Unable to Bind OS X Mavericks to Active Directory

Discussion in 'OS X Mavericks (10.9)' started by PlebStatus, Oct 1, 2014.

  1. PlebStatus macrumors newbie

    Oct 1, 2014
    Hello everyone,

    I threw this same post on the apple community forums with no luck, so I'm spreading my search! Hopefully this is the right subforum for this.

    I'm having an issue binding a new OS X Mavericks iMac to an Active Directory domain. This is the first Mac I've really worked with in some time, so I'm feeling kind of dumb at the moment.

    The first thing I want to mention is that the domain does not have a TLD, i.e., it's simply named DOMAIN. Not domain.local, or domain.com, just DOMAIN. I think this might be what is causing the issue. (It's been like this since ~2001 to my knowledge.)

    I've tried joining from both terminal using dsconfigad and the Directory Utility. It instantly fails with the following error:

    Error returned states:

    Authentication server could not be contacted. (5200)

    If I try it with a random TLD like DOMAIN.LOCAL, it takes some time before it errors out. If I just use DOMAIN, it fails instantly. This makes me believe the domain name is causing the issue.

    If this is the case, is there any way to work around the issue without having to rename my domain? I believe I've encountered a similar issue with a NAS unit running some distribution of linux.

    I am able to ping everything on the network by name. Time looks okay. NSLOOKUP DOMAIN displays all Domain Controllers (minus their names, just shows DOMAIN and IP, not sure if that is normal...)

    I have referenced this page with no luck: https://discussions.apple.com/thread/6008661?tstart=0

    Any help greatly appreciated! I feel like there's some basic troubleshooting I can do that I'm missing or I'm not aware of.
  2. JoelBC macrumors 6502a

    Jun 16, 2012
    I could be wrong on this but here goes....

    I was reading up on setting up an OS X server install and I think I recall reading that it was not possible to "directly bind" an OS X machine to a Windows Active Directory.

    The work around was called the "magic triangle" so I suggest you google this and read, hopefully it will help...
  3. chrfr macrumors 604

    Jul 11, 2009
    Yeah, that is incorrect. It is possible to bind a Mac directly to Active Directory.
  4. PlebStatus thread starter macrumors newbie

    Oct 1, 2014
    Video didn't really do anything different than what I'm doing. I can't get past the step where I put in server / client-id / admin / password.

    I enabled debugging on Open Directory. Here's the error that immediately displays in the log when I get my 5200 error.

    10/3/14 11:27:20.405 AM com.apple.preferences.users.remoteservice[1914]: -[ODCAddServerSheetController handleOtherActionError: gotError: Error Domain=com.apple.OpenDirectory Code=5200 "Authentication server could not be contacted." UserInfo=0x7fbce8d8ba40 {NSLocalizedDescription=Authentication server could not be contacted., NSLocalizedFailureReason=Authentication server could not be contacted.}, Authentication server could not be contacted.
  5. MisterMe macrumors G4

    Jul 17, 2002
    The error message says that you put in the wrong name for your AD server.
  6. PlebStatus thread starter macrumors newbie

    Oct 1, 2014
    Posted Oct 3, 2014; last edited: Oct 3, 2014
    I can assure you I know the name of the domain and domain controllers. I can also assure you that I am typing them correctly...

    Thank you for the reply though.
  7. chrfr macrumors 604

    Jul 11, 2009
    The problem is that without a TLD on your AD Domain, OS X will never find it. You may get it to work by adding an entry in /etc/hosts, but I would be surprised if you don't still have issues with domain services.
    Not that it helps you, but not using a fully qualified domain name is against any recommended practice, and causes lots of issues, like yours.
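The checks below are an added example and are not code posted in this thread. They cover the two points raised above: the original post's observation that a single-label domain name (no dot, like DOMAIN) fails instantly while a name with a TLD at least tries, and chrfr's point that OS X locates Active Directory through DNS. Before touching /etc/hosts, a practitioner would query the SRV records a Mac uses to find domain controllers and KDCs for the exact name being typed into Directory Utility. The domain name DOMAIN, the computer name imac01 and the admin account name are placeholders from the post or assumed; the dsconfigad flags are the stock OS X ones, so confirm them against dsconfigad(8) on your release. Nothing touches the network unless the script is run with --run.

```shell
#!/bin/sh
# Added example, not from the thread: pre-bind DNS sanity check for an AD domain on OS X.
# Placeholders: domain "DOMAIN" (from the post), computer name "imac01", admin user "admin".

# Return 0 when the name has no dot, i.e. a single-label domain like "DOMAIN".
is_single_label() {
    case "$1" in
        *.*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Print the SRV names a Mac resolves to locate domain controllers and Kerberos KDCs
# for the given domain, one per line.
ad_srv_names() {
    d="$1"
    printf '%s\n' "_ldap._tcp.dc._msdcs.$d" "_kerberos._tcp.$d" "_ldap._tcp.$d"
}

# Build the dsconfigad bind command for a domain, computer name and admin account.
# -password is left out on purpose so the password is not exposed in shell history
# or the process list; dsconfigad prompts for it when the flag is absent.
bind_command() {
    printf 'dsconfigad -add %s -computer %s -username %s -force\n' "$1" "$2" "$3"
}

# Run the lookups with dig(1) for a real domain. Each SRV name should return at least
# one "priority weight port host" line; empty output means the Mac cannot find a DC.
check_ad_dns() {
    d="$1"
    if is_single_label "$d"; then
        echo "warning: '$d' is a single-label name (no dot); OS X expects an FQDN here" >&2
    fi
    for n in $(ad_srv_names "$d"); do
        echo "== $n"
        dig +short SRV "$n"
    done
    echo "== bind command to try once the SRV records resolve:"
    bind_command "$d" "${2:-imac01}" "${3:-admin}"
}

case "${1:-}" in
    --run) check_ad_dns "${2:-DOMAIN}" "${3:-imac01}" "${4:-admin}" ;;
esac
```

Usage: `sh check_ad_dns.sh --run DOMAIN imac01 admin`. If `_ldap._tcp.dc._msdcs.DOMAIN` returns nothing while `nslookup DOMAIN` still lists the DC addresses, the Mac can ping the controllers by IP but has no way to discover them as domain controllers, which matches the instant 5200 failure described in the thread; a host entry in /etc/hosts does not create those SRV records, which is why the workaround is unlikely to fix Kerberos and LDAP afterwards.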
  8. pittmantechno macrumors newbie

    Nov 12, 2009
    @satcomer Good video - that's exactly what you need to do.

    Also (on the AD server) in DNS Management, make sure forward and reverse lookups are set up for secure and non-secure dynamic updates, clear caches, run scavenge stale records, and run Windows Update on the server until none are left (took me 3 times this morning lol).