kes601 join:2007-04-14 Virginia Beach, VA |
kes601
Member
2010-Oct-20 11:14 am
OS X Clients Suddenly Slow Login to AD
I've had no problems w/OS X clients logging onto my AD before this week. Now, suddenly they take several minutes to login, if they login at all. This started Monday. The only thing I can think of is to roll back the weekend Security Updates on my servers, but I hesitate to do that.
Any ideas? |
|
Weasel Premium Member join:2001-12-03 Minnesota |
Weasel
Premium Member
2010-Oct-20 4:14 pm
DNS and search domain information correct and working? |
|
Serbtastic You Know How Many People I Have Buried? Premium Member join:2002-02-24 Stoney Creek, ON |
to kes601
I'd throw a network sniffer on there and monitor the traffic to/from an OSX client and see where the holdup is. |
|
kes601 join:2007-04-14 Virginia Beach, VA 1 edit |
to Weasel
Yep, both are correct. I am seeing DNS Failed to Update! errors in the logs of the machines not working, however DNS is working if I do an nslookup on local or external domains via Terminal.
I can also type in smb://acadfileserver/ and it connects w/o an issue.....
Nothing at all has changed on the client machines, it really is annoying the #$@#$@ out of me. |
|
kes601 |
to Serbtastic
Thanks for the idea, I'll give that a shot tomorrow. |
|
kes601 |
kes601
Member
2010-Oct-20 4:42 pm
One thing I noticed on the OS X machines today, and I don't know if it was this way before or not, but they are appending .local to the Local Hostname instead of .academic.chcs.lan (our AD domain name). Not sure what it was like before today. Doesn't seem like it should be .local to me though. |
|
craig70130 Premium Member join:2004-04-27 New Orleans, LA |
Make sure they are pointing to your internal DNS server that Active Directory uses.
Slow domain logins are most often DNS issues - the .local showing up points to that as well. (DHCP should be giving it the proper AD DNS server as well as the domain and it seems like it isn't.) |
|
kes601 join:2007-04-14 Virginia Beach, VA |
kes601
Member
2010-Oct-20 5:09 pm
Yep, the 2 DNS servers listed are the 2 Domain servers. If I look at the DNS entry on the server it is listed correctly -- i.e. boyd-room-05.academic.chcs.lan |
|
kes601 |
kes601
Member
2010-Oct-20 6:24 pm
One more quick update. I installed Wireshark and just ran it on the entire network (nobody is on campus right now). My fileserver is sending out a bunch of these:
11 15.359753 10.2.1.12 10.255.255.255 UDP Source port: 4489 Destination port: 53271
Any clue what this is? I can't find any information on these ports. |
|
rugby I think I know it all. join:2000-09-26 Plainfield, IN |
to kes601
What version of AD? |
|
kes601 join:2007-04-14 Virginia Beach, VA |
kes601
Member
2010-Oct-20 9:28 pm
We are running Win2k3 R2.
And I figured out what Wireshark was picking up from 10.2.1.12; it wasn't the cause of the problem. |
|
rugby I think I know it all. join:2000-09-26 Plainfield, IN |
rugby
Member
2010-Oct-21 9:01 am
Have you tried unbinding and rebinding?
I've heard of this issue, but only using .local domains. |
|
PToN Premium Member join:2001-10-04 Houston, TX |
to kes601
Yeah, rebind the machine. Sometimes if the clocks differ too much, it will cause it to be really slow or not even let you log in. |
|
kes601 join:2007-04-14 Virginia Beach, VA |
to rugby
Clocks are all in sync and when I try to unbind and rebind, unbind literally takes 15 minutes. Rebinding can take up to 30 minutes, it gets to step 3 of 5 and just spins for a very long time.
I also noticed today when connecting to the fileserver via smb it was taking an extraordinarily long time to connect. If I do it via AFP it connected quickly.
I know over the weekend there was a security update for Win 2k3 that had to do w/security and SAMBA, so I am wondering if that is at fault. I removed the updates from both of our Domain Controllers yesterday and it did not help, but have not removed it from our Fileserver yet.
As a temporary fix I have set up a local login on the machines and the students can mount their home folders and the group share via AFP once logged in. |
|
rugby I think I know it all. join:2000-09-26 Plainfield, IN |
rugby
Member
2010-Oct-21 10:44 am
Were there any changes on the network at this time? Any vlan specific modifications made? |
|
kes601 join:2007-04-14 Virginia Beach, VA |
kes601
Member
2010-Oct-21 10:56 am
Nope, haven't touched anything on the network or on the servers.
I do have an Apple rep coming on Nov. 2 w/an OS X server to test out for a couple of weeks (already had been planned). I'm hoping using Open Directory with them will help fix this.... |
|
rugby I think I know it all. join:2000-09-26 Plainfield, IN |
rugby
Member
2010-Oct-21 11:04 am
It shouldn't make a difference, we use OD and WorkGroup Manager to augment AD, not replace it. Basically we do management with OD but use the AD credentials. |
|
kes601 join:2007-04-14 Virginia Beach, VA |
kes601
Member
2010-Oct-21 11:09 am
I may have just figured it out. Not 100% convinced yet, but on one machine I just edited the /etc/hosts file and put in the two Domain Controllers and the Fileserver, then unbinded and rebinded and now it works as it should. So, seems to be a DNS issue if this works on the other machines. |
|
kes601 |
to rugby
Well, I've gotten them to login via AD again, but then things get slow. I get this in the console log once logged in:
10/22/10 8:25:33 AM com.apple.loginwindow[40] 2010-10-22 08:25:33.816 ManagedClient[262:903] ODUGetMCXRecordWithCache() Accessing network user record from Active Directory not allowed because no authentication information was supplied.
Really makes NO sense to me as I was obviously logged in and authenticated or it wouldn't have let me past the login window in the first place. |
|