Jamf Nation Community

The only scheduled Tasso that I have is the every 15 minute check in.

---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

Err "tasks" dang iPad autocorrrect :)

---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

Are these machines bound to Active Directory and can they see a DNS entry
On 6/24/10 12:54 PM, "Nichols, Jared - 1170 - MITLL" <jared.nichols at ll.mit.edu> wrote:
for your domain controllers from your external DNS servers?

-- 

William Smith
Technical Analyst
MCS IT, Saint Paul
(651) 632-1492

Yes these are AD bound machines. Our dns is visible only from inside of our network. I take it you've seen something like this seeing how you've asked these specific questions.…

J

---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

Also, try & turn off your wireless.. If it's a laptop...

We had the same issue, found that turning off the wireless helped as it
stopped the mac from trying to either find the jss or ad

Yeah have done that already. We generally have wireless turned off on machines. Still got the delayed login. :(

---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

You're describing a well-known issue but that's not to say this is
On 6/24/10 1:34 PM, "Nichols, Jared - 1170 - MITLL" <jared.nichols at ll.mit.edu> wrote:
specifically your issue.

Macs bound to Active Directory look to their local network for servers to
authenticate a user attempting to log in. If the Macs can't see their
domain controllers, they quickly give up and use the cached (mobile)
credentials.

However, while companies don't share out their domain controllers to the
Internet, their external DNS is often populated with internal server
information. So, when a Mac is connected to the Internet and is looking
for its domain controller, it will be referred to a company's external DNS
system. The external DNS then responds with the address to connect to a
domain controller. However, the Mac can't access the domain controller and
it hangs until it times out and gives up. Only then, after a lengthy wait,
will the machine revert to the locally cached credentials.

My understanding is that this was suppose to be addressed by Apple in
updates to the Mac OS, however, we still see these delays. Our
instructions to users is to turn on and turn off the Airport only while
using their computer at home. Some folks have made scripted workarounds
but we have too few laptop users to warrant this for our environment.

-- 

William Smith
Technical Analyst
MCS IT, Saint Paul
(651) 632-1492

Correct. We have internal and external DNS servers. The external DNS servers
do not see the Domain Controllers and thus the logins are snappy off-campus.
It was slow before this was put into place. Windows was affected, too, to an
extent.

Craig E

Does this specifically have to do with DNS changes in 10.6? In 10.5 directory services handled most dns look ups and in 10.6 it seems they changed the role over to mDNSResponder daemon to handle DNS look ups. Which is also used for network discovery like bonjour.

This issue has been around since at least 10.4. Maybe earlier.
On 6/24/10 3:48 PM, "Thomas Larkin" <tlarki at kckps.org> wrote:

Folks only notice it with laptops because they travel between the internal
and external networks. I'm not sure if this is limited to Active Directory
or can also apply to Open Directory as well. Would make sense that this
affects any portable connecting to any directory system for
authentication. But I dunno.

-- 

William Smith
Technical Analyst
MCS IT, Saint Paul
(651) 632-1492

I can understand the case whirr a computer is on a network but not on your LAN so therefore it takes a log time to time out, but I'm looking at cases where there's not network connectivity at all. Shouldn't the machine see a link down state on all interfaces and just go right to caches credentials? Seems obvious to me that that's the way it should work.

J

---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

I would agree. It was one method to stop the delays previously...make sure
your interfaces were off before you shutdown/logged out.

Craig E

Hmm. So if that's a case that's supposed to work, I'm going to have to isolate the issue. I'll re-image a machine that has no Casper agent and then join it to our AD and see how that goes.

j

---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

This was the issue we've seen with mobile homes (not synced) from ad & off network logins.

That's why we run the turn off airport @ logout & clear dns for 10.5+ machines as ares are all dhcp supplied.

The issue we're having now is long-logoff.. which do appear to be because this offline policy is trying to contact the JSS

Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883