Problems binding Mac OS X Sierra/High Sierra to AD.

I’ve recently setup a new Windows Server 2016 AD Domain for a client. It is a single DC domain. They have several Macs in their environment and I’m struggling to get the Mac’s to stay bound to AD.

We can get them bound to AD initially, seemingly without a hitch and we can log in and out as various users. Our problems start when the Macs are restarted. When we get to the login screen there is a red dot next to the username box stating that ‘Network accounts are unavailable’. When binding the Macs initially, I ticked on the option to setup as a mobile user and this allows us to login as the users that were logged in before the first restart, but no other users can login after this point and it doesn’t accept the Network Admin account’s credentials to do administrative tasks despite setting the domain admins group as being able to administer the mac.

The domain has been setup as companyname.co.uk. Mac’s are getting their network config through DHCP with the sole DNS being that of the Domain Controller and the search domain being companyname.co.uk. I have tried creating a computer account in AD before binding and letting the binding process create the computer account both ways without success.

I have checked the DNS settings which appeared OK using the following commands:

dig -t SRV _gc_tcp.server.companyname.co.uk

dig -t SRV _ldap_tcp.server.companyname.co.uk

dig -t SRV _kerberos_tcp. server.companyname.co.uk

dig -t SRV _kpassword_tcp. server.companyname.co.uk

The time on both the DC and Macs while not using the same time source are correct.

I read somewhere of someone having a similar issue, where switching off File Vault solved it, but this has not been enabled on any of the Macs I have tried so far.

After logging in as local admin user and going back into the user account settings, the bind still seems to be active but the ‘allow network users to login’ option is missing and if I open network account server details there is a message stating ‘the server is not in your authentication search policy’.

Any help would be gratefully appreciated.
Lee BishopManaging DirectorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

footechCommented:
Are these Macs connected via ethernet?  If so, I have experienced the behavior where it needs to be connected during startup for it to be recognized at the logon screen (vs. already being at the logon screen and then plugging in a cable).

If not, it's possible the wireless isn't connected at the time of logon.  I read about using a configuration profile to such that the wireless is connected before logon, but wasn't successful at the time I tried it years ago (and it wasn't a high priority).
0
Lee BishopManaging DirectorAuthor Commented:
Yeah in all instances the macs have been connected using ethernet. The connections have been active as I have been logging into the Macs remotely to try and fix it.

I spoke to Apple support earlier and they suggested it might be something to do with a lack of encryption on Kerberos, which is a possibility but don't want to start messing with this on the DC until I'm onsite.
0
footechCommented:
Sorry, I haven't encountered the issue you're facing.  I think I've only had a Mac that was joined to AD need to be rejoined once or twice.  Seems like it takes 30 seconds or more for the red dot to go away (used to be much faster on older OS X versions).
Only other suggestion I can think to try is a different utility to join to AD instead of Mac's native functionality.
https://www.centrify.com/express/
We use this for Linux machines and it works well, but I haven't tried it out for Mac.

I think the ‘allow network users to login’ checkbox doesn't show up when you're logged on with a local user.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

serialbandCommented:
Centrify should work fine for the Macs.  The built in Domain join on a Mac has always had issues and you will need to rejoin the domain at some point.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lee BishopManaging DirectorAuthor Commented:
We have used NoMad for now which works really well, except doesn't actually put the computer account into AD but that is no real problem. I will leave it open for a short while to see if we can find some reason why they are not staying bound.

Thanks for all your help so far.
0
Lee BishopManaging DirectorAuthor Commented:
Even with the Kerberos encryption switched on, I'm still having no luck. Surely someone else out there must be having similar problems.

I'm in the process of trialing NoMAD. It seems to work really well except it doesn't add the computer account to AD which is not a massive problem.
0
serialbandCommented:
If it's not adding the account, then it's not working.  Time to switch.
0
Lee BishopManaging DirectorAuthor Commented:
Does Centrify add the computer account into AD?
0
serialbandCommented:
It should.  I've only used the full Centrify, so I can't fully speak to Express.

Apple's built-in domain join disconnects after a time, and needs to be rejoined.
PowerbrokerOpen will also disconnect after a time and needs to be rejoined.
Both Apple and PowerBrokerOpen appear to remain connected, but you will experience symptoms that can only be fixed by rejoining the domain.
0
Seth SimmonsSr. Systems AdministratorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: serialband (https:#a42472921)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.