kes601
join:2007-04-14
Virginia Beach, VA

kes601

Member

OS X Clients Suddenly Slow Login to AD

I've had no problems w/OS X clients logging onto my AD before this week. Now, suddenly they take several minutes to login, if they login at all. This started Monday. The only thing I can think of is to roll back the weekend Security Updates on my servers, but I hesitate to do that.

Any ideas?

Weasel
Premium Member
join:2001-12-03
Minnesota

Weasel

Premium Member

DNS and search domain information correct and working?

Serbtastic
You Know How Many People I Have Buried?
Premium Member
join:2002-02-24
Stoney Creek, ON

Serbtastic to kes601

Premium Member

to kes601
I'd throw a network sniffer on there and monitor the traffic to/from an OSX client and see where the holdup is.
kes601
join:2007-04-14
Virginia Beach, VA

1 edit

kes601 to Weasel

Member

to Weasel
Yep, both are correct. I am seeing "DNS Failed to Update!" errors in the logs of the machines not working; however, DNS is working if I do an nslookup on local or external domains via Terminal.

I can also type in smb://acadfileserver/ and it connects w/o an issue.....

Nothing at all has changed on the client machines, it really is annoying the #$@#$@ out of me.
kes601

kes601 to Serbtastic

Member

to Serbtastic
Thanks for the idea, I'll give that a shot tomorrow.
kes601

kes601

Member

One thing I noticed on the OS X machines today, and I don't know if it was this way before or not, but they are appending .local to the Local Hostname instead of .academic.chcs.lan (our AD domain name). Not sure what it was like before today. Doesn't seem like it should be .local to me though.

craig70130
Premium Member
join:2004-04-27
New Orleans, LA

craig70130

Premium Member

Make sure they are pointing to your internal DNS server that Active Directory uses.

Slow domain logins are most often DNS issues - the .local showing up points to that as well. (DHCP should be giving it the proper AD DNS server as well as the domain and it seems like it isn't.)
kes601
join:2007-04-14
Virginia Beach, VA

kes601

Member

Yep, the 2 DNS servers listed are the 2 Domain servers. If I look at the DNS entry on the server it is listed correctly -- i.e. boyd-room-05.academic.chcs.lan
kes601

kes601

Member

One more quick update. I installed Wireshark and just ran it on the entire network (nobody is on campus right now). My fileserver is sending out a bunch of these:

11 15.359753 10.2.1.12 10.255.255.255 UDP Source port: 4489 Destination port: 53271

Any clue what this is? I can't find any information on these ports.
rugby
I think I know it all.
join:2000-09-26
Plainfield, IN

rugby to kes601

Member

to kes601
What version of AD?
kes601
join:2007-04-14
Virginia Beach, VA

kes601

Member

We are running Win2k3 R2.

And I figured out what Wireshark was picking up from 10.2.1.12; it wasn't the cause of the problem.
rugby
I think I know it all.
join:2000-09-26
Plainfield, IN

rugby

Member

Have you tried unbinding and rebinding?

I've heard of this issue, but only using .local domains.

PToN
Premium Member
join:2001-10-04
Houston, TX

PToN to kes601

Premium Member

to kes601
Yeah, rebind the machine. Sometimes if the clocks differ too much, it will cause it to be really slow or not even let you log in.
kes601
join:2007-04-14
Virginia Beach, VA

kes601 to rugby

Member

to rugby
Clocks are all in sync and when I try to unbind and rebind, unbind literally takes 15 minutes. Rebinding can take up to 30 minutes, it gets to step 3 of 5 and just spins for a very long time.

I also noticed today when connecting to the fileserver via smb it was taking an extraordinarily long time to connect. If I do it via AFP it connected quickly.

I know over the weekend there was a security update for Win 2k3 that had to do w/security and SAMBA, so I am wondering if that is at fault. I removed the updates from both of our Domain Controllers yesterday and it did not help, but have not removed it from our Fileserver yet.

As a temporary fix I have set up a local login on the machines and the students can mount their home folders and the group share via AFP once logged in.
rugby
I think I know it all.
join:2000-09-26
Plainfield, IN

rugby

Member

Were there any changes on the network at this time? Any vlan specific modifications made?
kes601
join:2007-04-14
Virginia Beach, VA

kes601

Member

Nope, haven't touched anything on the network or on the servers.

I do have an Apple rep coming on Nov. 2 w/an OS X server to test out for a couple of weeks (already had been planned). I'm hoping using Open Directory with them will help fix this....
rugby
I think I know it all.
join:2000-09-26
Plainfield, IN

rugby

Member

It shouldn't make a difference, we use OD and WorkGroup Manager to augment AD, not replace it. Basically we do management with OD but use the AD credentials.
kes601
join:2007-04-14
Virginia Beach, VA

kes601

Member

I may have just figured it out. Not 100% convinced yet, but on one machine I just edited the /etc/hosts file and put in the two Domain Controllers and the Fileserver, then unbound and rebound and now it works as it should. So, seems to be a DNS issue if this works on the other machines.
kes601

kes601 to rugby

Member

to rugby
Well, I've gotten them to login via AD again, but then things get slow. I get this in the console log once logged in:

10/22/10 8:25:33 AM com.apple.loginwindow[40] 2010-10-22 08:25:33.816 ManagedClient[262:903] ODUGetMCXRecordWithCache() Accessing network user record from Active Directory not allowed because no authentication information was supplied.

Really makes NO sense to me as I was obviously logged in and authenticated or it wouldn't have let me past the login window in the first place.