my Mac?
Thought I might add...
I keep getting folders in Trash as well named recovered, there are a couple of them. I think this may be if the machine is dropping off the network. (but not sure)
different models Mac OS X (10.4.8) -
Does anyone have a terminal script that can bind Macs to AD?
Looking to use terminal to bind our Macs to AD. Is there anyone who has done this process before?
Thanks for the help!
Personally, we use Casper Suite and that works well especially since it's a 'set and forget' sort of thing. But I did find this. I've used some of these commands and this looks thorough.
PLEASE BE SURE TO TEST IN YOUR TEST AD ENVIRONMENT!!
#!/bin/sh
############################ AD_Bind_ARD ###########################
# Patrick Gallagher | [email protected]
# http://macadmincorner.com/bind-to-ad-using-apple-remote-desktop/
# This is a script that will bind a Mac to AD from ARD.
# Modified from Mike Bombich's ad-bind-login-tiger.sh script
# which can be found at http://www.bombich.com/mactips/scripts.html
# Needs to be modified for your environment
computerid=`/usr/sbin/scutil --get LocalHostName`
# Standard parameters
domain="domain.school.edu" # fully qualified DNS name of Active Directory Domain
udn="username" # username of a privileged network user
password="password" # password of a privileged network user
ou="CN=Computers,DC=domain,DC=school,DC=edu" # Distinguished name of container for the computer
# Advanced options
alldomains="enable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="enable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp' or 'smb' change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="disable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="disable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-nopreferred" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="YOURDOMAIN\domain admins" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\mac admins")
# Login hook setting -- specify the path to a login hook that you want to run instead of this script
### End of configuration
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
sleep 5
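# Bind to AD
# Note: -p passes the password as a command-line argument, so it is visible in the
# process list while dsconfigad runs, and it sits in clear text in this script.
dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou"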
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]; then
dsconfigad -nogroups
else
dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol \
-mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath \
-shell $user_shell $preferred
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall DirectoryService
# Add the AD node to the search path
if [ "$alldomains" = "enable" ]; then
csp="/Active Directory/All Domains"
else
csp="/Active Directory/$domain"
fi
#dscl /Search -create / SearchPolicy CSPSearchPath
#dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
#dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
#dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
# This works in a pinch if the above code does not
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Policy" -int 3
plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
-
Error binding mac os x 10.7 to server 2008 standard
Hi guys,
I have an issue... I have to join a MBK Pro to a server and below are the details:
I have Mac OS X 10.7.4 with the latest updates installed on the MBK Pro and I have a Windows Server 2008 Standard Service Pack 2.
When I tried to join the domain it returned an authentication error. I tried every possibility but in vain... has anyone out there tried it before?
You could try booting from an external USB hard drive and using a data recovery utility like Data Rescue X. Your mileage will vary depending on the circumstances. I would only try recovering data files and not recover the whole system. No sense fooling with an OS when it is trivial to reinstall and know it is working. Make an image of a freshly configured OS to aid in recovery like this.
Retrieve your documents & preferences if you are lucky. The data may still be there, but file names and other meta data may not be recoverable. If file names are not recoverable, then you will have tons of files to sort through trying to make sense of what is what. They are sorted by type, but you will be surprised at the number of such files used by the system and in temp/cache files. I recently had a case where someone deleted a bunch of files and then emptied the Trash. I got the files back, but with no file names. I was unable to find a way to retrieve the file names and even asked a forensic recovery expert for any reasonably priced software to do it.
If this is your only Apple computer and you need to make a bootable external drive, then make sure to install OSX on the external drive and not on the internal drive you are trying to recover. -
Static binds, MAC vs Client ID?
On the SG300 & 500 I always seem to have issues with devices that have reserved IPs. It seems if I enter its MAC in the reservations table, for some devices it won't receive the assigned IP until I remove the MAC and use a Client ID instead, but on other devices if I use a client ID in the table it won't receive the proper IP until I remove the client ID and enter its MAC. When using dumber devices that only allow a MAC in their reservation tables it always used to work but on these switches it seems to be a crap shoot. Why?
Hey Vini, please see-
https://supportforums.cisco.com/thread/2217882
https://supportforums.cisco.com/thread/2253559
-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/ -
Hello!
I am having a problem configuring a WLC 5508. In the security options I applied mac-filtering and it works fine.
Now I need to configure IP-MAC address binding. I tried both the GUI and CLI methods but it is not working. While configuring mac-filtering in the GUI there is an option to define an IP address; after defining IP address xx.xx.xx.xx for device xx it is not picking that particular IP from the pool.
mac-filtering is still working with out issue.
Also tried with cli.....
Looking through the configuration guide i tried every possible ways but couldn't get any resolution.
mac-binding, mac-filtering is enable,
What will be the possible causes of this?
does it support mac-ip binding in its local database?
I would be thankful in your any suggestions and advises!
Nikhil
Thanks for the reply, David.
Currently users are authenticated by MAC address and we want IP-MAC based authentication on the Cisco 5508 controller.
We are facing a problem that instead of the IP-MAC pair only the MAC address is authenticated.
Can you guide me on how I can authenticate an IP-MAC pair on the Cisco 5508 controller?
Or is this possible on the Cisco 5508 controller, as it is showing an IP address field in the GUI option?
I am waiting for your reply. -
MAC Filter Binded to a Particular Username
Hi,
I have a specific requirement to bind MAC address of a particular user to the username (Using EAP-FAST with ACS 4.2). The user should be authenticated only if he is using the particular client adapter (MAC address) with correct username.
I have one 2125 WLC with 1130 APs.
Thanks.
This discussion area is for Apple routers actually.. and although it gives lots of problems it doesn't tend to not appear at all..
You are posting in the wrong area.. since this is a laptop error or more likely a purely Yosemite issue..
So lets see what we can do.. Not all wireless is created equal.
Beetel (ADSL2 + Router)
Please set the wireless in this router to a different name, short, no spaces and pure alphanumeric.... set to a fixed wireless channel eg.. 8 or 9 for 2.4ghz and turn off all wireless security. Especially you must not hide the wireless.. this is just a test to run for a couple of minutes.. then you can change the name and security back again.. it is to prove compatibility. This reduces the wireless to its lowest common denominator and if it cannot connect on these settings it never will.
Reboot the Mac and scan for wireless again.. no luck I would say the Mac wireless is simply unable to connect to the particular wireless chip type in the Beetel.. The solution is to plug an Apple router into the beetel and use it in bridge mode.. and create a wireless network.. then the Mac will have less (cannot say No issues). -
Binding to Active Directory - strongauthrequired
I am trying to bind a 10.4.3 machine to a Windows 2000 Active Directory, but experiencing problems.
The Active Directory plugin hits step 5 then displays "Unable to access domain controller: This computer is unable to access the domain controller for an unknown reason".
A look at the contents of ./Library/Preferences/edu.mit.Kerberos shows that the machine has got the correct Domain Controllers for the domain (albeit rather odd choices, on sites that are some distance away).
I've captured the traffic using TCPDump and analysed on a WinXP box using Ethereal, and it seems that the Bind request is being answered by:
'Bind Result, StrongAuthRequired'
with further info in the packet:
'The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v893'
I've analysed the traffic of an XP machine binding as well, and it seems that at exactly the same point it receives a 'bind success' packet. The only obvious difference I can see is that the OS X box shows the SASL mechanism as GSSAPI, and the XP machine shows it as GSS-SPNEGO.
They are both using port 389 (which certainly doesn't imply the use of SSL).
I've investigated the frequently mentioned 'Digitally sign client communication' Domain Security Policy settings, and have replicated them in my test network (which has been tested with default settings and the machine binds successfully), and that still results in a successful bind so I'm not convinced they are related.
If anyone else has any other suggests they'd be greatly appreciated!
iBook Mac OS X (10.4.3)
We've now got to the bottom of this problem, it's due to a particular policy which demands all clients sign their LDAP communications.
This setting doesn't appear in the Windows Domain Policy unless you're using a 2003 MMC snap-in, which certainly added to the time it took me to diagnose the problem (Apple's phone support simply said "we don't support the AD module").
In case anyone else has the same issue, the registry key in question is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
When the key exists and is set to '2' (I'm unsure what '1' would do at present) OS X clients will receive the following sequence of packets when binding:
Mac: Bind Request
Domain: SASLBindinprogress
Mac: ACK
Domain: SASLBindinprogress
Mac: ACK
Domain: Bind Result = Fail; StrongAuthRequired
I'd be interested to hear the official line on this, as it appears that we are now in a situation where we need to reduce our domain security level if we want Macs to be able to bind.
iBook Mac OS X (10.4.3) -
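The bind exchange described in the thread above, decoded from raw LDAP messages, as an added example that is not part of the original posts. It parses a BindResponse per RFC 4511, where result code 8 (displayed by Ethereal as StrongAuthRequired) is named strongerAuthRequired; the sample messages are constructed and all function names are illustrative.

```python
# resultCode values from RFC 4511 that appear in the exchange described above.
RESULT_CODES = {0: "success", 8: "strongerAuthRequired", 14: "saslBindInProgress"}


def read_tlv(buf, pos, want):
    """Return (value_bytes, next_pos) for the BER element at pos, checking its tag."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER value runs past end of buffer")
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Parse one LDAPMessage carrying a BindResponse into a dict."""
    body, _ = read_tlv(msg, 0, 0x30)        # LDAPMessage SEQUENCE
    msg_id, pos = read_tlv(body, 0, 0x02)   # messageID INTEGER
    op, _ = read_tlv(body, pos, 0x61)       # BindResponse [APPLICATION 1]
    code, pos = read_tlv(op, 0, 0x0A)       # resultCode ENUMERATED
    _dn, pos = read_tlv(op, pos, 0x04)      # matchedDN
    diag, _ = read_tlv(op, pos, 0x04)       # diagnosticMessage
    code = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "code": code,
        "name": RESULT_CODES.get(code, "other"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def signing_rejected(result):
    """True when the server refused the bind because it was neither signed nor encrypted."""
    return result["code"] == 8


def ber(tag, value):
    """Encode one BER element (used only to build the constructed samples)."""
    n = len(value)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + head + value


def bind_response(msg_id, code, diag=b""):
    op = ber(0x0A, bytes([code])) + ber(0x04, b"") + ber(0x04, diag)
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x61, op))


# Constructed samples mirroring the post: two in-progress replies, then the refusal.
DIAG = rb"The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v893"
SAMPLES = [bind_response(1, 14), bind_response(2, 14), bind_response(3, 8, DIAG)]

if __name__ == "__main__":
    for raw in SAMPLES:
        r = parse_bind_response(raw)
        print(r["message_id"], r["name"], "SIGNING REQUIRED" if signing_rejected(r) else "")
```

A client that receives code 8 on port 389 has to negotiate SASL integrity (signing) or connect over TLS; the constructed samples omit the optional serverSaslCreds field that real in-progress replies carry.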
Hi
How do I bind a Mac to a Windows domain?
I would appreciate it if you provide me the steps.
Hi, see if this site can help, very good step by steps if they have what you're looking for...
http://www.ifelix.co.uk/tech/ -
AP 2700 - 2 MAC addresses - problem with joining to the WLC
Hi,
I had a problem with joining my new AP 2700 to the controller. I've found workaround but I would like to ask you if you know if this behavior is a some kind of bug or maybe feature :)
I have DHCP server which assigns IP address base on the binding MAC address with the IP address. Without binding, IP won't be assigned so I added MAC address from the AP sticker (MAC and SN number is on the sticker at the back of each AP) to the DHCP, connected AP to the switch port which was configured exactly the same way like other ports on this switch where older AP are working fine and.... nothing. IP address was not assigned. There was no DHCP request in the DHCP server logs.
During the investigation I've found that AP present 2 MAC addresses on the switch interface:
switch#sh mac address-table interface fa1/1
Mac Address Table
Vlan Mac Address Type Ports
11 58f3.54c1.2cb3 DYNAMIC Fa1/1
11 58f3.54c1.2cb4 DYNAMIC Fa1/1
The first one (58f3.54c1.2cb3) is a "sticker" MAC address but the second one (58f3.54c1.2cb4) is something new. Looking in to the DHCP logs I've found log that this second MAC address (58f3.54c1.2cb4) tried to get IP address but it was not possible because this MAC was not binding with any IP address so DHCP server refuse. I added this second MAC (58f3.54c1.2cb4) to the DHCP server, AP get IP address, join to the WLC, download software, reboot and ... this MAC address disappear.
switch#sh mac address-table interface fa1/1
Mac Address Table
Vlan Mac Address Type Ports
11 58f3.54c1.2cb3 DYNAMIC Fa1/1
Software I had on the AP before joining to the WLC was:
Version :
Cisco IOS Software, C2700 Software (AP3G2-RCVK9W8-M), Version 15.2(4)JB5, RELEASE SOFTWARE (fc1)
now I have (after downloaded from the WLC)
Version :
Cisco IOS Software, C2700 Software (AP3G2-K9W8-M), Version 15.2(4)JB6, RELEASE SOFTWARE (fc1)
Does anyone know what happened?
(WLC1) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.6.130.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.95.16
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
Build Type....................................... DATA + WPS
System Name...................................... WLC1
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 10.10.10.10
Last Reset....................................... Software reset
System Up Time................................... 25 days 2 hrs 53 mins 5 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +44 C
External Temperature............................. +22 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Disabled
Number of WLANs.................................. 6
Number of Active Clients......................... 25
Burned-in MAC Address............................ XX:XX:XX:XX:XX:XX
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 25
(WLC1) >show time
Time............................................. Thu Apr 9 13:51:00 2015
Timezone delta................................... 0:0
Timezone location................................
NTP Servers
NTP Polling Interval......................... 3600
Index NTP Key Index NTP Server NTP Msg Auth Status
1 0 10.10.10.11 AUTH DISABLED
It looks like the AP doesn't allow console login or commands; it only shows activity. After rebooting the WLC I get this information:
Cisco IOS Software, C2700 Software (AP3G2-RCVK9W8-M), Version 15.2(4)JB5, RELEASE SOFTWARE (fc1)