2019. 7. 8. 11:47

Tips for AD on Mac


Advanced AD options for profiles:

Best Practices:

Active Directory naming considerations when binding:

Requesting a certificate:

Renewing a certificate:

Export AD CS root cert:

Binding from CLI:
The functionality of Directory Utility and the Directory payload is also accessible from the command-line interface with the dsconfigad command. For example, the following command can be used to join a system to Active Directory:

dsconfigad -preferred ads01.example.com -a COMPUTERNAME -domain example.com -u administrator -p "password"

After you’ve bound a system to the domain, you can use dsconfigad to set the administrative options in Directory Utility:

dsconfigad -alldomains enable -groups "domain admins@example.com,enterprise admins@example.com"

Note: Using dsconfigad in a script requires using clear text for the password. Configuration profiles are preferred.

Troubleshooting and Debugging:

List of available trusted root certs in OS X:

Increased logging:
odutil set log debug
Stored in: /var/log/opendirectoryd.log
(persists across restarts)

Standard logging:
odutil set log default

Disable packet encryption while troubleshooting:
dsconfigad -packetencrypt disable
dsconfigad -packetencrypt allow

TCP Dump Example:
tcpdump -K -i en0 -s 0 -w capture.pcap 'port 88 or port 464 or port 53 or port 389 or port 3268'

DNS Troubleshooting:
dig -t SRV _ldap._tcp.example.com

telnet dc01.example.com 88

TCP 88 - Kerberos
TCP 389 - LDAP
TCP/UDP 464 - Kerberos password changes
TCP 3268 - Global Catalog
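Added example (not from the original notes): a small script that parses the SRV answer from the dig command above into an ordered list of domain controllers and then checks each of the listed AD ports with a TCP connect. It assumes nc accepts -z and -w; the SRV lines in SAMPLE_SRV are constructed, not a real capture.

```shell
#!/bin/sh
# Constructed sample of the answer lines from `dig -t SRV _ldap._tcp.example.com`.
SAMPLE_SRV='_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc01.example.com.
_ldap._tcp.example.com. 600 IN SRV 10 100 389 dc02.example.com.'

# srv_targets: read dig output on stdin (full answer lines or `dig +short` lines)
# and print "host port", lowest priority first, highest weight first within a priority.
srv_targets() {
  awk '
    $4 == "SRV"                { prio=$5; w=$6; port=$7; host=$8; ok=1 }
    NF == 4 && $1 ~ /^[0-9]+$/ { prio=$1; w=$2; port=$3; host=$4; ok=1 }
    ok { sub(/\.$/, "", host); print prio, w, host, port; ok=0 }
  ' | sort -k1,1n -k2,2nr | awk '{ print $3, $4 }'
}

# ad_port_name: map the ports from the list above to their role (used for output only).
ad_port_name() {
  case "$1" in
    88)   echo "Kerberos" ;;
    389)  echo "LDAP" ;;
    464)  echo "Kerberos password changes" ;;
    3268) echo "Global Catalog" ;;
    *)    echo "unknown" ;;
  esac
}

# probe_dc: TCP connect check of the AD ports on one controller (assumes nc -z -w).
# Prints one line per port and returns non-zero if any port is unreachable.
probe_dc() {
  host=$1; failed=0
  for port in 88 389 464 3268; do
    if nc -z -w 3 "$host" "$port" >/dev/null 2>&1; then
      echo "$host:$port ($(ad_port_name "$port")) open"
    else
      echo "$host:$port ($(ad_port_name "$port")) CLOSED or filtered"; failed=1
    fi
  done
  return $failed
}

# check_domain: resolve the LDAP SRV record for a domain and probe every DC it lists.
# Usage: check_domain example.com
check_domain() {
  dig -t SRV "_ldap._tcp.$1" | srv_targets | while read -r host port; do
    probe_dc "$host"
  done
}
```

A DC that resolves via SRV but fails the Kerberos or LDAP probe is the usual reason a bind hangs, so run this before reaching for tcpdump.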
