Some computers losing AD binding
Posted on 2011-09-17
We just set up new computer labs with iMacs running OS X 10.6.8 (Snow Leopard). This is set up on a network with AD authenticating users and an Xserve managing the client rules. After setting up the Lion clients we noticed the users intermittently cannot log in: the correct password is entered and the screen just shakes. The only way to get them to log back in was to log in as a local admin, unbind, then rebind them to our AD server.
This happens quite often, sometimes twice a day, and the laborious task of going computer to computer to do this is unacceptable. I cannot say for sure, but I believe the problem only happens, again intermittently, after rebooting the computer. We saw some things online, including on Apple's website, about this issue, and Apple's fix was to increase the mdns timeout option to 5 instead of 2 to allow the computer more time to authenticate to AD. This proved completely ineffective. I wrote a startup script that will unbind then rebind the machine every time the computer boots. This seems to work, obviously, since it is doing exactly what I am doing once the computer is on, every time it boots.
We then, just yesterday, got 2 more machines that did this same thing, only these 2 machines were Mac OS X 10.5.8 (Leopard) clients. So it now seems as if it may not be isolated to Snow Leopard. But we do not have any issues with our Windows clients on the network, not yet anyway.
Now, after talking to an Apple engineer, he told us that our problem was that we were binding to "ourcompany.org", and "ourcompany.org", when checking the hosts, points to "dc1New.ourcompany.org", "dc2New.ourcompany.org", "dc1Old.ourcompany.org", "dc2Old.ourcompany.org" and something like "nodeXXXXX.accessdc.com" (which I am not really sure what that is; I think it is some data management or backup company or something? I will investigate that further). He said we need to bind specifically to "dc1New.ourcompany.org" AND "dc2New.Ourcompany.org". When binding to just "ourcompany.org", he said it could at any point look at the old AD hosts or the other host that is in there and fail to bind. This made perfect sense, or at least it seemed to.
Anyway, dc1old and dc2old are, yes you guessed it, our old DC controllers that we don't use anymore, and dc1new/dc2new are our current DC controllers running AD. So I removed the bind for "ourcompany.org" and tried to bind to "dc1new.ourcompany.org"; this failed, it could not resolve the host name. Then I tried doing the same for "dc2new.ourcompany.org"; this failed, could not resolve host name.
So, my question is, is the Apple engineer correct in saying that we need to be more specific with our bind, and bind to both AD servers? If so, why do our Windows machines work perfectly fine when joining just simply "ourcompany.org"?
Should I create more specific lookup zones for these domain controllers so I can get the Apples to be able to resolve those server names? Or should I just remove the old domain controllers, and the weird site that I am not familiar with, so that the Apple computers and all Windows computers can still join to just simply "ourcompany.org", and now it only has 2 (correct) choices to choose from when using that host name?
Also, if I modify the lookup zones to reflect the change to allow 2 binds for the Apple computers to the specific domain controllers, as opposed to "ourcompany.org", is this going to make the Windows machines not function properly?
I know it is a lot of information. Thank you in advance!
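Before deleting records or rebinding clients, it helps to confirm what the bare domain name actually resolves to versus the controllers the clients are meant to use. The script below is an added example, not part of the original post; the domain, DC names and addresses in it are constructed placeholders standing in for the poster's environment.

```python
"""Audit the A records behind a bare AD domain name against the DCs clients
should bind to.  Added example; all names and addresses are constructed."""
import socket


def resolve_a(name):
    """Return the IPv4 addresses for name via the system resolver, or an
    empty set if the name does not resolve (the post's 'could not resolve
    host name' case)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def audit_domain_records(domain, expected_dcs, resolve=resolve_a):
    """Compare what 'domain' resolves to (the pool a bind to the bare name
    picks from) with the addresses of the expected DCs.  Reports expected
    DCs with no A record, 'stale' domain addresses that belong to no
    expected DC (retired controllers, unrelated hosts), and expected DC
    addresses the bare domain does not advertise."""
    domain_ips = resolve(domain)
    dc_ips = {dc: resolve(dc) for dc in expected_dcs}
    unresolvable = sorted(dc for dc, ips in dc_ips.items() if not ips)
    expected_ips = set().union(*dc_ips.values())
    return {
        "unresolvable": unresolvable,
        "stale": sorted(domain_ips - expected_ips),
        "missing": sorted(expected_ips - domain_ips),
        "healthy": not unresolvable and domain_ips == expected_ips,
    }


# Constructed zone mirroring the post: the bare domain still advertises the
# two retired controllers and an unrelated host, and one current controller
# has no A record at all, so clients cannot bind to it by name.
SAMPLE_ZONE = {
    "ourcompany.org": {"10.0.0.11", "10.0.0.21", "10.0.0.22", "198.51.100.5"},
    "dc1new.ourcompany.org": {"10.0.0.11"},
    # "dc2new.ourcompany.org" deliberately absent: it does not resolve
    "dc1old.ourcompany.org": {"10.0.0.21"},
    "dc2old.ourcompany.org": {"10.0.0.22"},
}


def sample_audit():
    """Run the audit against the constructed zone instead of live DNS."""
    return audit_domain_records(
        "ourcompany.org",
        ["dc1new.ourcompany.org", "dc2new.ourcompany.org"],
        resolve=lambda name: SAMPLE_ZONE.get(name, set()),
    )


if __name__ == "__main__":
    for key, value in sample_audit().items():
        print(f"{key}: {value}")
```

Running `audit_domain_records("ourcompany.org", [...])` with the default resolver performs the same check against live DNS; a result with `healthy` true means the bare name and the specific DC names are interchangeable for binding.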