Active Directory Login After Sleep?

We finally have a group of about 35 users with Mac OS X 10.4.1/10.4.2 (we're getting everyone up to date slowly) who are logging in against our Active Directory at work. Our network includes about 200 Macs and 10,000 Windows PCs. We've configured the Directory Assistance utility and bound the workstations to the AD and almost by accident discovered we could then login this way without manually creating users first. They have a variety of different hardware configurations: Dual 2.7GHz G5s, Dual 1.2GHz G4s, Aluminum PowerBooks and even a couple of eMacs.

Until recently this has been working very well. When the computer is first turned on in the morning, it may take a few seconds, maybe a minute, before the login window will accept your LAN ID and password. It will "shake" if you're logging in too soon. For the most part, folks were willing to put up with this. However, it now seems to be taking longer and longer each morning before one can login.

Also, it is now almost impossible to login after the screen saver has been activated. For two months it's been working fine and now almost no one can authenticate against the screen saver.

And finally, the computers have been set to sleep after one hour of inactivity but after waking a computer it will be impossible to login against the screen saver at all. Pretty much your only option is to login as the local administrator and then log out and have the user log back in from the login window (and not the screen saver).

Well, for obvious reasons, I can't really wander around the halls patrolling for people whose computer has gone to sleep so I can login as the admin and get the login window to come back. None of these issues appeared for the first month we were logging in like this. But it's now happening so often that I am unable to do any other work but walk around logging myself in as the admin and then logging out again. We have about 150 more people to upgrade and some of them are remote users. We'll need to address this issue before we can start giving them support from across the country. Any suggestions on what settings on the Mac to check or issues with the network or Active Directory would be greatly appreciated. Unfortunately, it is EXTREMELY doubtful I would be able to effect any changes to the Active Directory itself. Even though the Mac support folks are, technically, in IT, we're pretty much ignored and pooh-poohed when issues come up... Don't get me started!

-Doug

Posted on Sep 28, 2005 6:09 PM

31 replies

Sep 30, 2005 7:52 AM in response to Douglas McLaughlin

Douglas,

What do you have on the Administrative tab in Directory Access? Have you manually set a local AD server or are you letting them hunt on their own? I suspect you're getting systems attached to distant AD servers. Try manually setting a couple as an experiment.

My environment is much smaller (2:100 v. 200:10,000), so I haven't seen this issue here.

Also, are you "married" to letting the systems sleep? If you set them for screen & disk sleep only do they behave any better?

Sep 30, 2005 8:46 AM in response to MacMuse

Letting the systems sleep could be avoided. The screen saver cannot, however. That's another annoying Sarbanes-Oxley compliance issue. If you leave your computer for fifteen minutes it's required to have the screen saver with password protection come on. I have disabled sleep on a couple of the workstations with the most trouble.

I'll check the AD servers; I believe they're set to "automatic" or another similar setting... I'll take a peek when I actually get to work this morning. This is the only tab we've ever altered from the default settings, so maybe we do need to specify a local server. I may be a bit busy as today is the "IT Golf Tournament" so a few hundred of the IT folks will be out of the office most of the day. I'm not going...

Thanks for the suggestion! And to be clear, it will eventually be 200:37,000. There are 10,000 PCs in the corporate campus here in Seattle, but we have Macs in the region as well and if you add up all the PCs in the region there are 37,000. :-/

-Doug

Sep 30, 2005 10:51 AM in response to MacMuse

Can I go in your place?


LOL! Well, you can sit here at my desk and do my job if you like. But it's pouring rain and 50 degrees outside so I'm not really sure you'd want to go golfing in Seattle today...

In the "Administrative" tab, the first two check boxes are not checked but the third is. So, the "Prefer this domain server" is dimmed and filled in with a generic "server.domain.forest.example.com". I have now filled in a domain server in this building on my workstation. I've logged out, restarted and logged back in without any issues. However, I have never once encountered a single issue with my workstation. Never ever. While I do use some different tools, I do often have the same applications running that my customers use all day long. I've never encountered a problem. I am on a different floor, which leads me to think there's an issue with the switch in the network closet on that floor. But, it's inconsistent. You can't MAKE the problem appear, which makes me think it's not the switch in the network closet since it would, I assume, always respond the same way.

-Doug

Sep 30, 2005 11:52 AM in response to Douglas McLaughlin

Try forcing that setting on one of the problematic systems, I think this will help.

In most network environments, this key server association has an automated "match me to the nearest master server" concept. In a diverse environment with a variety of WAN links at varying speeds, it's possible for a client to choose an inappropriate server that later becomes unavailable or extremely slow to respond. If the client does not give up on the balky server and look for another in a timely manner, then the result would match your descriptions.

Forcing the setting to a single server obviously has drawbacks as well. The loss of that server can result in a hard down condition for these clients until you change their preferred server or it returns. Ideally, the preferred server can be replaced by any available server if the preferred is unavailable.

Assuming Windows native clients that sleep in a manner similar to the Mac client and live on the same network switch/LAN do not exhibit similar behaviour, I believe we're looking at a fault in the AD client implementation in Tiger.

Are you definitely seeing this behaviour in both 10.4.2 & 10.4.1 clients? The .2 release definitely improved the AD client in other aspects.

For the record, I'm speaking from general experience based on Novell & Windows NT/2000 (pre-XP/AD) environments. But AD is basically an extended LDAP implementation, and the concepts of server association should hold true here as well. Speaking of LDAP, do you have any non-default settings configured in Directory Access? Is LDAP on in the clients?

Sep 30, 2005 12:43 PM in response to MacMuse

Are you definitely seeing this behaviour in both 10.4.2 & 10.4.1 clients?


The majority of users have 10.4.1. The 10.4.2 update broke our "By Host" preferences hack to make sure the screen saver is enabled after 15 minutes and requires a password. So, we were unable to install 10.4.2 from scratch from our image for these users. However, now that they have the correct By Host preferences, we could Software Update them to 10.4.2. One or two people already have it, but it's not clear if it's helping or not; it's only been this week.

-Doug

Sep 30, 2005 1:51 PM in response to Andbrowny

Hi Douglas, in console logs what errors do you get on the affected machines?


All records of any activity by any users attempting to log in with a LAN ID are specifically not logged because their UID is beyond a certain number. So, there is a note to that effect in the log and that's it! If someone would know how to enable the logging of activity by users with higher UIDs, that would be helpful.

I will check the Terminal next, thanks!

-Doug

Sep 30, 2005 4:14 PM in response to Andbrowny

The dsconfigad -show command does not show any significant differences between my workstation and one that has started having some trouble. (The one I looked at had "afp" as the network protocol and mine is still set to "smb" for the home folder path.)

The local administrator has all their actions logged, but when you check the logs, for example, after a "wake event" when someone is trying to log back in after the computer has gone to sleep, there is simply a chunk missing out of the log until some other kind of activity is detected.

-Doug
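Two posts above suggest the same check: MacMuse's advice to pin a nearby domain controller on a problem Mac, and Doug's comparison of `dsconfigad -show` output between his own (healthy) workstation and a misbehaving one. The script below is an added example, not code from anyone in this thread. It parses two captures of `dsconfigad -show` output and reports which of the binding settings that matter here differ. Both captures are constructed approximations of Tiger's output so the script runs offline; the label text on a real client may differ slightly, and the dc1 hostname used in the suggested `dsconfigad -preferred` command is an assumed name for the local DC, not one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): compare two `dsconfigad -show` captures
# and report the settings that matter for the symptoms above, in particular
# whether a preferred domain controller is pinned. Both captures below are
# CONSTRUCTED approximations of Tiger's output so the script runs offline;
# labels on a real system may differ slightly, so adjust the patterns if needed.

REFERENCE_CAPTURE='Active Directory Forest = forest.example.com
Active Directory Domain = domain.forest.example.com
Computer Account = mac-reference$
Advanced Options - User Experience
  Create mobile account at login = Disabled
  Force home to startup disk = Enabled
  Use Windows UNC path for home = Enabled
  Network protocol to be used = smb
  Default user Shell = /bin/bash
Advanced Options - Administrative
  Preferred Domain controller = dc1.seattle.domain.forest.example.com
  Allowed admin groups = not set
  Authentication from any domain = Enabled'

SUSPECT_CAPTURE='Active Directory Forest = forest.example.com
Active Directory Domain = domain.forest.example.com
Computer Account = mac-suspect$
Advanced Options - User Experience
  Create mobile account at login = Disabled
  Force home to startup disk = Enabled
  Use Windows UNC path for home = Enabled
  Network protocol to be used = afp
  Default user Shell = /bin/bash
Advanced Options - Administrative
  Preferred Domain controller = not set
  Allowed admin groups = not set
  Authentication from any domain = Enabled'

# ad_field <capture> <label>: print the value of the first "Label = value" line
# whose label contains <label> (case-insensitive); prints nothing if absent.
ad_field() {
    printf '%s\n' "$1" | awk -v label="$2" -F' = ' '
        index(tolower($1), tolower(label)) {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
        }'
}

# has_preferred_dc <capture>: succeed only when a domain controller is pinned.
has_preferred_dc() {
    case "$(ad_field "$1" 'preferred domain controller')" in
        ''|'not set'|'Not set') return 1 ;;
        *) return 0 ;;
    esac
}

# compare_bindings <reference> <suspect>: print one DIFF line per setting that
# differs between a known-good Mac and a misbehaving one.
compare_bindings() {
    for label in 'preferred domain controller' 'network protocol' \
                 'create mobile account' 'force home to startup disk' \
                 'authentication from any domain'; do
        ref=$(ad_field "$1" "$label")
        sus=$(ad_field "$2" "$label")
        [ "$ref" = "$sus" ] ||
            printf 'DIFF %-30s reference=%s suspect=%s\n' "$label" "$ref" "$sus"
    done
}

# Demo on the constructed captures. On a real Tiger client, replace a capture
# with "$(dsconfigad -show)" (requires the Directory Access binding to exist).
compare_bindings "$REFERENCE_CAPTURE" "$SUSPECT_CAPTURE"
if ! has_preferred_dc "$SUSPECT_CAPTURE"; then
    echo 'suspect has no preferred DC; the client picks one itself via DNS/site lookup.'
    echo 'To pin a nearby one (dc1 is an assumed name for the local DC), run as admin:'
    echo '  sudo dsconfigad -preferred dc1.seattle.domain.forest.example.com'
fi
```

The caveat MacMuse raises still applies once you pin a server: if that single DC goes down, every client pointed at it is hard down until the setting is changed or the DC returns, so record which Macs were pinned to which DC before rolling this out widely.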

Oct 4, 2005 12:10 PM in response to Fortyfoot

Because the mobile accounts, for some completely unknown reason to me, pull the default settings from a DIFFERENT User Template folder. I have no idea where this folder is or why the "mobile account" users get files from a different User Template in the first place. We've spent a considerable amount of time perfecting our User Template and it's important for the users or they simply won't be able to get their e-mail...

-Doug

Oct 5, 2005 10:44 AM in response to Douglas McLaughlin

Hi Douglas, are you using these steps?

4. User Template
Each time a new AD user logs onto a Mac they will be set up with a default Dock, which may not include the various applications that you need, or may include others that you don't need.
4.1. The default Dock settings are stored in the System > Library > User Template > English.lproj folder on the local hard disk.
4.2. Log on to the computer as a local Admin user.
4.3. Create a new Student user. Set up the new user's Dock exactly as you want each user's Dock to appear. (You can also do this for default Browser home page, Image capture defaults, etc.)
4.4. Log off as the new user.
4.5. Log on as the Root user.
4.6. Copy (Option-drag) the new user's Library folder to replace the Library folder in the User Template > English.lproj folder.
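The steps above are a manual Finder procedure run as root. The script below is an added example, not code from the poster, that does the same thing from a shell so it can be repeated on each of the 200 Macs: it copies a configured user's Library over the one in the User Template, keeps a backup of the previous template, and prunes per-user items (caches, keychains, cookies, logs) that should never be cloned into every new AD account. The template root and source home are parameters so it can be tried against a scratch directory; on a real Tiger system run it with sudo and leave the template root at its default. The pruned item list and the backup naming are this example's choices, not anything the thread prescribes.

```shell
#!/bin/sh
# Added example: script the "copy a configured user's Library into the User
# Template" procedure. Nothing here touches /System unless you pass that path
# (or rely on the default) while running as root.

# Items that should never be baked into a template: caches, keychains, cookies
# and logs are per-user and would otherwise be cloned into every new account.
PRUNE_ITEMS="Caches Keychains Cookies Logs"

# install_template <source_home> [template_root]
# Replaces <template_root>/English.lproj/Library with a copy of
# <source_home>/Library, keeping a timestamped backup of the old Library.
install_template() {
    src_home=$1
    root=${2:-"/System/Library/User Template"}
    dest="$root/English.lproj"
    [ -d "$src_home/Library" ] || { echo "no Library in $src_home" >&2; return 1; }
    mkdir -p "$dest"
    if [ -d "$dest/Library" ]; then
        mv "$dest/Library" "$dest/Library.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp -Rp "$src_home/Library" "$dest/Library"
    for item in $PRUNE_ITEMS; do
        rm -rf "$dest/Library/$item"
    done
    # Template files belong to root:wheel and must not be group/world writable;
    # ownership can only be fixed when running as root (uid 0).
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:wheel "$dest/Library"
    fi
    chmod -R go-w "$dest/Library"
    return 0
}

# template_has <template_root> <path relative to Library>: 0 if present.
template_has() {
    [ -e "$1/English.lproj/Library/$2" ]
}

# Demo against a scratch directory with a CONSTRUCTED home folder.
scratch=$(mktemp -d)
mkdir -p "$scratch/home/Library/Preferences" "$scratch/home/Library/Caches"
echo '<plist/>' > "$scratch/home/Library/Preferences/com.apple.dock.plist"
echo junk > "$scratch/home/Library/Caches/stale"
install_template "$scratch/home" "$scratch/template"
template_has "$scratch/template" Preferences/com.apple.dock.plist && echo "dock prefs installed"
template_has "$scratch/template" Caches/stale || echo "caches pruned"
rm -rf "$scratch"
```

On the real machine the equivalent of step 4.5 is `sudo sh install_template.sh /Users/student` rather than logging in as root. Note that, as Doug observes above, mobile accounts draw their defaults from a different template folder, so this only changes what non-mobile AD users receive at first login.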
