
Hello, I've been troubleshooting "slow login times" for some AD-bound systems in the corporate environment. I've stumbled upon an oddity that I'd like some clarification on. The AD search paths differ from client to client in my environment. New Macs are bound to AD at imaging time via Casper Directory binding; existing Macs were bound using a third-party tool mid last year.

I wrote a simple extension attribute to return what Active Directory search paths the client was using:

#!/bin/bash

# Read the authentication search policy of the /Search node and keep only
# the Active Directory entries, collapsing duplicates.
result="$(dscl /Search -read / | grep "/Active Directory/" | sort -u)"

# Wrap the value in the <result> tags Casper expects from an extension attribute.
echo "<result>$result</result>"

exit 0

and got the following results across 1100 clients globally:

/Active Directory/[COMPANY] & /Active Directory/[COMPANY]/All Domains
/Active Directory/[COMPANY]/All Domains
/Active Directory/All Domains
/Active Directory/AD/All Domains
/Active Directory/ad.[COMPANY].com

so I'm wondering, which path should I be seeing and why is there such a diversity?

A lot of these sound like the "Allow authentication from any domain in the forest" setting in the Apple AD plug-in is not being consistently set. Here's where this setting is in the Apple AD plug-in:

/Active Directory/[COMPANY]/All Domains - This one corresponds to 10.7 or higher Macs where Allow authentication from any domain in the forest setting in the Apple AD plug-in is checked.

/Active Directory/All Domains - This one corresponds to 10.6 or lower Macs where Allow authentication from any domain in the forest setting in the Apple AD plug-in is checked.

What was the third party tool used to bind existing Macs?
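An added example, not code from any post in this thread: an extension attribute that extends the original script to report the search path classified per the mapping above, together with the OS version and the forest-wide setting as printed by `dsconfigad -show`, so the diversity can be correlated per client. The function names are mine, and the `Authentication from any domain` line name is an assumption about `dsconfigad -show` output.

```shell
#!/bin/bash
# Added example (not the original extension attribute): report search path,
# forest-wide authentication setting and OS version in one <result>.

# Classify one search-path entry per the mapping given in the answer above.
classify_path() {
    case "$1" in
        "/Active Directory/All Domains")     echo "forest-wide (10.6 or lower)" ;;
        "/Active Directory/"*"/All Domains") echo "forest-wide (10.7 or higher)" ;;
        "/Active Directory/"*)               echo "domain-only" ;;
        *)                                   echo "not an AD path" ;;
    esac
}

# Pull the value of the "Authentication from any domain" line (assumed name)
# out of dsconfigad -show text supplied on stdin.
forest_setting() {
    awk -F'= *' '/Authentication from any domain/ {print $2; exit}'
}

# Build the result string from dscl output, dsconfigad output and OS version
# passed as arguments, so the logic can be exercised offline with constructed text.
build_result() {
    local dscl_out="$1" dsconfigad_out="$2" os="$3"
    local forest paths summary p
    forest="$(printf '%s\n' "$dsconfigad_out" | forest_setting)"
    # dscl indents each path with a space; strip it before de-duplicating.
    paths="$(printf '%s\n' "$dscl_out" | grep '/Active Directory/' \
             | sed 's/^[[:space:]]*//' | sort -u)"
    summary=""
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        summary="${summary}${p} [$(classify_path "$p")];"
    done <<EOF
$paths
EOF
    printf 'os=%s forest=%s paths=%s' "$os" "${forest:-unknown}" "$summary"
}

# Live use on a Mac; guarded so the file can also be sourced for testing.
if [ "${1:-}" = "--run" ]; then
    result="$(build_result "$(dscl /Search -read /)" "$(dsconfigad -show)" \
                           "$(sw_vers -productVersion)")"
    echo "<result>$result</result>"
fi
```

Run it as an extension attribute with `--run`; the `paths=` field then shows directly whether a client has the forest-wide entry or only the single-domain one.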


I don't know that anyone would be able to explain why you have such a wide number of results, but I believe the proper search path in most cases is:

/Active Directory/[COMPANY]/All Domains

At least that's what we use and things seem to work well. Though, when talking about AD, there is often more than one correct answer to such questions, so don't just take my word for it.


My hunch is that your Macs are polling different DCs (Sites and Services setup) and are getting different responses. My hunch is differing SRV records.


@rtrouton
That's good info! Thank you for your insight.

What was the third party tool used to bind existing Macs?

We hired 318 to develop a custom user-driven AD binding app. I'm not sure if "Allow authentication from any domain in the forest" is addressed. We only have one domain globally.

@jarednichols
We have a single DNS entry for ad.[company].com; ~30 AD servers globally sit behind it. How can I verify differing SRV records?

Thank you!