
OS X in Active Directory Slow Login

Last Modified: 2013-11-24
We are just starting to move our OS X (10.4.10, 10.4.11) machines into Active Directory (Windows 2003R2).  I am having periodic issues with the Mac logins.

When binding to Active Directory, the machines will always hang on Step 5.  If you restart the machine and re-bind them they go in about 30 seconds (from Step 1 to Step 5).  After that, they all log in -- but it is hit or miss on how long it takes.  Sometimes it takes 30 seconds to get to the desktop with your home drive, and sometimes it takes almost 5 minutes and no home drive mounted.

The consistent thing is that when it takes a long time to log in, there is no home drive.

Any ideas on how to consistently log in quickly and mount the home drive?

CERTIFIED EXPERT

Commented:
Do you happen to have a Mac running Leopard or the ability to upgrade one to at least 10.5.4?  I know that Leopard fixed many issues with AD integration.
CERTIFIED EXPERT

Commented:
Sorry... didn't finish my thought.  If you have a Leopard system in your mix you might try and see if it has the consistency that you are looking for concerning logging into AD. My Mac has been set to log into AD for several months now and I have not experienced any slowness issues of any kind.  I kind of suspect Tiger itself may just have issues with AD integration since you are experiencing this on more than one Mac.

Author

Commented:
I can and plan on trying 10.5 machines -- we have many.  I am doing testing with 10.4 because the machines are mostly 10.3 and 10.4 and I need to know what to expect.  We even have some 10.1 and 10.2 machines out there that I know are going to be a nightmare but upgrading isn't in the cards here.


What is the method most folks are using to get a true Active Directory experience out of their Macs?  IE: mounted network drives at login and everything else...?

CERTIFIED EXPERT

Commented:
I bound my Mac Pro to AD so that I can log in with my AD user ID and then I wrote the script to do the "drive mapping" so that I could have similar access to my important network shares just like I did under Windows. I can also use network shared printers as well, but would probably have been able to do that without binding AD.

Author

Commented:
I hear what you are saying, but we have about 300 Macs... we need an enterprise solution and the things I've been looking at so far don't do what we need.

What are other people doing to auto-mount Windows network drives and allow for consistent AD logins?  I am just not seeing it in 10.3-10.4.  We are going to test 10.5 today.

Commented:
As far as AD slowness it usually comes down to the complexity of the AD structure.  At least with our org, which contains thousands of objects and OUs it can be slow.  It seems if the user object is buried deep within multiple OUs it causes issues.

Also make sure you can do DNS lookups both ways on the Mac.  So nslookup the IP and you should get a fully qualified name.  Do an nslookup on the fully qualified name and you should get the IP.  I've found that the lack of reverse lookups causes issues with AD as well.

Another thing I would look at is that there's nothing blocking Kerberos.  The AD/OSX login requires Kerberos.  It'll modify the edu.mit.Kerberos file.  Make sure that there are entries and they appear correct.

With that said I run my own AD structure.  It's small and I've not had any time lag with logins.  I have network home folders set up and the path is in AD.  I would recommend using the triangle method.

Basically you use AD just for authentication.  Then you bind your clients to an OSX server and manage the mounting of shares and other management with the OSX server.

You can read: http://www.bombich.com/mactips/activedir.html

I would also read this: http://www.afp548.com/article.php?story=20071210105328355

10.4 and 10.5 should work just fine.  10.5 has vast improvements for AD integration and I would recommend upgrading anything you can to 10.5.  10.3 and below will be a giant pain and you might get stuck with just using LDAP authentication against AD versus using AD.
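
The two checks suggested in the comment above (forward and reverse DNS agreeing, and the Kerberos file carrying sane entries), written out as an added example that is not part of the original thread. It uses `dig` instead of `nslookup` for scriptable output; the realm `CORP.EXAMPLE.COM` and the path `/Library/Preferences/edu.mit.Kerberos` are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example: pre-bind checks for the DNS and Kerberos points above.
# resolve_fwd/resolve_rev wrap dig; redefine them to test without a network.
resolve_fwd() { dig +short A "$1" | grep -E '^[0-9.]+$'; }   # name -> IPv4 addresses
resolve_rev() { dig +short -x "$1" | sed 's/\.$//'; }        # IP -> PTR names

# Every A record of the FQDN must have a PTR pointing back at the same FQDN.
check_dns_roundtrip() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    ips=$(resolve_fwd "$fqdn") || true
    [ -n "$ips" ] || { echo "FAIL: no A record for $fqdn"; return 1; }
    rc=0
    for ip in $ips; do
        names=$(resolve_rev "$ip" | tr '[:upper:]' '[:lower:]')
        if printf '%s\n' "$names" | grep -qxF "$fqdn"; then
            echo "OK: $fqdn <-> $ip"
        else
            echo "FAIL: $ip reverses to '${names:-nothing}', expected $fqdn"; rc=1
        fi
    done
    return $rc
}

# The krb5-style file must name the realm as default_realm and list a kdc for it.
check_krb_file() {
    file=$1; realm=$2
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }
    if awk -v realm="$realm" '
        { gsub(/=/, " = ") }                        # tolerate "key=value"
        /^[ \t]*\[/ { section = $0; gsub(/^[ \t]*\[|\].*$/, "", section); next }
        section == "libdefaults" && $1 == "default_realm" && $3 == realm { def = 1 }
        section == "realms" && $1 == realm { inrealm = 1 }
        section == "realms" && inrealm && $1 == "kdc" { kdc = 1 }
        section == "realms" && inrealm && index($0, "}") { inrealm = 0 }
        END { exit !(def && kdc) }' "$file"
    then echo "OK: $realm has default_realm and kdc entries in $file"
    else echo "FAIL: $realm entries missing or incomplete in $file"; return 1
    fi
}

# Usage on a client: sh prebind_check.sh run CORP.EXAMPLE.COM (placeholder realm)
if [ "${1:-}" = run ]; then
    check_dns_roundtrip "$(hostname)"
    check_krb_file /Library/Preferences/edu.mit.Kerberos "$2"   # assumed location
fi
```

A failed round trip on a client or on a domain controller's name is worth fixing in DNS before re-binding, since the checks only report the mismatch.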

Author

Commented:
I'll read over those docs... we can't use an OS X server for anything.  Basically we have a mix of Windows and OS X notebooks and anyone could be logging into either at any time.  So, they need to be able to have access to the same resources on either platform.  

When I say resources, I mean shared directories and printers -- not apps.  From what I've been reading, hit or miss is the best I'm going to do without buying something like AdmitMac which is pricey.

Commented:
I wouldn't say you should expect "hit or miss," lots of people are doing this successfully.

One thing to keep in mind is, 10.5 natively supports NTFS streams, and so that's a win there (the SMB client is generally better in 10.5 as well).
With 10.4, any Apple dual-fork files (legacy files) will have to be split into AppleDouble format ("filename" and "._filename").
The Mac OS will handle that transparently behind the scenes, but it adds overhead.

Further resources of possible interest:
http://www.macwindows.com/AD.html
