[MacTUG] TIP: Fix for Active Directory unbinding problem

[Marlon A. Griffith]

MacWindows. August 16, 2006 -- Bill Wade reports a problem with 
unbinding and rebinding Macs to Active Directory. He found a fix and 
reports it here:

     We've got G5 machines running on a Windows 2003 network. They 
were bound to the domain and everything was working splendidly. When 
we retired our old Primary Domain Controller, we were unable to log 
into a Mac with an Active Directory account. If we log in with a 
local account, we could browse the Internet, see all network 
resources: We could even connect to shares on Windows PCs and 
authenticate using AD accounts. If we tried to unbind, we got an 
"unable to access domain controller" error.

     Forcing the unbind worked, but trying to re-bind generated the 
same error. 10.4.4, 10.4.5 and 10.4.7 all generated the same results. 
I wiped clean and installed Tiger fresh on a machine to no avail and 
I even moved to a couple different locations just to eliminate a 
switch or fiber connection as the culprit. None of this made a 
difference. I checked the registry and Group Policy settings 
mentioned in the August 17, 2005 post here and found that the server 
already had those settings.

     Finally, I found the culprit: On the Domain Controller, go to 
Start Menu/Administrative Tools/Domain Controller Security Policy. 
Once that opens, go to Local Policies/Security Options and look for 
the policy named "Domain Controller: LDAP server signing 
requirements" We had it set at "Require Signing" so I tried setting 
it to "Not Defined." My results were the same. However, after 
changing it to "None" and refreshing the policy, everything is back 
working normally again. One related note- if you have multiple DCs, 
you'll want to do this for each in case the PDC goes down (which is 
what started this whole mess for us).