
Major problem with ActiveDirectory

I've just updated some of my Macs to Leopard.

It seems that there's a major problem with the ActiveDirectory integration... the login / logout and all the operations on the Windows 2003 server are VERY slow (the login takes around 40 seconds).

With the other Mac running Tiger all is running well, so it's not a network problem or Windows issue!

Can someone confirm the same issue? Do you have a solution?

IMAC 24", Mac OS X (10.5)

Posted on Oct 26, 2007 9:32 AM


Oct 26, 2007 10:06 AM in response to fabryx

nope, but we don't do upgrades in this shop; too much potential for bugs. I've actually been very happy with AD performance in Leopard.

I'm guessing you have some carryover settings that aren't all that peachy, or you have an SMB home directory vs a local home and the ACL resolution is slowing things down. Try unbinding, rebooting, then rebinding.

Oct 28, 2007 6:13 AM in response to fabryx

I've got the same problem after a fresh install. No upgrade. Installed Leopard; the first thing I did was bind to Active Directory (that took forever, by the way) and then tried to login. Waited 2 minutes and finally got to the desktop. I'm using Active Directory with Portable Home Directories. It used to work reasonably well in Tiger (I won't say it was perfect, because it wasn't) but now with Leopard it's not playing too nice. Not having fun to say the least. Luckily I haven't rolled it out to my production environment right away (which I wouldn't have done anyway) so I can wait for a patch or two.

Oct 28, 2007 9:01 AM in response to fabryx

Having the same problem with Active Directory in Leopard 10.5.0. Three different Macs (two Intel, one PPC). First, tried an upgrade of an AD bound machine (that was working fine bound to AD in 10.4.10) - the upgrade made the machine almost unusable - login times for network users became several minutes with a spinning beach ball. Sometimes the login would fail altogether (had to reboot).

So, tried a clean install of 10.5 to 2 different machines. The binding process was very slow (4 to 5 minutes) - although didn't generate any errors in the console. Tried to bind to an existing computer account in AD with one - tried to bind to a new computer account in the other.

Still - no luck.

Have deleted the contents of /Library/Preferences/Directory Service - re-bound the machines - no luck.

Checked the DNS/PTR records/NetBIOS name of machine - no luck.

Network logins take > 2 minutes on the Leopard AD-bound machines. 30 seconds of spinning beachball. Two minutes more of greyed-out disabled login screen (as if frozen).... then, once logged in, very unstable behavior (lots of freezing/stuttering).

Meanwhile, my un-upgraded 10.4.10 AD bound machines are zipping right along with network logins.

I've been at this for over 10 hours now - examining logs, console messages, 3 fresh installs - can't make it work. All the usual tips for getting AD binding to work under older versions of OS X (when it was also flaky) have been exhausted....

(It is a .local domain - but I've added "local" to the DNS search defaults).

HELP!!

Doing a clean install of Tiger now to get these machines working again.... We need the AD integration working more than we need Leopard by tomorrow AM.

john

Oct 28, 2007 2:26 PM in response to fabryx

After performing a clean re-install of Tiger (10.4.10) - AD integration works again - flawlessly. Initial AD binding takes about 5 seconds - the machine is automatically created in the AD domain - user logons take a few seconds the first time - and sub-second logins thereafter. Tiger works.

After performing a clean reinstall of Leopard (10.5.0) - AD Integration does NOT work. AD Binding takes 10 minutes or so - beachball spins, screen freezes... user logins take 2 to 3 minutes. Computer sputters frequently. Authentication dialogs take several minutes to authenticate. Very broken...

Same network. Same machines (one intel/one PPC). Same Active Directory domain.

The server is a Windows 2003 SBS R2/SP1. The domain is a .local. All dns/ptr records are in place.

john

Oct 29, 2007 4:48 AM in response to William Lloyd

We are having the same problem on an iMac. I have only put Leopard on it to fix a weird issue with Pages (see my other open question); however, fixing that has come at the price of a ridiculously long log in and authentication time for anything AD related.

There doesn't seem to be large awareness on the intarwebs about this; could it be confined to ADs with certain characteristics? I'm not the network admin here and we contract out our actual management to RM so we can't actually go tinkering that much with the AD. However we shouldn't need to as Tigger works like a snappy snappy thing on the AD... bad Leopard.

Oct 29, 2007 4:57 AM in response to fabryx

This issue has certainly been flagged up to Apple over the Leopard beta cycle by a number of my colleagues who administer Macs binding to AD. Desperately needs fixing for us but interesting note below found on the web.

From 'Joseph' at http://hinkle.wordpress.com/2007/10/27/leopard-problems-active-directory-integration/

'I’m guessing that both issues are related to the re-written Kerberos engine. Our call with Apple support has been escalated to engineering, so I’ll post when we get a solution.'

Oct 29, 2007 10:51 AM in response to fabryx

I've been posting on the Mac Enterprise mailing list (non-Apple list) regarding this problem. I can't bind 10.5 machines to our AD either.

From what I've discovered so far, it seems that most people can not bind to AD though some users have been able to bind in their AD environments. I haven't figured out why this works for some and not for others.

In our case, we fail in step 4, when the plugin is checking for existing machine objects. At this point the Mac should have connected to AD and verified my admin credentials. This is interesting because the error message indicates that the AD plugin can not contact the AD domain controllers. ???

I've heard of many reports of this to Apple's bug-tracker, some of which have been closed as "duplicate" bug reports. I've also heard that this worked in the past but AD authentication broke in the later builds of 10.5. I wasn't up on my builds (too busy) so I can't say which ones worked or didn't in our particular environment.

For us, we don't have a particularly large AD by many enterprise standards. We do have a lot of user objects, being a University.. too many users to fit in any default view (from a Mac or from the MMC in Windows). Our general layout has user accounts in AD.LOCAL which is our Forest (yes I have Local in IP search path) and our machine accounts reside in a tree, AD.UCHICAGO.EDU.

steven.

Oct 29, 2007 11:18 AM in response to p_halcomb

Thanks for the suggestions.

I have deleted existing AD machine objects. I had noticed that the 10.4 AD plugin seemed to bind more reliably when it was allowed to create its own computer objects so I tried that in 10.5 also.

This hasn't helped at all.

One thing of note, my fail occurs much sooner than 3-4 minutes. When it hits step 4 in the process I die in about 20-30 seconds. I'm wondering if there is some central AD time-out that is set lower than at other sites.

In general, I've tried everything configurable on the client side to troubleshoot this. I've specified different AD Servers, I've let it auto-detect, I've checked and unchecked all the options in the Advanced config (in the plugin) and nothing has worked. All DNS is correct forward and backward, "local" is in my search path. As far as the client is concerned, there is nothing left to troubleshoot.

thanks,
Steven.
