Active Directory - Network Accounts Unavailable after reboot

The issue I'm having with Snow Leopard is that I can bind accounts to AD and on the first boot it works perfectly. It shows Network Accounts Available and I can login using an AD account. After I reboot and on every boot after the first it then shows Network Accounts Unavailable. I logged in as local admin and it shows it is bound to the domain and it has a green light under the Directory Utility for the domain.

Here are the main bits of info regarding this problem:

1. Computer is bound to domain on first boot using Deploy Studio's firstboot script. This works brilliantly on 10.5 and only became a problem on 10.6.

2. On first boot, it binds to the domain correctly and shows Network Accounts Available. I can log in using a network account and everything is peachy.

3. If I reboot the machine, the status on the loginbox changes to Network Accounts Unavailable and has a red light.

4. If I've logged in to an AD account on first boot, it will log in even with the red light present (it is a mobile account). This is working properly.

5. If I try to log in using an account that has never logged in before, it will not log it in.

6. If I log in as local admin and check the Directory Utility, it shows the machine as being properly bound to the domain and has a green light even though the login box shows a red one.

These are all the facts surrounding this issue that I have at the moment. I am booting up a 10.5 image right now that is freshly imaged and will report back its behavior using the same AD binding script that is being used on the 10.6 image.

MacBook Pro 17", Mac OS X (10.6.1)

Posted on Nov 4, 2009 8:28 AM


Jan 23, 2010 4:23 PM in response to nawalck

Just adding that I am having a similar problem with AD binding on a Windows 2003 server. System installed on the Mac client is 10.6.2. The environment does not have an OD server.

I use DS AD binding script, and the bind performs successfully. I need to take a look at the system logs again but I recall there being a reported DNS error following the binding however.

Network account availability is intermittent when binding 13" MacBook latest model.

I have seen the above machines have a red light next to network accounts available, then after several attempts of logging in with a non-cached AD account network accounts are inexplicably available and I am able to login with an AD account.

I have also tested just unbinding and rebinding a machine manually using Directory Utility with exactly the same issue occurring. Problem seems to be more evident when attempting to authenticate over wireless, but I have seen it happen with these machines attached to Ethernet also.

Apologies that I can't provide any more info, unfortunately I can't perform any testing in the environment until Wednesday either. This is for a school environment, staff return on Wednesday and students return the following Monday, so it is getting urgent. Does anyone have any suggestions?

Jan 31, 2010 11:41 PM in response to S1F1

Hi Folks,

Our school site is supported by a single Windows AD server. It is connected to district HQ by a slow congested WAN link. There are several other Windows AD servers at HQ that replicate accounts to/from our school site on a scheduled basis.

What I have found by packet tracing is that the OS X 10.5.8 Mac Bind process chooses a Windows DC seemingly at random in which to create/update its computer account when a Mac joins the AD. Typically that means it chooses one of the slow, off site DCs for the Bind. Following Bind completion the Mac will continue to work with the chosen DC for logins if it is not rebooted.

However, after the Mac has been rebooted once or twice a different algorithm appears to come into play whereby the Mac strongly prefers to use the DC on its local subnet.

This means that if you reboot a freshly bound Mac before your local Windows DC has received a copy of its machine account via replication... your logins will fail. This typically manifests as headshake behavior or sometimes you may see messages to the effect that "The system is unable to log you on at this time." Once scheduled replication has completed and all your DCs have a consistent copy of the Mac computer account this problem usually disappears.

Hope this helps.

Feb 2, 2010 5:51 PM in response to piperspace

Hi,

I have a similar problem binding Macbooks to a Small Business Server 2008 Domain.

I found that it would bind to the domain and all was well until the network was disconnected (i.e. user took the Macbook home). When it was reconnected the Macbook reported that the Domain was not responding. I replicated the environment, and problem, on a test bed and found that if I turned off the Windows Firewall Domain profile on the SBS Server the Macbooks would Bind without any issues.

I have been experimenting opening up various ports to try and work out what is being blocked. I can successfully telnet to all the Ports suggested in the Apple White Paper.

Having the Firewall turned off is not a recommended solution. If anyone has suggestions on other ports that I can try to exclude I will try it out.

Regards

Feb 17, 2010 1:11 PM in response to Cielsys

****... I spent FOREVER on this issue and it keeps happening because the time is not the same in Active Directory as it is on the Mac.

Line them up and the **** thing will start syncing again.. and if you are allowing either the server or the Mac to update off time servers make sure they are updating off the same server.. if the time on either machine is off by more than 7 seconds you will not bind.

Hope that helps some of you!
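
An added example, not part of the post above or of any Apple or Microsoft tooling: one way to measure how far a Mac's clock is from a domain controller's, by sending an SNTP request to the DC's time service and computing the offset from the reply. The function names and the sample packet are constructed for illustration; `max_skew` is whatever your domain's Kerberos policy allows (300 seconds in a default Active Directory policy).

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def _ntp_to_unix(packet, pos):
    """Decode the 64-bit NTP timestamp at byte `pos` into Unix seconds."""
    seconds, fraction = struct.unpack("!II", packet[pos:pos + 8])
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def clock_offset(reply, t_sent, t_received):
    """Return server-minus-local clock offset in seconds from an SNTP reply.

    t_sent and t_received are local Unix times for request out / reply in.
    """
    if len(reply) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    if reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable server reply (mode/stratum)")
    server_rx = _ntp_to_unix(reply, 32)  # when the server received the request
    server_tx = _ntp_to_unix(reply, 40)  # when the server sent the reply
    return ((server_rx - t_sent) + (server_tx - t_received)) / 2


def within_tolerance(offset, max_skew):
    """True if |offset| is inside the skew the domain accepts (seconds)."""
    return abs(offset) <= max_skew


def query_dc(host, timeout=3.0):
    """Measure the offset against a domain controller's time service (UDP 123)."""
    request = b"\x1b" + bytes(47)  # LI=0, version 3, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_sent = time.time()
        sock.sendto(request, (host, 123))
        reply, _ = sock.recvfrom(512)
        t_received = time.time()
    return clock_offset(reply, t_sent, t_received)


# Constructed sample reply: mode 4, stratum 2, server clock at Unix 1010.25.
SAMPLE_REPLY = bytes([0x1C, 2, 0, 0]) + bytes(28) + struct.pack(
    "!IIII", 2208989810, 1 << 30, 2208989810, 1 << 30)

if __name__ == "__main__":
    offset = clock_offset(SAMPLE_REPLY, t_sent=1000.0, t_received=1000.5)
    print(f"offset {offset:+.2f}s, ok at 300s: {within_tolerance(offset, 300)}")
```

Run `query_dc` against each domain controller the Mac might contact, since the client and the DCs may be syncing from different time sources.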

Feb 25, 2010 3:48 AM in response to nawalck

This problem is a strange one. I too have been experiencing problems. The newest member of my Mac clan is the iMac; when I tried to install 10.6.2 and bind it to the network, I too had the problems listed about network accounts not available. I tried the rc.local fix without success and in the end couldn't log in to the machine at all. It would halt on the Logging in screen trying to log in as local user even after repairing permissions. My Macbook however has 10.6.2 and is from 2007/2008 and has no problems whatsoever. I haven't installed on the MacMini but did experience the problems on the Macbook Air. So out of 3 computers I have tried Snow Leopard on, only 1 works. 10.5.8 never had an issue of logging on for me. I am currently going to try a clean 10.5 install and upgrade to 10.6. Will let you know if this works. Previously they were all clean 10.6 installs.
