Solved

OS X in Active Directory Slow Login

Posted on 2008-09-30
Last Modified: 2013-11-24
We are just starting to move our OS X (10.4.10, 10.4.11) machines into Active Directory (Windows 2003 R2).  I am having periodic issues with the Mac logins.

When binding to Active Directory, the machines will always hang on Step 5.  If you restart the machine and re-bind it, it goes in about 30 seconds (from Step 1 to Step 5).  After that, they all log in -- but it is hit or miss how long it takes.  Sometimes it takes 30 seconds to get to the desktop with your home drive, and sometimes it takes almost 5 minutes and no home drive is mounted.

The consistent thing is that when it takes a long time to log in, there is no home drive.

Any ideas on how to consistently log in quickly and mount the home drive?
Question by: ParadiseITS
 
Expert Comment by: jhyiesla
Do you happen to have a Mac running Leopard or the ability to upgrade one to at least 10.5.4?  I know that Leopard fixed many issues with AD integration.
Expert Comment by: jhyiesla
Sorry... didn't finish my thought.  If you have a Leopard system in your mix you might try and see if it has the consistency you are looking for concerning logging into AD.  My Mac has been set to log into AD for several months now and I have not experienced any slowness issues of any kind.  I kind of suspect Tiger itself may just have issues with AD integration, since you are experiencing this on more than one Mac.
Author Comment by: ParadiseITS
I can and plan on trying 10.5 machines -- we have many.  I am doing testing with 10.4 because the machines are mostly 10.3 and 10.4 and I need to know what to expect.  We even have some 10.1 and 10.2 machines out there that I know are going to be a nightmare but upgrading isn't in the cards here.


What is the method most folks are using to get a true Active Directory experience out of their Macs?  I.e. mounted network drives at login and everything else...?
 
Expert Comment by: jhyiesla
I bound my Mac Pro to AD so that I can log in with my AD user ID, and then I wrote the script to do the "drive mapping" so that I could have similar access to my important network shares just like I did under Windows.  I can also use network shared printers as well, but would probably have been able to do that without binding to AD.
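The per-user "drive mapping" script jhyiesla describes, as an added example; it is not code from the thread or from any of its posters. It assumes a client that is already bound to AD, an SMB file server reachable by its FQDN, and the placeholder domain, server and share names shown. Run it as the logged-in user (for instance from a launchd user agent or a login item), not as root, so the mounts belong to that user.

```shell
#!/bin/sh
# Added example: mount an AD user's SMB shares after login on a bound 10.4/10.5 client.
# DOMAIN, SERVER and SHARES are assumed placeholders; replace them with your own.

DOMAIN='CORP'                          # NetBIOS (short) domain name (assumed)
SERVER='fileserver.corp.example.com'   # file server FQDN so DNS and Kerberos both resolve it (assumed)
SHARES='dept homes'                    # share names to mount, space separated (assumed)
MOUNT_BASE="$HOME/Network"             # per-user mount points; /Volumes is managed by the Finder

# mount_smbfs accepts //DOMAIN;user@server/share; the ';' separates the domain from the user.
smb_url() {
    printf '//%s;%s@%s/%s' "$1" "$2" "$3" "$4"
}

# Read a mount table (the output of `mount`) on stdin; succeed if $1 is a mount point in it.
is_mounted_in() {
    grep -qF -- " on $1 ("
}

# Mount one share, retrying a few times: the first SMB/Kerberos exchange right after
# login is exactly where the slow, home-drive-less logins in the question show up.
mount_share() {
    url=$1
    mp=$2
    tries=0
    mkdir -p "$mp" || return 1
    while [ "$tries" -lt 3 ]; do
        if mount | is_mounted_in "$mp"; then
            return 0
        fi
        # -N: never prompt for a password; with an AD login the Kerberos ticket (10.5)
        # or a keychain item supplies the credentials.
        if mount_smbfs -N "$url" "$mp" 2>/dev/null; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 5
    done
    echo "giving up on $url after $tries attempts" >&2
    return 1
}

main() {
    user=$(id -un)
    status=0
    for share in $SHARES; do
        mount_share "$(smb_url "$DOMAIN" "$user" "$SERVER" "$share")" "$MOUNT_BASE/$share" || status=1
    done
    return "$status"
}

# Only mount when explicitly asked (./mountshares.sh --mount), so the file can also be sourced.
case "${1:-}" in
    --mount) main ;;
esac
```

Each share is skipped if it is already in the mount table, so the script is safe to re-run from a retry loop or a second login item; a share that still fails after three attempts is reported and the script exits non-zero so a launchd agent can log it.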
Author Comment by: ParadiseITS
I hear what you are saying, but we have about 300 Macs... we need an enterprise solution and the things I've been looking at so far don't do what we need.

What are other people doing to auto-mount Windows network drives and allow for consistent AD logins?  I am just not seeing it in 10.3-10.4.  We are going to test 10.5 today.
Expert Comment by: heathyob
As far as AD slowness it usually comes down to the complexity of the AD structure.  At least with our org, which contains thousands of objects and OUs it can be slow.  It seems if the user object is buried deep within multiple OUs it causes issues.

Also make sure you can do DNS lookups both ways on the Mac.  So nslookup the IP and you should get a fully qualified name.  Do an nslookup on the fully qualified name and you should get the IP.  I've found that the lack of reverse lookups causes issues with AD as well.

Another thing I would look at is that there's nothing blocking kerberos.  The AD/OSX login requires kerberos.  It'll modify the edu.mit.Kerberos file.  Make sure that there are entries and they appear correct.

With that said, I run my own AD structure.  It's small and I've not had any time lag with logins.  I have network home folders set up and the path is in AD.  I would recommend using the triangle method.

Basically you use AD just for authentication.  Then you bind your clients to an OSX server and manage the mounting of shares and other management with the OSX server.

You can read: http://www.bombich.com/mactips/activedir.html

I would also read this: http://www.afp548.com/article.php?story=20071210105328355

10.4 and 10.5 should work just fine.  10.5 has vast improvements for AD integration and I would recommend upgrading anything you can to 10.5.  10.3 and below will be a giant pain and you might get stuck with just using ldap authentication against AD versus using AD.
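A pre-flight script for the DNS and Kerberos checks heathyob lists, as an added example that is not code from the thread. It does the forward and reverse lookups with dig, parses the krb5.conf-style edu.mit.Kerberos file the AD plugin writes to confirm a default realm and KDC entries are present, and checks for a valid ticket with klist. The DC and client names, the realm and the embedded SAMPLE_CONF are constructed placeholders; the sample lets the parsers be exercised without a domain in reach.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Mac bound (or about to be bound) to AD.
# Host names, realm and SAMPLE_CONF below are constructed placeholders.

KRB_CONF=/Library/Preferences/edu.mit.Kerberos   # krb5.conf-style file the AD plugin writes on 10.4/10.5
DC_FQDN='dc01.corp.example.com'                  # a domain controller (assumed)

# Lower-case a DNS name and drop the trailing dot that dig prints on canonical names.
normalize_fqdn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# $1 = name we looked up, $2 = name the PTR record gave back for its address.
# Succeeds only when the reverse answer exists and names the same host.
roundtrip_ok() {
    [ -n "$2" ] && [ "$(normalize_fqdn "$1")" = "$(normalize_fqdn "$2")" ]
}

# Forward lookup, then reverse lookup of the returned address, both with dig +short.
dns_roundtrip() {
    ip=$(dig +short A "$1" | grep -E '^[0-9.]+$' | head -n 1)
    [ -n "$ip" ] || { echo "FAIL: no A record for $1" >&2; return 1; }
    ptr=$(dig +short -x "$ip" | head -n 1)
    roundtrip_ok "$1" "$ptr" || { echo "FAIL: $ip reverses to '$ptr', not $1" >&2; return 1; }
    echo "OK: $1 <-> $ip"
}

# Print default_realm from the [libdefaults] section of a krb5.conf-style file on stdin.
default_realm() {
    sed -n '/^\[libdefaults\]/,/^\[/ {
        /^[[:space:]]*default_realm[[:space:]]*=/ {
            s/^[^=]*=[[:space:]]*//
            s/[[:space:]]*$//
            p
        }
    }'
}

# Print the kdc = entries of realm $1 from the [realms] section of a file on stdin.
realm_kdcs() {
    sed -n '/^\[realms\]/,/^\[/ {
        /^[[:space:]]*'"$1"'[[:space:]]*=/,/^[[:space:]]*}/ {
            /^[[:space:]]*kdc[[:space:]]*=/ {
                s/^[^=]*=[[:space:]]*//
                s/[[:space:]]*$//
                p
            }
        }
    }'
}

# Constructed sample of what the AD plugin writes, so the parsers can be exercised offline.
SAMPLE_CONF='[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    forwardable = yes

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc01.corp.example.com:88
        kdc = dc02.corp.example.com:88
        admin_server = dc01.corp.example.com
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM'

# Succeed when the configuration text in $1 yields a default realm with at least one KDC.
check_conf() {
    realm=$(printf '%s\n' "$1" | default_realm)
    [ -n "$realm" ] || return 1
    printf '%s\n' "$1" | realm_kdcs "$realm" | grep -q .
}

# klist -s exits 0 only while the cache holds a valid ticket (MIT Kerberos klist, as shipped on 10.4/10.5).
krb_ticket_ok() {
    klist -s 2>/dev/null
}

main() {
    dns_roundtrip "$(hostname)" || exit 1
    dns_roundtrip "$DC_FQDN" || exit 1
    [ -r "$KRB_CONF" ] || { echo "FAIL: $KRB_CONF missing (bind not completed?)" >&2; exit 1; }
    check_conf "$(cat "$KRB_CONF")" || { echo "FAIL: no realm/kdc entries in $KRB_CONF" >&2; exit 1; }
    krb_ticket_ok || echo "WARN: no valid ticket; try kinit user@$(default_realm < "$KRB_CONF")" >&2
    echo "OK: Kerberos config looks sane"
}

# Run the live checks only when asked (./adcheck.sh --run); otherwise just define the functions.
case "${1:-}" in
    --run) main ;;
esac
```

The DNS check fails on exactly the two conditions in the comment above: no A record, or a PTR that does not name the host you asked about (case and trailing dot are ignored, since dig prints canonical names). A missing or empty edu.mit.Kerberos after a bind, or a realm stanza with no kdc lines, is the "entries appear correct" check made mechanical; a WARN on the ticket after an AD login usually means port 88 to the KDCs is blocked or time is out of sync.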
Accepted Solution by: heteronymous
Note that some iterations of 10.5 also have problems binding to AD in complex AD environments/structures. 10.5.5 fixed this for some.

Agreed about DNS, that's critical.
But use "dig" rather than nslookup on your Mac clients.

The AFP548 article on AD-OD integration is here:
http://www.afp548.com/filemgmt/visit.php?lid=12

How are the home folders hosted?
SMB is an option (i.e. on a Windows server), as long as no Classic apps are needed.
Author Comment by: ParadiseITS
I'll read over those docs... we can't use an OS X server for anything.  Basically we have a mix of Windows and OS X notebooks and anyone could be logging into either at any time.  So, they need to be able to have access to the same resources on either platform.  

When I say resources, I mean shared directories and printers -- not apps.  From what I've been reading, hit or miss is the best I'm going to do without buying something like AdmitMac which is pricey.
Expert Comment by: heteronymous
I wouldn't say you should expect "hit or miss," lots of people are doing this successfully.

One thing to keep in mind is, 10.5 natively supports NTFS streams, and so that's a win there (the SMB client is generally better in 10.5 as well).
With 10.4, any Apple dual-fork files (legacy files) will have to be split into Apple Double format. ("filename" and "._filename" )
The Mac OS will handle that transparently behind the scenes, but it adds overhead.

Further resources of possible interest:
http://www.macwindows.com/AD.html