Race condition when requesting an AD certificate

fraserhess

I have a Mac configuration profile that has the Directory and AD Certificate payloads. I seem to be encountering a race condition when this profile applies (or tries to).

We have Active Directory domain controllers on all of our sites but we only have a Windows certificate authority in our main datacenter which is colocated. When the Mac joins the domain the computer account is created but the certificate request is denied.

The error in the JSS is: "The 'Active Directory Certificate' payload could not be installed. The certificate request failed."

In the certificate authority the error recorded is: "Directory object not found. 0x8007208d (WIN32: 8333) Denied by Policy Module 0x8007208d, The requestor's Active Directory object could not be retrieved <DN follows>"

We have Splunk consuming logs from the Windows servers and in it we can see the following series of events:
1. Create computer account (DC)
2. Change computer account password (DC)
3. Request a certificate (CA)
4. Certificate request fails (CA)
5. Delete computer account (DC)

It appears to me that the new computer account has not replicated to the Active Directory domain controllers at the colo before the Mac requests a certificate. (Full convergence of our 6 domain controllers has been tested to take 30-45 seconds, 15-30 seconds if only the main office and the colo are considered.)

Has anyone seen this issue or worked around it?
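One way to take the replication lag out of the sequence above is to hold the certificate request until the new computer object is actually visible on a domain controller at the colo, i.e. one the CA will query. The script below is an added example, not from the original post or from Jamf; it assumes OpenLDAP's `ldapsearch` (shipped with macOS), a Kerberos ticket from the AD bind, and that the AD Certificate payload can be deferred until this check succeeds. The DC name and DN are placeholders.

```sh
#!/bin/sh
# Poll a domain controller near the CA until the computer object created by
# the AD bind has replicated there, then let the certificate request proceed.

# lookup_computer DC DN
# Returns 0 if the object with that DN exists on the given DC (base-scope
# search over LDAP with GSSAPI/Kerberos; -Q suppresses SASL prompts).
lookup_computer() {
    ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$1" -b "$2" -s base dn \
        >/dev/null 2>&1
}

# wait_for_replication DC DN ATTEMPTS INTERVAL [LOOKUP]
# Retries LOOKUP (default: lookup_computer) up to ATTEMPTS times, sleeping
# INTERVAL seconds between tries. Returns 0 once the object is visible,
# 1 if the bounded wait expires (so a broken replica fails loudly instead
# of blocking enrolment forever).
wait_for_replication() {
    dc=$1; dn=$2; attempts=$3; interval=$4; lookup=${5:-lookup_computer}
    n=0
    while [ "$n" -lt "$attempts" ]; do
        if "$lookup" "$dc" "$dn"; then
            echo "object visible on $dc after $n retries"
            return 0
        fi
        n=$((n + 1))
        sleep "$interval"
    done
    echo "object not visible on $dc after $attempts attempts" >&2
    return 1
}

# Placeholder values: a colo DC and the DN of this Mac's computer object.
# 12 attempts x 5 s covers the 30-45 s convergence time measured above.
# wait_for_replication colo-dc01.example.test \
#     "CN=MAC01,OU=Macs,DC=example,DC=test" 12 5 \
#     && echo "safe to request the certificate now"
```

If the wait times out, treat it as a replication problem to investigate rather than retrying the certificate request, since the CA will keep returning 0x8007208d until the object converges.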
