Active Directory client bind via Terminal

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Omena.com, Mar 11, 2010.

  1. macrumors newbie

    Joined:
    Mar 11, 2010
    #1
    Hi!

    I have a problem binding a client computer to Active Directory via Terminal. The binding works perfectly when I do it with the GUI, but with Terminal it just fails.

    Client OS: 10.6.2
    AD server: Windows 2008 R2

    It seems that the Active Directory plug-in won't activate.

    Terminal commands:
    Code:
    sudo defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" Active
    
    dscl localhost -list /
    displays
    Code:
    BSD
    Local
    
    Contact
    Search
    After I do it with the GUI
    Code:
    dscl localhost -list /
    displays
    Code:
    Active Directory
    BSD
    Local
    
    Contact
    Search
    I deleted all the AD plist files from the /Library/Preferences/DirectoryService/
    before running the Terminal commands.

    Any ideas?
     
  2. macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #2
    Just to be sure, you are not just running this, are you?

    Code:
    sudo defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" Active
    
    If so, you cannot bind to AD that way. You need to use dsconfigad and then create and append the Search Policy with dscl.
     
  3. thread starter macrumors newbie

    Joined:
    Mar 11, 2010
    #3
    Hi!

    Yes, that is just the first step.

    then
    dsconfigad (binding)
    dscl ... (add search paths)
    ...
     
  4. macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #4
    To my knowledge you do not have to change the directory services plist to bind to AD. Most daemons, like DirectoryService, load with the plist on initial startup, so any changes after DirectoryService is loaded would mean that you need to log out or possibly reboot (or restart the service in Terminal, but I wouldn't try that with DirectoryService). So this would be an ineffective method for activating the AD plugin and subsequently binding.

    As far as I know, you simply need to bind and set the search paths. If successful, the AD plugin will activate automatically.


    You may want to refer to Apple's document on the subject of Macs and AD:
    Best Practices: Integrating Mac OS X with Active Directory
     
  5. macrumors 6502

    Joined:
    Feb 2, 2003
    #5
    This is what I do on my lab machines (sensitive info changed of course):

    Code:
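    # Mark the Active Directory plug-in as active in the DirectoryService preferences
    sudo defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" Active
    # Bind, using the short hostname as the computer ID
    sudo dsconfigad -a `hostname | cut -f 1 -d '.'` -u administrator -p adminpasswd -domain yourdomain.com -ou "OU=Macs,DC=yourdomain,DC=com"
    # Switch authentication lookups to a custom search path and add the AD node
    sudo dscl /Search -create / SearchPolicy CSPSearchPath
    sudo dscl /Search -append / CSPSearchPath "Active Directory/All Domains"
    # Same for contact lookups
    sudo dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
    sudo dscl /Search/Contacts -append / CSPSearchPath "Active Directory/All Domains"
    # Kill DirectoryService so it reloads with the new settings
    sudo killall DirectoryService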
    
    This is with Leopard, not Snow Leopard, but I do not think much has changed in this department. This should take effect without a reboot because launchd will restart DirectoryService if it sees that it died.

    This is the 10.6 version of the article I got my information from: http://www.peachpit.com/articles/article.aspx?p=1431816
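
Added example, not part of any post in this thread: a shell check for the end state the replies describe (Active Directory node listed by `dscl`, custom search policy selected, AD node in the search path). The function name `check_ad_bind` and the sample `dscl -read` output are assumptions made for illustration; the two node listings are the ones shown in post #1.

```shell
#!/bin/sh
# Added example (not from the thread): check the state that a successful
# bind plus search-policy setup should leave behind.
#   $1: output of `dscl localhost -list /`
#   $2: output of `dscl /Search -read / SearchPolicy`
#   $3: output of `dscl /Search -read / CSPSearchPath`
# Prints one line per missing piece; returns 0 only if all are present.
check_ad_bind() {
    rc=0
    # The plug-in node shows up as its own line once the plug-in is active.
    if ! printf '%s\n' "$1" | grep -qx 'Active Directory'; then
        echo "Active Directory node not listed (plug-in inactive or bind failed)"
        rc=1
    fi
    # The custom path has to be the selected policy for CSPSearchPath to apply.
    if ! printf '%s\n' "$2" | grep -q 'CSPSearchPath'; then
        echo "SearchPolicy is not CSPSearchPath"
        rc=1
    fi
    # Substring match: works whether values print on one line or several.
    if ! printf '%s\n' "$3" | grep -qF 'Active Directory/All Domains'; then
        echo "Active Directory/All Domains not in CSPSearchPath"
        rc=1
    fi
    return $rc
}

# Constructed samples: the two listings reproduce those in post #1.
LIST_BEFORE='BSD
Local

Contact
Search'
LIST_AFTER='Active Directory
BSD
Local

Contact
Search'
# Constructed; the exact layout of `dscl -read` output is an assumption.
POLICY_OK='SearchPolicy: dsAttrTypeStandard:CSPSearchPath'
PATH_OK='CSPSearchPath: /Local/Default /BSD/local /Active Directory/All Domains'

# On a Mac, run with --live to check the real machine.
if [ "${1:-}" = "--live" ] && command -v dscl >/dev/null 2>&1; then
    check_ad_bind "$(dscl localhost -list /)" \
        "$(dscl /Search -read / SearchPolicy)" "$(dscl /Search -read / CSPSearchPath)"
fi
```
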
     
