Problems with AD bound Macs: keychain issue and very slow performance

rmacias07
New Contributor

Hello everyone,
I don't have a lot of experience so I need some help and guidance. I help managing about 500 Apple computers, a mix of laptops and iMacs. My College is part of a University, meaning we are under the umbrella of central IT. It is a requirement that we bind our Macs to AD, however for the last 2 years it has been a nightmare. First problem, after a user changes the AD password, the keychain does update to the new password and the user gets many pop up windows about the broken keychain. The user cannot even use the computer at this point. Second problem, after binding the Mac to AD the computer becomes super slow, very poor performance. Last, the login process takes like 5 minutes. I been reading about Enterprise Connect but don't understand some things. If we implement Enterprise Connect can we still access the user credentials from AD without binding the computers? No binding to AD, the performance will improve significantly. Sorry for my lack of proper lingo. This is driving me nuts, I have to manually reset the keychain every time a user is required to change the password, what a waste of time. Also people keep complaining about the computers being so slow so I end up re cloning the computers. This generates a lot of work for me. Finding a solution requires a lot of work, I guess that's why is easier to look the other way. I'm already wasting so much time on this, doing redundant work. Please any help is appreciated, just need some guidance..

7 REPLIES 7

snovak
Contributor

I bind for a handful of reasons but my performance isn't radically affected. Are the domain controllers on-prem or at the ~shared services~ datacenter?

It might be helpful to find a small switch you can do a port mirror on and tcpdump/wireshark all the traffic going to and from an affected Mac.

jkaigler
Contributor II

We currently bind out our University and have fought that keychain issue for years. Late last year I started testing NoMAD and NoMAD login, which allows us to use AD credentials without binding. It took a few days to get the preferences down (still tweaking preferences tbh) but it has worked great so far. NoMAD and NoMAD Login are now owned and supported by JAMF and it is free.

Tangentism
Contributor III

Another thing to consider is if you have multiple domains in your forest, uncheck 'Allow authentication from any domain in the forest'. Used to work at a place where we had 14 domains in a global forest so that could add + 2 minutes to a log in.

mschroder
Valued Contributor
First problem, after a user changes the AD password, the keychain does update to the new password and the user gets many pop up windows about the broken keychain. The user cannot even use the computer at this point.

This is a known feature. After a user has changed his AD password, he will need to update the keychain by unlocking it with his previous AD password. And if you use Filevault you will have to update the filevault password as well.

If we implement Enterprise Connect can we still access the user credentials from AD without binding the computers?

If my memory serves me well Enterprise Connect is deprecated, so perhaps not a good migration target.

Other options are "Nomad", and in case all your Macs run Catalina you might want to look at the Single Sign On extension.

boberito
Valued Contributor

Enterprise Connect is no deprecated....I do not believe. But it may end up being soon enough. The Single Sign On Extension is supposed to replace it. But it's no where near as good.

SSO Extension isn't really meant for password management on Mobile Accounts with machines bound to AD. So that won't help.

Are you using AD over SSL? Cause if so check out this thread...it may be some of your performance issues? ICYMI: Active Directory will require LDAP over SSL in 2020

Is there a policy that blocks updating the password through System Preferences? Because if you change it there it's supposed to propagate through all systems (AD, Keychain, Filevault)

snovak
Contributor

Well in Mojave Apple removed the 'Continue to Login' option from that 'Password has been changed' prompt which was a godsend.

@jkaigler Are you able to use LDAP accounts for things like SSH access? Nomad largely just for GUI auth?

jkaigler
Contributor II

We have SSH disabled on Macs (at least we are supposed to). We are still testing NoMAD, right now we use it for just authentication. We only have 10 devices using it at this time.