IPG EMEA Deployment Knowledge Base

Where are JSS database backups located?

2012-02-28T11:09:00.002Z

sudo /private/var/backups/jss/

How to build a Casper netboot set using Apple's System Image Utility

2012-02-27T00:18:00.001Z

Information directly from the Jamf site:

https://jamfnation.jamfsoftware.com/article.html?id=64

The instructions tell you how to create a netboot set that will automatically launch the Casper Imaging Utility. However if you want to use your netboot set in different environments then you should not auto-launch Casper Imaging. Rather, just put the icon in the Dock and enter the JSS info when prompted. It's one more step but worth it if you need to share your netboot set with other sites.

High CPU usage caused by: krb5kdc: didn't find any realms when starting

2012-02-16T20:26:00.002Z

We have seen several instances where a computer is unable to launch applications and suffers other performance problems when edu.mit.kerberos.krb5kdc repeatedly exits and respawns. Look in the Console log for these errors:

To fix this, open Terminal and type:

sudo /usr/libexec/configurLocalKDC

It has also been suggested that you delete all files in the following location:

sudo /var/db/krb5kdc/

Although some people may not have any files in that location.

dyld: shared cached file was build against a different libSystem.dylib, ignoring cache

2012-02-16T20:13:00.000Z

On a Mac 10.6.8 server we were experiencing poor performance and erratic behavior from Server Administrator. Looking at the Console Logs we found that it was filled with the following error:

dyld: shared cached file was build against a different libSystem.dylib, ignoring cache

Apparently this is a fairly common error in 10.6.x and can affect a wide variety of applications. The fix is pretty straightforward. Open Terminal and type the following:

sudo update_dyld_shared_cache -force

Windows 2008 R2: Members of the local "Administrator" group do not have admin rights to shares

2012-02-06T20:50:00.000Z

We have received many reports of a problem with Windows 2008 R2 servers where shares containing the local "Administrator" group were not accessible by members of that group.

For example: we have a GPO that makes our "Domain Admin" group a member of the local Administrator group of all our servers. However, when a Domain Admin would log onto a server he would not have access to server shares.

We resolved the problem by disabling User Account Control (UAC) on the server. This Microsoft KB article describes how to turn UAC off in Server 2008 R2.

For a full overview of UAC and how to turn it off/on on other servers see this KB.

Note: these changes require a restart.

Single-Sign-On (SSO) not working for Snow Leopard clients connecting to a Windows server running ExtremeZIP

2012-02-06T20:35:00.000Z

We received a report from an office that three of their Windows 2003 servers running ExtremeZIP were not allowing SSO connections from AD bound Snow Leopard Macs.

After a good deep-dive into the problem, including packet traces and help from Group Logic, we resolved the problem. Here are the steps we took:

Make sure the Mac clients are using the FQDN to connect to the ExtremeZIP AFP volume on the server. Short names should not be used (in Lion you must use the FQDN or you get an error).

Check that the time on the server, clients and DC match. One of the servers' clock was out by six minutes (max Kerberos time skew is five minutes). When the time was set correctly Lion clients were able to log in.

Check that the Server Principle Name (SPN) of the servers is correct; if they are not then authentication can fail. Read more about SPNs here.

To check the SPN on a Windows 2003 server you must first download and install Windows Server Support Tools. You can get them here.

After you have installed the tools go to Programs/Windows Server Support Tools and launch the app- it will open a command line.

Both the long and the short SPN for the AFP protocol need to exists for your servers:
afpserver/servername.company.com
afpserver/servername

To display the SPNs from the Support Tools command line type "setspn servername"

You should see both the FQDN and the short name. If one is missing do the following:

- To add the long name: setspn -a afpserver/servername.company.com servername
- To add the short name: setspn -a afpserver/servername servername

We also found that although the Snow Leopard clients were authenticating users correctly, they were not generating a Kerberos ticket at login (you can verify this by going to the Ticket Viewer.app located in System/Library/Core Services). After manually generating a Kerberos ticket, SSO worked.

To force a Snow Leopard client to generate a Kerberos ticket at login follow the instructions in this Apple KB article.

After carrying out each of these steps, the Snow Leopard clients were able to get SSO to the ExtremeZIP enabled servers.

Although it wasn't necessary in this case, make sure you update ExtremeZIP to the latest version

How to check if an Apple server is Kerberized against AD: verify Service Principals

2012-02-06T16:13:00.000Z

If Mac clients are having trouble accessing a bound OS X server, check that the server is Kerberized against AD. First, run the following command:

sudo klist -kt

You should see a number of service principals with the Kerberos realm of your.domain.com

Second, you need to ensure that the correct service principal is in use by the AFP service. You can use the following command to do this:

sudo serveradmin settings afp:kerberosPrincipal

This should show something like "afpserver/@YOUR.DOMAIN.COM". If it shows a value in the LKDC realm it is incorrect and will need to be fixed before you can connect using Kerberos.

Here's a command you can use to fix it:

sudo serveradmin settings afp:kerberosPrincipal = "afpserver/@YOUR.DOMAIN.COM"

Using Snow Leopard server for Lion software updates

2012-02-02T17:31:00.000Z

Here is a step-by-step guide for setting up a Snow Leopard SUS server so that it will distribute Lion updates.

I do not know who originally wrote this article. If anyone can find the author please let me know and I will credit him/her.

First things first. Fire up Server Admin and stop the Software Update service. Next fire up a Terminal window and head to /etc/swupd.

cd /etc/swupd

Now let's make backups of the .plist and .conf files for swupd.

cp swupd.plist swupd.plist.bak; cp swupd.conf swupd.conf.bak

Great. Now we are going to add a catalog to the catalog array in the swupd.plist. When we are done it will look like this:

otherCatalogs


       index-leopard.merged-1.sucatalog

       index-leopard-snowleopard.merged-1.sucatalog

       index-lion-snowleopard-leopard.merged-1.sucatalog



You can do this with a text editor, but PlistBuddy makes it easier.

sudo /usr/libexec/PlistBuddy -c 'add :otherCatalogs:2 string index-lion-snowleopard-leopard.merged-1.sucatalog' /etc/swupd/swupd.plist

Will do it in one shot. Adding this catalog is what will tell our SUS Server to go and get the Lion updates.

The next bit we need to do is to tell the server that it can provide this catalog to Lion clients. Open up swupd.conf with the editor of your choice.

vi swupd.conf

Go to the bottom of the file, or just search for Rewrite. Look for the Darwin/11 agent string and change the rewrite rule to look like this.

RewriteCond %{HTTP_USER_AGENT} Darwin/11
RewriteRule ^/index.sucatalog$ /index-lion-snowleopard-leopard.merged-1.sucatalog

Basically we are adding the word "lion" into the sucatalog name.

Now close out of the terminal and start up the Software Update Service with Server Admin again. If you watch the logs, or the updates tab, you will see the Lion updates and on-demand software appear and begin downloading. After a while they will be local and you can start updating those Lion clients!

How to enable Directory Services debugging and packet capture at log on

2012-01-31T17:49:00.000Z

When diagnosing login problems it can be very helpful to generate a packet capture during log-in. Unfortunately tools like Wireshark or PacketPeeper do not run at start-up.

Following are the commands to enable DS debugging and a packet capture during log-in. You will need another computer connected via SSH to the one on which you want the packets captured.

1. Run the following command to set the debug level to seven (all one line):

sudo defaults write /Library/Preferences/DirectoryService/DirectoryServiceDebug "Debug Logging Priority Level" -integer 7

NOTE: Only run this command if you are running 10.5 or later

2. Enable Directory Service Debugging by running the following command:

        sudo /usr/bin/killall -USR1 DirectoryService

3. SSH to the client and start a packet capture:

        sudo /usr/sbin/tcpdump -vvv -n -s 0 -w /Library/Logs/`date +%Y%m%d-%H%M%S`.pcap

4. Reproduce the issue by attempting to login.

5. Stop the packet capture using Control+C.

6. Disable Directory Service Debugging by running the following command again:

        sudo /usr/bin/killall -USR1 DirectoryService

The capture will be in the /Library/Logs with a ".pcap" extension.

10.7 clients unable to connect to legacy NAS and AFP devices

2011-12-27T15:01:00.001Z

In Lion Apple disabled older, less secure protocols like DHCAST128. This has caused problems with older NAS devices running AFP and some Novell servers.

Most manufactures have released updates to resolve this problem but there is also a way to re-enable the protocol from the command line.

Here are the instructions from Apple's KB:

Lion maintains a list of authentication methods that are not allowed. These are the older, less secure authentication methods. You may need to enable one or more of these methods to support legacy devices or protocols.

Open Terminal.
Execute the following commands:

sudo chmod o+w /Library/Preferences
sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_host_prefs_version -int 1

Make an AFP connection to another system so that the AFP Client preference file will be filled in with the default set of values. Note: You must connect as a registered user, not as a guest.
Execute the following command to see a list of the disabled User Authentication Methods (UAMs)

defaults read /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams

By default the disabled UAMs are "Cleartxt Passwrd", "MS2.0", "2-Way Randnum exchange", and "DHCAST128". Note: if you don't see a list, restart your computer and repeat step 3.

To enable one of these UAMs, remove it from the list of disabled UAMs. For example, this command enables DHCAST128 by removing it from the list of disabled authentication methods:

sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams -array "Cleartxt Passwrd" "MS2.0" "2-Way Randnum exchange"
After the desired changes have been made, restore the permissions on the Preferences folder with this command:

sudo chmod o-w /Library/Preferences
Additional Information
If you want to undo the changes described above, you can either delete the /Library/Preferences/com.apple.AppleShareClient file or use the following command to re-disable the default set of older UAMs:

sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams -array "Cleartxt Passwrd" "MS2.0" "2-Way Randnum exchange" "DHCAST128"

The full article can be found here: http://support.apple.com/kb/HT4700

Lion clients unable to connect to Snow Leopard server

2011-12-23T13:59:00.000Z

If you are attempting to connect from a bound Lion client to a bound Snow Leopard server you must use the FQDN for the server.

For example: myserver.test.network.com

If you do not you may receive an error that says "The version of the server you are trying to connect to is not supproted. Please contact your system administrator to resolve the problem."

Also check what authentication method you are using.

Open Server Manager
Highlight "AFP"
Click on the "Access" tab
Change "Authentication" to "Any Method"

Attempt to connect from at Lion client using the FQDN of the server.

Note: changing the authentication to Any Method can possibly break single-sign-on for Snow Leopard client. If this happens change the authentication to "Kerberos". Lion clients should still be able to access the server.

Shaking login with console error: Could not get a user record for [username] from Directory Services

2011-12-18T14:33:00.001Z

Symptom

After binding a Mac AD account log-ins fail (shaking login). Console logs report the following:

SecurityAgent[735] Could not get user record for 'username' from Directory ServicesSecurityAgent[735] User infor context values set for usernameSecurityAgent[735] unknown-user (username) login attempt PASSED for auditingSecurityAgent[735] Could not get the user record for 'username' from Directory Services

kinit [username] will generate a Kerberos ticket

id [username] will produce a list of LDAP info for the AD account

login [username] fails

Solution

If you see the Console log errors as described above it generally means that the computer is not able to create a mobile account at log-in. Try creating a mobile account from Terminal first:

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/
createmobileaccount -n username
sudo createhomedir -c -u username

Log out and back in with the user's AD credentials.

Shaking login: duplicate accounts

2011-11-27T00:47:00.000Z

We had a user who couldn't log into any bound Mac but was able to log into Windows machines. After much swearing and consternation we found that there was already a user with the same login and pre-Windows 2000 name as our user in a different domain of our forest.

Macs search forest-wide for authentication information and the PCs only look in the current domain. Thus all user accounts must be unique everywhere within a forest or the duplicate user will be unable to log in. By changing the login and pre-Windows 2000 names of the user in our domain he was able log in.

Mac savvy readers might point out that there is a tick box in Directory Services that says "Allow authentication from any domain in the forest". One might think that un-ticking that would force the Macs to only look to the domain it is a member in for authentication information but this is incorrect. In practice we have found that this tick-box does nothing at all and Apple admits that it is of little use.

Keep in mind that when you bind a Mac and then look in the Search Policy it displays "Active Directory/All Domains". Therefore it will look in all available AD domains in the forest for authentication information.

iOS5: The iPhone ... Could not be synced because the sync session failed to start

2011-10-21T11:59:00.000+01:00

iOS5 continues to be a problem. One of the main complaints is an error encountered when attempting to sync an iPhone or iPod to iTunes:

"The iPhone [device name] Could not be synced because the sync session failed to start"

Several work-arounds have been suggested including simply restarting the iOS device. One procedure that seems to work well is to remove the device backups from iTunes. Before you do this, make sure you backup your backups folder: ~/Library/Application Support/MobileSync/Backup/

Connect your device and open iTunes
Go to Preferences/Devices
Delete all backups
Click "OK"
Restart iTunes and attempt another sync

Sometimes you may see duplicate backups listed. I found that by deleting all but one backup also allows the device to sync.

Apple's iOS troubleshooting page has some good tips: http://support.apple.com/kb/ts2529

"You are unable to log in to the user account [account name] at this time.

2011-10-20T19:37:00.000+01:00

Problem: an AD bound Mac shakes off login attempts and returns a message that says:

"You are unable to log in to the user account [account name] at this time. Logging in to the account failed because an error occurred."

There are two things to to try:

First, update the Automounter master map as outlined in this Apple KB article:

http://support.apple.com/kb/TS3346

Secondly, if the user has a home folder path specified in their AD profile (Profile tab), remove it.

How OS X uses login names to generate Kerberos tickets

2011-09-30T20:19:00.000+01:00

AD users have two valid names that can be used for authentication: the login name and the "pre-Windows 2000", or "short" name.

OSX recognizes both of these as valid, however in order to have a Kerberos ticket granted the user must login with the short (pre-Windows 2000) name. Login attempts using the long name or domain\username will not be granted a Kerberos ticket.

Shaking Log-on in OS X: The Ongoing Saga

2011-09-30T20:10:00.002+01:00

Yet more things to check if a bound Mac refuses to allow authentication by an AD user:

Open the user's AD profile in Active Directory Users and Computers (ADUC) and click on the "Accounts" tab. Check that both the log-on name and pre-Windows 2000 name are the same, that both are unique on your network and that the user is entering the name exactly as it appears in the profile.

Changing the Machine Password Interval on a Mac and Windows

2011-09-18T15:36:00.000+01:00

Sometimes when a user can not log into their computer (shaking login) the problem is with the machine password and not the user account password. By default Windows machines reset their machine password every 30 days but Macs do so every 14. If a computer is on the network but can not connect to a DC at its password change interval it can subsequently prevent the user from logging in and/or changing their password from the computer.

To change the machine password interval on a Mac you must first unbind the computer and then follow these steps:

http://support.apple.com/kb/HT3422

Setting the passinterval to "0" is the recommended fix.

Keep in mind that having a computer never reset its password poses a potential security risk because the security channel between the computer and the DC will never be reset. This means that if someone discovers the machine password they could perform pass-through authentication directly to a DC.

Here is a good article describing the entire machine password change proces:

http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

And here is Microsoft's KB on the process for PCs:

http://support.microsoft.com/kb/154501

Snow Leopard: Allowing standard users to add printers

2011-09-06T19:20:00.004+01:00

In Snow Leopard standard users are not allowed to modify the print queues. Apple has a work-around in this KB article: http://support.apple.com/kb/HT3511

Run this command:

dseditgroup -o edit -n /Local/Default -u admin -p -a student -t user lpadmin

Where "admin" is the short name for the local admin account and "student" is the name of the user

How to configure a hidden account that has ARD access and also must request control from the user

2011-09-05T19:55:00.005+01:00

I was asked to create a hidden account that had remote control access through ARD but that also had to request permission from the user before being allowed access to the computer

Running the following in ARD/Unix using the root account will create a hidden standard account called "hidden", set the password to "Hidden123", turn on "request permissions to observe/control" and add the account to the Remote Management "allowed users" list:

dscl . -create /Users/hidden
dscl . -create /Users/hidden UserShell /bin/bash
dscl . -create /Users/hidden RealName "hidden"
dscl . -create /Users/hidden UniqueID 499
dscl . -create /Users/hidden PrimaryGroupID 1000
dscl . -create /Users/hidden NFSHomeDirectory /Local/Users/hidden
dscl . -passwd /Users/hidden Hidden123
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users hidden -privs -none -clientopts -setreqperm -reqperm yes

A "UniqueID" lower than 500 will create a hidden account.

To remove the account (run as root through ARD):

dscl . -delete /Users/hidden

This works for Leopard and Snow Leopard

Cannot exit Snow Leopard Screen Saver with AD credentials

2011-08-18T11:47:00.000+01:00

On bound Macs there is a problem where a computer that has been left on, with the screen saver active, for more than 10 hours has its Kerberos ticket expire. If this happens a user is unable to unlock the screen saver using their AD credentials.

Here is the KB article from Apple on how to fix this problem:

http://support.apple.com/kb/TS3287

How to display the DHCP server in OS X

2011-07-28T00:02:00.000+01:00

It has always frustrated me that I could never find a way to display the DHCP server on a Mac- something like ipconfig /all on a PC. I finally discovered a way:

ipconfig getpacket en0 (en1 if you are on wi-fi)

Look for the line that says "server identifier" and that is the IP of your DHCP server

scutil to change host names

2011-07-23T20:14:00.005+01:00

Apparently "changeip" isn't the recommended way to change DNS names in Snow Leopard so we must use "scutil" instead.

Take a look at the man page but mostly we will problem use it to change computer and host names:

sudo scutil --set ComputerName [new name]
sudo scutil --set HostName [new name]

 --set pref [newval]
       Updates the specified preference with the new value.

       If the new value is not specified on the command

       line then it will be read from standard input.

         Supported preferences include:

         ComputerName LocalHostName HostName

         The --set option requires super-user access.

     --dns
         Reports the current DNS configuration.

Mac Disk Showing 0Kb. Disk totally full for no reason.

2011-07-15T10:27:00.000+01:00

Several users were reporting a problem where their disks were showing 0 space free. It turned out that Photoshop 5 was creating (and not deleting) massive log files. Deleting the log files reclaimed the missing space.

The log files are in:

/var/log/asl

Windows 2008 server and ExtremeZIP: AFP Shares appearing as read-only to Mac users

2011-07-07T18:31:00.002+01:00

After moving data from a Windows 2003 server to a Windows 2008 server via robocopy Mac users were unable to write to some folders. The files and folders appeared to copy correctly, along with the permissions and Windows users could access the folders without a problem.

The Windows 2008 server is running ExtremeZIP and the problem only occurs if the clients connected via AFP- SMB connections were fine. The problem affected both AD bound and unbound Macs.

FIX: it turned out that file permissions didn't fully copy (or perhaps robocopy doesn't have the flags that Windows 2008 Server requires). Folders that the Mac users could only see as read-only were missing a tick in "Delete subfolders and files and folders" in the Advanced folder settings.

Go to the security properties of the folder and click on the "Advanced" tab

Highlight the user/group that you want to check permissions on and click "Change Permissions"

Highlight the user/group again and click "Edit"

Make sure there is a tick in "Delete subfolders and files"

Make sure you propagate the permissions to all child objects.

Incorrect date/time in Outlook forward and reply messages

2011-07-07T11:54:00.000+01:00

If your mail server is in a different time zone from your mail client, e-mail Replies and Forwards in Outlook display the time zone of the mail server, not the client.

To fix this open Outlook go to Preferences/Composing and under "Attribution of original message" set the "Custom attribution format" as it appears below:

Apple Server Admin Not Starting

2011-06-17T16:49:00.000+01:00

Problem: OS X Server Admin will either not launch or after it has launched it will not allow connections.

Fix from Apple:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.servermgrd.plist

cd /var/severmgrd

Note: verify that you are in the right path, because the next command will delete everything in the current folder.

rm -rf *

sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.servermgrd.plist

Server Manager should now launch and allow logins.

Tomcat problems on a JSS

2011-06-17T16:44:00.000+01:00

It is important that Apple's Tomcat does not conflict with Jamf's on your JSS. If both instances of Tomcat are trying to run at the same time you can experience an inability to access the JSS along with over all poor server performance.

To disable Apple's Tomcat follow these steps:

On your JSS, launch Server Admin
Click on "Web"
Click on the "Settings" icon
Click on the "General" tab
Remove the tick from "Enable Tomcat"

Bound Mac Clients Can't Exit Screensaver Using AD Credentials

2011-06-16T19:22:00.003+01:00

Bound Macs that have the screen saver set to lock after a certain amount of time and require AD credentials to unlock sometimes are unable to unlock the screen saver.

Fix

Open Terminal
Type: cd /etc
Type: pico authorization
Find the "system.login.screensaver” and look for this text in a string:

"The owner or any administrator can unlock the screensaver"

and change it to:

"(Use SecurityAgent.) The The owner or any administrator can unlock the screensaver."

For full details refer to Apple KB: http://support.apple.com/kb/TS3287

How to disable auto mounting network shares in OS X

2011-06-06T16:01:00.001+01:00

To disable auto-mounting of network shares in OS 10.5 and 10.6 do the following:

Go to /Users/username/Library/Favorites
Remove the server names or IP addresses

OS X Server: users can not connect to SMB or AFP shares

2011-05-10T21:21:00.002+01:00

We have been troubleshooting several reports from offices with bound OS X servers where Mac and PC clients are unable to connect to shares using AFP or SMB. Additionally these offices have reported that Macs will randomly drop their AFP connections to the OS X server.

When the connection problem occurs often times the server shares will display generic ACL GUIDs: a series of numbers and letters instead of the group name. In cases such as these restarting Directory Services generally resolves the problem- at least temporarily:

sudo /usr/bin/killall DirectoryService

Other times the GUIDs display normally but the connection problems still persist. In these cases two things are suggested:

Nest AD users into local groups and then use the local groups to populate the ACLs
Flush the group membership cache by running this command:

sudo dsmemberutil flushcache

Generally these problems occur most often on Leopard servers- Snow Leopard servers have improved group membership caching.

Mac administrator account changing to a standard account

2011-05-06T13:36:00.000+01:00

We have had several reports of Macs that have their admin account changed to a standard account.

The fix is to login to the machine as root, go to "Accounts", select the admin account and put a tick in "allow user to administer this computer".

If the root account is disabled or you do not know the password you will have to boot the machine from the OS DVD and enable the account/reset the root password.

Full instructions can be found here:

http://support.apple.com/kb/TS1278

Shaking Login: corrupt Kerberos file

2011-04-11T14:30:00.002+01:00

Apple has informed us that sometimes anti-virus software can corrupt the kerberos files found in:

/var/db/dslocal/nodes/Default/config/

They suggest that a trouble shooting step for a shaking login should be to remove all the Kerberos files in the above directory.

sudo /var/db/dslocal/nodes/Default/config/
rm Kerberos*

then restart.

Outlook 2011 Profiles Disappearing

2011-04-05T12:44:00.000+01:00

There have been some reports that when a user launches Outlook their profile is no longer there. It seems to have something to do with the database daemon thinking the user's database has vanished.

Here is one reported work-around:

Keep Outlook open
Go to Terminal
Type, ps aux | grep Microsoft
Look for the MS Office 2011 processes
Note the number after the user name- this is the Process ID (PID)
In Terminal type, sudo kill –9 [PID number]
Do this for each of the Microsoft processes
Re-launch Outlook

How To Refresh MCX Preferences on a Mac

2011-03-31T09:00:00.001+01:00

From Terminal type: sudo mcxrefresh –n [user short name]

eg: sudo mcxrefresh –n tsmith

For further info see the man page, "man mcxrefresh

You can also delete the /Library/Managed Preferences folder

Here is a list of MCX refresh commands for each OS:

http://krypted.com/mass-deployment/refreshing-managed-client-cache/

Mac clients can not do LDAP (GAL) lookups

2011-03-29T22:21:00.001+01:00

An office reported that Mac clients were unable to do LDAP (GAL) lookups from Entourage or Outlook 2011.

All the clients were using the local DC for LDAP; if this was changed to another DC the clients could do lookups just fine.

It was found that the local DC was not a global catalog server. When this was fixed, lookups worked.

Here is the TechNet article on determining whether or not a DC is a GC it:

http://technet.microsoft.com/en-us/library/cc786686%28WS.10%29.aspx

com.apple.launchd[1] (org.samba.winbindd3733) Exited with exit code: 1

2011-03-29T22:04:00.006+01:00

A 10.5.8 server dropped all SMB connections and the Console log was filled with these errors:

Mar 29 12:36:37 ... com.apple.launchd[1] (org.samba.winbindd[98460]): Exited with exit code: 1
Mar 29 12:36:37 ... com.apple.launchd[1] (org.samba.winbindd): Throttling respawn: Will start in 10 seconds
Mar 29 12:36:47 ... com.apple.launchd[1] (org.samba.winbindd[98461]): Exited with exit code: 1
Mar 29 12:36:47 ... com.apple.launchd[1] (org.samba.winbindd): Throttling respawn: Will start in 10 seconds

Work-around (but not a full fix as it doesn't address the root cause)

Open Terminal and log in as sudo -s and type:

launchctl unload /System/Library/LaunchDaemons/org.samba.winbindd.plist

Then edit /System/Library/LaunchDaemons/org.samba.winbindd.plist
and the following:

This keeps the winbindd daemon from launching at startup, which it isn't doing anyway, to re-enable it change "true" to "false".

How to check a user's password from the command line using DSCL

2011-03-29T19:46:00.000+01:00

Here is the command for checking a user's password via DSCL:

dscl /Active\ Directory/domainname authonly username

(where "domainname" is the name of the AD domain and "username" is the short name of an Active Directory user)

No output indicates that the user's password was verified.

DHCP Error while importing scope "Option 6"

2011-03-29T14:33:00.002+01:00

While importing a DHCP scope from a Windows 2003 to 2008 server I encountered an error:

"Error while importing option "6"."

This is a reference to the scope options in DHCP. Option 6 is the DNS server, option 15 is DNS Domain Name, etc.

To remedy this particular error delete the offending options form the DHCP's "Server Options" and then attempt the import again.

Export (2003/2008): netsch dhcp server export c:\[filename.txt] all
Import: netsch dhcp server import c:\[filename.txt] all

More details on the error can be found here:

http://mykbit.blogspot.com/2010/03/error-while-importing-option-6-while.html http://mykbit.blogspot.com/2010/03/error-while-importing-option-6-while.html

How to force a 10.6 client to generate a Kerberos ticket at login

2011-03-17T23:10:00.001Z

Refer to this Apple KB article:

http://support.apple.com/kb/HT4100

You need to add the string:

builtin:krb5store,privileged

Under the key:

system.login.console

In the /etc/authorization file

Generating a kerberos ticket from the command line in OS X

2011-03-17T21:53:00.000Z

kinit [user name]

You will be prompted for the user's password

Missing admin accounts on Mac: FIX

2011-02-26T14:54:00.001Z

Shut down the computer if it is on.
Press the power button to start the computer.
Immediately press and hold the Command (Apple) key and the "s" key for single-user mode.
Type "mount -uw /" and press return.
Type "passwd" and press return.
Enter new password (this will be for the root user account) and press return.
Type "reboot" and press return.
Enter Account settings and when prompted for administrator account and password, use the user name root and the password you just setup
Check box for you standard account to administrate box
If all goes well you are admin again.

Then log in as Root:

dscl . -create /Groups/admin
dscl . -create /Groups/admin RealName Administrators
dscl . -create /Groups/admin PrimaryGroupID 80
dscl . -create /Groups/admin Password [password]
dscl . -create /Groups/admin GroupMembership root

Original post: http://macosx.com/forums/howto-faqs/299801-howto-fix-user-lost-administrator-privileges.html

Convert plist to xml

2011-02-23T23:08:00.000Z

plutil -convert xml1 your_file.plist

To convert an XML .plist file to binary for use:

plutil -convert binary1 your_file.plist

Remove an ODM from the command line

2011-02-09T17:40:00.000Z

To remove an Open Directory Master first delete the LDAP entries in Directory Services and then open the Terminal and type:

sudo slapconfig -destroyldapserver

It will take a while to complete. After it has finished you should be able to remove the Opendirectory and DNS services from Server Manager (restart will be required).

Bound Leopard Server not allowing SMB or AFP connections

2010-12-18T14:58:00.002Z

Problem: A 10.5.8 server was not allowing SMB or AFP connections. The server was bound to AD but "id" commands were failing- sometimes.

Looking at the logs I saw that they were filled with launchd errors:

com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 10

These were causing very, very poor performance and pretty much preventing Directory Service from operating; that in turn prevented any logins.

The first thing I attempted was to unbind the server but as it couldn't connect to the domain I did a Force Unbind, deleted the edu.mit.kerberos file and the Directory Services folder and restarted. I then re-bound the server and immediately unbound: this ensured that the server's AD account would be removed.

From the unbound server I took these actions:

Changed the Windows role to Standalone server
Stopped the SMB services
Opened Terminal and ran "sudo –s /usr/libexec/slapd –Tt"

This returned:

could not stat config file "/etc/openldap/slapd.conf": No such file or directory (2)
slaptest: bad configuration file!

I then viewed the contents of the directory: cd /etc/openldap/ls

There was no slapd.conf file present but there was a slapd.conf.default file so I renamed it: "cp slapd.conf.default slapd.conf"

I then re-ran the slapd command: "/usr/libexec/slapd –Tt" and it returned:

bdb_db_open: Warning - No DB_CONFIG file found in directory /private/var/db/openldap/openldap-data: (2)
Expect poor performance for suffix dc=my-domain,dc=com.
config file testing succeeded

Since LDAPv3 is turned off in Directory Services this shouldn't be a problem

Reboot
Launch Server Manager
Change the Windows role to Domain Member
Start the SMB service

AFP and SMB log-ins now worked.

These steps and more info can be found here: http://discussions.apple.com/message.jspa?messageID=10613310

Can not log in to bound Mac using an AD account

2010-12-09T12:45:00.001Z

Symptom
A Mac that has been bound to the AD will not allow log-in from a particular AD user. Other AD accounts are able to log-into the bound Mac and the user can log-into other computers.

This is generally a symptom of a corrupt account on the computer. You have several options to remedy the situation.

Solutions

Scenario One: You are migrating a local account to a domain account. You have bound the computer and are attempting to log in for the first time using the user's AD account and you get a shaking log in or an error "you are unable to log into the user's account". Follow these steps to create a new local account, migrate the user’s data to that account then create an AD account and migrate the data to the AD account.

Log in as root
Unbind the computer and delete the entire /Library/Preferences/Directory Service folder and the edu.mit.kerberos file
Restart the computer
Log in as root
Go to System Preferences/Accounts
Create a new local account for the user

Do not use the same name as the user’s AD account
Do not use the same name as the existing account

Go to Users and locate the user’s old home folder
Select all the folders in the old home folder and drag them into the new home folder for the account you just created. When it prompts you select Replace All
Go back to the Desktop hit Shift-Apple-U to open the Utilities folder
Launch Terminal
Type cd /Users
Type chown –R [user name]:staff /Users/[user name]. For example: chown –R tsmith:staff /Users/mlewis

Remember, you are doing the above command on the newly created home folder- the one you copied all the data into
Use the newly created account name for “user name”

Re-bind the computer
Log out and then back in with the user’s AD account

This will create a new blank profile

Log out and back in as root
Go to Users and locate the local home folder you created in a previous step (the one you moved all the data into and did a “chown” on)
Select all the folders in the folder and drag them into the newly create home folder (it will have the user’s AD name) When it prompts you select Replace All
Go back to the Desktop hit Shift-Apple-U to open the Utilities folder
Launch Terminal
Type cd /Users
Type chown –R [user name]:staff /Users/[user name]. For example: chown –R tom.smith:staff /Users/tom.smith
Log out and back in using the user’s AD account credentials
Their desktop icons should appear
Go to Users/[user name]/Library/Keychains and rename the login.keychain to login.keychain.old

Scenario Two: Sometimes having a UNC path to a home folder in AD prevents a user from logging in. In this case the user can not log into any Mac but loggin into a PC works.

Open the user's AD account and go to the Profile tab. If there is a UNC path to a home folder, remove it. Wait for replication and attempt to log in again.

Scenario Three: You have bound the computer and are attempting to log in for the first time using the user's AD account and you get a shaking log in or an error "you are unable to log into the user's account".

Other users can log in using their AD accounts. Checking System Preferences/Users DOES NOT show an account for the user that is unable to log in.

It is possible that the AD profile was partially created but that the process failed somewhere along the way. You first need to check if the profile exists on the computer even though it is not in "Users".

Open a Terminal window
Type "dscl localhost"
Type "cd /Local/Default/Users
Type "ls"
If the problem user's account is displayed you must remove it

To remove the account you must first download and install Apple Server Admin Tools onto the client computer. 10.6.4 admin tools can be found here:
http://support.apple.com/kb/DL1071

After you have installed Admin Tools follow these steps to remove the problem account:

Go to Applications/Server
Launch Workgroup Manager (WGM)
At the connection screen enter an address of "localhost" and the UID and password of the local machine administrator
In WGM click on the "Accounts" icon
Make sure you are authenticated to /Local/Default
Click on the single-user icon above the search menu

Find the problem account in the list and click on the "Delete" icon
Exit WGM and attempt to log into the machine again with the user's AD account

Check GPOs applied in Win7

2010-12-06T14:13:00.000Z

This will export the results of the "gpresult" command to an html file:

Gpresult /H c:\temp\[machine name].html

I.g. Gprusult /H c:\temp\FRAMBW-DXP1234

ARD "Screen Sharing Available" problem

2010-11-02T18:13:00.001Z

Many reports have come where ARD connections to remote computers display "Screen Sharing Available" next to the computer name and that although remote control and observation is possible, package install and file copies fail.

The first thing to check is to see if the firewall on the ARD console and host computers are turned off. By default the firewall blocks all ARD connections.

Secondly, check to see if the folder /var/db/RemoteManagement exists on the client machine. For some reason, this folder doesn't get created and it prevents proper ARD connections.

Also check A and PRT records to make sure there are no duplicate names or IPs for the client.

You can also try uninstalling and reinstalling ARD.

Uninstall instructions:

Open Terminal (located in /Applications/Utilities).
Delete the client pieces from /System/Library/ using the following commands in the Terminal application:
$ sudo rm -rf /System/Library/CoreServices/Menu\ Extras/RemoteDesktop.menu
$ sudo rm -rf /System/Library/CoreServices/RemoteManagement/
$ sudo rm -rf /System/Library/PreferencePanes/ARDPref.prefPane
$ sudo rm -rf /System/Library/StartupItems/RemoteDesktopAgent/

Delete the client preferences from /Library/Preferences/ using the following command in the Terminal application:
$ sudo rm /Library/Preferences/com.apple.ARDAgent.plist
$ sudo rm /Library/Preferences/com.apple.RemoteManagement.plist

Delete the client installation receipts from /Library/Receipts/ using the following command in the Terminal application:
$ sudo rm -r /Library/Receipts/RemoteDesktopClient*
$ sudo rm -rf /var/db/RemoteManagement/

To reinstall download the latest ARD client from Apple.

Snow Leopard Error -50 when copying to an SMB share

2010-10-28T12:00:00.002+01:00

Symptom

Snow Leopard client copying file to SMB will get a –50 unkown error and the copying will halt. This only happens to Snow Leopard and only to SMB. Copying the same files to AFP works fine. It is also only on certain files. We can take this file to another Snow Leopard machine and reproduce it every time.

Cause

We found out that it has to do with files with resource fork. I think Snow Leopard and Leopard no longer embed resource fork into files anymore. But I am guessing these files were touched or created by older Apple OS. This explains why out of thousands of files, we only see some files with this problem. This is due to the fact that the Snow Leopard Client now defaults to using NTFS Streams rather than AppleDouble files (dot underscore files) to store the resource fork.

Solution

Turn off NTFS Streams support in Snow Leopard. You can do this on the client by running this command.

echo "[default]" | sudo tee -a /etc/nsmb.conf

echo "streams=no" | sudo tee -a /etc/nsmb.conf

Of course this would be a pain if you have to touch every clients. An easier way is to touch the share by creating a file at the root of the share called ".com.apple.smb.streams.off". As this is a hidden file, it is probably best to do this from the command line.

cd /Volumes/sharename/

touch .com.apple.smb.streams.off

No reboot is needed. Client just need to dismount and mount the share again.

Windows and Mac users unable to access server shares and printers

2010-10-19T17:28:00.000+01:00

We received a report from several offices that users were unable to access server shares or print until their passwords were reset in AD.

Users were able to log into their computers and send/receive mail.

The users were receiving a "user name could not be found" error when attempting to connect to servers and the printers were showing "Unable to Connect".

The problem was that the User Principal Name (UPN) was holding old cached values. Logging into the computer using the full UPN (first.last@domain.com), restarting and logging back in with the normal AD name (first.last) resolved the issue.

This problem seemed to only affect users who had had their UPN updated recently.

Mac Binding Fails- Advice from Apple

2010-10-07T07:30:00.000+01:00

Apple's KB regarding binding problems and possible work-arounds involving clearing out Kerberos config files and DNS config check:

http://support.apple.com/kb/TS2691

Snow Leopard (10.6) can not connect to server using SMB: RESOLVED

2010-10-06T10:02:00.000+01:00

Problem: AD bound 10.6.x Macs were experiencing problems connecting to SMB shares on Windows servers. Users could not connect to the shares, or it would take several minutes to open/browse folders.

Cause: It was found that the issue happens when there is a folder or file on the share for which the security list includes an “Unknown SID”. When listing the content of the share, the OS X Directory Service plugin attempts to resolve all SIDs to AD objects. In this case, the plugin encounters a “Unknown SID” and expends 60 seconds attempting to resolve the SID. Once 60-second timeout is reached, the plugin skips the entry and will list the share contents. Now, if there are multiple files or folders of “Unknown SIDs”, the time for listing the content will multiply base on how many of these “Unknown SIDs” on there thus explaining the different delay time users are experiencing.

Resolution:

Test indicates that once these “Unknown SIDs” are removed from the affected file/folder, the speed of SMB will return to normal. The mount and content listing of the share will take seconds instead of minutes.

Apple will take the finding back to their product engineering to determine how they might be able to mitigate the timeout issue from OS X.

The problem of resolving this issue for server administrators is that it is not practical to identify these “Unknown SIDs” and remove them manually. After some research, it seems that Microsoft has a tool to do this.

SUBINACL - Display or modify Access Control Entries (ACEs) for file and folder Permissions, Ownership and Domain.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

Download the MSI and install it to your file server. You can then run it using the following syntax. It will removed all the “Unknown SIDs” from the files and folders you specify.

subinacl /subdirectories X:\* /cleandeletedsidsfrom=IPGNA

This will clean out all “Unknown SIDs” from the path you specify and all the directories below that. You can also use a /TESTMODE switch to test it out. It will run the command and show you the result without actually modifying anything. It is recommended that you run it under testmode once.

Using ADModify to change login and pre-2000 name

2010-09-08T15:40:00.000+01:00

Launch ADModify using "run-as" and login using a DA account on the domain where the users you are modifying are.

For login name: Under the Accounts tab enter the attribute: %'givenName'%.%'sn'%

For pre-2000 name:

Click on "Custom" tab
Put a tick in "make a customized attribute modification
Attribute name: sAMAccountName
Value: %'givenName'%.%'sn'%

Target booting an Xserver to install from another computer

2010-08-30T19:56:00.000+01:00

We found ourselves in a situation where we were unable to install from the optical drive on an Xserver. We used the following steps to resolve the problem:

Attach a FW cable between the Xserver and another Mac (we used a Mac Book Pro)
Insert the Server Install DVD into the remote computer
Turn off both devices
Restart the remote computer in Target Disk Mode (holding down the "T" key)
Restart the Xserver holding down the Option (alt) key and select the remote install drive as the startup disk
Continue with the install normally

It is VITAL that you do not target boot the Xserve onto the client: put the client into Target Disk Mode first!

After a re-IP of an Xserver, XP clients could not log in using SMB

2010-08-30T19:50:00.000+01:00

An office moved locations and in so doing upgraded their DC to Windows Server 2008 and also change the IP of their Tiger (10.4.11) Xserve.

After completing the process, XP users were unable to log into the Xserve using SMB. AFP connections were unaffected.

After many long nights of troubleshooting and searching through server and WireShark logs we were still no closer to a solution. A Leopard server was built at the location to test and it initially had the exact same problem.

To get the test Leopard server to work we had to follow the steps outlined below and replace the smb.conf file with the smb.conf.template file. After doing these steps, SMB connections to the Leopard server were successful.

During the entire process we were working with Apple and they built Tiger, Leopard and Snow Leopard servers in their environment to see if they could reproduce the problem- the could not.

Apple felt that contrary to our initial assumptions, changing to a 2008 DC did not cause the problem. Rather the re-IP of the Tiger server broke SMB authentication. They could not pinpoint the problem exactly but suggested we follow these steps to resolve the problem:

1. Change the role of Windows to Standalone server. Stop the Windows service.

2. Unbind from Active Directory.

3. Run the changeip script and change the IP address in System Preferences/Network. Restart the server.

4. Run the command "sudo changeip -checkhostname". If everything is correct, bind the server to Active Directory.

5. Change the role of Windows to Domain Member and start the Windows service.

6. Verify the SMB shares are configured correctly (I created a new share).

7. Have XP clients connect to the 10.4 server.

Unfortunately, the problematic Tiger server wouldn't allow us to complete the tasks- failing on step 5- changing the role back to a Domain Member.

At that point it was decided to re-build the server as a 10.5.8 Leopard server. 14 hours later, we finished the job! There were problems with the mirrored set in the Xserver which forced us to break the RAID and install on a single physical drive.

We were finally successful at re-building the server and when we were done XP clients could connect using SMB and get single-sign-on.

One nice thing: because we only rebuild the Xserver and not the fiber channel RAIDS attached to it, all the AD file and folder permissions were retained. This saved us a huge amount of time by not having to re-perm all the shares!

Resetting a Mac password with or without a boot disk

2010-08-16T08:38:00.000+01:00

Boot into single user mode: hold down Command (alt) -S on startup

Follow these steps:

http://osxdaily.com/2010/08/10/forgot-mac-password-how-to-reset-mac-password/

Restarting Directory Servcices from the Command Line: OS X

2010-07-22T19:13:00.001+01:00

killall -HUP DirectoryService

DHCP will not authorize after a re-IP of the server

2010-07-16T15:20:00.000+01:00

You must first unauthorize a DHCP server scope prior to re-IPing the server. If you do not then you will be unable to re-authorize the scope after the re-IP.

If you have already re-IPed the server without first authorizing the scope open DHCP from Admin Tools, right-click on "DHCP" and go to "Manage Authorized Servers." Find the old DHCP server name/IP and click on "Unauthorize."

Once you have removed the old DHCP server you can authorize the re-IPed server.

Mac Fonts

2010-06-24T13:34:00.000+01:00

It is a good idea to remove all the fonts from ~/Library/Fonts and /Library/Fonts but leave /System/Library/Fonts alone.

Create a "My Fonts" folder, dump your fonts in there and activate when necessary.

Here are two good overviews of how the OSes handle fonts:

Leopard: http://www.prepressure.com/fonts/basics/leopard_fonts

Snow Leopard: http://www.prepressure.com/fonts/basics/snow-leopard-fonts

Mac users can not log into a bound machine continued. Network home folder problem

2010-06-09T21:38:00.000+01:00

Bound 10.6 machines require that all users attempting to log in with AD credentials have either a correct path to an accessible home folder or have “force local home folder” ticked in Directory Utility.

Here are some things to try:

Look at the user’s account and see if they have home folders listed. If they do, make sure they are valid and remove them if they are not. You might simply want to remove them full stop- this has resolved problems like this in the past. Something else to keep in mind: Snow Leopard has horrible problems connecting to SMB shares so if a user has a SMB home folder defined in their AD account it could simply failing to connect and halting the login process.

Use the work-around found in this TS article from Apple: http://support.apple.com/kb/TS3346

To force a local home folder do this:

Directory Utility > Active Directory > Show Advanced Options

Place a checkmark in "Force local home on startup disk" and uncheck "use UNC path from AD" to force a local home and ignore what's in the directory.

Enable Screen Saver Locking From the Command Line: Snow Leopard

2010-05-28T10:30:00.000+01:00

The settings are now stored in ~/Library/Preferences/com.apple.screensaver.plist:

$ defaults read com.apple.screensaver
{
askForPassword = 1;
askForPasswordDelay = 5;
}
$

To turn on the screen saver lock:

defaults write com.apple.screensaver askForPassword -int 1

To turn off the screen saver lock:

defaults write com.apple.screensaver askForPassword -int 0

Turn on Mac screen saver password from command line (not for Snow Leopard)

2010-05-27T14:09:00.000+01:00

Turn on the screen saver password:

defaults -currentHost write com.apple.screensaver askForPassword -int 1

Turn off Screen saver password:

defaults -currentHost write com.apple.screensaver askForPassword -int 0

Again, this doesn't work for Snow Leopard.

PC: slow login - DFS refferal to wrong DC -using dfsutil

2010-03-19T19:17:00.002Z

After a re-IP two sites were experiencing slow logins. Both sites had a "shared services" network where the DC was placed. The shared services network is on a different VLAN than the user VLANs on the sites.

Start troubleshooting by logging into the local DC, going to Start\Run and typing \\full.domain.name.com\sysvol. Once the sysvol window opens, right-click on any blank area and go to Properties/DFS. The local DC should be set as the active referral ("Yes" next to the DC's name and a little tick on the name). NOTE: you can perform this check from any server or desktop on the site.

If the DFS referral is pointing to anything else than the local DC chances are there is a problem with Sites and Services; additionally a cleanup of the DFS cache on the DC might be necessary.

Make sure all the subnets at the location are in Sites and Services, INCLUDING the one the DC is in
Use dfsutil to clean up the DFS packets and cache

Full details of the dfsutil commands can be found HERE

On the DC run:

dfsutil /purgemupcache
dfsutil /pktflush
dfsutil /spcflush
dfsutil /pktinfo (shows which DC the DFS share is referring to)
dfsutil /spcinfo (shows the full path to the DFS share)

Typing "dfsutil" from the command prompt will get a list of commands.

Restarting after running these commands.

Mac User can't log in: computer bound to AD

2010-03-15T14:49:00.000Z

In the ongoing saga of Mac users unable to log into a bound machine, we add this to the list:

A user could log into bound PCs but was unable to log into any bound Mac. The user would get a shaky login screen with a cryptic message.

The problem was the user's AD account had a home folder set in their AD "profile" tab that pointed to an invalid share.

We have also seen the same problem with SMB shares full-stop. Removing the home folder path in the AD account allowed the user to log in.

Entourage database and Time Machine

2010-03-10T13:10:00.000Z

Time Machine and the Entourage database don’t play well together. The problem most people have is that their Entourage profile is a massive, monolithic database and even opening Entourage causes Time Machine to back up the entire database not just the changes. Normally the advice is to manually copy the user profile every once and a while and not let Time Machine back it up unless you have an infinite amount of disk space.

You can also have problems because even if all your Office apps are closed the database daemon is still running and this can lead to corrupt database backups. Before you backup the Office database you can run this command:

tell application "Microsoft Database Daemon" to quit

And after you are done you can do restart or run this command:

tell application "Microsoft Database Daemon" to launch

PC slow login- Sites and Services correct but incorrect SRV record

2010-03-10T13:07:00.000Z

A site that had recently been re-IPed was complaining about slow logins on their PCs- it could take a user up to 15 minutes to log in.

Sites and Services was setup correctly with the proper subnet and DC assigned to the site.

We found that there was an erroneous entry in DNS which was causing the machines to use the wrong DC for authentication. The entry was found here:

Forward Lookup Zones
[our domain]
DomainDnsZones
_sites
[site name]
_tcp

There were two _ldap entries in this location. One pointing to the correct DC and one to an incorrect DC. Removing the incorrect record resolved the issue.

Note: it is a good idea to check all the Sites entries in DNS to make sure that there are not other erroneous _ldap entries

Computer name not appearing in DHCP lease

2010-02-05T16:20:00.000Z

We were seeing a problem where some DHCP leases were not showing the computer name. None of these machines with blank lease names would show up in DNS.

It turned out that each of the machines with blank DHCP lease names were Macs and they had different sharing names than the computer names there were bound to the AD with.

The solution was to make the sharing name the same as the AD computer name. As soon as this was done and the computer was restarted the machine appeared in DNS and the DHCP lease had the proper name associated with it.

Changeip command for updating IP and host names: OS X Server

2009-12-30T16:42:00.001Z

If you need to update the IP address or host name on an OS X server you need to do a changeip command:

First do sudo changeip –checkhostname to see what the true host name is.

You can then change the IP and the host name in one fell swoop:

Sudo changeip - [old IP] [new IP] [old host name] [new host name]

ex: sudo changeip - 100.192.46.10 100.192.46.12 oldserver.mynetwork.com newserver.mynetwork.com

If you just want to change the IP then leave out the host name part. If you want to change only the host name you still must put the IP addresses- even if they are the same.

On the sever open a Terminal window and type “man changeip” for a good rundown of the command syntax and parameters.

Here is a link to the man page.

Snow Leopard: Kerberos ticket not renewing coming out of Screen Saver

2009-12-18T10:15:00.002Z

We had another case opened with Apple about Kerberos ticket not renewing after typing in password coming out of screen saver in Snow Leopard. They send me this instruction on modifying a file in /etc and it looks like it is resolving the problem. If you guys have Snow Leopard machine bound to AD. Please try it out too so we can confirm it does work.

Please edit the "“system.login.screensaver” entry in the /etc/authorization file to read like this:

system.login.screensaver

class
rule
comment
(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.
rule
authenticate-session-owner-or-admin

Note that the string:

The owner or any administrator can unlock the screensaver

is changed to:

(Use SecurityAgent.) The owner or any administrator can unlock the screensaver

To cache secondary mailboxes in Outlook

2009-11-16T13:54:00.000Z

One of the problems in Outlook is that if a user wants to send/receive mail using multiple accounts it is a pain to set up. Not only that but once you've attached the second account in Outlook it is ON-LINE and not cached. This results in very slow performance.

MS has a registry fix for this (if you are using Exchange 2007):

http://support.microsoft.com/kb/955572

Snow Leopard: first impressions

2009-10-19T17:41:00.000+01:00

I did these tests using an older 1.83 GHz iMac Core Duo with 1GB of RAM

Binding

Logged in as “administrator” binding from the “Join” button in Accounts failed with an error “unable to add server eServerSendError -14740.”

When binding through Directory Utility I received a notice that the computer account already existed. I checked the entire directory and the account was not there.

In Terminal I typed “dsconfigad- show” and found that the computer name was different than the name I had specified for the computer. I searched the AD and found the computer account listed by the “show” command and deleted it.

I also deleted all the PRT records for my subnet and reconfigured DHCP so that our DNS service account owned the DNS records. This is our new standard DHCP/DNS setup for all subnets.

I attempted to bind again with the [binding service account] and the bind failed with “insufficient privileges.” Using my domain admin account, I was able to bind the computer.

The edu.mit.kerberos file generated by the binding process was incorrect (lacking realm and server information) so I replaced with a file containing the correct information.

LDAP lookups were handled properly after the bind.

dsconfigad- show displayed the correct computer name.

Restarted the computer and logged in with my AD account. I was given a warning that my password would expire in 29 days (I had just changed my password) and it prompted me to set up a mobile account. On subsequent logins I was not given the password expiration warning.

Restarting the computer was very quick- it only took about 40 seconds. Directory Services was slow to start: 30-45 seconds after the login window appeared.

File handling and transfers

It has been reported that connecting to an SMB volume produces a beach ball lockup. I was able to connect to SMB shares (using SSO) but it took about 2 minutes. AFP connections were virtually instantiations.

3GB transfers to/from a SMB share on a Windows 2003 server across a 100mb network took 3 minutes.

3GB transfers to/from an AFP share on a Mac Mini running 10.5.8 server across a 100mb network took 6 minutes.

If I enabled Secure Empty Trash I was unable to delete the 3GB file. It would hang about halfway through the process and I was forced to restart the Finder. Turning off Secure Empty Trash allowed me to empty the trash without a problem.

Deleting an item from an AFP or SMB server volume closed the window.

There is now a “put back” function in Trash just like in XP.

Mac Mail

Auto setup asked twice to trust the certificate from IPG mail server.

There was no need to configure LDAP to do a GAL lookup.

Mail cannot access Public Folders.

There is now an archive mail function.

Meeting invites from Outlook and Entourage functioned perfectly regardless of whether or not they had attachments.

Meeting invites to Outlook and Entourage functioned perfectly.

It took a long time for mail to download and display in the Inbox window. Both my Blackberry and Entourage received mail much faster.

Notes are now synced properly with Blackberries.

Removing signatures locks up Mail.

There is no way to remove attachments! You must delete the entire mail.

Calendar

Delegates are limited to Calendar viewing only: you cannot configure shared mailboxes from the Mail client.

Free/Busy status in Calendar worked very well and it is nice that you can search for the next available time your invitees are available.

When viewing another person’s calendar their events are merged into your calendar and displayed as a different colour. People will either love this or hate it.

Once you’ve started to create a meeting request there is no “Cancel” button. You have to finish the request and then delete it.

Tasks entered into Mail say they will be put into a Tasks calendar but they are not.

There doesn’t seem to be a way to change the colour of calendar events.

Invites sent from a different time zone display the correct local time in the message header. The body text shows time for the sender, accepting the invite puts it into Calendar at the correct time. Entourage still has the problem where meeting invites sent from different time zones display the incorrect time when you double click on the event in your calendar.

There is a handy button that changes the time zone for all events in your calendar. Changing them back works too!

Address Book seems to be pretty much unchanged.

Very good description of AD binding process for the Macs

2009-10-15T19:12:00.000+01:00

http://www.peachpit.com/articles/article.aspx?p=1246089&seqNum=2

Accents in display names causing problems in Entourage

2009-08-18T19:13:00.002+01:00

We have seen problems in Entourage where an e-mail will arrive and have the sender's name split in two parts. One part will contain the valid e-mail address and the other will simply have a question mark before it. Attempting to reply to messages like this results in the message bouncing with a failure notice similar to "invalid e-mail address."

We have found that users who have accents in their display names cause this problem. Removing the accent in the user's AD display name resolves the issue.

This is only a problem in Entourage 2008- Entourage Web Services Edition and Outlook do not display this behavior.

Mac: Kerberos time-outs and locked screen saver

2009-08-06T18:32:00.001+01:00

This is an interesting little glitch.

On AD bound Macs if a user has their screen-saver set to require a password to deactivate and the user leaves their computer on for more than 10 hours, they will not be able to unlock the screen-saver. Apple has confirmed that this is a problem and advises that the user should enter their user name and password and then wait for one minute before they press “OK.”

This affects all versions of OS X through 10.5.7. The latest 10.5.8 patch is supposed to fix the issue.

The default time-out for a Kerberos ticket is 10 hours but with the screen-saver password lock enabled the Mac doesn’t auto renew the ticket properly. Normally every time you unlock your screen-saver it refreshes the Kerberos ticket back to 10 hours but this simply doesn’t happen if they machine has been sitting on and idle for over 10 hours.

Creating a mobile account after the fact: Mac

2009-08-06T18:28:00.003+01:00

If you need to enable a mobile account after you have already set up a user's network account (and didn't create the mobile account at first log in) do the following:

On the client, log in as the local Administrator, and in Terminal
issue the command:

sudo /System/Library/CoreServices/ManagedClient.app/Contents/
Resources/createmobileaccount -vsn myusername /my/homedirectory

The variables "myusername" and "/my/homedirectory" are specific to
the account you are working with.

If you don't want syncing enabled, the argument is -vSn

Shaky login on Mac

2009-07-30T13:18:00.002+01:00

Normally shaky logins are caused by missing or corrupt edu.mit.kerberos files so always check that first but you might also want to look at the user's e-mail address in AD too.

We had a user who couldn’t log into any bound Mac using his AD account however he could log into a PC. On the Macs, he would get a shaky login box and a cryptic error saying “you can’t log in at this time”.

Checking his AD account I noticed that he didn’t have a secondary SMTP of @corp.ipgnetwork.com. I added the SMTP, waited for replication and then he was able to log in.

Outlook 2007 command line tools

2009-07-09T18:00:00.000+01:00

Great set of Outlook 2007 command line tools:

http://office.microsoft.com/en-gb/outlook/HP012185891033.aspx

Garbled Text in Entourage

2009-06-03T10:17:00.003+01:00

Problem: Entourage displays garbled text in all fields- header, folder names and message body.

Fix: Go to /Users/[user name]/Library/Caches and delete the com.microsoft.browserfont.cache file.

Relaunch Entourage and the text should be back to normal.

Entourage not sending mail MSS and MTU packet size problem

2009-05-29T17:29:00.005+01:00

We have had a problem in one of our Warsaw offices where their Entourage 2008 clients (connected to Exchange 2007 via OWA) were not able to send mail.

After much trial and error we found that the MSS packet size was set incorrectly. Allowing larger packets resolved the problem.

We set the MSS packet size to 1300 and the internal and external MTU size to 1500

Doing a tcpdump and searching for "MSS" found that the packet size was 1460. However it looks like the tcp packet length to the OWA server is 1400.

Macs not logging in: duplicate AD names

2009-04-29T17:09:00.003+01:00

Problem: A user in EMEA can't log into their AD bound Mac. After investigation it is found that a duplicate name exists in another forest (North America). We have been working around this by renaming one of the accounts.

Possible solution (being tested now): from a command line on the user's machine type disconfigad –namespace domain name and then log in with domain\shortname

See this link for more details: http://archive.netbsd.se/?ml=macos-x-server&a=2008-09&t=8621106

Incorrect host names on Mac clients

2009-04-29T15:33:00.005+01:00

As many of you are no doubt aware the Mac hostname displayed on the client and in the DNS Name field of ARD are more than likely incorrect. For example, your Mac might be named ldntam-DMX1234 but you get a hostname of OSLggk-DXP5678 or some other random name. This is a problem for applications such as LANDesk which need accurate DNS names associated to IPs.

After much research and many discussions with Apple we have finally received this definitive reply:

“Mac OS X 10.5 clients do not update PTR (reverse) records. The 10.5 Mac
clients will register an A record and the DHCP server must register
the Mac's PTR record. If a PTR record already exists with the IP
address that a Mac has, the Mac will be given the hostname of the
previous PTR record. That is why scavenging and choosing the option
to discard A and PTR records when the lease is deleted is necessary.”

DHCP servers can be configured to either update A and PTR records only if requested by clients or to always update DNS A and PRT records. The problem with the later method is that the server, rather than the client, will own the record and the client’s ACL is not included in the DNS object’s security list. This can cause problems if the client goes to another location, if the DHCP server is changed or if the A and PTR records are not released properly (which happens a lot).

It is also highly recommended that DHCP servers NOT reside on domain controllers. In such a configuration (DHCP and DNS on the same server) MS recommends using an account with DNS credentials to update the DNS records to ensure the integrity of Dynamic DNS updates.

According to Apple, Snow Leopard should have the ability to dynamically update PTR records.

BEUTILITY (BackupExec Utility)

2009-03-07T22:12:00.004Z

To migrate the BackupExec databases after the server has been migrated to a new domain:

Make sure you change all the BackupExc services so that they launch using a local service account not a domain or local admin account. DO THIS FIRST and then run the beutility.exe app.

The beutility.exe file is located in the in the same folder as the main BE application.

Launch beutility.exe. The option is not so easy to find.. You click on the List of servers, right click on the server name and select "update configuration to reflect new media server name", then fill in the new domain and server name and the old domain and server name.

Enable random signature in Entourage

2009-02-27T20:24:00.002Z

Setup your signatures in tools/signatures
In the signature put a tick in "Include in random list"
Close the signatures and go to tools/accounts/
Double click on your mail account and go to the Options tab
In the "Default signature" pull-down select "Random"
Click "OK"

Now each time you create a new mail message it will select a signature from your Random list.

OS X Server: Speeding up directory searches

2009-02-19T11:01:00.002Z

One of the major complaints about OSX Server is that once they are bound, searching for users/groups from the AD can take a long time (and sometimes times out before completion).

The problem, according to Apple, is that AD doesn’t index any attributes for a substring search and therefore all records have to be searched. The Workgroup Manager plug-in times out after 60 seconds and even an ldapsearch from the command line will only search for 120 seconds and then give up.

Apple has two suggestions to speed up searches:

In Workgroup Manager, click on the little magnifying glass in the search window and select "Name is" and enter the last, first of the user you are searching for

In Workgroup Manager, click on the little magnifying glass in the search window, go to “advanced” and search for “Real Name” This will search the cn attribute and is much faster than a normal search- this works for groups too

I have tested both of the above work-arounds and found that they work very well. The Real Name search is particularly fast.

Enable access rights in ARD

2008-12-01T16:33:00.001Z

Run this from the Unix command in ARD as root. It will set the user's access privileges in ARD to "all".

cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/
^M
./kickstart -configure -access -on -users [USER SHORT NAME] -privs -all

OS X: create user account from command line and ARD

2008-12-01T13:58:00.004Z

For Tiger:

Run the following as "root" in ARD:

dscl / -create /Users/toddharris
dscl / -create /Users/toddharris UserShell /bin/bash
dscl / -create /Users/toddharris RealName "Dr. Todd Harris"
dscl / -create /Users/toddharris UniqueID 503
dscl / -create /Users/toddharris PrimaryGroupID 1000
dscl / -create /Users/toddharris NFSHomeDirectory /Local/Users/toddharris
dscl / -passwd /Users/toddharris PASSWORD
dscl / -append /Groups/admin GroupMembership toddharris

Replace "toddharris" with the user name and "PASSWORD" with the password you want to use.

For Leopard use:

dscl . -create /Users/toddharris
dscl . -create /Users/toddharris UserShell /bin/bash
dscl . -create /Users/toddharris RealName "Dr. Todd Harris"
dscl . -create /Users/toddharris UniqueID 503
dscl . -create /Users/toddharris PrimaryGroupID 1000
dscl . -create /Users/toddharris NFSHomeDirectory /Local/Users/toddharris
dscl . -passwd /Users/toddharris PASSWORD
dscl . -append /Groups/admin GroupMembership toddharris

Starting ARD from command line

2008-11-28T13:07:00.000Z

http://docs.info.apple.com/article.html?artnum=108030

This is the Apple tech reference for turning on ARD from the command line if you can ssh into a box. NOTE: Apple fails to note that you have to put ./ in front of the "kickstart" command.

For turning on ARD using ssh and enabling it for all users type:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources root# ./kickstart -activate -configure -access -on -restart
-agent -privs -all

MUST BE SUDO or ROOT

Outlook: registry change to allow connection ot a differnt mail server

2008-11-28T13:05:00.000Z

After a migration, if you need to switch the user's mail back to the old server you need to delete a reg setting or Outlook will not connect to the old server. Do this:

HKEY_CURRENT_USER
Software
Microsoft
Exchange
Exchange Provider

Delete the Closest GC key

Go back into Outlook and connect to the old mail server

PXE booting a Dell

2008-11-28T13:04:00.001Z

• Getting PXE boot to work on Dell machines presented problems as there was no obvious way in BIOS to enable PXE. The internet provided the solution:
o Enter BIOS
o Go to Security Settings
o Disable the Deny PXE boot option.
o Return to main BIOS screen
o Enter Integrated Peripherals screen
o On network card settings, press right arrow to add the ‘pxe’ boot option to the setting
o Exit and save settings
• Dell machines caused a small error with the installation script due to an extra ISDN card requiring installation.

Rename a PC using netdom

2008-11-28T13:02:00.000Z

You will need to install the XP Support Tools located in the Tools folder on the XP disk. Full instructions can be found here:

http://support.microsoft.com/kb/298593

Here is a real-world example of renaming a computer MLNMOW-NXP1002 to MLNMOM-NXP1002

netdom renamecomputer MLNMOW-DXP9001 /newname:MLNMOM-NXP1002 /userd:[domain]\[admin account] /passwordd:* /usero:administrator /passwordo:* /reboot:15 /force

This will rename the computer, prompt you for your domain admin and local machine admin passwords and force a reboot after 15 seconds. You have to be using a domain account with full admin rights to the computer you are renaming.

You can enter the real passwords instead of the "*" to speed up the process.

Unable to log in to a Mac (Tiger only)

2008-11-28T13:00:00.001Z

Symptom: A user on a bound Mac is unable to log in; they receive the "shaky" log-in box at each authentication attempt. Other users can log into the machine and the same user can log into other machines.

Fix: Log on as admin and open Netinfo Manager and select "Users" in the middle column. In the right-hand column the user should be listed ONCE. If the user is listed TWICE, delete both users. Restart and the user should be able to log back in.

NOTE: if this does not resolve the problem then you will have to use the Kerberos file fix which is explained in another post.

Mail problems checklist

2008-11-28T12:55:00.002Z

For VPN access:
LDN SML RAS
There is now a VPN user group created by default in each OU but make sure it is a member of the SML RAS group

For IT staff to modify Exchange settings in the user’s AD account:
EMEA Exchange View-Only Admins

For IT staff to create a new user:
EMEA GIS Exchange2003 Reg Settings Group Admins

Newly created user must be in this group:
EMEA GIS Exchange2003 Registry settings

In order for an IT guy to add computers to the Non-Restricted Workstation group, the IT guy must be a site-level full admin not a brand-level full admin.
Example: SHM 11ATUR Full Admins and not SHM 11ATUR MEW Full Admins

If no one can send to a DL make sure the group type is set to UNIVERSAL

If a user is unable to receive internal mail make sure they have a NOTES entry in their E-mail Address tab with an address of user name@NAExchange. Also make sure they have a tick in “Automatically update e-mail addresses based on recipient policy” under the E-mail Addresses tab (this is very important for new users especially).

(Generally, not being able to receive internal mail means that they are missing or have a misspelling in their @corp.... address)

If the user receives a “Mailbox Closed” message from System Administrator it means their mailbox is over the size limit.

Name changes not showing in the GAL on some computers: update the GAL in Outlook. Tools/Send&Receive/Update address book. Make sure you update all entries.

Can not search default Contacts folder in Outlook

2008-11-11T08:54:00.003Z

Problem: Users are not able to search the default Contacts in Outlook. Right-clicking and going to Properties/Outlook Address Book displays the "show this folder as an Outlook address book" field greyed out and unticked.

Solution:

In Outlook, Choose Tools->Email Accounts...
Select Add a new directory or address book, then click next.
Select Additional Address Books, then click next.
Choose Outlook Address Book from the list, then click next.
You will have to close Outlook and open again for changes to take effect.
You will then be able to select the Show this folder as an email Address Book from the Outlook Address Book tab within the Contacts properties

General info about making Contacts searchable (but not specifically this fix): http://support.microsoft.com/kb/287563

User can't log into a bound mac (cont...)

2008-10-29T15:56:00.000Z

On a problem Mac, check if the mit.edu.kerberos file has been modified back to a default. We’ve been seeing machines overwriting our custom file and replacing it with a default one. If the file has been changed try this:

In the default file look for the line that says [libdefaults]. Chances are the only thing under it will be “dns_fallback = no” or it could give you a realm list. Either way, cut and paste from your modified edu.mit.kerberos file everything under [libdefaults] line. Don’t replace the Kerberos file this time: cut and paste into it.

After you have done this go System/Library/Core Serivces/Kerberos.app and delete any Kerberos ticket you might find.

Restart and try to log in again.

On a problem Mac you could also try stopping and restarting directory services:

Sudo killall DirectoryServices

The service will start again automatically.

Then check that AD is in the search path: dscl /Search –read / CSPSearchPath SearchPolicy

It should return:

/Local/Default,
/BSD/local
Active Directory/All Domains

Lastly, if you are still having problems, turn on Directory Services logging at startup:

Sudo killall –USR1 DirectoryServices
Touch /Library/Preferences/DirectoryService/.DSLogDebugAtStart

After the restart the logs can be found in:

/Library/Logs/DirectoryService/DirectoryService.debug.log

Import/Export DHCP scopes on a Windows 2003 server

2008-10-29T13:50:00.000Z

http://www.geekadmin.com/?p=13

Creating a Password Reset Disk for XP

2008-10-29T13:44:00.000Z

Direct from Microsoft: http://support.microsoft.com/kb/305478

Print spooler on client PCs (XP) falling over

2008-10-29T13:11:00.001Z

In Amsterdam we had a problem where the print spooler was repeatedly stopping on the server. The fix was to translate TT fonts to bitmap in each printer's advanced settings (right-click on the printer and go to properties)

More details:

The printer drivers were upgraded, and used PCL5 rather than PCL6, this
stopped the print spooler from crashing.

A symptom arised that people were getting garbage printed out when
printing from Outlook (other apps OK). This issue was resolved by
forcing the default option of printing TT fonts as bitmaps.

OS X Tiger slow logins: LDAPv3 fix

2008-10-29T13:10:00.001Z

I can confirm that if I remove the LDAPv3 settings from my Macs, then the boot process is MUCH MUCH faster...reduced from minutes to seconds on my really fast Macs. Removing the entry completely (or disabling it by un-checking the check mark on the main Directory Access screen) will make my machines boot faster.

Mac Binding problem and fix: report from Hamburg

2008-10-29T13:06:00.000Z

Problems

The HAM office reported several problems:
Slow log in on Macs (up to an hour)
Macs which would not bind
Macs would take a long time to bind
Mac which were bound not having network accounts available at log in
Users on bound Macs unable to log into the computer if it was disconnected from the network (a real problem for laptops)
When the local DC was taken off-line the Macs could not log in
When the office was removed from the WAN, the Macs could not log in

I believe that we have now resolved all of the above issues, however the last one involves a change which the Directory Team is not in favour of.

We have a full testing matrix but I’ll hit the highlights:

The local DC’s error log showed a good number of replication errors; it also had the primary and secondary DNS servers reversed and 28 updates and critical patches waiting to be applied. The DNS entries were corrected, patches applied and the DC was restarted- it seems to be operating well now.

On a problem Mac (network accounts unavailable and the user couldn’t log in even if they had a mobile account) we did two things: deleted the edu.mit.kerberos file from Library/Preferences and deleted the live Kerberos ticket (sometimes, if a user was having problems logging in they did not have a Kerberos ticket at all). After a restart, network accounts became available after about 15 seconds and after the user entered their AD credentials it took 10 seconds further to completed the login process.

Checking the edu.mit.kerberos file after login we found that it had been successfully recreated and had the correct entries for the site and the EMEA realm:

Kdc = hamgdc02.xxx.xxx.xxx.com.:88
Kdc = amsgdc02.xxx.xxx.xxx.com.:88 (this entry sometimes displayed other EMEA DCs)
Admin_server = hamgdc02.xxx.xxx.xxx.com.
Admin_server = amsgdc02.xxx.xxx.xxx.com. (this entry sometimes displayed other EMEA DCs)

All of the above entries are exactly what they should be. Before we made changes to the DC and rebooted it, the edu.mit.kerberos files could have any random DC within the global IPG network (we found them pointing to Hong Kong, Dublin, Milan, etc.)

If we disconnected this Mac from the network the user could still log in using their mobile account.

If we disconnected the network cable from the DC, after about 60 seconds network accounts on the Mac became available and the user could log in (it took a while, about 90 seconds but it still worked). If the Mac had either no Kerberos ticket and/or a edu.mit.kerberos file with improper entries, the client could never log in if the DC was unplugged from the network.

If we disconnected the DC from the WAN and connected it via cross-over cable to a PC (simulating the office dropping its WAN connection) the PC was, after a while, able to authenticate an AD user and log in. If we connected a Mac to the DC with a cross-over cable, network accounts would never become available and we could not log in using an AD account.

If I added ldap and kerberos entries into DNS/emea.xxx.xxx.com/msdcs/dc/_tcp for the local then a Mac connected via crossover cable to the DC would, after about 60 seconds, have network accounts become available and an AD user can log in (takes about 90 seconds).

If I removed the DNS entries, the Mac was unable to log in and network accounts never became available.

Conclusions

“Cleaning up” the DC and rebooting it allowed the Macs to generate properly configured edu.mit.kerberos files.

Based on our testing it would seem that deleting the edu.mit.kerberos file along with the active Kerberos ticket and rebooting the Mac fixes the problem of unavailable network accounts and slow user log in. It also seems to make the Macs bind faster and more reliably.

Once a proper edu.mit.kerberos file has been generated, removing the Mac from the LAN or disconnecting the DC from the LAN still allows for user log in. However, if the office loses its connectivity to the WAN, Macs which are still connected to the LAN are unable to log in at all unless we add the above mentioned DNS entries.

It should be noted that none of the Macs we tested, nor any user’s Mac which had authentication problems during the time I was in the office, ever unbound themselves from the AD. Not being able to authenticate is not necessarily a symptom of a binding problem.

Mac bining and SRV records (part 1)

2008-10-29T13:05:00.000Z

Form MacWindows:

I recently had an issue whereby all OS X 10.4 clients/servers I tried to bind to a customer's Active directory would fail with "unknown error" at Step 5. The ADPlugin log would show the binding failing while trying to set the computer password. I found your very useful pages through googling the issue, and thought I would let you know what eventually fixed my issue.

I believe I had two issues causing this binding problem, both DNS related.

The first was that some SRV records for one of their domain controllers were missing from DNS (in particular _ldap and _kpasswd). Running "nltest /dsregdns" on the missing server should sort this, but they should also be added in automatically when the Netlogon service starts on the server, so if they are missing there could be some wider domain controller issue to investigate.

The second problem (once the SRV records were sorted), and the one that was causing the step 5 failure, was that the domain controllers were multi-homed: they each had more than one IP address, and these addresses were all registered in DNS. For some reason, the AD bind process would retrieve the correct IP from DNS for each step until step 5 when it would try and talk to the servers second IP for the kpasswd (464 UDP) part of the bind. This would fail.

To fix this, if possible remove the second IP address from the server. If you can't do this, remove the server A record in DNS that points to the second IP address (you might have to go in to the TCP/IP properties on the server and tell it "not to register this connection in DNS" if you leave more than one IP address on the server, else it will re-register it in DNS). This fixed the issue for me