How do I join an Active Directory domain when I get the 10001 error? What is the real cause of the failure?
This question is about the famous failure to join an Active Directory from OS X which seems to appeared somewhere around 10.7 or so, but which seems to still be consistent, even with 10.9 or 10.10 (beta).
Assumptions:
ABChostname of the OS X machineEXAMPLE.COMis the domain to be joined (not a.localdomain)
Checklist (collected from various sources)
- Current OS X username does is admin and does not overlap with an AD username.
- OS X hostname resolves with the DNS of the domain to be joined to (ABC.EXAMPLE.COM). Test that it works from other machines too. This is a documented reason for failure to join on Linux machines, tested it myself and solving this solved the problem on Linux.
- Machine is on LAN during the Join (better to disable Wireless while doing this)
- AD user is allowed to add machines to the domain. In some cases this does not require the user to be an Admin (that's my case)
In progress (bring more info and a full join script with debug logging)
8544.14278, Node: /Active Directory, Module: ActiveDirectory - Authenticate to LDAP using Kerberos credential - 0
8544.14278, Node: /Active Directory, Module: ActiveDirectory - verified connectivity to '10.80.0.150' with socket 13
8544.14278, Node: /Active Directory, Module: ActiveDirectory - Computer account either already exists or DC is already Read/Write
8544.14278, Node: /Active Directory, Module: ActiveDirectory - Adding record 'cn=nibbler,OU=MAC Machines,OU=EMEA,DC=example,DC=com' in 'example.com'
8544.14278, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Plugin error' (10001)
Resources:
Best Answer
in my case, I got this error when tried to Bind MacBook Pro to Windows Domain. I had to shorten Mac Computer name by few characters to make it work. I guess there is a limitation in Windows AD on computer names.