Solved

OS X in Active Directory Slow Login

Posted on 2008-09-30
10
1,545 Views
Last Modified: 2013-11-24
We are just starting to move our OS X (10.4.10, 10.4.11) machines into Active Directory (Windows 2003R2).  I am having periodic issues with the Macs' logins.

When binding to Active Directory, the machines will always hang on Step 5.  If you restart the machine and re-bind them they go in about 30 seconds (from Step 1 to Step 5).  After that, they all log in -- but it is hit or miss on how long it takes.  Sometimes it takes 30 seconds to get to the desktop with your home drive, and sometimes it takes almost 5 minutes and no home drive mounted.

The consistent thing is that when it takes a long time to log in, there is no home drive.

Any ideas on how to consistently log in quickly and mount the home drive?
0
Question by:ParadiseITS
10 Comments
 
LVL 28

Expert Comment

by:jhyiesla
ID: 22609155
Do you happen to have a Mac running Leopard or the ability to upgrade one to at least 10.5.4?  I know that Leopard fixed many issues with AD integration.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 22609170
Sorry... didn't finish my thought.  If you have a Leopard system in your mix you might try and see if it has the consistency that you are looking for concerning logging into AD. My Mac has been set to log into AD for several months now and I have not experienced any slowness issues of any kind.  I kind of suspect Tiger itself may just have issues with AD integration since you are experiencing this on more than one Mac.
0
 
LVL 9

Author Comment

by:ParadiseITS
ID: 22613130
I can and plan on trying 10.5 machines -- we have many.  I am doing testing with 10.4 because the machines are mostly 10.3 and 10.4 and I need to know what to expect.  We even have some 10.1 and 10.2 machines out there that I know are going to be a nightmare but upgrading isn't in the cards here.


What is the method most folks are using to get a true Active Directory experience out of their Macs?  IE: mounted network drives at login and everything else...?
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 22613181
I bound my Mac Pro to AD so that I can log in with my AD user ID and then I wrote the script to do the "drive mapping" so that I could have similar access to my important network shares just like I did under Windows. I can also use network shared printers as well, but would probably have been able to do that without binding to AD.
0
 
LVL 9

Author Comment

by:ParadiseITS
ID: 22613441
I hear what you are saying, but we have about 300 Macs... we need an enterprise solution and the things I've been looking at so far don't do what we need.

What are other people doing to auto-mount Windows network drives and allow for consistent AD logins?  I am just not seeing it in 10.3-10.4.  We are going to test 10.5 today.
0
 
LVL 1

Expert Comment

by:heathyob
ID: 22616974
As far as AD slowness, it usually comes down to the complexity of the AD structure.  At least with our org, which contains thousands of objects and OUs, it can be slow.  It seems if the user object is buried deep within multiple OUs it causes issues.

Also make sure you can do DNS lookups both ways on the Mac.  So nslookup the IP and you should get a fully qualified name.  Do an nslookup on the fully qualified name and you should get the IP.  I've found that the lack of reverse lookups causes issues with AD as well.

Another thing I would look at is that there's nothing blocking Kerberos.  The AD/OSX login requires Kerberos.  It'll modify the edu.mit.Kerberos file.  Make sure that there are entries and they appear correct.

With that said, I run my own AD structure.  It's small and I've not had any time lag with logins.  I have network home folders set up and the path is in AD.  I would recommend using the triangle method.

Basically you use AD just for authentication.  Then you bind your clients to an OSX server and manage the mounting of shares and other management with the OSX server.

You can read: http://www.bombich.com/mactips/activedir.html

I would also read this: http://www.afp548.com/article.php?story=20071210105328355

10.4 and 10.5 should work just fine.  10.5 has vast improvements for AD integration and I would recommend upgrading anything you can to 10.5.  10.3 and below will be a giant pain and you might get stuck with just using LDAP authentication against AD versus using AD.
0
 
LVL 9

Accepted Solution

by:
heteronymous earned 500 total points
ID: 22622589
Note that some iterations of 10.5 also have problems binding to AD in complex AD environments/structures. 10.5.5 fixed this for some.

Agreed about DNS, that's critical.
But use "dig" rather than nslookup on your Mac clients.

The AFP548 article on AD-OD integration is here:
http://www.afp548.com/filemgmt/visit.php?lid=12

How are the home folders hosted?
SMB is an option (i.e. on a Win server), as long as no Classic apps are needed.
0
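The forward/reverse DNS round trip heathyob describes, done with dig as heteronymous suggests, plus a check that the edu.mit.Kerberos file has a kdc entry for the AD realm, written as an added POSIX shell script that is not from either poster. The realm name, the DC hostnames and IPs in the comments, and the config path are assumptions; DIG and KRB5_CONF can be overridden, which is also how the checks can be exercised offline.

```shell
#!/bin/sh
# Pre-bind sanity checks for a Mac joining AD (added example, not from the thread).
# Assumes dig is available and the Kerberos config lives at the 10.4 path below.
: "${DIG:=dig}"
: "${KRB5_CONF:=/Library/Preferences/edu.mit.Kerberos}"

# Forward (A) and reverse (PTR) lookups; first answer only, dig's trailing dot stripped.
forward_lookup() { $DIG +short A "$1" 2>/dev/null | head -n 1; }
reverse_lookup() { $DIG +short -x "$1" 2>/dev/null | head -n 1 | sed 's/\.$//'; }
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_dns_roundtrip FQDN
# 0: FQDN -> IP -> FQDN is consistent; 1: no A record; 2: no PTR; 3: PTR mismatch.
check_dns_roundtrip() {
    fqdn=$1
    ip=$(forward_lookup "$fqdn")
    [ -n "$ip" ] || { echo "FAIL: no A record for $fqdn"; return 1; }
    ptr=$(reverse_lookup "$ip")
    [ -n "$ptr" ] || { echo "FAIL: no PTR record for $ip (reverse zone missing?)"; return 2; }
    [ "$(lower "$ptr")" = "$(lower "$fqdn")" ] ||
        { echo "FAIL: $ip resolves back to $ptr, not $fqdn"; return 3; }
    echo "OK: $fqdn -> $ip -> $ptr"
}

# check_krb5_realm FILE REALM
# 0: FILE has a "REALM = { ... }" stanza containing at least one kdc line;
# 1: file unreadable; 2: no kdc for that realm.
check_krb5_realm() {
    file=$1; realm=$2
    [ -r "$file" ] || { echo "FAIL: $file missing or unreadable"; return 1; }
    # awk prints only the lines inside the realm's stanza, grep looks for a kdc.
    if awk -v r="$realm" '
            $1 == r && $2 == "=" && $3 == "{" { inside = 1; next }
            inside && $1 == "}" { inside = 0 }
            inside { print }' "$file" |
       grep -q '^[[:space:]]*kdc[[:space:]]*='; then
        echo "OK: realm $realm has a kdc entry in $file"
    else
        echo "FAIL: no kdc entry for realm $realm in $file"; return 2
    fi
}

# Example run (hostname and realm are placeholders for your own DC and domain).
if [ "$1" = "--run" ]; then
    check_dns_roundtrip "dc1.example.test"
    check_krb5_realm "$KRB5_CONF" "EXAMPLE.TEST"
fi
```

Run it with `--run` on a client before binding; a FAIL on the reverse step is the missing-PTR condition heathyob points at.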
 
LVL 9

Author Comment

by:ParadiseITS
ID: 22623179
I'll read over those docs... we can't use an OS X server for anything.  Basically we have a mix of Windows and OS X notebooks and anyone could be logging into either at any time.  So, they need to be able to have access to the same resources on either platform.  

When I say resources, I mean shared directories and printers -- not apps.  From what I've been reading, hit or miss is the best I'm going to do without buying something like AdmitMac which is pricey.
0
 
LVL 9

Expert Comment

by:heteronymous
ID: 22623273
I wouldn't say you should expect "hit or miss," lots of people are doing this successfully.

One thing to keep in mind is, 10.5 natively supports NTFS streams, and so that's a win there (the SMB client is generally better in 10.5 as well).
With 10.4, any Apple dual-fork files (legacy files) will have to be split into Apple Double format. ("filename" and "._filename" )
The Mac OS will handle that transparently behind the scenes, but it adds overhead.

Further resources of possible interest:
http://www.macwindows.com/AD.html
0