Active Directory Q&A

azbikowski
New Contributor II

Heard a few issues I've run into myself so throwing out what I've found so far. I'm still testing some of this, so no promises.

Filevault 2 Unlock out of Sync with Active Directory
We've run into a few laptops where Filevault doesn't sync up when the Active Directory password is changed. Removing the user from Filevault worked but adding them back to Filevault failed in GUI and fdesetup. The only fix seemed to be to decrypt and then encrypt the computer. I recently found another work around that so far has been successful for two attempts.

  1. Verify that you have second working account able to unlock Filevault or that your recovery key works. If the only way to unlock the drive is the out of sync user, stop and decrypt.
  2. Remove out of sync user from Filevault:sudo fdesetup remove -user username
  3. Clear EFI Boot Cache: sudo touch /System/Library/PrivateFrameworks/EFILogin.framework/Resources/EFIResourceBuilder.bundle/Contents/Resources
  4. Use Run Maintenance in Self Service (This item resets NVRAM via script, and executes Reset Computer Name, Fix Disk Permissions, Fix ByHost Files, Flush System Caches, Flush User Caches, Verify Startup Disk, and then Restarts the computer.
  5. Log in under local admin account.
  6. Add mobile account to FileVault under System Preferences > Security > FileVault
  7. Reboot and verify user can unlock computer.

Disable mounting Network Home
Remote users often got "path not found" type errors and delays when logging on. I've unchecked "Use UNC path from Active Directory to derive network home location." I packaged up an Automator workflow as an application that mounts the user's home directory and group shares as needed.

Active Directory and .local DNS domains
Bonjour is a mDNS implementation, and having an Active Directory domain that ends in .local can cause lookup delays. I have an extension attribute that checks the mans_timeout and resets it to 1 (default 5). This has helped speed things up.

Extension Attribute just runs:
defaults read /System/Library/SystemConfiguration/IPMonitor.bundle/Contents/Info mdns_timeout

Setting it from 5 to 1: defaults write /System/Library/SystemConfiguration/IPMonitor.bundle/Contents/Info mdns_timeout -int 1

DSBindTimeout
Default value is unset, but the hard coded value is very high and conservative. I've only tested this on a couple computers so far. Needs much more testing before I roll it out.

Set it lower: /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow DSBindTimeout -int 10

Extension Attribute to monitor value: /usr/bin/defaults read /Library/Preferences/com.apple.loginwindow DSBindTimeout

Sources: https://jamfnation.jamfsoftware.com/discussion.html?id=10894
https://jamfnation.jamfsoftware.com/discussion.html?id=6025
https://jamfnation.jamfsoftware.com/discussion.html?id=8598

6 REPLIES 6

Josh_Smith
Contributor III
DSBindTimeout Default value is unset, but the hard coded value is very high and conservative. I've only tested this on a couple computers so far. Needs much more testing before I roll it out. Set it lower: /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow DSBindTimeout -int 10

I set this value to 2 on my MacBook Pro for testing about 4 months ago and haven't had an issue yet. I was trying to set it low enough to see what problems could arise, but haven't found one yet....the only difference I have seen is the great boot times.

/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow DSBindTimeout -int 2

azbikowski
New Contributor II
/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow DSBindTimeout -int 2

Changed from 10 to 2 on my Mac and cut boot time from 30+ seconds to just under 15 seconds. Progress as long as things are trouble free tomorrow when I'm back in the office.

azbikowski
New Contributor II

JAMF Post

Some testing today on my work Mac. Retina, 15-inch, Mid 2014. 2.5 GHz Intel Core i7, 16 GB 1600 MHz DDR3.

Boot: Time it takes from pressing enter on Filevault 2 unlock to desktop.

DSBindTimeout Unset: Boot Time Offline (No network at all): 73 sec.
Boot Time Ethernet Only: 43 sec. Boot Time WiFi (Corporate): 43 sec. Boot Time WiFi (Home, no AD): 73 sec.

That seems conclusive, so I set DSBindTimeout to 45 and got about 45 second boots for all scenarios. I think I'll go with 50 as the conservative setting.

Fastest boot time with DSBindTimeout set to 1 is about 25 seconds. Main problem I see with that is outlook throws up a Kerberos prompt when started, so network logon is definitely timing out with DSBindTimeout set to 1. I'm going to assume that setting DSBindTimeout would cause problems if no mobile account existed. I'll have to test that on a clean Mac and see, but this should be OK if you've got a director breathing down your neck demanding that his Mac boots faster. :D

rcurran
Contributor

This was extremely helpful! Thank you!

mikeuva123
New Contributor

Very helpful to me as well! Trying to figure out what to do with the extra 2 mins of my life you just gave back to me everyday. :)

davidacland
Honored Contributor II
Honored Contributor II

On the FileVault issue, I've had this a few times. I found that 'poking' fdesetup, in our case a script that created a FileVault user, then deleted it and other affected accounts started working again. This was on 10.8 last time I noticed it.

For the main AD connection I normally set the passinterval (dsconfigad) to 0 for any mobile Macs. They seem to have intermittent issues reconnecting to AD if their computer password changes while they are off the network.