[MacTUG] TIP: Fix for Active Directory unbinding problem
Marlon A. Griffith
m3griffi at engmail.uwaterloo.ca
Thu Aug 17 11:58:14 EDT 2006
MacWindows. August 16, 2006 -- Bill Wade reports a problem with
unbinding and rebinding Macs to Active Directory. He found a fix and
reports it here:
We've got G5 machines running on a Windows 2003 network. They
were bound to the domain and everything was working splendidly. When
we retired our old Primary Domain Controller, we were unable to log
into a Mac with an Active Directory account. If we logged in with a
local account, we could browse the Internet and see all network
resources. We could even connect to shares on Windows PCs and
authenticate using AD accounts. If we tried to unbind, we got an
"unable to access domain controller" error.
Forcing the unbind worked, but trying to re-bind generated the
same error. 10.4.4, 10.4.5 and 10.4.7 all generated the same results.
I wiped clean and installed Tiger fresh on a machine to no avail and
I even moved to a couple different locations just to eliminate a
switch or fiber connection as the culprit. None of this made a
difference. I checked the registry and Group Policy settings
mentioned in the August 17, 2005 post here and found that the server
already had those settings.
Finally, I found the culprit: On the Domain Controller, go to
Start Menu/Administrative Tools/Domain Controller Security Policy.
Once that opens, go to Local Policies/Security Options and look for
the policy named "Domain Controller: LDAP server signing
requirements." We had it set at "Require Signing" so I tried setting
it to "Not Defined." My results were the same. However, after
changing it to "None" and refreshing the policy, everything is back
working normally again. One related note: if you have multiple DCs,
you'll want to do this for each in case the PDC goes down (which is
what started this whole mess for us).
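
To see which value of "Domain Controller: LDAP server signing requirements" each domain controller is actually enforcing, and whether the DCs agree with one another, the registry value behind the policy can be read from every DC. This is an added example, not part of the original post; it assumes a domain where the ActiveDirectory PowerShell module is available and the Remote Registry service is reachable on each DC, and the function name Get-LdapSigningSetting is hypothetical.

```powershell
# Added example: report the LDAP server signing value on every domain controller.
# Assumptions: ActiveDirectory (RSAT) module installed, Remote Registry reachable on each DC.
Import-Module ActiveDirectory

# Registry value written by the "LDAP server signing requirements" policy.
$keyPath   = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'LDAPServerIntegrity'
$meaning   = @{ 1 = 'None'; 2 = 'Require signing' }

function Get-LdapSigningSetting {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ComputerName)

    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key  = $hive.OpenSubKey($keyPath)
        $raw  = if ($key) { $key.GetValue($valueName) } else { $null }
        $text = if ($null -eq $raw) { 'Value not present' }
                elseif ($meaning.ContainsKey([int]$raw)) { $meaning[[int]$raw] }
                else { "Unknown ($raw)" }
    }
    catch {
        # A DC that cannot be queried is reported, not silently skipped.
        $raw  = $null
        $text = "Unreachable: $($_.Exception.Message)"
    }
    finally {
        if ($key)  { $key.Close() }
        if ($hive) { $hive.Close() }
    }
    [pscustomobject]@{ DomainController = $ComputerName; RawValue = $raw; Setting = $text }
}

$report = Get-ADDomainController -Filter * |
    ForEach-Object { Get-LdapSigningSetting -ComputerName $_.HostName }

$report | Format-Table -AutoSize

# More than one row here means the DCs disagree, so clients will behave
# differently depending on which DC they reach.
$report | Group-Object Setting | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A DC reporting "Require signing" rejects simple LDAP binds that are not signed, while "None" accepts them, so this report also shows where unsigned binds are currently permitted.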