Solved

iMac Domain Computer Issue

Posted on 2014-10-29
11
322 Views
Last Modified: 2014-10-31
Hi Experts!

I have a new iMac in the environment. I've given it a static IP on our network and then joined it to the domain using an administrator account. The problem I'm having is that when I join the iMac to the domain, it doesn't create a computer account for the iMac in Active Directory. I've tried disjoining it and re-joining with a new OU path for it to place the computer account in, and that hasn't worked. I've also logged the call with Apple to investigate further. I had this issue on Mavericks and I still have it on Yosemite. I already have 2 iMacs and a MacBook Pro in the environment which started on Mavericks and joined the domain fine, with the computer account being created successfully.

HELP!!!
0
Comment
Question by:Rizzle
11 Comments
 
LVL 34

Assisted Solution

by:Gary Patterson
Gary Patterson earned 100 total points
ID: 40411400
Not my area of expertise, but have you tried just manually creating the AD Computer account first, and then joining the iMac to the domain?
0
 
LVL 13

Author Comment

by:Rizzle
ID: 40411409
Hi Gary,

Tried that and AD stated the computer already exists? but when I do a search of the entire directory/domain the machine doesn't appear.
0
 
LVL 27

Expert Comment

by:serialband
ID: 40412056
Where are you looking in AD?  I think it places it into the default Computers OU or the OU the user account you use defaults to.
0
 
LVL 10

Assisted Solution

by:schaps
schaps earned 400 total points
ID: 40412279
"Tried that and AD stated the computer already exists? but when I do a search of the entire directory/domain the machine doesn't appear." When are you doing this search? After creating the computer record but before attempting to bind the machine to AD? If you pre-create the computer account and then bind the Mac, it should give the "already exists" error, but it still allows you to join it with the current computer (It's just a safety feature to avoid overwriting computer accounts). Or does the bind process make it disappear from search?

Put it this way, if you create the computer record manually, you should be able to search for it and find it before attempting to bind the Mac. Then approve the "already exists" join, and you should still be able to find it in a search. If not, I am not sure it's a Mac issue.
A few important questions to answer:

Are you using a .local domain?

Is IPv6 disabled? If not, while logged in as local admin on Mac, open Terminal, type "sudo networksetup -setv6off Ethernet" and enter the admin password when prompted.

Are you using a read-only DC?

Is the Mac's Unique AD-Name less than 16-Characters?

Also, DNS can play a part. How to check that:  http://support.apple.com/kb/HT3394
0
 
LVL 13

Author Comment

by:Rizzle
ID: 40412745
I've searched the entire directory in AD. Also, I disjoined it from the domain, then prestaged the computer account, then joined the iMac to the domain using a different domain admin account, and the message did come up stating the computer already exists and I then pressed OK. BUT when you check the computer account in AD there is no information for it, like the operating system the computer has.

I very highly doubt this is an issue in our domain, as we have joined 2 iMacs and 1 MacBook Pro to the domain in the same way and the computer account is created when the machines are joined to the domain.

No, we don't use .local

We don't use IPV6 so this is irrelevant

No we aren't using an RoDC

Yes the iMac's Hostname is less than 16 characters

DNS is fine.
0
 
LVL 13

Author Comment

by:Rizzle
ID: 40412752
Also, I can log in to the iMac fine, and I've asked 3 other users on our domain to log in and it logs in fine?!?

Just concerned in terms of the secure channel between this iMac and the domain, because the computer account still doesn't have any info on the iMac, which isn't looking healthy.
0
 
LVL 34

Expert Comment

by:Gary Patterson
ID: 40413124
Any chance that this system has a duplicate SID with another system in the domain?  Was it cloned from another system that was already joined to the domain?  If so, then computer name isn't what is tripping that "duplicate" error.

I'd try to unbind from AD, delete the computer account, allow time for AD replication, then attempt to re-bind.  You should get a clean SID generated that way.

This article explains how to unbind/rebind from AD.

http://www.peachpit.com/articles/article.aspx?p=1431816&seqNum=2

If you keep getting Duplicate errors, you probably want to figure out how to display the objectSID assigned to this system and then search AD by that objectSID to see what system is conflicting.  Maybe you can unbind/delete account/rebind that system to get a new SID - or maybe it is something no longer in use and you can just delete it.

You can use PowerShell to search AD for a specific SID:

> [ADSI]"LDAP://<SID=S-1-5-21-500000003-1000000000-1000000003-1001>"

Wish I could be more help - just not familiar enough with AD integration on OSX to provide much specific info.
0
 
LVL 10

Accepted Solution

by:schaps
schaps earned 400 total points
ID: 40413183
Thanks for the detailed answers. That all sounds right, but I mentioned IPv6 because of some reports that having it on when not needed interferes with AD binding. So, for the fun of it, try deleting the account in AD, run the command to disable IPv6, and try rebinding.

It also might be helpful to run the following commands on the client in question and another similar Mac showing the correct computer account info:  "dsconfigad -show" and "id [any AD username]"
and compare the results. Any differences (other than ones which should be different) may help determine what's going wrong.

If still no joy, try deleting the account again in AD and manually binding the client:

sudo dsconfigad -a computername -u [ADadminname] -ou "CN=Computers,DC=domain,DC=org" -domain domain.org
(Note: You may need dsconfigad options for your setup. See the dsconfigad man page for all the options available - "man dsconfigad" in Terminal)
You should receive a Password: prompt. First put in the password for the local admin account you’re using.
Next, you’ll get a Network Password: prompt. Put in the password for your AD account that has binding rights.
You should then see: "Computer was successfully added to Active Directory"
Test as per usual--

By the way, this all assumes you're comfortable with command line on the Mac, and you could definitely be doing this remotely via SSH instead of needing to be in front of the computer. Apple Remote Desktop is also an excellent (and cheap) tool for managing a fleet of Macs remotely.
0
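The side-by-side comparison of "dsconfigad -show" suggested in the answer above, as an added example that is not part of the original thread: it reports every setting that differs between a healthy Mac and the suspect one, skipping the computer account name, which is expected to differ. The helper name compare_dsconfigad, the file names and the sample values are assumptions, and the sample data is constructed in the "key = value" layout the tool is assumed to print.

```shell
#!/bin/sh
# Added example: compare two saved `dsconfigad -show` outputs key by key.
# On each Mac first run:  dsconfigad -show > /tmp/$(hostname -s).txt
# compare_dsconfigad REFERENCE SUSPECT  (hypothetical helper name)
compare_dsconfigad() {
  awk -v skip="Computer Account" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    {
      p = index($0, "=")
      if (p == 0) next                        # section headings, blank lines
      key = trim(substr($0, 1, p - 1))
      val = trim(substr($0, p + 1))
      if (key == skip) next                   # expected to differ per machine
      if (FNR == NR) { ref[key] = val; next } # first file: the healthy Mac
      seen[key] = 1
      if (!(key in ref)) {
        print key ": only on suspect (\"" val "\")"
      } else if (ref[key] != val) {
        print key ": reference=\"" ref[key] "\" suspect=\"" val "\""
      }
    }
    END { for (k in ref) if (!(k in seen)) print k ": only on reference" }
  ' "$1" "$2"
}

# Constructed sample data: made-up values, assumed "key = value" layout.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.txt" <<'EOF'
Active Directory Forest          = corp.example.org
Active Directory Domain          = corp.example.org
Computer Account                 = imac-good$
Advanced Options - Administrative
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
EOF
cat > "$SAMPLE_DIR/suspect.txt" <<'EOF'
Active Directory Forest          = corp.example.org
Active Directory Domain          = corp.example.org
Computer Account                 = imac-new$
Advanced Options - Administrative
  Packet signing                 = disable
  Packet encryption              = allow
  Password change interval       = 0
EOF

compare_dsconfigad "$SAMPLE_DIR/good.txt" "$SAMPLE_DIR/suspect.txt"
```

Differences in the signing, encryption or password-interval lines are the ones that bear on the secure-channel concern raised earlier in the thread.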
 
LVL 13

Author Comment

by:Rizzle
ID: 40413275
I removed the iMac, deleted the prestaged computer account in AD, then waited 20 mins, renamed the iMac to a different hostname, then re-bound it to the domain, and still no computer account.

Not really comfortable with command line on the iMacs to be honest!! Definitely not having fun either!
0
 
LVL 10

Expert Comment

by:schaps
ID: 40413331
No better time than the present to expand your skill set!
Nothing I posted could mess anything up, but at minimum, run "dsconfigad -show" in the Terminal (or via SSH) on the Mac in question and one which has the correct AD account to compare. It is only a "show me the AD configuration" command, no worries, no danger.
0
 
LVL 13

Author Comment

by:Rizzle
ID: 40416101
Tried it again today: deleted the other computer account I created manually, then created a new one, renamed the iMac's hostname and then disjoined the iMac, waited 10 mins, re-joined with the new hostname, and still didn't get any information pulling through on AD. I then disabled the account and then couldn't log in to the iMac, which means it is definitely communicating with the iMac. I will be happy with this for now.
0
