Active Directory Login After Sleep?

We finally have a group of about 35 users with Mac OS X 10.4.1/10.4.2 (we're getting everyone up to date slowly) who are logging in against our Active Directory at work. Our network includes about 200 Macs and 10,000 Windows PCs. We've configured the Directory Assistance utility and bound the workstations to the AD and almost by accident discovered we could then log in this way without manually creating users first. They have a variety of different hardware configurations: Dual 2.7GHz G5s, Dual 1.2GHz G4s, Aluminum PowerBooks and even a couple of eMacs.

Until recently this has been working very well. When the computer is first turned on in the morning, it may take a few seconds, maybe a minute, before the login window will accept your LAN ID and password. It will "shake" if you're logging in too soon. For the most part, folks were willing to put up with this. However, it now seems to be taking longer and longer each morning before one can log in.

Also, it is now almost impossible to log in after the screen saver has been activated. For two months it's been working fine and now almost no one can authenticate against the screen saver.

And finally, the computers have been set to sleep after one hour of inactivity, but after waking a computer it will be impossible to log in against the screen saver at all. Pretty much your only option is to log in as the local administrator and then log out and have the user log back in from the login window (and not the screen saver).

Well, for obvious reasons, I can't really wander around the halls patrolling for people whose computer has gone to sleep so I can log in as the admin and get the login window to come back. None of these issues appeared for the first month we were logging in like this. But it's now happening so often that I am unable to do any other work but walk around logging myself in as the admin and then logging out again. We have about 150 more people to upgrade and some of them are remote users. We'll need to address this issue before we can start giving them support from across the country. Any suggestions on what settings on the Mac to check or issues with the network or Active Directory would be greatly appreciated. Unfortunately, it is EXTREMELY doubtful I would be able to effect any changes to the Active Directory itself. Even though the Mac support folks are, technically, in IT, we're pretty much ignored and pooh-poohed when issues come up... Don't get me started!

-Doug

Posted on Sep 28, 2005 6:09 PM

Oct 5, 2005 12:18 PM in response to Andbrowny

Yes. We've been altering the User Template folder for a couple of years now with all of our Mac OS X images (as far back as 10.2). A user who logs in without the "mobile accounts" option enabled will get our settings from the /System/Library/User Template/English.lproj/ folder. However, if you enable the mobile accounts, the user gets a generic Desktop and Dock. I can't figure out where or why this secondary User Template is coming from. If someone logs in first, then we change to mobile accounts they continue to see their original home folder with our settings. However, if someone else needs to log in to that same workstation they get a generic set-up. This is not really an issue I'm overly concerned about right now, but I would be curious to know why it's happening... 🙂

-Doug

Oct 6, 2005 9:58 AM in response to Douglas McLaughlin

It sounds like you are talking about how the Apple AD plug-in selects a Domain Controller...

This isn't some magic that the Mac does by itself. It doesn't look at your network and take a best guess.

The AD plug-in must access Active Directory DNS service records. Your Mac clients must be looking to a DNS server, that can deliver these, as their primary DNS server. Usually that'll be an AD-based DNS server. From this they retrieve either a "site record" or "global catalog". These special "databases" identify, for the client, who its nearest Domain Controller is.

This Microsoft KBase article advises a Windows server admin on how to optimise what info is delivered via the site or gc:

http://support.microsoft.com/default.aspx?scid=kb;en-us;306602

Setting the preferred dc (which should be set with the FQDN) will bypass the use of the site record or gc.

Besides that I am worried about sleep being an issue for AD-integrated Macs. In saying that I always advocate switching system and hard drive sleep off... leaving only display sleep on (desktops not notebooks running from battery). I'd like to see if I can experience any sleep-related issues with either the Apple AD plug-in or ADmitMac. I can then escalate to engineering.
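
Added example (not part of the thread and not either poster's code): a shell check that the DNS server a Mac is using actually returns the Active Directory SRV records described in the post above. The record names are the standard AD locator names; `corp.example.com`, `HQ` and the server address are placeholders, and which of these records the Apple plug-in itself queries is an assumption.

```shell
#!/bin/sh
# Added example. Domain, site and DNS server values are placeholders.

# Standard AD locator SRV names for a DNS domain ($1) and optional site ($2).
ad_srv_names() {
    domain=$1; site=$2
    echo "_ldap._tcp.dc._msdcs.$domain"
    echo "_kerberos._tcp.dc._msdcs.$domain"
    echo "_gc._tcp.$domain"
    if [ -n "$site" ]; then
        echo "_ldap._tcp.$site._sites.dc._msdcs.$domain"
        echo "_gc._tcp.$site._sites.$domain"
    fi
}

# stdin: `dig +short SRV` lines ("priority weight port target.").
# stdout: host:port, lowest priority first, higher weight first within it.
# Lines that are not SRV answers (timeouts, comments) are dropped.
srv_targets() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $1, $2, $3, $4 }' |
        sort -k1,1n -k2,2nr | awk '{ print $4 ":" $3 }'
}

# Ask one DNS server ($2) for one SRV name ($1) and report the result.
check_srv() {
    out=$(dig @"$2" "$1" SRV +short +time=2 +tries=1 2>/dev/null | srv_targets)
    if [ -z "$out" ]; then
        echo "MISSING $1 (asked $2)"
        return 1
    fi
    echo "OK      $1 -> $(echo "$out" | tr '\n' ' ')"
}

# Usage: sh adsrv.sh corp.example.com 192.0.2.53 [HQ]
# Run it against the Mac's primary DNS server; any MISSING line means that
# server cannot hand the client a domain controller for that lookup.
if [ $# -ge 2 ]; then
    rc=0
    for name in $(ad_srv_names "$1" "$3"); do
        check_srv "$name" "$2" || rc=1
    done
    exit $rc
fi
```
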

Oct 6, 2005 12:31 PM in response to Andrew-ACT-ACSA

Thank you, Andrew, for your reply. I will check out the article you linked.

> Besides that I am worried about sleep being an issue for AD-integrated Macs. In saying that I always advocate switching system and hard drive sleep off...

It's not only sleep, but the authentication against the screen saver as well. In both cases, for some reason, when the authentication window comes up the "Name" field (which is usually filled-in with the user's long name) is blank. When this happens, there is no choice but to click the "Switch User" button and change to another user. Then, the new user can log out and the original user can use the "real" login screen to log back in to their currently running account.

-Doug

Oct 7, 2005 3:41 AM in response to Andrew-ACT-ACSA

I've tried sleep and I'm unable to recreate the issue on Mac OS X v10.4.2 (8D37). I tried normal sleep and then deep sleep. Normal sleep is when it's left for only a few minutes and deep sleep is when you choose the Sleep command or if it's left for a long period.

These are brand new iBooks with a newer build of v10.4.2 than the general release. There's a chance you're experiencing an issue which is hardware model-specific or it's an issue that Apple has fixed in newer builds of Tiger already. I wouldn't imagine that to be the case. We will never know though.

10.4.3 should be out soon... worth giving that a go.

Am I missing something in this picture that would allow me to recreate your experience? Annoyingly, engineering usually don't want to know if I can't show them how to recreate an issue.

Oct 7, 2005 2:09 PM in response to Andrew-ACT-ACSA

> Am I missing something in this picture that would allow me to recreate your experience?

Well, we had no trouble at all like this at first with only four or five Macs that were bound. But, now that we have fifteen or twenty it's happening more often. So, it appears to me to be some kind of accumulative issue. It may even have something to do with the switch in the network closet rather than the Active Directory itself as I am on the same subnet but on a different floor connected to a different switch and I do not encounter the same trouble. If I knew what piece was missing between your environment and mine, I might know enough to solve the issue! 😉

I'm definitely hoping that 10.4.3 will include an updated AD Plugin and maybe that's all we'll need.

-Doug
