Problems binding Mac OS X clients (of various versions) to Active Directory are common. You can find the step at which the Active Directory plug-in (ADPlugin) fails by watching its debug log from the Terminal application.
Type the following commands in the Terminal on the Mac that is having trouble binding:
- sudo killall -USR1 DirectoryService (sending SIGUSR1 to DirectoryService toggles its debug logging; send it again when you are done to turn logging back off)
- tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlug (follows the log and shows only the lines written by the AD plug-in)
After you have entered these commands, go back to Directory Utility (called Directory Access on Mac OS X 10.4) and retry binding the Mac to the Active Directory domain. The debugging output from the ADPlugin now appears in the Terminal window as the bind runs, so you can see at which step the Active Directory bind fails.
If you find an error and are not sure what it means, please copy and paste the AD log lines into our online support request form: http://www.grouplogic.com/support/requestform/
The most common error we see is "KRB5KRB_AP_ERR_SKEW: Clock skew too great". Kerberos refuses the authentication when the clocks of the client and the domain controller differ by more than the allowed tolerance (five minutes by default). Setting the domain controller as the time server on all Mac clients is the recommended solution. If needed, you can also increase "Maximum tolerance for computer clock synchronization" in the domain's Kerberos policy, but only when the problem is latency between the client and the server, not when the clocks are significantly different from each other: this tolerance is also the window in which a captured Kerberos authenticator can be replayed, so keep any increase small and fix the clocks instead.
Another common problem binding Macs to Active Directory relates to DNS configuration. Best practices dictate that both the Active Directory server and the Mac client have accurate forward (A) and reverse (PTR) DNS records, and that the Mac resolves names through a DNS server that serves the AD domain. To test whether DNS is properly set up, use nslookup from a Terminal window on the Mac:
- nslookup ADserver.yourdomain.com (replace "ADserver.yourdomain.com" with the name and domain of your AD server) - this should return the IP address of the domain controller.
- nslookup <IP address of the AD server> - this should return the fully qualified name of the domain controller.
- nslookup Macclient.yourdomain.com (replace "Macclient" with the name of the Mac and "yourdomain.com" with your AD domain) - this should return the IP address of the Mac client.
- nslookup <IP address of the Mac client> - this should return the fully qualified name of the Mac client.
If any of these lookups fails, or a reverse lookup returns a different name than the one you looked up, resolving the DNS issue may solve the problem with binding the Mac to Active Directory.
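The two checks above (matching forward and reverse DNS for the domain controller and the Mac, and clock skew against the domain controller) scripted together, as an added example that is not part of this article or of GroupLogic's software. It assumes dig, ntpdate and awk are available (all shipped with Mac OS X up to 10.13; later releases replaced ntpdate with sntp); dc1.example.com, mac01.example.com and the 192.0.2.x addresses are placeholders, and the function names are our own.

```bash
#!/bin/bash
# Added example (not from the original article): pre-bind checks for the two
# most common bind failures, DNS forward/reverse mismatch and clock skew.
# Names, addresses and function names are placeholders of our own.
# Usage:  ./adbind-precheck.sh dc1.example.com 192.0.2.10 mac01.example.com 192.0.2.50

# Resolver wrappers. "dig +short" prints one answer per line with no chatter,
# which is easier to test by script than nslookup's multi-line output.
forward_lookup() { dig +short "$1" A | head -n 1; }
reverse_lookup() { dig +short -x "$1" PTR | head -n 1 | sed 's/\.$//'; }

# check_pair NAME IP: the forward record must give IP and the reverse record
# must give NAME back. Prints one line per lookup; returns 0 only if both match.
check_pair() {
    local name=$1 ip=$2 rc=0 got_ip got_name
    got_ip=$(forward_lookup "$name")
    if [ "$got_ip" = "$ip" ]; then
        echo "OK   forward  $name -> $got_ip"
    else
        echo "FAIL forward  $name -> '${got_ip:-no answer}' (expected $ip)"
        rc=1
    fi
    got_name=$(reverse_lookup "$ip")
    if [ "$got_name" = "$name" ]; then
        echo "OK   reverse  $ip -> $got_name"
    else
        echo "FAIL reverse  $ip -> '${got_name:-no answer}' (expected $name)"
        rc=1
    fi
    return $rc
}

# clock_offset HOST: ask HOST's NTP service how far our clock is off, in
# seconds, without adjusting anything (ntpdate -q is query-only). Domain
# controllers answer NTP; the PDC emulator is the domain's time reference.
clock_offset() {
    ntpdate -q "$1" 2>/dev/null | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "offset") { sub(/,$/, "", $(i+1)); off = $(i+1) }
    } END { print off }'
}

# skew_within_tolerance OFFSET LIMIT: true when |OFFSET| <= LIMIT seconds.
# Kerberos (AD's "Maximum tolerance for computer clock synchronization")
# defaults to 300 s; beyond that the KDC answers KRB5KRB_AP_ERR_SKEW.
skew_within_tolerance() {
    awk -v o="$1" -v l="$2" 'BEGIN { if (o < 0) o = -o; exit (o <= l ? 0 : 1) }'
}

if [ "$#" -eq 4 ]; then
    dc_name=$1 dc_ip=$2 mac_name=$3 mac_ip=$4
    status=0
    check_pair "$dc_name" "$dc_ip" || status=1
    check_pair "$mac_name" "$mac_ip" || status=1
    off=$(clock_offset "$dc_name")
    if [ -z "$off" ]; then
        echo "WARN clock    no NTP answer from $dc_name (ntpdate missing or UDP 123 blocked?)"
    elif skew_within_tolerance "$off" 300; then
        echo "OK   clock    offset from $dc_name is ${off}s"
    else
        echo "FAIL clock    offset from $dc_name is ${off}s (Kerberos allows 300s)"
        status=1
    fi
    exit $status
fi
```

A FAIL on the clock line is the KRB5KRB_AP_ERR_SKEW case above; point the Mac at the domain controller with "sudo systemsetup -setnetworktimeserver dc1.example.com" followed by "sudo systemsetup -setusingnetworktime on" and re-run the script. A FAIL on a reverse line with a different name than expected usually means a stale PTR record left behind by an earlier address assignment.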
Some customers have found that pre-creating the computer object in Active Directory helps. Others have reported that removing a stale computer object with the same name also solves the problem.
Note: To bind a Mac OS X client to AD, the Mac must be given a computer name that is unique within the domain.