
Diagnosing AD binding problems from the command line

Every so often, a user may call the help desk to report that they can’t log into their Mac using their Active Directory account’s username and password. Here’s a way to diagnose remotely whether their workstation is having an AD problem and needs to be re-bound.

1. Use SSH to remotely connect to the Mac in question: ssh administrator@workstation-name.domain.org

This message may appear if it’s the first time connecting from your workstation to the remote Mac:

The authenticity of host ‘workstation-name.domain.org (ip.address.here)’ can’t be established.

RSA key fingerprint is 47:15:1f:e0:b1:dc:05:25:2c:cf:ae:aa:8c:ac:83:c3.

Are you sure you want to continue connecting (yes/no)?

Enter yes when prompted and hit Return.

2. Verify that the Mac has the correct system time by running the following command:

date


The output should show you the current date and time.

If the time is off by more than a minute, run the following commands:

sudo /usr/sbin/systemsetup -setnetworktimeserver time.server.here
sudo /usr/sbin/systemsetup -setusingnetworktime on

The two commands above will set the network time server to the time server you want (time.apple.com should work in most cases) and tell the Mac to set its clock using that time server.

Next, run the following command to force the Mac to check in with your network time server and get the correct time:

sudo ntpd -g -q

Next run the following command and verify that the time is now correct:

date


3. If the Mac has the correct time, next check to see if the Mac is communicating with the AD domain. To do this, run the following command to look up the username of an account that you know is not on this Mac (like your own account):

id username


If the Mac is communicating properly with AD, you should see the AD account’s ID information and associated groups listed in the output.

If the Mac is not communicating with AD, you should see output that says “id: username: no such user” (no quotes).


4. If the time is correct and the username lookup is reporting “no such user”, you’ll need to unbind and rebind the Mac. For this, you’ll need the username and password of an AD account with the needed admin rights to unbind and rebind the Mac to your Active Directory domain.

To unbind:

sudo dsconfigad -f -r -u username


You may receive a Password: prompt. At this prompt, put in the password for the administrator account you’re using.

Next, you’ll receive a Network Password: prompt. At this prompt, put in the password for your AD account that has binding and unbinding rights.

You should then receive the following message:

Computer removed from Active Directory


To bind:

sudo dsconfigad -a computername_here -u username -ou "CN=Computers,DC=domain,DC=org" -domain domain.org

(Note: You may need to set additional dsconfigad options for your organization. See the dsconfigad man page for all the options available.)

For the computername_here value, put in the workstation’s name. For example, here’s how I would use my rtrouton AD account to bind a workstation named rtrouton-wm1.

sudo dsconfigad -a rtrouton-wm1 -u rtrouton -ou "CN=Computers,DC=domain,DC=org" -domain domain.org


You may receive a Password: prompt. At this prompt, put in the password for the administrator account you’re using.

Next, you’ll receive a Network Password: prompt. At this prompt, put in the password for your AD account that has binding and unbinding rights.

You should then receive the following message:

Computer was successfully Added to Active Directory

5. To verify that the Mac is now communicating correctly with the AD domain, run the following command to look up the username of an account that you know is not on this Mac (like your own account):

id username


If the Mac is communicating properly with AD, you should now see the AD account’s ID information and associated groups listed.

If the Mac is not communicating with AD, you should see output that says “id: username: no such user” (no quotes).
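The checks from steps 2, 3 and 5 gathered into one read-only script, as an added example that is not part of the original post: it compares the Mac’s clock against a reference time you pass in, then classifies the output of an id lookup, and it never unbinds or rebinds anything. The account name jdoe, the 60-second tolerance and the ssh invocation in the header comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only AD health check that
# automates steps 2, 3 and 5 (clock check, then an AD account lookup with id).
# Run it on the Mac over SSH, passing the help desk workstation's clock and an
# AD account that is not a local account on the Mac (jdoe is a placeholder):
#   ssh administrator@workstation-name.domain.org 'sh -s' "$(date +%s)" jdoe < ad_check.sh

MAX_SKEW=60   # the post treats more than a minute of drift as a problem

# clock_ok LOCAL_EPOCH REFERENCE_EPOCH [MAX]: succeeds when |local - ref| <= MAX
clock_ok() {
  diff=$(( $1 - $2 ))
  [ "$diff" -lt 0 ] && diff=$(( -diff ))
  [ "$diff" -le "${3:-$MAX_SKEW}" ]
}

# classify_id_output TEXT: turn the output of `id username 2>&1` into a verdict
#   bound   - uid/gid/groups came back, so the Mac is talking to AD
#   unbound - "no such user", the symptom the post says calls for a rebind
#   unknown - anything else (typo in the name, id usage error, ...)
classify_id_output() {
  case "$1" in
    *"no such user"*) echo unbound ;;
    uid=*)            echo bound ;;
    *)                echo unknown ;;
  esac
}

# check_ad REFERENCE_EPOCH ACCOUNT: run both checks and print a one-line verdict.
# Exit status: 0 = healthy, 1 = clock skew (fix time first), 2 = AD lookup failed.
# The clock is checked first because a skewed clock alone breaks Kerberos logins,
# and a rebind would not fix that.
check_ad() {
  now=$(date +%s)
  if ! clock_ok "$now" "$1"; then
    echo "CLOCK: local time $(date) is more than ${MAX_SKEW}s from the reference; fix time before judging AD"
    return 1
  fi
  verdict=$(classify_id_output "$(id "$2" 2>&1)")
  echo "AD lookup of $2: $verdict"
  [ "$verdict" = bound ] || return 2
}

# Only run when invoked with arguments; sourcing the file just defines the functions.
if [ $# -eq 2 ]; then
  check_ad "$1" "$2"
fi
```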

  1. kcg
    March 29, 2012 at 3:54 pm

    wonderful…!! I was looking for something to put in AM to check the status of a Bound Mac

  2. Dave ATX
    October 5, 2012 at 1:34 pm

    What I’m seeing in my environment (University computer labs) is that after we bind our Lion clients to AD, everything hums along fine….for a few days. Then the Lion clients just stop communicating with AD. We unbind and rebind them, and then the same thing happens all over again….authentication is fine for a while, but then then Lion stops communicating with AD and no users can authenticate and login. Any troubleshooting suggestions?

  3. Mat
    October 31, 2012 at 11:00 am

    Are your Macs on Static IP addresses..? What with Macs having a Hostname, Computername & the Bonjourname.. DNS gets multiple entries which messes up AD authentication. Static IP address solves the issue. Or there is a small script to set the 3 names the same.

  4. November 2, 2012 at 12:49 pm

    Ensure your hostname has the fully qualified AD domain. e.g., sudo scutil –set HostName “machine.domain.com”

  5. November 2, 2012 at 12:51 pm

    Ensure you machine has a fully qualified domain name. e.g., sudo scutil –set HostName “workstation.domain.com”

  6. November 2, 2012 at 12:51 pm

    Correction: should be a double dash before “set” command
