Solved

Joining Mac OS X Version 10.6.4 to windows server 2008's Active Directory

Posted on 2010-08-21
Last Modified: 2012-05-10
hi everybody,

Actually I am not an expert in either Mac or Windows, but I really want to learn about computers. Right now I am doing a small project; for that I bought Windows Server 2008 Standard edition, a desktop computer and a MacBook Pro. I am using VMware Fusion for the Windows clients. Everything was working fine, as I have created a domain and installed Vista clients and joined them to the domain with no problem. But now when I am trying to join the Mac to my domain it is giving me the following error message.

An invalid Domain and Forest combination was specified. You should enter a fully qualified DNS name for the domain and forest.

I have also attached my error and Directory Utility screen. I don't know what I am doing wrong; maybe I am making some foolish mistake, as I just started using a Mac last week. I will really appreciate it if somebody will solve my problem. Thanks in advance.

Screen-shot-2010-08-21-at-11.12..png
Question by:naushadjadoon
6 Comments
 
LVL 6

Accepted Solution

by:
evanmcnally earned 500 total points
ID: 33492801
I support Active Directory professionally, and have a couple of Macs at home -- never really tried to put them together before, but I walked through your steps and joined my domain with no problems (10.6.4 OS X).

Here are some things to check:

Assuming you have DNS and AD configured and working on your server -- does your domain resolve to the IP address of your server?  (On the Mac, if you ping naushad.com does it reply with the correct address for your 2008 server?)

Note as well that the 2008 server should point to its own IP address for DNS in its network settings.

Does the Mac have its primary DNS server set to the address of your 2008/AD computer?  Not sure if it matters, but on my Mac I have the AD domain name entered as a secondary search domain in the Network system preference.

Any problem connecting to a file share on the 2008 box from the Mac?  (You should be able to do this regardless of whether it is joined to the domain.)

I suspect you should be double-checking your DNS on server and client; it sounds like that is the likely problem.
 
LVL 12

Expert Comment

by:geowrian
ID: 33492819
I agree it is likely a DNS issue. Beyond that, did you try specifying the forest as naushad.com instead of using the automatic setting?
 

Author Comment

by:naushadjadoon
ID: 33492943
Thank you very much, both of you; it worked. There was a problem with my DNS, but I still don't understand why it was not working before, because the IP address of my DNS was there with my ISP's DNS IP address. I just changed the location of these addresses: before, the ISP DNS IP address was at the top, so what I did was put that address at the bottom and it worked. As you are an expert, can you please tell me the reason, if there is any? I have attached a picture of the current settings. You can see the top 2 IP addresses are my DNS server's IP addresses and the third one is the ISP's DNS IP address; before it was vice versa. Also I logged in with my domain admin and still I cannot change the settings of the Mac. It is saying that it needs an admin user name and password, and when I put in my domain admin user name and password it's not working. Are there limits on the Mac when it joins the domain? Because in Windows you can change any settings you like if you are a domain admin.

Thanks a lot again.
Screen-shot-2010-08-22-at-12.58..png
 

Author Closing Comment

by:naushadjadoon
ID: 33492951
I am really thankful to evanmcnally.
 
LVL 6

Expert Comment

by:evanmcnally
ID: 33492999
The order of the DNS servers matters greatly.  In general, Active Directory clients must have a domain DNS server as their primary DNS server.  DNS is fundamental for the AD client to locate a domain controller and global catalog server in order to log on to the domain.  Windows AD adds SRV/resource records to DNS to allow AD to function, and it is these which both clients and servers use to find the things they need.  If your ISP's servers are first, then the client just gets a lookup failure on your domain from the first ISP server and gives up without going down the list.  The purpose of multiple DNS servers configured on the client is in case the primary is down/unreachable, not so that the client will try them each in order.

Best practice is not to have your ISP's DNS servers configured on the client.  Instead, you want to configure the DNS service on your 2008 server to do forward lookups on behalf of the client.  So basically, the client always asks the 2008 server, and if the 2008 server does not already have knowledge of what the client is asking, then it asks the ISP servers on behalf of the client and returns the result to the client.  This is configured in DNS Manager on the 2008 server under properties of the server > Forwarders.  Optionally, you can use Root Hints instead of or in addition to forwarders -- but which to use is getting off topic, because either will work.

As far as admin rights on the Mac derived from AD, I attached a screen shot of this setting.  If that is still not working, then the Mapping tab may help (maps Unix groups in OS X to Windows groups in AD).  Not quite sure!
Voila-Capture12.jpg
Voila-Capture14.jpg
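The two points in the accepted answer and the follow-up above (the domain name must resolve from the Mac, and the first resolver in the list is the only one that matters for AD lookups) can be turned into a repeatable check. The script below is an added example and is not from the thread or from either expert; it goes beyond the thread by naming the specific SRV records an AD client queries when it locates a domain controller and global catalog, which the answer mentions only in general. The domain name naushad.com is the one used in the thread; any resolver addresses passed in are assumptions supplied by whoever runs it. The live query part needs dig, which OS X ships.

```shell
#!/bin/sh
# Added example: check that a resolver can answer the SRV lookups an Active
# Directory client performs. Not part of the original thread.

# Print the SRV record names an AD client looks up to locate a domain
# controller, Kerberos KDC, password-change service and global catalog.
# Arguments: domain, forest (forest defaults to the domain).
ad_srv_names() {
    domain="$1"
    forest="${2:-$1}"
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$domain" \
        "_kerberos._tcp.dc._msdcs.$domain" \
        "_kerberos._tcp.$domain" \
        "_kpasswd._tcp.$domain" \
        "_gc._tcp.$forest"
}

# Query one resolver for every AD SRV record and print OK/FAIL per record.
# Returns non-zero if any record went unanswered. Arguments: resolver IP,
# domain, forest (optional).
check_resolver() {
    server="$1"; domain="$2"; forest="${3:-$2}"
    status=0
    for name in $(ad_srv_names "$domain" "$forest"); do
        # +time/+tries keep a dead resolver from stalling the whole check.
        answer=$(dig @"$server" +short +time=2 +tries=1 SRV "$name" 2>/dev/null || true)
        if [ -n "$answer" ]; then
            printf 'OK    %s via %s -> %s\n' "$name" "$server" \
                "$(printf '%s\n' "$answer" | head -n1)"
        else
            printf 'FAIL  %s via %s (no answer)\n' "$name" "$server"
            status=1
        fi
    done
    return $status
}

# The first configured resolver is the one that decides whether the join
# works: a client that gets NXDOMAIN from it does not fall through to the
# next entry. Arguments: domain, then the resolvers in their configured order.
# Returns 0 only if the first resolver answers every AD SRV record.
first_resolver_is_ad() {
    domain="$1"; shift
    first="$1"
    [ -n "$first" ] || return 1
    check_resolver "$first" "$domain" >/dev/null
}

# Usage (resolver addresses are placeholders, not values from the thread):
#   first_resolver_is_ad naushad.com 192.0.2.10 198.51.100.1 \
#       && echo "first resolver is AD-aware" \
#       || echo "reorder DNS servers: the AD server must be listed first"
```

Run it once with the resolvers in the order the Mac's Network preference lists them; if the ISP address is first the check fails exactly the way the join did, and moving the 2008 server to the top makes it pass. For the admin-rights question in the same comment, `dsconfigad -show` on the joined Mac prints the current AD binding options, including which AD groups are allowed to administer the machine, so the setting in the attached screenshot can be confirmed from the command line.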
 

Author Comment

by:naushadjadoon
ID: 33493052
Thanks a lot; I really appreciate that you shared your knowledge. Thanks again.
