Apple

Pro tip: Fixes for common Active Directory connectivity issues on OS X

Jesus Vigo covers five common Active Directory connectivity issues affecting OS X and offers solutions to help resolve them.

Active Directory

Anyone who has ever had to manage systems on a network typically finds the tools and commands necessary to perform administrative tasks across the board that suit their type of computers. For example, Microsoft sys admins are encouraged to use PowerShell to implement management of Windows-based hosts.

However, the days of homogeneous networks is quickly coming to a close. The BYOD push is flooding networks with everything from various Linux distros to iOS and Android operating systems — heterogeneous networks are growing in a big way.

One increasingly common trend amongst those mentioned above are SMB switching over to Apple computers for their native support of OS X, Windows, and other operating systems. Similar to how a Windows desktop would join an Active Directory domain, Macs also offer binding to several directory-based domains for central management of nodes.

And while Apple does have their own Open Directory rolled into OS X Server, it has gotten better in its support of other standards-based directory binding — though there are still a few hiccups that cause for a breakdown in communication. And sometimes, these breakdowns can be downright frustrating behaviors from Apple computers bound to Active Directory domains.

Let's take a look at a few of the more general errors, along with causes, and how to resolve them in little to no time.

1. Pre-stage the account in Active Directory (AD)

Symptoms: Trying to bind OS X to Active Directory produces errors that the account or object cannot be found.

Causes: In most cases, this comes down to a communication error between the client (OS X) and the directory server (AD). Further investigation could reveal if the issue lies with DNS not forwarding requests properly or perhaps a network configuration issue. Other times, it may be a permissions issue between the account being used to bind machines and/or permissions to add or modify objects within AD.

Solution: Aside from network configuration issues, such as separate subnets or VLANs, pre-staging computer accounts in Active Directory is one of the quickest and easiest fixes to objects not being found. Start by manually creating the computer object in the desired Organizational Unit (OU) prior to attempting to bind any Macs to AD. Once AD has replicated across the organization, try binding again.

By creating the pre-staged object, relevant DNS records and network settings now have an endpoint to target when attempting to bind. Especially if the access level of the account used to bind may not have domain admins or enterprise admins-level status, it may be enough to bind OS X to the directory and populate the object with the information pertaining to that particular Mac.

2. Allow network users to login

Symptoms: Apple computer will not allow users to authenticate to the AD server, thus preventing logon.

Causes: Loss of connectivity to the network or systems configuration changes have been made, limiting access to local accounts only.

Solution: 99% of the time, experience has taught me to check the network cable/Wi-Fi power status first. Once connectivity has been verified, the next step is to ensure that the checkbox next to Allow network users to log in at login window has been checked. A further step to review is to click the Options... button next to it and verify that all users that should be allowed access to login are whitelisted.

3. Active Directory Search Policy

Symptoms: User cannot login with AD credentials as the computer processes the account until it times out or shakes "no" as if an invalid password was entered.

Causes: Sometimes it is, in fact, an incorrect password. Other times, when the Mac is initially bound to the domain, it will automatically populate certain fields of information, such as the Search Policy, which dictates what domain(s) the AD plug-in will look to in order to authenticate the account. The populated Search Policy is usually correct, but as is common within forests of multiple domains, the wrong entry may be set as the default.

Solution: Access the Directory Utility, System Preferences | Users | Login Options, then click the Edit... button, and select the Open Directory Utility... button. From here, you can view the entries in the Search Policy by clicking on the Search Policy tab and use the "+" or "-" buttons to add/remove entries to point to the correct domain to which the Mac is bound.

4. Configure directory settings for AD plugin

Symptoms: Similar to above, users cannot login with AD credentials as the computer processes the account until it times out or shakes "no" as if an invalid password was entered.

Causes: OS X binds to AD using default settings of maximum compatibility. However, specific settings may be required in order to ensure that the client communicates with the correct AD server. These settings need to be modified manually or scripted.

Solution: Clicking on Services in the Directory Utility and selecting the Active Directory service allows users to modify the settings used by the service to specify network protocols, custom attributes, and (most importantly) preferred domain servers, adding administrative security groups to manage the client or allowing authentication from any domain in the forest. This is accomplished by simply check marking the entries you wish to modify and entering the relevant information.

5. Check DNS name

Symptoms: Difficulty communicating on the network with other computers or Wake-on-LAN (WOL), though internet access work just fine.

Causes: Changes in computer name are frequently attributed to changes in network access. For example, a Mac named "MAC-FU" may suddenly rename itself to "MAC-FU (1)" when it detects a "ghost" of itself on the network or another computer with the same name. Changes from one subnet to another will sometimes trigger a name change like this to prevent both desktops from going offline. Also, when desktops are bound to the domain, unbound and then rebound, they will sometimes cache the DNS information and rely on that during rebinding. This can cause a newly renamed computer, say "MAC-123.domain.com" to have a DNS hostname of "MAC-456.domain.com," which is its previously bound name.

Solution: Check the computer name by going to System Preferences | Sharing and verify that the computer name listed is the same as the name entered when the computer was bound to the domain. Additionally, clicking the Edit... button will bring up the local hostname. If these two entries are different (as in the example above in the Causes section), then unbind the machine and modify the computer name and hostname so they are the same, reboot the computer, and then bind it again to Active Directory. This should resolve any DNS-related issues to reflect the proper name — both locally and on the directory server.

This is not, by any means, a comprehensive listing for troubleshooting Mac-AD connectivity issues. As with any software, the sad truth is that there are seemingly endless possibilities for certain products to malfunction or outright fail that make troubleshooting sometimes incredibly difficult.

Troubleshooting is, in my opinion, a sacred art. It is what allows us to resolve the problems of the technical world around us without being a developer or an engineer for that specific product. At the same time, with product offerings, such as ADmitMac and Centrify, directly from developers and engineers and aimed directly at tackling such issues head on, perhaps a software-based solution is a better fit for the specific needs of your specialized network.

What other common troubleshooting tips and tricks do you recommend when working with Active Directory? Share your experience in the discussion thread below.

About Jesus Vigo

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...

Editor's Picks

Free Newsletters, In your Inbox