Anyone have experience binding a 10.5+ workstation to a 2008 active directory structure. We tested this functionality in our test domain prior to upgrading and saw no issues. Now that we've upgraded the production environment, we're getting invalid username/password errors. We are pre-creating machine accounts (as we always do) and I've tried binding with OU admin level and enterprise admin level privileges. Same error comes back from both. Communication to the domain seems to be working, as it finds a DC properly (DNS forward and reverse are fine) and it also finds my pre-created computer object and asks to bind to it. I've also tried deleting the directory service info and tried to bind from scratch with no luck. I've been beating my head over this for a while and could use some help.
UPDATE 3: Traced back to possibly an issue with the krbtgt user, as binding fails when executing a changepw command on the computer object. Microsoft and Apple are currently working together on this, and I will update with a solution when one is reached.
UPDATE 4: Hotfix to correct this issue is in the answer below.
Install this hotfix if you are suffering from this issue. It results from having previously performed an authoritative restore in your domain. This fixed our problem.
http://support.microsoft.com/kb/968140/
I am not at home at present so I can't look at my Mac. However I believe you are looking for the "Directory Utility" which would be installed in Applications->Utilities. Last time I had to do this config I did it in 10.4 but it worked well then.
One problem I ran into though is sometime windows dynamic dns would get two records for the same machine and things would break. You can check for this by running "hostname" in terminal and seeing if you get more than one name.
Another problem is time sync. AD uses kerberos and time cannot drift more than 5 minutes between DCs and the client. I would set up the DC as your time server at least as part of a test to rule this out.
Next try creating a new AD object with a different name. Sometimes not doing that caused problems. I found that with the right group membership (it is slipping my mind, "Power User" perhaps) I didn't need to pre-stage my machines in AD. I would just move them to the right OU later.
You may want to check these other questions on ServerFault as well for some hints:
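A pre-bind check for the two conditions this answer describes (duplicate dynamic-DNS records for the client, and clock drift beyond the Kerberos 5-minute limit), added here as an example and not taken from the thread; it assumes `dig` and `ntpdate` are installed on the client, and the host names and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: checks worth running before binding a Mac
# to AD. The check functions take their input as arguments so they can be
# exercised offline; bind_precheck feeds them from dig and ntpdate (assumed
# to be installed on the client).

KRB_MAX_SKEW=300   # Kerberos default clock skew in seconds (the "5 minutes")

# skew_ok <offset_seconds>: 0 if |offset| <= KRB_MAX_SKEW (fractions allowed)
skew_ok() {
  awk -v o="$1" -v m="$KRB_MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit (o <= m) ? 0 : 1 }'
}

# report_duplicates <records>: records are "name address" lines; prints every
# name that resolves to more than one address (the double-registration case)
report_duplicates() {
  printf '%s\n' "$1" | awk 'NF { n[$1]++ } END { for (k in n) if (n[k] > 1) print k }'
}

# dns_unique <records>: 0 when no name is registered twice
dns_unique() {
  [ -z "$(report_duplicates "$1")" ]
}

# ptr_matches <hostname> <ptr_target>: reverse lookup must name the same host
# (dig prints the PTR target with a trailing dot, which is tolerated here)
ptr_matches() {
  [ "${1%.}" = "${2%.}" ]
}

# bind_precheck <client_fqdn> <dc_fqdn>: live version of the checks (needs network)
bind_precheck() {
  host=$1; dc=$2
  addrs=$(dig +short A "$host" | sed "s/^/$host /")
  [ -n "$addrs" ] || { echo "FAIL: no A record for $host"; return 1; }
  dns_unique "$addrs" || { echo "FAIL: more than one A record for $host"; return 1; }
  ip=$(printf '%s\n' "$addrs" | awk 'NR == 1 { print $2 }')
  ptr_matches "$host" "$(dig +short -x "$ip")" || { echo "FAIL: PTR for $ip is not $host"; return 1; }
  # ntpdate -q prints "... offset <seconds>, ..." without touching the clock
  off=$(ntpdate -q "$dc" | awk '/offset/ { for (i = 1; i <= NF; i++) if ($i == "offset") print $(i+1) }' | tr -d ,)
  skew_ok "$off" || { echo "FAIL: clock offset ${off}s from $dc exceeds ${KRB_MAX_SKEW}s"; return 1; }
  echo "OK: DNS and clock look sane for binding $host to $dc"
}

# Constructed sample (invented names): mac01 has been registered twice,
# which is the condition the "hostname" check above would reveal.
SAMPLE_RECORDS="mac01.corp.example.com 10.0.0.5
mac01.corp.example.com 10.0.0.9
mac02.corp.example.com 10.0.0.6"

# Usage: sh precheck.sh mac02.corp.example.com dc1.corp.example.com
if [ $# -eq 2 ]; then bind_precheck "$1" "$2"; fi
```

Run it on the client before opening Directory Utility; each FAIL line names the condition to fix before retrying the bind.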
Are you getting the errors during binding or after binding? What is being spit out in Console.app?
Not sure if it applies here, but I am having the same problems. Found this:
http://support.apple.com/kb/HT3394?viewlocale=en_US
Good luck.