Solving corruption of Kerberos config

deej
New Contributor III

We recently ran into a problem where our Macs kept "falling out" of our Active Directory domain and wouldn't authenticate, even if they had previously been working. We had support staff unbinding and rebinding multiple machines every day to get them working again.

The problem was eventually tracked down to this: http://support.apple.com/kb/TS2691

Essentially, the Kerberos configuration files in DSLocal were invalid/corrupt/empty (zero bytes), which seems to be an issue with Mac OS X 10.5.6. This is obviously more of a problem on lab machines where multiple users log in every day, than on staff machines where the same user logs in all the time and is cached. The machine hasn't actually dropped off the domain - it just doesn't have the right credentials to talk to the domain, is unable to authenticate users, and therefore appears to have "fallen out".

To resolve this, one of the things we did was to implement the following custom command-line as a Startup policy in Casper, scoped to all machines to intervene in a no-touch manner and fix the issue before anyone notices, even if the corruption keeps recurring.

if [ ! -s /var/db/dslocal/nodes/Default/config/Kerberos:DU.DEAKIN.EDU.AU.plist ]; then rm /var/db/dslocal/nodes/Default/config/Kerberos:DU.DEAKIN.EDU.AU.plist; killall DirectoryService; fi

The "if" statement first checks whether the affected file is zero-length, and does nothing if it is non-zero. Otherwise, if the file is empty, the command performs Apple's recommended work-around, which is to remove the corrupted file and respawn DirectoryService, thus regenerating the affected file and restoring the workstation's credentials. No re-bind necessary.

It was also implemented in a Once Per Day policy, in case someone doesn't restart very often.
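As an added example (not the poster's own policy script), the same repair written as a function that covers every Kerberos realm plist in the DSLocal node instead of one hard-coded realm, skips the case where the file is simply absent (`! -s` is also true for a missing file, which would make the one-liner remove nothing and restart DirectoryService anyway), and logs each removal so the recurrence rate can be tracked. The directory path and process name are those from the post; the realm names in the test are constructed.

```shell
#!/bin/sh
# Repair zero-length Kerberos realm plists in a DSLocal node.
# $1 = config directory (default: the Default node from the post)
# $2 = command to run after a removal (default: killall DirectoryService)
# Returns 0 if at least one empty plist was removed, 1 if nothing needed doing.
repair_kerberos_plists() {
    cfg_dir="${1:-/var/db/dslocal/nodes/Default/config}"
    restart_cmd="${2:-killall DirectoryService}"
    removed=0
    for f in "$cfg_dir"/Kerberos:*.plist; do
        # The glob is returned literally when nothing matches; skip that case
        # and any file that has gone missing since the loop started.
        [ -e "$f" ] || continue
        # -s is true only for a file with size > 0, so this is the corrupt case
        if [ ! -s "$f" ]; then
            rm -f "$f"
            removed=$((removed + 1))
            # leave a trace in the system log so recurrences can be counted
            logger -t kerberos-repair "removed empty $f" 2>/dev/null || :
        fi
    done
    if [ "$removed" -gt 0 ]; then
        # Only respawn DirectoryService when a file was actually removed,
        # so a healthy machine is left untouched by the daily policy run.
        $restart_cmd
        return 0
    fi
    return 1
}

# In the Casper policy, call with no arguments: repair_kerberos_plists
```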

Instances of "falling out of the domain" have now dropped off completely. We're now moving forward with preparing 10.5.8 for release, which is said to resolve the issue once and for all. We had previously held off on updating existing machines to Mac OS X 10.5.7 and 10.5.8, except on new hardware out of necessity, as the versions of Safari bundled into those updates are not supported by a couple of our key corporate applications, so much of our fleet was (and is) still running 10.5.6.

Hope this might help someone.