Solved

Switch off local profile creation on Mac OS X 10.9.4

Posted on 2014-09-09
18
652 Views
Last Modified: 2014-09-26
We have set up 60 iMacs on our AD/OD domain. We use Profile Manager to manage the devices and AD for users to log on.

It's taking 4 minutes to log in a user as (I guess) the local profile is being created. Is there a way to switch this off?

How do other Network Admins tackle this?
0
Question by:Wilkinson1546
18 Comments
 
LVL 10

Expert Comment

by:schaps
ID: 40313628
Slow logins on OS X machines joined to A.D. are usually DNS-related, not from creating a local profile. Does your A.D. domain end in ".local"?
0
 

Author Comment

by:Wilkinson1546
ID: 40313699
I've set up manual reverse DNS for the clients as DNS wasn't being populated. We have Apple Server DNS which forwards to our AD DNS servers; should I switch this off to see if it helps?

Have you any further advice or links related to DNS issues on Macs?

Thank you for the quick reply, by the way.
0
 

Author Comment

by:Wilkinson1546
ID: 40313700
AD domain ends in .internal
0
 
LVL 10

Expert Comment

by:schaps
ID: 40313734
Do you mean you have a Mac server with a secondary zone which syncs to Microsoft servers DNS primary?
If so, set the Macs in question with static DNS set for your Microsoft DNS server just to see if that is the problem. In any case, it's not the reverse DNS likely causing the problem, but perhaps a delay in finding the srv records for the domain controller.
Also, I should have confirmed before, you are not using Mobile Accounts, correct?
Another thing to try: On Directory Utility-> Services-> Active Directory-> Administrative tab, check mark "prefer this domain server" and put in the IP address (not hostname, as it suggests) of your domain controller.
0
 

Author Comment

by:Wilkinson1546
ID: 40313913
We set the Mac Server DNS to be switched on and set our AD DNS as forwarders. We then selected lookup for all clients.

The clients are currently pointing towards the primary and secondary AD DNS Servers and not the Mac DNS Server.

Should I set them to the Mac or leave them as they are and switch off the Apple DNS Server?

We're not using Mobile Accounts and I will set the clients to prefer the domain server.

Thank you
0
 

Author Comment

by:Wilkinson1546
ID: 40316705
We've set the preferred domain server and logins are still taking a while. I have also looked at our DNS servers and they all look fine. I'm planning on switching off the Apple Server DNS; would you suggest this or should I leave it on?
0
 
LVL 10

Expert Comment

by:schaps
ID: 40316980
Just checking that you used an IP address, not hostname, in the preferred domain server?
Regarding the Apple DNS server, you wrote: "The clients are currently pointing towards the primary and secondary AD DNS Servers and not the Mac DNS Server." In that case, it doesn't matter whether the Mac DNS server is running. If no clients ever query the Mac Server for DNS, it does nothing, has no effect. You may as well turn it off. It makes me wonder why it was on, though, if it doesn't hold the primary zone and no clients point to it?
Further question, are you using Open Directory on the Mac Server and have Mac clients bound to both, or just bound to Active Directory?
In Directory Utility, under "Search Policy" and "Authentication," is your AD domain at the top?
0
 

Author Comment

by:Wilkinson1546
ID: 40317052
Yes, we used an IP in the preferred domain.

Yes, we're bound to AD and OD.

We see the following in Directory Utility
Local/Default
Active Directory
LDAPv3/(our apple server FQDN)

Thank you
0
 
LVL 10

Expert Comment

by:schaps
ID: 40317086
In Directory Utility, under Services-> Active Directory-> User Experience-> what are the check-marked settings there?
0
 

Author Comment

by:Wilkinson1546
ID: 40317116
Screenshot
0
 
LVL 10

Expert Comment

by:schaps
ID: 40317262
That all looks OK.
So you have a network home specified in the AD account on a Windows server?
0
 

Author Comment

by:Wilkinson1546
ID: 40317488
Yes, we have a home folder which allows the users' documents to load in Computer as a network drive, and that works fine now.

We have noticed that when users first log on it takes a while, but then the second login is 95 seconds for all users. Is 95 seconds classed as good? I thought it would be more like 10 seconds.
0
 
LVL 10

Expert Comment

by:schaps
ID: 40317514
If the Mac is merely mounting a network drive when it logs in, not copying all its contents to the local Mac, logins after the first one should be more like 10 seconds. When they first login, the Mac is creating a local profile from the template, so that does take a few more seconds, but unless it's loading a large template profile, that is not likely your problem (let me know if you've modified the user template).

I would create a test user with a mapped --but empty-- network home folder, then on the Mac time the first login for that test user, restart Mac, time the second login, then remove the network home path from the user record in AD, restart Mac, then time a 3rd and 4th login to see if the delay is related to the mounting of this network drive. Not that you'd want to keep it that way, but it would narrow down the problem.
0
 
LVL 27

Expert Comment

by:serialband
ID: 40317538
From http://www.peachpit.com/articles/article.aspx?p=1246089
It's specifically about 10.5, but it's still relevant.

Understanding the Home Folder Default Behavior

When you log in with a user account for Active Directory, by default Mac OS X creates a home folder for the user on the startup disk in /Users/usershortname.

If a directory already exists with that name, Mac OS X will not create a new home folder. You may experience unexpected results because the Active Directory user does not have write permissions to the home folder.

See “Transitioning from a Local User to an Active Directory User,” later in this chapter, if that is appropriate for your situation.

Understanding Home Folder Synchronization

The default settings do not configure Mac OS X to synchronize the local home folder with a network home folder. If you log in as the same Active Directory user on multiple Mac OS X computers that are configured with the default settings for the Active Directory plug-in, you will have a different home folder on each computer, and the contents will not be synchronized. To prevent this situation you can do the following:

    Configure mobile accounts and home folder synchronization. See “Understanding Mobile Accounts” for more on this.
    Deselect the option to force the creation of a local home folder, and use Active Directory tools to assign a network home folder for the Active Directory user account. See “Specifying a Network Home Folder” for details.
0
 

Author Comment

by:Wilkinson1546
ID: 40320701
Somehow our AD DNS Servers had a false A record for our Apple Server. It seems we have better results logging on now; we know it's faster to log in now (not 4 minutes), but we haven't timed it yet. Will update this ASAP.
0
 
LVL 10

Accepted Solution

by:
schaps earned 500 total points
ID: 40321010
Good to hear. As I wrote before, slow logins on OS X machines joined to A.D. are usually DNS-related. It happens either by slowing authentication or slowing the finding of and mounting the home folder. To that last point, I remember having success speeding up logins by using an IP address in the user home folder setting on the Windows server (usually something like "\\server\users\username"; I used "\\172.16.0.1\users\username"). However, I still would establish a benchmark, as I wrote before, of testing a user without a home folder assigned and see if login time increases substantially by adding one.

None of these things to try are necessarily settings you'd continue using in normal practice, but they aid in finding out what's happening.
0
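
The root cause reported in this thread was a false A record for the Apple server on the AD DNS servers. A check along the following lines queries each DNS server directly and flags answers that disagree with the address the host should have. It is an added example, not part of the thread; the host name, expected address and DNS server addresses are constructed placeholders, and it assumes `dig` is present on the client.

```shell
#!/bin/sh
# Added example: audit the A record each DNS server returns for one host.
# Live use (all values below are placeholders, not from the thread):
#   sh audit_a.sh macserver.example.internal 192.0.2.10 192.0.2.53 192.0.2.54

# classify_a EXPECTED_IP "ANSWERS"   (ANSWERS: output of `dig +short A`)
# Prints one verdict: ok | stale-extra | wrong | missing
classify_a() {
    expected=$1; found=0; other=0
    for ip in $2; do
        # Skip anything that is not a dotted quad (CNAME targets, dig errors).
        case $ip in *[!0-9.]*) continue ;; esac
        if [ "$ip" = "$expected" ]; then found=1; else other=1; fi
    done
    case "$found$other" in
        10) echo ok ;;            # only the expected address
        11) echo stale-extra ;;   # expected address plus a leftover record
        01) echo wrong ;;         # record points somewhere else entirely
        *)  echo missing ;;       # no A record, or the server did not answer
    esac
}

# audit_host HOST EXPECTED_IP SERVER...
# Asks every listed server directly, so a bad record on one of them is not
# hidden by a forwarder or by the client's resolver cache.
audit_host() {
    host=$1; want=$2; shift 2; rc=0
    for server in "$@"; do
        answers=$(dig +short +time=2 +tries=1 A "$host" "@$server" 2>/dev/null)
        verdict=$(classify_a "$want" "$answers")
        printf '%-15s %-12s %s\n' "$server" "$verdict" "$(echo $answers)"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

if [ $# -ge 3 ]; then
    audit_host "$@"
else
    # Offline demo on constructed answers (documentation address range).
    classify_a 192.0.2.10 "192.0.2.10"
    classify_a 192.0.2.10 "192.0.2.10 192.0.2.99"
    classify_a 192.0.2.10 "192.0.2.99"
    classify_a 192.0.2.10 ""
fi
```

A non-zero exit status from the live run means at least one server returned something other than exactly the expected address.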
 
LVL 10

Expert Comment

by:schaps
ID: 40344448
Hi, have you had any luck?
0
 

Author Closing Comment

by:Wilkinson1546
ID: 40345698
Many thanks for your help with this. All your advice and comments aided the troubleshooting process, and we now have successful logins in 30 seconds.
0
