rcctech

Macs on Active Directory Gone Haywire - No connection and unable to login

Hello,

We have a mixed Apple/Microsoft environment running on Windows Server 2008.  About a month ago, I transitioned all of our Mac users to Active Directory instead of using a local user account on their machine.  That transition went relatively smoothly.  The only hoop I had to go through was to manually add the IP address of the domain controller as the DNS in each Mac's Network Preferences.  All users have been transitioned to using Active Directory and set up with Mobile accounts so they can function when they're at home and not connected to the domain controller.  Everything was working well - for a few weeks.

Earlier this week, I began getting reports from Mac users being (1) unable to log in and (2) not being able to access the shared drives on the server.
     - Lion users have been able to continue logging in and using their computers, as you would expect with the mobile accounts setup.  Lion users can also still access the shared drives.
     -  Snow Leopard users are now unable to log into their computer at all sometimes.  Occasionally, they are able to log into their machines after a full reboot.  But, once logged in, they still cannot administrate their machines.  It says the username/password is bad.  The admin account I've been using is also not accepted, so I have no way of getting admin privileges on these SL machines.  SL users are also unable to connect to the Shared Drives on the server.  They get past authenticating fine, and get as far as the Shared List, but once making a selection from the list, Finder freezes trying to open it.


So, there's a couple of problems going on, but it seems to me the source of the problem is the server.  I'm hoping to resolve the connection issue, and hoping that will get my Snow Leopard users back up and running without needing Admin privileges for their machines.


Using a Lion machine to troubleshoot, I have found...
     -  The login screen shows the red dot and says "Network Accounts Unavailable"
     -  But, after logging in (to an existing mobile account), the "Network Account Server" option in Account Prefs under "Login Options" is green.  
     -  Trying to authenticate for admin privileges with a server admin account fails.  I can only authenticate with an existing mobile account.
     -  I unbound from the domain, and when attempting to reBind, I receive the error:
Unable to add to server.   Node name wasn't found.
(2000)

I expected this based off of the problems I'm having, but didn't realize it would be so hard to rectify.

In order to reBind, I have tried:
     - Deleting computer account from the AD and restarting client machine
     - Restarting server
     - Binding from GUI in prefs, and dsconfigad command in terminal. Same results
     - Deleting all entries with my computers name from Forward DNS Lookup on the server
     - Connecting via a different WiFi network, and by wired
     - Deleting and readding IP address of server as DNS on the mac network prefs.


I'm out of ideas now, but this is causing some pretty major issues for us.  I could greatly use some help.  I'm a production guy, not really an IT guy.

Thanks.
Active Directory, Windows Server 2008, Mac OS X

rcctech

ASKER

I forgot to mention that the error I receive in Console is:

5/23/12 5:28:27.017 PM opendirectoryd: GSSAPI Error:  Miscellaneous failure (see text (Clock skew too great (negative cache))

and

5/23/12 5:30:43.818 PM System Preferences: -[ODCAddServerSheetController handleOtherActionError: gotError: Error Domain=com.apple.OpenDirectory Code=2000 "Unable to connect to server" UserInfo=0x4001770c0 {NSLocalizedDescription=Unable to connect to server, NSLocalizedFailureReason=Node name wasn't found.}, Node name wasn't found.
SOLUTION
amenezes0617
rcctech

ASKER

Thanks for the article.

Based on my multiple computer issue simultaneously, I think it's a server issue.  It looks like there are some updates I need to look at that the folks mentioned in that thread, so I'm going to look at the log and see what updates have been installed in the past week.  And, hopefully something is available to fix whatever has happened.
EdTechy

I'm not sure about your second error, but the first means that your clock on the client does not match that of the server. For Kerberos and therefore login to work correctly, the client computer and server clocks must be within a few seconds of each other. You need to point your clients to the same time server as the AD server at the least. It is even better to use the AD server as the time server and point the clients to it. When the time difference (skew) is too great, you will get the errors you are describing.
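One way to measure the clock skew behind the "Clock skew too great" message, as an added example that is not part of the original thread: a small SNTP client that computes the client-to-server offset and compares it with a tolerance. It assumes the domain controller answers SNTP on UDP 123; the function names are hypothetical, the 300-second default is Active Directory's default Kerberos clock tolerance, and the sample reply is constructed.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
AD_DEFAULT_TOLERANCE = 300     # seconds; AD default Kerberos clock tolerance (5 min)

def _to_unix(sec, frac):
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def parse_offset(reply, t_send, t_recv):
    """Server-minus-client offset (seconds) from a 48-byte SNTP server reply."""
    if len(reply) < 48 or reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable SNTP server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    # Standard NTP offset: mean of the two one-way differences.
    return ((_to_unix(rx_s, rx_f) - t_send) + (_to_unix(tx_s, tx_f) - t_recv)) / 2

def query_offset(server, timeout=3.0):
    """Ask `server` (assumed to answer SNTP on UDP 123) for its time."""
    request = b"\x1b" + 47 * b"\0"          # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t_send = time.time()
        s.sendto(request, (server, 123))
        reply, _ = s.recvfrom(512)
        t_recv = time.time()
    return parse_offset(reply, t_send, t_recv)

def skew_verdict(offset, tolerance=AD_DEFAULT_TOLERANCE):
    return "ok" if abs(offset) <= tolerance else "clock skew too great"

def constructed_reply(server_unix_time):
    """Constructed sample reply (not captured traffic) for an offline run."""
    sec = int(server_unix_time) + NTP_EPOCH_DELTA
    # Header (mode 4, stratum 2), 7 zeroed words, then receive and transmit stamps.
    return struct.pack("!BBBb11I", 0x1C, 2, 0, -20, *([0] * 7), sec, 0, sec, 0)

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # address of the domain controller
        off = query_offset(sys.argv[1])
    else:                                    # offline demo: server 400 s ahead
        now = time.time()
        off = parse_offset(constructed_reply(now + 400), now, now)
    print(f"offset {off:+.1f}s -> {skew_verdict(off)}")
```

Run it on an affected Mac with the domain controller's address as the only argument; a positive offset means the server clock is ahead of the client.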
ASKER CERTIFIED SOLUTION
rcctech

rcctech

ASKER

My comment adds the specific solution to my problem, which was found in a very lengthy thread provided by amenezes.