Binding Lion To Active Directory
Active Directory binding can be a black art. Nuances abound, and they can be pitfalls for getting that first bind to actually take place. Take the following command for example:
dsconfigad -force -add "ad.mycompany.com" -c MyMac -u myusername -p mypassword -ou "OU=macs,OU=computers"
No DC= components are specified, but you’d think that’s OK. After all, you told the AD plugin what the domain was with the -add flag, so it should be able to derive the DC= components from “ad.mycompany.com”, right?
Wrong. While third-party solutions like ADmitMac and Centrify can derive the DC= components from the supplied domain, Apple’s AD plugin cannot.
Worse, if you omit the explicit DC specification, the AD plugin won’t tell you. It will try for a while to bind, and eventually you’ll get an error, but it will be a “(10001) failure”, not something useful like “DC not specified”. And it will be at the end of a very long log of bind attempts (assuming you turned on debug logging).
So basically you must specify the domain twice, thusly:
dsconfigad -force -add "ad.mycompany.com" -c MyMac -u myusername -p mypassword -ou "OU=macs,OU=computers" -domain "DC=ad,DC=mycompany,DC=com"
or (shorter):
dsconfigad -force -add "ad.mycompany.com" -c MyMac -u myusername -p mypassword -ou "OU=macs,OU=computers,DC=ad,DC=mycompany,DC=com"
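The failure mode described above (a bind that spins for a while and then dies with an unhelpful 10001 error because the -ou value is not a full DN) is easy to guard against before dsconfigad is ever called. The script below is an added example, not code from the original post: it derives the DC= suffix from the domain name, qualifies the OU with that suffix unless the caller already supplied one, and assembles the bind command as a string that can be reviewed (the example only prints it; it never runs dsconfigad). The function names domain_to_dn, qualify_ou and build_bind_command are this example's own, and the domain, computer name, username and OU are the placeholder values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: make sure the -ou argument handed
# to dsconfigad is a full DN (ends in DC=...) before attempting the AD bind.
# All domain/computer/user values are placeholders.

# Turn a DNS domain name ("ad.mycompany.com") into its LDAP DC= suffix
# ("DC=ad,DC=mycompany,DC=com"). Labels are lower-cased; empty labels are skipped.
domain_to_dn() {
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    dn=""
    old_ifs=$IFS
    IFS='.'
    for label in $domain; do
        [ -n "$label" ] || continue
        if [ -z "$dn" ]; then
            dn="DC=$label"
        else
            dn="$dn,DC=$label"
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$dn"
}

# Return the OU as a full DN for the given domain. If the caller already
# included DC= components, the value is passed through untouched.
qualify_ou() {
    ou=$1
    suffix=$(domain_to_dn "$2")
    case "$ou" in
        *,DC=*|*,dc=*|DC=*|dc=*) printf '%s\n' "$ou" ;;      # already a full DN
        *)                        printf '%s\n' "$ou,$suffix" ;;
    esac
}

# Assemble the bind command with a qualified OU. Returns the command text so it
# can be inspected (and tested) first; the password is deliberately not part of
# this string so it does not end up in logs or command output.
build_bind_command() {
    domain=$1
    computer=$2
    user=$3
    full_ou=$(qualify_ou "$4" "$domain")
    printf 'dsconfigad -force -add "%s" -c "%s" -u "%s" -ou "%s"\n' \
        "$domain" "$computer" "$user" "$full_ou"
}

# Print the command that would be run for the post's placeholder values
# (add -p or let dsconfigad prompt when you actually run it).
build_bind_command "ad.mycompany.com" "MyMac" "myusername" "OU=macs,OU=computers"
```

Running the script prints the fully qualified command, so a missing DC= suffix is visible before the bind attempt rather than buried at the end of a long debug log.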
Specify your DC= components. Everyone will be happier.