Alberto Torres
asked on
MacOS Active Directory Authentication Issue
We have several MacOS devices running Mojave that are having trouble staying connected to our AD Domain. These machines are bound and join AD successfully at first. We are able to login with domain credentials, however, after a while, these machines will stop authenticating domain credentials. We have 3 locations that are all macos devices and the other 2 locations do not have this issue, only this one location.
All 3 locations share the same ad domain but each site does have its own domain controller.
Any advice on troubleshooting steps to see why this one location keeps "losing" its authentication to AD?
All 3 locations share the same ad domain but each site does have its own domain controller.
Any advice on troubleshooting steps to see why this one location keeps "losing" its authentication to AD?
OS X tends to do that with AD. You must rebind them periodically.
You should set your AD accounts as Mobile accounts to cache them, so they can continue to log in, after AD is lost. This only mitigates the effect so that you don't need to rebind them all the time, and so the user account profile does not disappear. from the Mac. All AD accounts are Mobile accounts, because they are external to the Mac.
Open the Directory Utility.app
Unlock it so you can make changes.
Select Active Directory
Click on the Pencil icon to edit.
Click on the show advance options.
Check the Create mobile account at login.
You may also want to force a domain controller in the Administrative tab. You can also set the Administrative users, as you would on Windows.
You should set your AD accounts as Mobile accounts to cache them, so they can continue to log in, after AD is lost. This only mitigates the effect so that you don't need to rebind them all the time, and so the user account profile does not disappear. from the Mac. All AD accounts are Mobile accounts, because they are external to the Mac.
Open the Directory Utility.app
Unlock it so you can make changes.
Select Active Directory
Click on the Pencil icon to edit.
Click on the show advance options.
Check the Create mobile account at login.
You may also want to force a domain controller in the Administrative tab. You can also set the Administrative users, as you would on Windows.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
@eridzone Yes we are using DHCP and the DNS servers on the scope options are set correctly. Our Student Lab ( all iMacs) are currently on ethernet. The issue still happens on ethernet for us.
@serialband For our staff who are assigned a macbook pro, we made sure to put them on mobile accounts as you said and works for them. Our bigger issue is really with the student lab where students may log in for the 1st time at several different times in the year.
I guess what makes this stranger is that we don't experience this issue at our other 2 all mac locations.
@serialband For our staff who are assigned a macbook pro, we made sure to put them on mobile accounts as you said and works for them. Our bigger issue is really with the student lab where students may log in for the 1st time at several different times in the year.
I guess what makes this stranger is that we don't experience this issue at our other 2 all mac locations.
This suggests that you have different network setups or network issues at the location in question.
If WiFi and Ethernet is connected at the same time is can cause problems, but the usual cause I have experienced is losing timesysnc, which usually is the Mac losing timesync, and sometimes the DCs losing sync (usually in virtualised environments).
I also have the similar issue in one of our IT Lab consists of only iMacs, some of them had this issue and was resolved by disabling Wifi and going through Ethernet. See if it helps