Binding OS X to AD

jmcconathy
New Contributor III

I am new to JAMF and will be attending training soon, but I want to get a head start on getting setup on the Casper suite. I have read through a lot of documentation and forums, but there are still a few things puzzling me.

First I have this issue, I created a Configuration Profile to bind my computers to AD, which appears to work fine, except the 'Namespace' option that I configured is not being applied to my machines. I can manually change the Namespace on my clients manually with a dsconfigad call, but I don't think I should have to.

My second issues comes from troubleshooting that issue, I cannot find any logs that provide any useful information as to why my profile is applying all but that one setting. The impression I get from forums is that Casper does not currently have very good client logging capability. Is this accurate?

Finally, from this issue, I am curious if people are more using Policies, to bind their clients, or Profiles?

1 ACCEPTED SOLUTION

davidacland
Honored Contributor II
Honored Contributor II

We looked at using a configuration profile recently (its quite a new feature), but reports were that it wasn't 100% reliable.

We normally use the built-in directory binding available in the JSS (Settings > Computer Management > Directory Bindings). We like to use this feature so we don't have to leave an AD admin password in a script.

We then use a script to configure a few extra settings with dsconfigad that aren't in the GUI like passinterval.

View solution in original post

9 REPLIES 9

Look
Valued Contributor III

We use a script, but to be honest thats most likely because we already had it and it still works.
As they say "If it aint broke..."

gachowski
Valued Contributor II

I would guess that you are on the cutting edge, using a Config Profile to bind to AD... I am going to look in to that for our X.10.11 "build"...

Do you really need to Bind to AD there was a a thread last week about Admins who are enforcing password policy with Config Profiles and not binding to AD.

C

davidacland
Honored Contributor II
Honored Contributor II

We looked at using a configuration profile recently (its quite a new feature), but reports were that it wasn't 100% reliable.

We normally use the built-in directory binding available in the JSS (Settings > Computer Management > Directory Bindings). We like to use this feature so we don't have to leave an AD admin password in a script.

We then use a script to configure a few extra settings with dsconfigad that aren't in the GUI like passinterval.

gachowski
Valued Contributor II

With AD I am "assuming" that it's the AD part that is not reliable not the Profile part : )

C

calumhunter
Valued Contributor

@gachowski No it would definitely be the Apple part that is not reliable
Apple's track history with AD binding is atrocious.

davidacland
Honored Contributor II
Honored Contributor II

Here was my previous discussion on it: https://jamfnation.jamfsoftware.com/discussion.html?id=13397

jmcconathy
New Contributor III

I see, as I said, I'm new to Casper, and only have about a year really now managing Macs, but I didn't realize the AD Profile option was new. I have already gotten a policy working for it and using parts of our previous binding script to make changes to that. Thanks for the insights.

gachowski
Valued Contributor II

@calumhunter

For sure I agree!! I wasn't clear.... We have issues AD with both Windows and Mac, I was trying to point out that there shouldn't be with pushing profiles. : )

C

joshuasee
Contributor III

I've been using configuration profiles to join to AD for about a year. Unfortunately, they've been a headache, and now I'm moving back towards policy and post imaging tools for AD. To be fair, the problems may partially lie in permissions on the account used for AD binding, rather than just in the configuration profiles. However, the lack of feedback when a config profile fails to bind means that I'm unlikely to notice issues before customers complain. Also, changing the scope or touching the profile in anyway can cause binding to break on any computer using it, even ones seeming not within the scope of changes.