Posted on 10-23-2014 12:08 PM
Heard a few issues I've run into myself so throwing out what I've found so far. I'm still testing some of this, so no promises.
FileVault 2 Unlock out of Sync with Active Directory
We've run into a few laptops where FileVault doesn't sync up when the Active Directory password is changed. Removing the user from FileVault worked but adding them back to FileVault failed in the GUI and fdesetup. The only fix seemed to be to decrypt and then encrypt the computer. I recently found another workaround that so far has been successful for two attempts.
Disable mounting Network Home
Remote users often got "path not found" type errors and delays when logging on. I've unchecked "Use UNC path from Active Directory to derive network home location." I packaged up an Automator workflow as an application that mounts the user's home directory and group shares as needed.
Active Directory and .local DNS domains
Bonjour is an mDNS implementation, and having an Active Directory domain that ends in .local can cause lookup delays. I have an extension attribute that checks the mdns_timeout and resets it to 1 (default 5). This has helped speed things up.
Extension Attribute just runs:
defaults read /System/Library/SystemConfiguration/IPMonitor.bundle/Contents/Info mdns_timeout
Setting it from 5 to 1: defaults write /System/Library/SystemConfiguration/IPMonitor.bundle/Contents/Info mdns_timeout -int 1
DSBindTimeout
Default value is unset, but the hard coded value is very high and conservative. I've only tested this on a couple computers so far. Needs much more testing before I roll it out.
Set it lower: /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow DSBindTimeout -int 10
Extension Attribute to monitor value: /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow DSBindTimeout
Sources:
https://jamfnation.jamfsoftware.com/discussion.html?id=10894
https://jamfnation.jamfsoftware.com/discussion.html?id=6025
https://jamfnation.jamfsoftware.com/discussion.html?id=8598
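An added example, not part of the original post: one extension attribute script that reports both timeouts discussed above and handles the case where a key is unset, which makes a bare defaults read exit non-zero and leave the attribute empty. The function names and the DEFAULTS_BIN override are hypothetical; the <result> wrapper is the output format Jamf extension attribute scripts use.

```shell
#!/bin/sh
# Added example: extension attribute for the two timeouts in this thread.
# DEFAULTS_BIN is a hypothetical override so the logic can be exercised off a Mac.
DEFAULTS_BIN="${DEFAULTS_BIN:-/usr/bin/defaults}"

# Print the integer stored at domain/key, "Unset" when the read fails
# (key absent, so the built-in default applies), or "Invalid:<raw>"
# when the stored value is not a plain non-negative integer.
read_timeout() {
    domain="$1"; key="$2"
    if ! raw=$("$DEFAULTS_BIN" read "$domain" "$key" 2>/dev/null); then
        echo "Unset"
        return 0
    fi
    case "$raw" in
        ''|*[!0-9]*) echo "Invalid:$raw" ;;
        *)           echo "$raw" ;;
    esac
}

# Build one result string covering both settings so inventory shows them together.
ea_result() {
    bind=$(read_timeout /Library/Preferences/com.apple.loginwindow DSBindTimeout)
    mdns=$(read_timeout /System/Library/SystemConfiguration/IPMonitor.bundle/Contents/Info mdns_timeout)
    echo "<result>DSBindTimeout=$bind; mdns_timeout=$mdns</result>"
}

ea_result
```

Reporting "Unset" explicitly makes it possible to build a smart group of machines that still run with the built-in DSBindTimeout, separate from machines where a value was deliberately written.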
Posted on 10-23-2014 12:14 PM
DSBindTimeout Default value is unset, but the hard coded value is very high and conservative. I've only tested this on a couple computers so far. Needs much more testing before I roll it out. Set it lower: /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow DSBindTimeout -int 10
I set this value to 2 on my MacBook Pro for testing about 4 months ago and haven't had an issue yet. I was trying to set it low enough to see what problems could arise, but haven't found one yet... the only difference I have seen is the great boot times.
/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow DSBindTimeout -int 2
Posted on 10-23-2014 12:31 PM
/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow DSBindTimeout -int 2
Changed from 10 to 2 on my Mac and cut boot time from 30+ seconds to just under 15 seconds. Progress as long as things are trouble free tomorrow when I'm back in the office.
Posted on 10-24-2014 10:52 AM
JAMF Post
Some testing today on my work Mac. Retina, 15-inch, Mid 2014. 2.5 GHz Intel Core i7, 16 GB 1600 MHz DDR3.
Boot: Time it takes from pressing enter on FileVault 2 unlock to desktop.
DSBindTimeout Unset:
Boot Time Offline (No network at all): 73 sec.
Boot Time Ethernet Only: 43 sec.
Boot Time WiFi (Corporate): 43 sec.
Boot Time WiFi (Home, no AD): 73 sec.
That seems conclusive, so I set DSBindTimeout to 45 and got about 45 second boots for all scenarios. I think I'll go with 50 as the conservative setting.
Fastest boot time with DSBindTimeout set to 1 is about 25 seconds. Main problem I see with that is Outlook throws up a Kerberos prompt when started, so network logon is definitely timing out with DSBindTimeout set to 1. I'm going to assume that setting DSBindTimeout would cause problems if no mobile account existed. I'll have to test that on a clean Mac and see, but this should be OK if you've got a director breathing down your neck demanding that his Mac boots faster. :D
Posted on 11-13-2014 02:04 PM
This was extremely helpful! Thank you!
Posted on 11-23-2014 06:44 AM
Very helpful to me as well! Trying to figure out what to do with the extra 2 mins of my life you just gave back to me every day. :)
Posted on 11-24-2014 03:34 PM
On the FileVault issue, I've had this a few times. I found that 'poking' fdesetup, in our case a script that created a FileVault user, then deleted it, and other affected accounts started working again. This was on 10.8 last time I noticed it.
For the main AD connection I normally set the passinterval (dsconfigad) to 0 for any mobile Macs. They seem to have intermittent issues reconnecting to AD if their computer password changes while they are off the network.