Mac OS X binding to AD domain ending in .local

    Question

  • I am attempting to bind several Mac OS X (10.4, 10.5 & 10.6) notebooks to my ".local" domain hosted by a Windows Server 2008 AD Domain Controller.  According to Apple, there should be no problem with this as long as the DNS server is "properly" configured with the required SOA record for the top level domain "local".  (Ref: http://support.apple.com/kb/HT3473)  My question is how do I properly add this zone to my DNS server?  I have a single server as the domain controller and DNS server.

    I have tried to create a forward lookup zone (local) that shows SOA and NS as my DNS server and a Host (A) with the IP address of the server; all 3 of these have the name (same as parent folder).  Still the MacBooks show the domain as not responding.

    And yes, I am new to configuring DNS zones.  Any help would be greatly appreciated!

    Saturday, August 21, 2010 10:32 PM

Answers

  • Just to add to everyone's responses, part of joining or "binding" a Mac OS X machine using the Active Directory application plug-in that's provided in OS X (assuming you're not using the "LDAP" feature to bind it), and Phillip hinted at this, is the 2003 and 2008 DCs need to be detuned to allow unsigned SMB traffic. It would have to be set on all the DCs, or add a separate GPO with higher precedence with this being the only setting, in the Domain Controllers OU.

    Server Message Block communication between a client-side SMB ... (Aug 15, 2006)
    http://support.microsoft.com/kb/916846

    If you haven't seen the following link, which was linked in Mervyn's link to the Mac support site, it provides a script to run on Panther to allow it to join. It sets and allows Rendezvous and Bonjour on OS X 10.3 to use DNS instead of its own internal resolution service for any .local query. It may have been added as a selectable built-in feature in later versions, but I'm not sure.

    Mac OS X 10.3: How to look up ".local" hostnames via both Bonjour and standard DNS:
    http://support.apple.com/kb/HT2385?viewlocale=en_US


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Friday, August 27, 2010 1:43 PM
  • Hi,

    Please try the suggestions below:

    Binding Issues with AD
    http://www.macwindows.com/AD.html#080304
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, August 23, 2010 8:03 AM
    Moderator
  • You don't add anything.  The Zone is the Active Directory enabled Zone and it already has the SOA records or else AD would be throwing up all over you.

    The joining problem is because it is a 2008 Domain and will not accept the old "nt4 style" of doing things that the Linux (Mac) is going to try to use.  I've been looking for links to material on that for the last 30 minutes but have not found any (can't come up with the right keywords I guess).  But in the material I read last week there was no workaround.

    --
    Phillip Windell

    The views expressed are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    "George-DDI" wrote in message news:65953769-417a-4c2d-9efd-f1a02528e35f...

    I am attempting to bind several Mac OS X (10.4, 10.5 & 10.6) notebooks to my ".local" domain hosted by a Windows Server 2008 AD Domain Controller.  According to Apple, there should be no problem with this as long as the DNS server is "properly" configured with the required SOA record for the top level domain "local".  (Ref: http://support.apple.com/kb/HT3473)  My question is how do I properly add this zone to my DNS server?  I have a single server as the domain controller and DNS server.

    I have tried to create a forward lookup zone (local) that shows SOA and NS as my DNS server and a Host (A) with the IP address of the server; all 3 of these have the name (same as parent folder).  Still the MacBooks show the domain as not responding.

    And yes, I am new to configuring DNS zones.  Any help would be greatly appreciated!

    Tuesday, August 24, 2010 3:17 PM
  • I thank you all for your replies.  I have found some workarounds for this problem, which seems to affect OS X 10.6 the worst.  I have 10.4 and 10.5 notebooks working fine.  For the 10.4 OS I had to make sure that the domain search path had both "local" and "<domain>.local" added.  Oddly enough I did not have to make any changes to the 10.5 OS; they just bound and worked with only the very minor problem that you have to restart the computer when a new user logs into the computer for the first time.  And this is only if a different user has previously logged in.

    My workaround to get 10.6 up and running for now was to implement what was found on this page:  http://www.macwindows.com/Fix-AD-dot-local-domains.html

    This script does seem to correct the problem though I am still getting panic screens about once a day.  I will try some of the suggestions I have been given here to see if they will help with this problem, which still seems to be tied into some kind of networking problem.

    Don't know how Apple can take something that seems to work in OS 10.5 and break it in OS 10.6.

    Thanks again and I will give updates if I can find a better solution without rebuilding my entire domain.

    Thursday, September 09, 2010 2:27 PM

All replies

  • I am pretty sure that I read somewhere that there was an incompatibility with Macs and .local.  Try .loc or .int.

    Can someone else confirm this?

    Visit: anITKB.com, an IT Knowledge Base.
    Saturday, August 21, 2010 11:08 PM
  • According to the apple support article it will work if you can configure the DNS server.  Of course they don't offer any suggestions as to how to setup that configuration.  I would prefer to not have to reconfigure the domain.  Would be ok if this were a new setup, but it's not.
    Saturday, August 21, 2010 11:31 PM
  • I have found another reference that was made regarding Apple/Mac and .local issues.  However, I cannot find a support article which references this, nor can I find information on resolution.

    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/3b9b621c-a6ed-4382-8f8c-42580ffc34e3/

    Let's see if someone else may have some information regarding this topic.

    Visit: anITKB.com, an IT Knowledge Base.
    Sunday, August 22, 2010 5:39 PM
  • Hi,

    Please try the suggestions below:

    Binding Issues with AD
    http://www.macwindows.com/AD.html#080304
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, August 23, 2010 8:03 AM
    Moderator
  • I think that was with older Mac OS's before they went Linux-ish.

    I was probably the one you read that from.  I hated ".local",...still do,...but my reasons have changed,...I've gotten better at hating it :-)

    --
    Phillip Windell

    The views expressed are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    "[JM]" wrote in message news:9065f25e-b8ff-4d46-aec8-3957aa644ffb...

    I am pretty sure that I read somewhere that there was an incompatibility with Macs and .local.  Try .loc or .int.

    Can someone else confirm this?

    Visit: anITKB.com, an IT Knowledge Base.
    Tuesday, August 24, 2010 2:54 PM
  • You don't add anything.  The Zone is the Active Directory enabled Zone and it already has the SOA records or else AD would be throwing up all over you.

    The joining problem is because it is a 2008 Domain and will not accept the old "nt4 style" of doing things that the Linux (Mac) is going to try to use.  I've been looking for links to material on that for the last 30 minutes but have not found any (can't come up with the right keywords I guess).  But in the material I read last week there was no workaround.

    --
    Phillip Windell

    The views expressed are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    "George-DDI" wrote in message news:65953769-417a-4c2d-9efd-f1a02528e35f...

    I am attempting to bind several Mac OS X (10.4, 10.5 & 10.6) notebooks to my ".local" domain hosted by a Windows Server 2008 AD Domain Controller.  According to Apple, there should be no problem with this as long as the DNS server is "properly" configured with the required SOA record for the top level domain "local".  (Ref: http://support.apple.com/kb/HT3473)  My question is how do I properly add this zone to my DNS server?  I have a single server as the domain controller and DNS server.

    I have tried to create a forward lookup zone (local) that shows SOA and NS as my DNS server and a Host (A) with the IP address of the server; all 3 of these have the name (same as parent folder).  Still the MacBooks show the domain as not responding.

    And yes, I am new to configuring DNS zones.  Any help would be greatly appreciated!

    Tuesday, August 24, 2010 3:17 PM
  • Hi,

    Do you need any other assistance? If there is anything we can do for you, please let us know.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, August 27, 2010 6:07 AM
    Moderator
  • Just to add to everyone's responses, part of joining or "binding" a Mac OS X machine using the Active Directory application plug-in that's provided in OS X (assuming you're not using the "LDAP" feature to bind it), and Phillip hinted at this, is the 2003 and 2008 DCs need to be detuned to allow unsigned SMB traffic. It would have to be set on all the DCs, or add a separate GPO with higher precedence with this being the only setting, in the Domain Controllers OU.

    Server Message Block communication between a client-side SMB ... (Aug 15, 2006)
    http://support.microsoft.com/kb/916846

    If you haven't seen the following link, which was linked in Mervyn's link to the Mac support site, it provides a script to run on Panther to allow it to join. It sets and allows Rendezvous and Bonjour on OS X 10.3 to use DNS instead of its own internal resolution service for any .local query. It may have been added as a selectable built-in feature in later versions, but I'm not sure.

    Mac OS X 10.3: How to look up ".local" hostnames via both Bonjour and standard DNS:
    http://support.apple.com/kb/HT2385?viewlocale=en_US


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Friday, August 27, 2010 1:43 PM
  • Yes, that is part of it.   But I just read last week or so of "more" problems with 2008 that you didn't have with 2003.  Actually it may be just since 2008R2, but I'm not sure.  I wish I could find the material I was reading, but I haven't been able to,...however it was a KB Article on MS's site.  If he is falling into the trap mentioned in that article,...the article specifically stated that there was no workaround,...needless to say it was causing a lot of screams and protests from people running non-Windows machines (or old Windows) on their Domains.  I had found the articles (forums) of the "screaming people" first,...it was one of the guys answering them in the forums that posted the link to the KB Article (that I forgot to bookmark).

    I'll still keep an eye out for it.

    --
    Phillip Windell

    The views expressed are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    "Ace Fekay [MCT, MVP DS]" wrote in message news:699d7a56-76df-4571-a2be-a2a372da3e8c...

    Just to add to everyone's responses, part of joining or "binding" a Mac OS X machine using the Active Directory application plug-in that's provided in OS X (assuming you're not using the "LDAP" feature to bind it), and Phillip hinted at this, is the 2003 and 2008 DCs need to be detuned to allow unsigned SMB traffic. It would have to be set on all the DCs, or add a separate GPO with higher precedence with this being the only setting, in the Domain Controllers OU.

    Server Message Block communication between a client-side SMB ... (Aug 15, 2006)
    http://support.microsoft.com/kb/916846

    If you haven't seen the following link, which was linked in Mervyn's link to the Mac support site, it provides a script to run on Panther to allow it to join. It sets and allows Rendezvous and Bonjour on OS X 10.3 to use DNS instead of its own internal resolution service for any .local query. It may have been added as a selectable built-in feature in later versions, but I'm not sure.

    Mac OS X 10.3: How to look up ".local" hostnames via both Bonjour and standard DNS:
    http://support.apple.com/kb/HT2385?viewlocale=en_US


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Friday, August 27, 2010 3:15 PM
  • Hi,

    Do you need any other assistance? If there is anything we can do for you, please let us know.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, August 31, 2010 1:51 AM
    Moderator
  • This is correct but no longer specific to Macs so to speak.

    Macs utilize Bonjour, which leverages multicast DNS; when presented with a .local name it will broadcast a request out via Bonjour awaiting a reply. In 10.6 this became a real pain, as the timeout limit is set quite high and causes the request to hang as it gets lost with no reply.

    You can overcome this in various ways; Apple have an article on their developer connection specific to 10.6 regarding lowering the timeout period on 10.6.

    On 10.5 this is still a problem, but the timeout got fine-tuned over the point releases and should after a set time fall back to its predefined search path, which is set in the Directory Utility.

    .int is the preferred domain over .local now, as multicast-reliant services will broadcast out over .local, which would in theory bypass any default search or authentication path you may have set.

    This is my interpretation of the situation, so the exact technicalities may differ, but this is a correct summary.

    If you are binding using Apple's Active Directory Extension then you can interactively browse your directories using the Directory Service Command Line in the terminal: dscl

    Issuing this command will put you into interactive mode in the Directory Service shell, and from here you can browse your records and paths accordingly to verify if the 'binding' is working correctly.

    A couple of obvious pointers....

    If you are binding the Macs to the AD then they should be using the Active Directory's DNS server or this is going to go nowhere fast.

    A quick check after ensuring that is the case would be to do a simple NS lookup on the tree that you are trying to bind to, for example

    nslookup server1.yourdomain.local

    should resolve you to the correct IP address of the server you are trying to bind with.

    The theory should be that if your PC can join the domain then DNS shouldn't be an issue at this stage (providing, like I said earlier, the Macs are using the AD DNS).

    Thursday, September 02, 2010 7:47 PM
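The two pre-bind checks Steve describes (the Mac must use the AD DNS server, and nslookup of a host in the .local tree must return the DC's address), together with the search-path requirement George reports for 10.4 (both "local" and "<domain>.local" present), can be turned into a small script. The following is an added example, not code from the thread or from Apple or Microsoft; the domain name corp.local, the DC address 192.0.2.10, and the resolver and nslookup transcripts are constructed values so that it runs offline. On a real Mac the inputs would come from /etc/resolv.conf (or scutil --dns) and from nslookup.

```shell
# Added example (not from the thread): resolver sanity checks for a Mac
# about to bind to an AD domain ending in .local.
# Hypothetical values: AD domain corp.local, single DC / DNS server 192.0.2.10.

DC_IP=192.0.2.10
AD_DOMAIN=corp.local

# check_resolver CONF DC_IP DOMAIN
# CONF is resolv.conf-style text. Verifies that every nameserver is the AD
# DNS server and that the search list carries both "local" and the AD
# domain (the search-path fix George needed on 10.4). Returns 0 when both
# conditions hold, 1 otherwise, printing one line per finding.
check_resolver() {
    conf=$1; dc=$2; domain=$3; rc=0
    ns=$(printf '%s\n' "$conf" | awk '$1 == "nameserver" { print $2 }')
    if [ -z "$ns" ]; then
        echo "FAIL: no nameserver configured"; rc=1
    fi
    for n in $ns; do
        if [ "$n" != "$dc" ]; then
            echo "FAIL: nameserver $n is not the AD DNS server $dc"; rc=1
        fi
    done
    search=$(printf '%s\n' "$conf" | awk '$1 == "search" { for (i = 2; i <= NF; i++) print $i }')
    for want in local "$domain"; do
        # -x: whole-line match, -F: literal (so the dot in the domain is not a wildcard)
        if ! printf '%s\n' "$search" | grep -qxF "$want"; then
            echo "FAIL: search list lacks \"$want\""; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: resolver uses $dc with search domains local and $domain"
    return "$rc"
}

# check_lookup NSLOOKUP_OUTPUT EXPECTED_IP
# Parses nslookup's answer section: the Address line that follows "Name:",
# not the earlier Address line that names the server which answered.
check_lookup() {
    out=$1; want=$2
    got=$(printf '%s\n' "$out" | awk '/^Name:/ { seen = 1; next } seen && /^Address/ { print $2; exit }')
    if [ "$got" = "$want" ]; then
        echo "OK: resolved to $want"; return 0
    fi
    echo "FAIL: resolved to '${got:-nothing}', expected $want"; return 1
}

# Constructed inputs: one Mac pointed at the DC with a complete search list,
# one pointed at an outside resolver with "local" missing from its search list.
GOOD_CONF='nameserver 192.0.2.10
search corp.local local'
BAD_CONF='nameserver 198.51.100.1
search corp.local'

# Constructed nslookup transcripts for the same two cases.
GOOD_LOOKUP='Server:   192.0.2.10
Address:  192.0.2.10#53

Name:     server1.corp.local
Address:  192.0.2.10'
BAD_LOOKUP='Server:   198.51.100.1
Address:  198.51.100.1#53

** server cannot find server1.corp.local: NXDOMAIN'

# Demo run: the first pair passes, the second pair reports what is wrong.
check_resolver "$GOOD_CONF" "$DC_IP" "$AD_DOMAIN"
check_lookup "$GOOD_LOOKUP" "$DC_IP"
check_resolver "$BAD_CONF" "$DC_IP" "$AD_DOMAIN" || :
check_lookup "$BAD_LOOKUP" "$DC_IP" || :
```

A lookup that comes back from a resolver other than the DC, or that returns nothing at all, is exactly the situation in which the AD plug-in will sit waiting on Bonjour's multicast timeout, so running these checks before attempting the bind separates a DNS client misconfiguration from the 10.6 .local behaviour the thread discusses.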
  • This is correct but no longer specific to Macs so to speak.

    Macs utilize Bonjour, which leverages multicast DNS; when presented with a .local name it will broadcast a request out via Bonjour awaiting a reply. In 10.6 this became a real pain, as the timeout limit is set quite high and causes the request to hang as it gets lost with no reply.

    You can overcome this in various ways; Apple have an article on their developer connection specific to 10.6 regarding lowering the timeout period on 10.6.

    On 10.5 this is still a problem, but the timeout got fine-tuned over the point releases and should after a set time fall back to its predefined search path, which is set in the Directory Utility.

    .int is the preferred domain over .local now, as multicast-reliant services will broadcast out over .local, which would in theory bypass any default search or authentication path you may have set.

    This is my interpretation of the situation, so the exact technicalities may differ, but this is a correct summary.

    If you are binding using Apple's Active Directory Extension then you can interactively browse your directories using the Directory Service Command Line in the terminal: dscl

    Issuing this command will put you into interactive mode in the Directory Service shell, and from here you can browse your records and paths accordingly to verify if the 'binding' is working correctly.

    A couple of obvious pointers....

    If you are binding the Macs to the AD then they should be using the Active Directory's DNS server or this is going to go nowhere fast.

    A quick check after ensuring that is the case would be to do a simple NS lookup on the tree that you are trying to bind to, for example

    nslookup server1.yourdomain.local

    should resolve you to the correct IP address of the server you are trying to bind with.

    The theory should be that if your PC can join the domain then DNS shouldn't be an issue at this stage (providing, like I said earlier, the Macs are using the AD DNS).


    Good info, Steve. Thanks.

    One part you said is about making sure that the OS X machines are pointed to only the internal DNS. Of course, we assume this is always true in any infrastructure, but also of course, there may be instances where an admin may not have configured it properly as such, in which case binding will never occur.

    Also, just to be clear, if the internal AD domain is .local, you're implying that OS X will simply successfully resolve .local queries for AD resources without any other action after a successful bind?


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Friday, September 03, 2010 11:14 PM
  • I thank you all for your replies.  I have found some workarounds for this problem, which seems to affect OS X 10.6 the worst.  I have 10.4 and 10.5 notebooks working fine.  For the 10.4 OS I had to make sure that the domain search path had both "local" and "<domain>.local" added.  Oddly enough I did not have to make any changes to the 10.5 OS; they just bound and worked with only the very minor problem that you have to restart the computer when a new user logs into the computer for the first time.  And this is only if a different user has previously logged in.

    My workaround to get 10.6 up and running for now was to implement what was found on this page:  http://www.macwindows.com/Fix-AD-dot-local-domains.html

    This script does seem to correct the problem though I am still getting panic screens about once a day.  I will try some of the suggestions I have been given here to see if they will help with this problem, which still seems to be tied into some kind of networking problem.

    Don't know how Apple can take something that seems to work in OS 10.5 and break it in OS 10.6.

    Thanks again and I will give updates if I can find a better solution without rebuilding my entire domain.

    Thursday, September 09, 2010 2:27 PM