Form MacWindows:
I recently had an issue whereby all OS X 10.4 clients/servers I tried to bind to a customer's Active directory would fail with "unknown error" at Step 5. The ADPlugin log would show the binding failing while trying to set the computer password. I found your very useful pages through googling the issue, and thought I would let you know what eventually fixed my issue.
I believe I had two issues causing this binding problem, both DNS related.
The first was that some SRV records for one of their domain controllers were missing from DNS (in particular _ldap and _kpasswd). Running "nltest /dsregdns" on the missing server should sort this, but they should also be added in automatically when the Netlogon service starts on the server, so if they are missing there could be some wider domain controller issue to investigate.
The second problem (once the SRV records were sorted), and the one that was causing the step 5 failure, was that the domain controllers were multi-homed: they each had more than one IP address, and these addresses were all registered in DNS. For some reason, the AD bind process would retrieve the correct IP from DNS for each step until step 5 when it would try and talk to the servers second IP for the kpasswd (464 UDP) part of the bind. This would fail.
To fix this, if possible remove the second IP address from the server. If you can't do this, remove the server A record in DNS that points to the second IP address (you might have to go in to the TCP/IP properties on the server and tell it "not to register this connection in DNS" if you leave more than one IP address on the server, else it will re-register it in DNS). This fixed the issue for me
No comments:
Post a Comment