We just recently rolled out Active Directory with kerberos to our PC
users (98% of our systems, NT through XP OSes) and all is finally
well there. Now I get my turn to join the few Macs we have to A.D.
and I keep getting this error every time I try and bind my machine to
our Win2003 Active Directory domain server. This did not happen when
we originally ran A.D. tests against my system in our test lab
(surprise surprise). Everything worked perfectly there.
[...]
I had the same problem back in November. Paul Nelson, of Thursby
Software, posted this solution which worked perfectly. Just a note: In
step 3, be sure to activate advanced features (found in view-menu), or
you won't see the security tab.
--erik
*********
Here is a good practice for setting up permissions to join a domain:
1) Create a security group (I named mine "join").
2) Create an OU that new computers will be placed into (I named mine
"NewComputers").
3) Using the Active Directory Users and Computers MMC, right-click on
the OU where you will be adding new computers, select "Properties",
then click on the Security tab in the dialog that appears.
4) Click the Add button, enter the name of your new security group
(mine was named "join"), then click OK.
5) Don't change any checkboxes in the permissions list!
6) Click Advanced, then locate your security group ("join") in the
list. Click on it, then click Edit...
7) Check the checkboxes for "Create Computer Objects" and "Delete
Computer Objects", but don't change any other checkboxes, then click
OK.
NOTE: If you repeat this step, you will probably NOT see the checkboxes
checked, and you will think that your settings were not saved. This is
because you are a Mac user and it would make sense for you to see the
checkboxes checked. (The force is too strong for you - don't try to
resist :-) Instead, click the Advanced button, then click the Effective
Permissions tab, then click Select..., enter the name of your security
group and click OK. Now you will see the exact permissions that your
group has, and "Create Computer Objects" and "Delete Computer Objects"
should be checked.
8) Now add the desired users to your security group ("join").
9) Now test to make sure your stuff is secure using the following steps:
10) Make sure that you CAN'T join the domain using a regular user
account. I do this by skipping step 8 (adding a user to the security
group) and trying to join (should fail), then I add the user to my
security group and try again (should work).
11) Make sure you CAN'T join the domain, creating the computer account
in the default location (CN=Computers...), using a user you added to
the "join" group.
12) Make sure you CAN join the domain, creating the computer account in
the OU you configured ("NewComputers") in steps 2-7.
13) Make sure you CAN un-join the computer from the domain too.
Remember that you need to supply the distinguished name for the OU that
will contain the new computer account. Remember that the default one is
"CN=Computers", but one you create will be "OU=NewComputers". It is a
common mistake to switch CN and OU when working with LDAP-based stuff.
Also remember that it takes time for a new computer account to
replicate to all the domain controllers and global catalog servers in
your domain/forest.
ADmitMac will try very hard to talk to the same domain controller that
is in your site, and will use it for Kerberos and LDAP operations.
Apple allows you to specify a DC. This can magically make some problems
go away when joining, but will prevent your Mac from working if the DC
goes down for maintenance because the Apple plug-in won't switch to
another available DC. You might consider setting the specific DC when
joining the domain, and then changing it back after the join has
succeeded.
Rebooting the Mac can cause it to switch to a different DC for your
site (assuming you have more than one), and that DC might not know
about the computer account yet. You can force replication using the
"repadmin" command on one of your domain controllers. "repadmin" has
lots of options, and you should be careful using it if your network has
sites at the other end of WAN links because replication will use
network resources.
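The delegation described in steps 1-7, and the read-back that the NOTE recommends instead of trusting the checkbox view, can also be done from PowerShell on a domain controller. The script below is an added example written for this thread; it is not Paul Nelson's, Thursby's or Apple's code. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, so not the Windows 2003 era the thread is about), a domain named example.com, and the group and OU names used in the post ("join", "NewComputers"). The ACE is scoped to the schema GUID of the computer class so the group can create and delete computer objects and nothing else, and it is applied to the OU itself only; the manual join and un-join tests in steps 10-13 are still done by hand.

```powershell
# Added example (not from the original thread): delegate "Create Computer
# Objects" and "Delete Computer Objects" on one OU to a security group, then
# read the resulting ACEs back the way the Effective Permissions tab does.
Import-Module ActiveDirectory

$Domain    = "DC=example,DC=com"   # assumed domain; replace with your own
$OuName    = "NewComputers"        # names taken from the post
$GroupName = "join"

# Steps 1-2: the security group and the OU that will hold new computer accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Path "CN=Users,$Domain"
}
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'")) {
    New-ADOrganizationalUnit -Name $OuName -Path $Domain
}
# Note the OU= prefix: CN=Computers is a container, an OU you create is OU=...
$OuDN = "OU=$OuName,$Domain"

# schemaIDGUID of the "computer" object class; scoping the ACE to it means the
# group can create/delete computers in this OU but not users, groups, etc.
$ComputerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

# Steps 3-7: add one ACE for the group. The rest of the OU's ACL is untouched,
# which is what step 5 ("don't change any checkboxes") is asking for.
$GroupSid = (Get-ADGroup $GroupName).SID
$Acl      = Get-Acl -Path "AD:\$OuDN"
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
            [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    $Rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)  # this OU only
$Acl.AddAccessRule($Ace)
Set-Acl -Path "AD:\$OuDN" -AclObject $Acl

# The post's NOTE: the basic Security page may not show the boxes ticked.
# Read the ACEs back from the directory instead and confirm exactly what the
# group holds: CreateChild and DeleteChild, limited to the computer class.
$Acl = Get-Acl -Path "AD:\$OuDN"
$Acl.Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" -and
                   $_.ObjectType -eq $ComputerClassGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType |
    Format-List
```

Run it as an account that can modify the OU's security descriptor. The final Format-List should show exactly one Allow entry for EXAMPLE\join with ActiveDirectoryRights of "CreateChild, DeleteChild" and ObjectType equal to the computer class GUID; anything broader than that (GenericAll, or an empty ObjectType meaning "all child classes") is more than a join account needs and is worth removing before moving on to the join tests.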