Posted on 03-07-2014 06:42 AM
Hi all,
I'm looking for any tips at all on setting up mobility with AD integration. I'm seeing log-in times upwards of 2 minutes on machines. I've looked around for a "best practices" on setting up mobility with AD integration but I haven't found much. The setup is fairly small. We have 12 machines right now that should have mobility enabled, there is a single domain controller local to the site, the JSS is in a remote datacenter, and a Synology DiskStation is holding the 'profiles'. The Synology never pings over 3MB on its interface (it's capable of 120'ish MB) and the Macs are sitting at about 5MB of total transfer since I booted them, so I don't think it's a congestion issue. All links are gig throughout. So ruling out throughput and ruling out IO constraints (the Synology is pushing a fraction of what it is capable of with these drives), what else should I be looking at? I'm eyeballing the AD setup itself as a possible culprit, though the Windows machines boot within 30-50 seconds with the same users who have redirected folders and roaming profiles. I'm mainly concerned that the JSS setup is hacky though. I haven't found a good 'best practices' guide for anything dealing with it.
Long-winded, but I need some help. Been dealing with this in 10+ hour days all week. Thanks!
Posted on 03-07-2014 07:05 AM
You could turn on Open Directory logging and paste the results of a login session into the thread.
Depending on the client OS version follow http://support.apple.com/kb/HT4696 or http://support.apple.com/kb/HT3186
Posted on 03-07-2014 07:30 AM
Not sure what to tell you. I've read about this issue, and we use AD mobile accounts as well with ~7000 Macs and I haven't heard any reports of this.
However, I am not doing my AD binds through the JSS, it's done outside of that by one of our internal setup apps. What's your "dsconfigad -show" output? Feel free to scrub your domain name.
Posted on 03-07-2014 07:35 AM
@jardoin1 lots of moving parts when you're looking at login lags. I will just +1 @psliequ's comment on OD logging and recommend a couple tweaks that have helped us with mobile devices + wifi connectivity + directory-based auth:
Posted on 03-07-2014 08:41 AM
I second the comment on dropping share mounting. We disabled that on the dsconfigad side as well as for most Mac users in AD since it never worked right and would lead to login issues.
If users really need a share, I would have them either just mount it as a favorite or via login script rather than have it happen automagically. It's one of those things that should work, but at the end of the day you just need to compromise in favor of keeping things running smoothly and reliably.
Posted on 03-07-2014 10:27 AM
So as it turns out, this is actually the problem:
http://macmule.com/2013/10/30/updating-managed-settings-popup-at-login-window/
I'm taking steps now to mitigate. Thanks everybody!
Posted on 03-07-2014 10:30 AM
Posted on 03-10-2014 02:59 PM
@clifhirtle wonk. haha