Active Directory Lag on Login

achand
New Contributor III

Has anyone had an issue with intermittent Active Directory lag in their environment? We have a subset of our systems that, when waking from sleep or opening up a new terminal, take roughly 20 seconds before the system wakes or lets you use the terminal. The systems are 10.8 and are bound to Active Directory. I've found that a quick fix for this is to simply do a 'killall opendirectoryd'. I am not sure what causes this to occur and why it only happens to certain systems. Has anyone encountered this type of behavior? If so, how were you able to remediate it?

4 REPLIES

talkingmoose
Moderator

No solution for you but I'd be curious to know what happens if you hard code the IP address and other TCP/IP settings on the computer including DNS servers.

Stevie
Contributor

Yes, I had this problem and it was caused by two issues.

1) Check your DNS. I found that our Macs couldn't always resolve the DNS service records on a large forest. Use dig -t SRV _service._tcp.fqdn.example.com and also check ldap, kerberos, _kpasswd and _gc. The simple fix for me was to send dsconfigad -preferred <Name of your domain server> to each Mac client.

2) If you are on a large domain, try pointing your clients directly to the domain controller rather than the "All Domains" setting within the Directory Utility. This is under the Administrative tab; the check box is called "Allow authentication from any domain in the forest". Make sure this is not checked.

Here is the script which I use that fixed it for us.

#!/bin/bash

# Run as root (e.g. from a management policy); the per-line sudo calls were
# dropped for that reason. Replace the <...> placeholders with your own values.

# Make sure that Active Directory settings are turned on
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"

# Check the search policy settings (recorded for reference; not used below)
searchPolicyAuth=$(dscl /Search -read / | grep SearchPolicy: | awk '{print $2}')
searchPolicyCont=$(dscl /Search/Contacts -read / | grep SearchPolicy: | awk '{print $2}')
echo "Authentication search policy: ${searchPolicyAuth}"
echo "Contacts search policy: ${searchPolicyCont}"

# Bind options: single domain, one preferred DC, mobile accounts without the
# confirmation prompt, SMB home protocol, domain admins as local admins
dsconfigad -alldomains disable
dsconfigad -preferred "<Name of your domain server>"
dsconfigad -mobile enable
dsconfigad -mobileconfirm disable
dsconfigad -protocol smb
dsconfigad -groups "<Name of your domain>/domain admins,domain admins"
dsconfigad -useuncpath disable

# Minor OS version, e.g. "8" for 10.8.x (taken as the second dotted field so
# it also copes with a two-digit minor version)
osversionlong=$(sw_vers -productVersion)
osvers=$(echo "${osversionlong}" | awk -F. '{print $2}')
echo "${osvers}"
dscl localhost -list "/Active Directory"

# The AD node paths differ between 10.6 and 10.7/10.8. Deleting a search path
# entry that is not present prints an error, which is harmless here.
if [ "${osvers}" -eq 6 ]; then
    echo "old OS detected as ${osversionlong}"
    dscl localhost -read /Search CSPSearchPath | grep "Active Directory"
    dscl /Search -delete / CSPSearchPath "/Active Directory/All Domains"
    dscl /Search -delete / CSPSearchPath "/Active Directory/"
    dscl /Search -delete / CSPSearchPath "/Active Directory/<Name of your domain>"
    dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/All Domains"
    dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/"
    dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/<Name of your domain>"

    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search -append / CSPSearchPath "/Active Directory/<Name of your domain>"

    sleep 10

    dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
    dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/<Name of your domain>"

elif [ "${osvers}" -eq 7 ] || [ "${osvers}" -eq 8 ]; then
    echo "new OS detected as ${osversionlong}"
    dscl localhost -read /Search CSPSearchPath | grep "Active Directory"
    dscl /Search -delete / CSPSearchPath "/Active Directory/<Name of your domain>/All Domains"
    dscl /Search -delete / CSPSearchPath "/Active Directory/<Name of your domain>/"
    dscl /Search -delete / CSPSearchPath "/Active Directory/<Name of your domain>"
    dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/<Name of your domain>/All Domains"
    dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/<Name of your domain>/"
    dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/<Name of your domain>"

    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search -append / CSPSearchPath "/Active Directory/<Name of your domain>/<Name of your domain>.com"
    dscl /Search -append / CSPSearchPath "/Active Directory/<Name of your domain>/"

    sleep 10

    dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
    dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/<Name of your domain>/<Name of your domain>.com"
    dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/<Name of your domain>/"
    dscl /Search/Contacts -append / CSPSearchPath "/Local/Default/"
fi

exit 0
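The SRV lookups Stevie describes in point 1, written out as a small shell check. This is an added example, not code from the thread: it lists the four SRV names a bound Mac needs, parses `dig +short -t SRV` output, and confirms that the DC you pass to `dsconfigad -preferred` is actually one of the LDAP servers the domain advertises. The domain `corp.example.com` and the host names `dc1`/`dc2` in the constructed sample are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Domain and DC names are
# assumptions; replace them with your own when running the live check.

# The SRV names the AD plugin must resolve for a domain
srv_names() {
    domain="$1"
    printf '%s\n' \
        "_ldap._tcp.$domain" \
        "_kerberos._tcp.$domain" \
        "_kpasswd._tcp.$domain" \
        "_gc._tcp.$domain"
}

# Parse 'dig +short -t SRV' output ("priority weight port target." per line)
# read from stdin and print the target host names without the trailing dot.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Succeed if the given DC host name is among the SRV targets read from stdin
# (case-insensitive, whole-line, fixed-string match).
dc_is_advertised() {
    dc="$1"
    srv_targets | grep -qixF "$dc"
}

# Live check: query each SRV name, report the missing ones, and return the
# number missing (0 means every record resolved).
check_domain() {
    domain="$1"
    missing=0
    for name in $(srv_names "$domain"); do
        if [ -z "$(dig +short -t SRV "$name")" ]; then
            echo "MISSING: $name"
            missing=$((missing + 1))
        else
            echo "ok: $name"
        fi
    done
    return "$missing"
}

# Constructed sample of what 'dig +short -t SRV _ldap._tcp.corp.example.com'
# might return for a domain with two DCs (not captured from a real domain).
SAMPLE_SRV='0 100 389 dc1.corp.example.com.
0 100 389 dc2.corp.example.com.'

# Usage: ./adsrvcheck.sh corp.example.com [preferred-dc-fqdn]
if [ $# -ge 1 ]; then
    check_domain "$1"
    if [ $# -ge 2 ]; then
        if dig +short -t SRV "_ldap._tcp.$1" | dc_is_advertised "$2"; then
            echo "preferred DC $2 is advertised in _ldap._tcp.$1"
        else
            echo "WARNING: preferred DC $2 is not in _ldap._tcp.$1"
        fi
    fi
fi
```

If a record comes back empty from the client's resolver but resolves from a DC, the client is using a DNS server that does not carry the AD zones, which fits the symptom of `opendirectoryd` stalling until a lookup times out. A preferred DC that is not advertised in `_ldap._tcp` is also worth knowing about before relying on it.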

dpertschi
Valued Contributor

-preferred, is that address really used every time the client talks to AD?

I've always been under the impression that is only used during the initial bind.

achand
New Contributor III

Awesome, thanks for the tips, guys. What makes this so difficult to troubleshoot is that I'm not able to reproduce this issue. We also have a separate issue where users randomly lose admin rights to their system. Simply doing a 'dscacheutil -flushcache' and logging out / in seems to fix that. I wonder if it's related to this issue. Stevie, for #1, we have all our clients point to a preferred domain controller. Going to try #2 to see if it makes a difference.