Active Directory craziness

BGW

This may not be the most appropriate venue for this question, but I'm asking everywhere I can think of:

We've got a mix of iMac G5 and PowerMac G5 machines running on a Windows 2003 network. They were bound to the domain and everything was working splendidly as far as AD is concerned. Earlier this week, we retired our old Primary Domain Controller; since then, we're unable to log into a Mac with an Active Directory account. If we log in with a local account, we can browse the internet, see all network resources...we can even connect to shares on Windows PCs and authenticate using AD accounts. If we try to unbind, we get an "unable to access domain controller" error. Forcing the unbind works, but trying to re-bind generates the same error. I've tried it on 10.4.4, 10.4.5 and 10.4.7 with the same results. I've wiped clean and installed Tiger fresh on a machine, I've even moved to a couple of different locations just to eliminate a switch or fiber connection as the culprit. None of this made a difference.

I've gone over the new PDC with a fine-toothed comb, and made some policy changes based on some stuff I read at macwindows.com, but all to no avail. Any ideas what might be the sticking point? Any and all help is greatly appreciated!
 
Hi BGW,
We recently integrated our Macs with a new PDC and AD environment, and I had one day of panic when I couldn't for the life of me bind the darn things to the PDC. The cause turned out to be that the two network adapters on the PDC were in the wrong priority order, i.e. the external one (which would not allow binds to the internal domain) was first. Macs trying to bind would get hung up on that until we changed the priority order. Sorry I can't recall where that was done, but a bit of monkeying in the Network Control Panel would find it.

Still, I don't think this is your problem because it sounds to me like you're having trouble binding before step 5 of the process - is it step 1 or 2, perhaps? In cases like this I would look at the Windows environment, not the Mac, especially since you've tried it from three OS X configs with the same results. Not finding the PDC to bind to makes me think to inspect two or three places:
  • DNS records - does the PDC have a proper forward and reverse DNS entry? Can you ping it by IP and by FQDN from the Macs? If not, get those records in thar!
  • Active Directory admin tools - does the PDC show up here in all ways it should? Are you sure it's been fully promoted to a DC? I don't know enough about AD to spout all the steps by memory, but it sounds like you're proficient enough to check on this yourself (and probably already have).
  • DHCP - are you handing out info about the PDC, or gateway, or any other important servers via DHCP? Maybe something is missing in those settings, a key piece of info that the Mac uses to find the PDC and bind to it.

I honestly don't think Group Policy would be interfering at this point - this problem feels deeper and more fundamental than those two "digitally signing" settings that I know you have to disable. I would get back to networking basics and make sure the Mac can legitimately see the server, and that the server is actually recognized and publicly identified as a PDC to all comers.

Good luck. I know how frustrating this can be from very recent experience...

-MacDoug
 
I finally discovered the culprit. On the PDC, I had to change LDAP Server signing policies to "None" to get it to work. A fairly obscure setting, I think, but all's finally well.
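An added diagnostic script (not from the thread, nor from any Apple or Microsoft tool) that works through MacDoug's checklist from the Mac side and then probes the setting BGW changed. "Domain controller: LDAP server signing requirements" set to Require signing makes the DC answer an unsigned, non-TLS simple bind with LDAP result code 8 (strongAuthRequired); setting it to None makes the DC accept unsigned binds from every client, which leaves LDAP traffic open to tampering on the wire, so it is worth knowing whether signing is the thing in the way before weakening it. The script locates DCs through the `_ldap._tcp.dc._msdcs` SRV record, checks forward and reverse DNS and reachability for each, reads the rootDSE anonymously, and, if given credentials, attempts a plain simple bind and classifies the result. `example.local` and the bind DN are placeholders; it assumes the Mac's resolver points at the AD DNS server and that `dig`, `ping` and `ldapsearch` (all shipped with OS X) are on PATH.

```shell
#!/bin/sh
# Added example, not part of the original thread. Run from the Mac (or any Unix
# box on the same network) to check DC discovery and whether the DC enforces
# LDAP signing. Assumes the resolver points at the AD DNS server and that dig,
# ping and ldapsearch are on PATH. "example.local" and the bind DN are placeholders.

# Pull target host names out of `dig +short SRV` output, whose lines look like
# "0 100 389 dc1.example.local." (priority weight port target).
parse_srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# ldapsearch exits with the LDAP result code of the failed operation.
# 8 = strongAuthRequired: the DC refused an unsigned simple bind, which is what
# "LDAP server signing requirements = Require signing" does on a plain
# (non-TLS) port 389 connection.
classify_bind_result() {
    case "$1" in
        0)  echo "bind-accepted-unsigned" ;;
        8)  echo "dc-requires-signing" ;;
        49) echo "invalid-credentials" ;;
        *)  echo "other-error-$1" ;;
    esac
}

# Forward/reverse DNS, reachability, anonymous rootDSE read, and (optionally)
# a credentialed simple bind probe against one DC.
check_dc() {
    host="$1"; bind_dn="$2"; bind_pw="$3"
    printf '== %s\n' "$host"
    ip=$(dig +short A "$host" | head -n 1)
    if [ -z "$ip" ]; then
        echo "   A record : MISSING (the Mac cannot resolve this DC)"
        return 1
    fi
    echo "   A record : $ip"
    ptr=$(dig +short -x "$ip" | head -n 1)
    echo "   PTR      : ${ptr:-MISSING}"
    if ping -c 1 "$host" >/dev/null 2>&1; then
        echo "   ping     : ok"
    else
        echo "   ping     : FAIL"
    fi
    # Anonymous rootDSE read: proves the LDAP service answers at all.
    ldapsearch -x -H "ldap://$host" -b "" -s base defaultNamingContext >/dev/null 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "   rootDSE  : ok"
    else
        echo "   rootDSE  : FAIL (rc=$rc)"
    fi
    # Credentialed simple bind with no TLS. A DC that requires signing answers
    # with result code 8 here; that is the condition to fix on the client side
    # (signing or LDAPS), not by lowering the DC's policy to None.
    if [ -n "$bind_dn" ]; then
        ldapsearch -x -H "ldap://$host" -D "$bind_dn" -w "$bind_pw" \
            -b "" -s base defaultNamingContext >/dev/null 2>&1
        rc=$?
        echo "   bind     : $(classify_bind_result "$rc")"
    fi
}

main() {
    domain="$1"; bind_dn="${2:-}"; bind_pw="${3:-}"
    srv="_ldap._tcp.dc._msdcs.$domain"
    dcs=$(dig +short SRV "$srv" | parse_srv_targets)
    if [ -z "$dcs" ]; then
        echo "No SRV records for $srv: clients cannot locate a DC; fix DNS (or the"
        echo "DNS server handed out by DHCP) before touching the Macs."
        return 1
    fi
    echo "DCs advertised for $domain:"
    for dc in $dcs; do
        check_dc "$dc" "$bind_dn" "$bind_pw"
    done
}

if [ $# -eq 0 ]; then
    echo "usage: $0 domain.fqdn [bind-dn password]" >&2
else
    main "$@"
fi
```

Typical use is `sh check-dc.sh example.local 'someone@example.local' 'password'`. If the SRV lookup returns nothing, the Mac has no way to find a DC and the problem is DNS or the DNS server DHCP is handing out, exactly the places MacDoug points at. If the SRV, A and PTR records are fine, the rootDSE read succeeds and only the credentialed bind comes back as `dc-requires-signing`, then the DC is doing its job and the client is the side to fix; the probe sends the password in the clear over port 389, so run it on a test account and only on the network you are diagnosing.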

Spread that fix far and wide. I have personally seen numerous threads about almost the same problem. So please spread the knowledge. One more thing, if you get the time to do a knowledge email, go over to MacWindows.com and submit your story & fix.

As soon as I have a few spare moments, I'm going to do just that. Thanks for the reminder!