Problem I've not seen before dsconfigad error 10002

aamjohns
Contributor II
Executing Policy Join ADS Domain...
    Binding IN-MDEP-130215 to ads.iu.edu...
    An error occurred binding to Active Directory: dsconfigad: The daemon encountered an error processing request. (10002). (Attempt 1)
    An error occurred binding to Active Directory: dsconfigad: The daemon encountered an error processing request. (10002). (Attempt 2)
    An error occurred binding to Active Directory: dsconfigad: The daemon encountered an error processing request. (10002). (Attempt 3)
    An error occurred binding to Active Directory: dsconfigad: The daemon encountered an error processing request. (10002). (Attempt 4)
    An error occurred binding to Active Directory: dsconfigad: The daemon encountered an error processing request. (10002). (Attempt 5)
    Error: Giving up on Active Directory binding after 5 attempts.

The computer account is being created in the domain successfully when this runs. It just will not bind. I've made sure the clock/time are correct and set to sync with DC.

I've tried many different approaches, too many to list right now with no success.

The doctor is getting impatient with me and I don't know what is going wrong here. I've had 10001 errors before but not 10002.

I have googled, been over the jamfnation forum, tried my own scripts, command line stuff...

Anyone have any suggestions for me? This all started because his machine would not show Self-Service. It just came up blank. Policy was executing successfully on his machine, but with no Self-Service I had to fix that. Started with some things like fixing disk permissions and repairing disk. Ended up running sudo jamf removeFramework and deleting the computer from JSS and ADS. Re-enrolled. It enrolls, but just fails on the ADS part. Now he cannot log on as his account is an ADS account.

Any ideas or suggestions? I just was working on another machine, enrolled it and everything went smooth.


bpavlov
Honored Contributor

I didn't see it mentioned but did you try using the Directory Utility to bind the computer?

mm2270
Legendary Contributor III

How weird! I am seeing this exact same error just starting today when trying to re-bind a Mac from the command line. I have never seen this error before though.
I'm investigating it and will post back if I figure out what's going on.

aamjohns
Contributor II

@bpavlov
Yes. I basically tried everything I could find. I tried manually binding, I tried command line. I could go on and on about all the different things I tried. I always got the same error. I also got another error any time I tried to removeFramework, remove the account from the domain, and remove from JSS, and then re-enroll. Or any time I tried to re-enroll. And that was:

Problem installing MDM profile.
Problem detecting MDM profile after installation.

So that error was present along with what I posted above regarding joining the domain.

What started all of this, a blank Self-Service window, is still not resolved.

Next week I am going to wipe the computer and start over.

BTW - I confirmed the ads account used for enrollment was not locked out and still worked. I took a machine here, did a clean OS install, enrolled, and everything worked fine. So it does not appear to be a systemic problem, just this one computer. Jamf version is 9.63 and that computer's OS was 10.8.5.

davidacland
Honored Contributor II

It does sound like a wipe and re-install would be the quickest route. It might be worth trying to trash all the MDM-related certificates, directory service preferences and local Kerberos info on the client. Other than that I would head straight to wiping it!

calumhunter
Valued Contributor

I'd toss out the /Library/Preferences/DirectoryServices*
and try using Directory Utility to bind... or dsconfigad with the directory service debug mode on and see if anything pops up in there that might point to the issue.
To enable DS debug mode:

sudo odutil set log debug

But if it's time critical, and you've confirmed a clean 10.8.5 install resolves the issue, it might be quicker to back up, nuke and pave, and restore his data.
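
The debug-logging step suggested above, as an added example that is not part of the thread: it wraps a bind attempt so the opendirectoryd log level is always put back afterwards, and tallies dsconfigad error codes from captured policy output. The function names, the `EXAMPLE-MAC` / `ad.example.com` values and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Run a command with opendirectoryd debug logging on, then always set the
# log level back to default so verbose directory logs do not keep
# accumulating on the client. Run as root on the Mac being debugged.
with_ds_debug() {
    _rc=0
    odutil set log debug || return 1
    "$@" || _rc=$?            # keep the wrapped command's exit status
    odutil set log default    # restore even when the command failed
    return "$_rc"
}

# Read captured policy/dsconfigad output on stdin and print
# "<error code> <number of attempts>" for each distinct dsconfigad code.
summarize_bind_errors() {
    sed -n 's/.*dsconfigad: .*(\([0-9][0-9]*\))\. (Attempt [0-9][0-9]*).*/\1/p' |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample in the format of the policy log in the first post
# (host, domain and the 10001 message text are made up).
sample_policy_output() {
    cat <<'EOF'
Executing Policy Join ADS Domain...
    Binding EXAMPLE-MAC to ad.example.com...
    An error occurred binding to Active Directory: dsconfigad: The daemon encountered an error processing request. (10002). (Attempt 1)
    An error occurred binding to Active Directory: dsconfigad: The daemon encountered an error processing request. (10002). (Attempt 2)
    An error occurred binding to Active Directory: dsconfigad: Example other failure. (10001). (Attempt 3)
    Error: Giving up on Active Directory binding after 3 attempts.
EOF
}
```

For example, `sample_policy_output | summarize_bind_errors` prints one line per error code, and `with_ds_debug <bind command>` runs the bind with debug logging enabled only for its duration.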

aamjohns
Contributor II

I did try deleting the /Library/Preferences/DirectoryServices directory. And did try directory services to bind. I get the error 'cannot store password'. I did not enable the additional debugging. After a talk with the client we decided to do a wipe next week. It would be nice to know why so much is going wrong with this system.

Thank you for the suggestions.

bentoms
Release Candidate Programs Tester

@aamjohns, the computer's AD password is stored in the System.keychain (I think).

As are some of the MDM profile bits. I wonder if the Mac's keychain is at fault?

aamjohns
Contributor II

I too wonder that. The doctor does not really have time for me to keep his laptop and continue to try to figure it out so we agreed next week to wipe and start clean. If he had time I would continue to troubleshoot but he has work to do so it is difficult. Thank you for pointing that out.

Aaron.