  1. #16

    Quote Originally Posted by mac_shinobi View Post
    The script section does not exist anymore
    If you click on that link I posted, it should say "ad-bind-login.sh" about halfway down the page. In case anyone has trouble getting to it, I'll post the contents of the Leopard (and SL) AD Bind script here. Note that it looks like this one is meant to be used as a login hook, so it will probably be necessary to alter it a little to fit an individual's needs.

    ----

    #!/bin/sh

    # This script binds to AD and configures advanced options of the AD plugin
    # As this scripts contains a password, be sure to take appropriate security
    # precautions
    #
    # A good way to run this script is to set it as a login hook on your master machine
    # Because it only needs to be run once, the last thing this script does is to delete
    # itself. If you have another login script that you typically run, include the
    # script on your master machine, and indicate its path in the "newLoginScript"
    # variable.
    #
    # If running this as a one-time login hook to bind to AD after imaging,
    # be sure to enable auto-login (for any local user) before creating your master image


    # Host-specific parameters
    # computerid should be set dynamically, this value must be machine-specific
    # This value may be restricted to 19 characters! The only error you'll receive upon entering
    # an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
    #computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
    #computerid=`hostname`
    #computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
    computerid=`/usr/sbin/scutil --get LocalHostName`

    # Standard parameters
    domain="apple.edu" # fully qualified DNS name of Active Directory Domain
    udn="bind_account" # username of a privileged network user
    password="" # password of a privileged network user
    ou="CN=Computers,DC=apple,DC=edu" # Distinguished name of container for the computer

    # Advanced options
    alldomains="enable" # 'enable' or 'disable' automatic multi-domain authentication
    localhome="disable" # 'enable' or 'disable' force home directory to local drive
    protocol="afp" # 'afp' or 'smb' change how home is mounted from server
    mobile="disable" # 'enable' or 'disable' mobile account support for offline logon
    mobileconfirm="disable" # 'enable' or 'disable' warn the user that a mobile acct will be created
    useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
    user_shell="/bin/bash" # e.g., /bin/bash or "none"
    preferred="-nopreferred" # Use the specified server for all Directory lookups and authentication
    # (e.g. "-nopreferred" or "-preferred ad.server.edu")
    admingroups="" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\mac admins")
    packetsign="allow" # allow | disable | require
    packetencrypt="allow" # allow | disable | require
    passinterval="14" # number of days
    namespace="domain" # forest | domain

    # Login hook setting -- specify the path to a login hook that you want to run instead of this script
    newLoginHook="" # e.g., "/Library/Management/login.sh"


    ### End of configuration

    # Activate the AD plugin
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

    # Bind to AD
    dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou"

    # Configure advanced AD plugin options
    if [ "$admingroups" = "" ]; then
        dsconfigad -nogroups
    else
        dsconfigad -groups "$admingroups"
    fi

    dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol \
    -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath \
    -shell $user_shell $preferred -packetsign $packetsign -packetencrypt $packetencrypt \
    -passinterval $passinterval -namespace $namespace

    # Restart DirectoryService (necessary to reload AD plugin activation settings)
    killall DirectoryService

    # Add the AD node to the search path
    if [ "$alldomains" = "enable" ]; then
        csp="/Active Directory/All Domains"
    else
        csp="/Active Directory/$domain"
    fi

    dscl /Search -append / CSPSearchPath "$csp"
    dscl /Search -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
    dscl /Search/Contacts -append / CSPSearchPath "$csp"
    dscl /Search/Contacts -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath

    # This works in a pinch if the above code does not
    #defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
    #defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
    #plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
    #killall DirectoryService


    # Destroy the login hook (or change it)
    # "=" is the portable string comparison under /bin/sh ("==" is a bashism)
    if [ "${newLoginHook}" = "" ]; then
        defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
    else
        defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook "$newLoginHook"
    fi


    # Disable autologin
    defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
    srm /etc/kcpassword

    # Kill loginwindow to return to the login screen
    killall loginwindow

    # Destroy this script!
    srm "$0"
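
The script above warns that an over-long computer ID fails with a misleading privileges error, that truncating names with `cut -c 1-19` must still yield unique names, and that the embedded password needs protecting. The pre-flight checks below are an added example, not part of the posted script; the function names, the idea of a separate password file, and the sample hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the bind script's inputs.
# Function names and sample data are hypothetical.

MAX_ID_LEN=19   # limit mentioned in the bind script's own comments

# Fail early with a clear message instead of the misleading
# "not having appropriate privileges" error the script warns about.
check_computerid() {
    id=$1
    if [ -z "$id" ]; then
        echo "computerid is empty" >&2
        return 1
    fi
    if [ "${#id}" -gt "$MAX_ID_LEN" ]; then
        echo "computerid '$id' is ${#id} chars (max $MAX_ID_LEN)" >&2
        return 1
    fi
}

# Read hostnames on stdin; print every 19-character prefix that more
# than one distinct hostname would be truncated to by `cut -c 1-19`.
truncation_collisions() {
    sort -u | cut -c "1-$MAX_ID_LEN" | sort | uniq -d
}

# Accept a password file only if it is a regular file, not a symlink,
# and has no group/other permission bits set.
secret_file_ok() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        return 1
    fi
    case $(ls -ld "$f" | cut -c 5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the bind password (first line) from a vetted file.
read_bind_password() {
    if ! secret_file_ok "$1"; then
        echo "refusing $1: wrong file type or permissions" >&2
        return 1
    fi
    pw=
    IFS= read -r pw < "$1" || true   # tolerate a missing final newline
    if [ -z "$pw" ]; then
        echo "password file $1 is empty" >&2
        return 1
    fi
    printf '%s' "$pw"
}

# Demo with constructed hostnames: the first two collide once truncated.
printf '%s\n' \
    lab-imac-room-101-seat-01 \
    lab-imac-room-101-seat-02 \
    art-imac-03 | truncation_collisions
```
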

  2. #17
    PEO
    If the Macs' time is out of sync that can cause failed login attempts. Are they picking up time from the DC?

  3. #18
    TomH
    Guys,

    dsconfigad -passinterval 0 needs to be run BEFORE binding to AD, and I agree all the symptoms above sound like a bad machine password if there is no output from DSCL.

    You have to remember that a Mac queries AD as a machine and not as a user, and uses an old and unreliable kpasswd method to change it.

    cat /Library/Preferences/DirectoryService/ActiveDirectory.plist

    and look for:

    <key>Password Change Interval</key>
    <integer>0</integer>

    If you wish to prove the theory you can convert the machine password from ActiveDirectory.plist into a plain text password and then try and authenticate against kerberos as that machine.

    I would also review your DNS service records that should be created when you run dcpromo; the following article should help:

    Mac OS X 10.5: Verifying DNS consistency for Active Directory binding

    Also, if anyone runs antivirus, make sure it doesn't scan /var/db/dslocal/

    Quote Originally Posted by BootManager View Post
    you can logon as a local administrator and inspect everything on the mac client, everything looks fine, green lights on directory utility entries, time-synced ok.
    Do you query DSCL to see if you can read AD? Also at this point I would pull the machine password from ActiveDirectory.plist and try and authenticate against kerberos using it.

    Quote Originally Posted by BootManager View Post
    going back to the weird computer-name-change thing, this was something I stumbled across completely by chance, after all you don't expect it to happen so you don't look in that area.
    If you wish to prevent this then either set static IPs or, as part of your post-deployment script, configure HOSTNAME=DesiredName in the host config; this should prevent any host name changes.

    On another note you can also edit smb.conf to prevent DDNS entries if required.

    Quote Originally Posted by PEO View Post
    If the Macs' time is out of sync that can cause failed login attempts. Are they picking up time from the DC?
    Yes they have to be within 5 minutes.

    If you do disable password changes make sure your AD guys know, as a lot of people cull old accounts, which is what they will appear as.
    Last edited by TomH; 28th March 2010 at 01:33 PM.
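
The two checks discussed in the post above, the "Password Change Interval" value in ActiveDirectory.plist and the five-minute clock tolerance, can be scripted as below. This is an added example, not part of the original post; it assumes an XML-format plist with key and value on separate lines (as in the excerpt quoted in the post), the function names are hypothetical, the plist is a constructed sample, and the two timestamps are epoch seconds supplied by the caller.

```shell
#!/bin/sh
# Added example: triage for the two causes discussed in this thread.
# Function names and sample values are hypothetical.

# Print the integer that follows <key>Password Change Interval</key>.
# Returns 1 if the key is not present.
pass_interval() {
    awk '
        /<key>Password Change Interval<\/key>/ { want = 1; next }
        want && /<integer>/ {
            gsub(/[^0-9]/, "")
            print
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Return 0 if two epoch timestamps differ by at most max seconds
# (default 300, the five-minute tolerance quoted in the thread).
skew_ok() {
    t_local=$1
    t_dc=$2
    max=${3:-300}
    diff=$((t_local - t_dc))
    if [ "$diff" -lt 0 ]; then
        diff=$((-diff))
    fi
    [ "$diff" -le "$max" ]
}

# Write a constructed sample plist with the given interval value.
make_sample_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Password Change Interval</key>
    <integer>$2</integer>
</dict>
</plist>
EOF
}

# Report both findings for one machine.
triage() {
    if interval=$(pass_interval "$1"); then
        if [ "$interval" -eq 0 ]; then
            echo "passinterval: 0 (machine password changes disabled)"
        else
            echo "passinterval: $interval (machine password changes enabled)"
        fi
    else
        echo "passinterval: key not found in $1"
    fi
    if skew_ok "$2" "$3"; then
        echo "clock: within tolerance"
    else
        echo "clock: skew exceeds tolerance"
    fi
}

# Demo on constructed data: interval 0, clocks 420 seconds apart.
tmp=$(mktemp)
make_sample_plist "$tmp" 0
triage "$tmp" 1269781980 1269782400
rm -f "$tmp"
```
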

  4. #19
    Hacksawbob
    Can't offer any help but watching this thread with interest. When I get back in I have at least got a few things to try now, rather than reading over and over about "how to bind mac clients to AD". It seems to be an elephant in the corner with Apple that, for all their confidence about getting MAC-AD "working out of the box", actually it is pretty flaky. I have done it before in a separate environment and it worked a treat; I would dearly love to get to the bottom of why it doesn't work where I am now.

  5. #20
    AntonioRocco
    Hi

    @ TomH

    A lot of good knowledgeable advice however this statement:

    "If the Macs' time is out of sync that can cause failed login attempts. Are they picking up time from the DC?"

    "Yes they have to be within 5 minutes"

    Is not strictly true. The default time sync interval when promoting to DC is indeed 5 minutes but can be easily expanded to 10. Simply changing the relevant Kerberos Policy setting in the Local or Group or Domain Security Policies is enough. Unbinding and rebinding afterwards is a good idea as that way clients will get a fresh TGT based on the expanded time sync interval. You could also do this via the command line. IMO it's still a good idea to disable the requirement for SMB Digital Signing (if Server/Client agrees). Not the 'deal breaker' it used to be in 10.4 and earlier it can still introduce an unnecessary 'lag' which might make it possible for workstations to 'lose contact' with the DC. Add this to the usual mix of a 5 minute time sync interval; slightly iffy DNS; TLDs based around .local; stale reverse DNS records resolving to hostnames previously assigned to PCs and even (depending on switches used) an inability to query ntp on port 119 can easily add up to the problems being reported.

    It should also be noted that PCs (no integrated macs at all) can also 'lose sight' (admittedly not as often) of the DC and present similar problems. If this happens at your location look at the network itself. A lot of school networks still have the odd hub hidden away somewhere probably up-linking something to something. Duplex mismatching is another thing to look at as well as Port Fasting and even Spanning Tree. Just because a switch is new does not mean it's not faulty.

    One thing is certain: Introducing macs into a mature AD environment will find every flaw and weakness like nothing else. The platform in many ways is a little like Goldilocks looking for the bowl of porridge that "tastes just right."

    However not all sites have problems. There are many many sites where macs don't have problems logging in or losing sight of AD. Admittedly they may have or do have other problems. There are also sites in my experience (and probably TomH's?) that have had and still have no problems at all. Generally these tend to be sites where the AD environment was built to accommodate macs to begin with.

    It should also be noted, in some cases, integration may not be the best option? Especially true if the AD environment is an RM build. CC3 certainly although, strangely, not all of them. As for CC4? Don't even go there. It's bad enough for PCs alone. If this is true for your site it might be best to consider a different strategy instead. A separate OD environment completely divorced from AD yet still interacting with it on many levels is more than doable and possibly even desirable.

    HTH?

    Antonio Rocco (ACSA)
    Last edited by AntonioRocco; 28th March 2010 at 08:39 PM.

  6. #21
    TomH
    Quote Originally Posted by AntonioRocco View Post

    Is not strictly true. The default time sync interval when promoting to DC is indeed 5 minutes but can be easily expanded to 10.
    True... as with all these things we're talking 'out the box' rather than 5 generations of various IT Technicians' tweaks.

    Have you ever seen an environment with a larger than default Clock Skew?

    As I'm sure AntonioRocco will agree, most things can be resolved and generally it's just a case of proving what the problem is before applying 'random' fixes from Google that may or may not improve the situation. I have seen some really weird fixes that just haven't helped the situation at all.

  7. #22
    AntonioRocco
    Hi TomH

    "as with all these things we're talking 'out the box' rather than 5 generations of various IT Technicians' tweaks"

    Absolutely!! Can't say that about OD can we? As we know mature, 'Legacy' AD environments have the most imponderables to deal with. Generally because the current admins have no notion of what was done before. Why would they? Besides previous admins have a tendency to not tell successors anything anyway. "Must keep hold of knowledge - Bad to share" attitude which ultimately helps no-one. For current admins, as far as they're concerned it works. There's no need to do anything to upset it.

    Does not make it right though does it?

    Some IT Admins facing mac integration don't know what Kerberos (along with DNS, sadly) really is; how it's implemented in their environment or how it truly works. Let alone that the time sync interval can be expanded. This is standard MIT Kerberos stuff as you know.

    This is not a criticism guys just an observation. I have nothing but respect for all of you as it's not easy doing what you do. Especially when someone takes an arbitrary decision not involving you in any way regarding equipment you know nothing about yet are expected to fully support. Gets your back up doesn't it? Sometimes this develops (quickly) into an 'unwilling attitude' which can add to the general 'mix'.

    "Have you ever seen an environment with a larger than default Clock Skew?"

    Yes as I always make that recommendation. Sadly only a few listen or understand its implication. Coupled with the 'passinterval' setting (sometimes) it can 'cure' all sorts of problems. Assuming everything else is perfect of course.

    "most things can be resolved and generally its just a case of proving what the problem is before applying 'random' fixes from google that may or may not improve the situation"

    I'm with you there Tom. We're talking the same language.

    "I have seen some really weird fixes that just haven't helped the situation at all"

    Absolutely.

    Tony
    Last edited by AntonioRocco; 28th March 2010 at 10:09 PM.

  8. #23


    more regarding dns

    Just been reading this thread, which expands on my DNS hunch...
    DNS reverse lookup Server 2003

  9. #24

    another (old) thread on AD binding problems...
    Snow Leopard AD Integration woes

    Today I rebuilt my Windows DNS and also played around with some DHCP settings. Also in Active Directory I found that our domain was flagged/running as "Windows 2000 Mixed" so I upgraded to "Windows 2003" (a simple click of a button - but one where there is no going back). Obviously quite a few changes and I'm currently monitoring the situation.

    I'll let you know what the outcome was in due course.

  10. #25

    I've been having this problem since we moved schools on some new edu Intel alu iMacs. It seems to be a select few machines which have the issue recur now and again. Each time I check the logs it's a pre-auth failure causing the issue. A quick unbind of the AD and rebind sorts the issue. I'm not entirely sure what causes this and would be willing to try anything. What is really funny though is I have a couple of standard Macs with Intel networking and ATI cards and the old edu white Intel iMacs. I have 25 of these types and these have never had the problem. Still don't. These too have the Intel networking chipsets.

    I still think the nvidia networking chipsets are to blame for some things. Just can't prove it. I doubt Apple will change their manufacturing because of me though. Do you?

  11. #26


    Regarding my DNS rebuild (part1)

    Regarding my DNS rebuild.
    I am writing these notes down now so that I don't forget what I did when I post an update on how my network is behaving (probably in a few weeks' time).

    My feeling is that our Windows network was fine for PC clients but Macs, being extremely fussy, didn't like it. I rather suspect that Apple have just done some minimal testing as far as integrating into Windows environments is concerned and therefore if your network isn't 'just so' then your Macs are going to go into a huff... did I mention about the hassle with using Macs on our expensive and sophisticated network environment - the upshot was that we had to 'dumb-down' our switches in order to accommodate the picky Macs with network card drivers that don't conform to internationally recognised networking standards [and Apple think it's not their problem].

    Anyway this is what I've done to our servers and I am still monitoring the situation, so don't take it as gospel....

    Most of the client computers had been switched off over Easter so the DNS records would have mostly been stale - the DNS was going to be flushed and rebuilt so it was to our advantage too.

    First step, make sure all the servers (Windows and OS X) are updated with patches, and BACKUP system state.
    Second step, refresh my brain on how to configure DNS & DHCP. I'm a great believer in setting things up with the instructions in front of me, then hopefully I won't need to look at it for at least a few years.
    Third step, clear down DNS and de-integrate it from Active Directory. Then stop the service and delete all traces of DNS in AD or text file.
    Fourth, check DHCP, reconfigure if necessary.
    Fifth, configure the servers and get them all talking and behaving nicely with one another.
    Next, rebuild DNS and replicate across servers, check DNS contains correct records and register any machines with static IPs.
    Next, get the Windows client PCs back onto the network, well logon to an AD account cos you just know they are gonna work.
    Finally, reconfigure each Mac client (our machines are dual boot). This is the tedious bit involving coming off the domain, clearing down plists, renaming, rebooting, rejoining domains etc, hoping that things get finally sorted.

    some reading (do read them):
    How to clear bad information in Active Directory-integrated DNS
    How to reinstall a dynamic DNS Active Directory-integrated zone
    How to configure DNS dynamic updates in Windows Server 2003
    How To Install and Configure a DHCP Server in a Workgroup in Windows Server 2003
    there are other articles, you can take days to read, but I'd decided that I was going to rebuild DNS so they were irrelevant to me.

    oh I'm too long on my text, read my next post....

  12. #27

    (continued)....
    what I found after doing some reading was that our DNS was probably in a bit of a mess from upgrading the server from win 2000 to win 2003 some years back and also from having various experts come in and allowing them to hack about, particularly when they manually add records to windows DNS from their client machines (eg a mac server). The DHCP settings were also messed about with, probably by external 'experts' like half-setting-up range policies when in fact the top level server policy had all the relevant settings already set up. But I also found that our Active Directory was 'old' and needed to upgrade to Win 2003 (a single mouse click operation).

    The articles on DNS are fairly straightforward though I found that some things didn't apply to our setup here and there were a couple of minor panics when I thought I'd done some damage, but as it turned out everything was really quite easy, you just have to plan it out.
    I'm not going to go into massive detail, most of the actions are performed from menu options or right mouse clicks, you do need to feel your way around the DNS structure but most actions are performed on the 'server' container and not the zones (which were getting deleted). I think that the steps that I took [on each DC server] were to:
    1) break the replication across the servers by setting DNS to standard primary on each server and make sure there is no cross referencing of servers.
    2) from the dos prompt use command "ipconfig /flushdns" to flush cache, then after a couple of minutes to go into DNS console and just delete all the A and PTR records for each zone, then note down all the C records (because you will need to recreate them), before deleting each zone in the forward and reverse containers (I also found/deleted a top level _msdcs_ zone that I think was supposed to be a child of a named zone - can these things be moved?!?)
    3) clear out the DNS events log, then come out of DNS console. another flush of the dns from the dos prompt, and then stop the DNS service (net stop dns).
    4) The Microsoft documentation talks about deleting zones from within Active Directory but I couldn't see where any old records were kept, however I did find that there were some old files in the folder c:\windows\system32\dns (these have the extension .dns), so I moved the ones that obviously belonged to us out of the way to a new folder [I left behind cache.dns and dns.log and the folders Samples and Backup].
    5) Network Connection Settings. I had some conflicting info on this change but what I opted for was for each network connection on our nominated DNS servers to make sure that if it's a static IP then the network settings has preferred DNS pointing to itself, i.e. a server with replicated DNS doesn't point to the primary DNS server instead; the alternate DNS was set to point to the internet service provider's DNS. In case you are interested, the conflicting argument was pretty much the exact opposite, i.e. to point to the primary DNS and the alternate DNS to point to a secondary internal DNS - but I'll monitor what happens as I can always change these settings at a later date.
    6) Configure DHCP service on the machine where it resides. I didn't have to do much to ours but I changed a couple of settings out of interest: on the general tab "enable DHCP audit logging" ticked, on the advanced tab "conflict detection attempts" set to 1, and on the DNS tab everything ticked (I selected "always dynamically update DNS A and PTR records" on the option). Although I didn't delete any records, you may want to tidy things up if you know some leases have expired; you can select the Reconcile action to give a little peace of mind afterwards. One thing which I did do was delete the scope options that someone had half-heartedly set up on the main scope - on our DHCP server these options are correctly set up in the global options and therefore do not need any overriding (or messing up).
    7) when all servers are stripped of dns operations then reboot each server, except for the mac servers - which got taken off the windows AD domain and then shut down.
    8) The DC servers get booted first, the other servers get booted after you set up DNS.
    9) IMPORTANT NOTE: On the Primary DC in Active Directory a right click >properties, on the domain name revealed that our Domain Functional Level was set to Windows 2000, but a simple mouse click allowed this to be upgraded to Windows 2003 (an upgrade that cannot be reversed). I feel this is an important issue because it shows that the AD is being made overly complicated by trying to retain compatibility with Windows 2000 or whatever, but since we no longer have Windows 2000 servers I decided to ditch the functionality and upgrade.
    10) On the primary DC I setup DNS pretty much using default settings of the DNS wizard (from "Configure Your Server"), there is an option to replicate to all the DCs and you should do that. Give it a few minutes to replicate across your servers. You can also run some tests to check DNS is behaving correctly.
    11) On each server with a static IP you should then go to the dos prompt and issue the command "ipconfig /registerdns"; note on the Mac servers there isn't really a command to do this but on the Macs you can configure IPv4 with the option "using DHCP with manual address" which will register the static IP address in DNS.
    12) You can use directory utility to get your mac servers rejoined onto AD; note I did put a tweak on my mac servers (dsconfigad -passinterval 0) as per some earlier recommendation.
    13) remember to manually enter any C (alias) records in your DNS, things like which server hosts your website are fairly important.

    Hopefully that's everything to configure the servers. That's all I can remember. I wanted a situation where the DNS entries are controlled by Windows and tied in with Active Directory. If you read the Microsoft notes it talks about records remaining in DNS if they were manually inserted, i.e. the owner of the record is not the system, something that I would consider bad news if you want to go for dynamic updates, and could potentially lead to conflict/duplicates on addresses I think.
    I'm sure that there is going to be a whole lot of people out there who are going to criticise my actions, telling me that I can't possibly be right. Well OK, you have your opinions, but solutions like "have you synchronised time" or putting techie tweaks on Mac variables are not exactly 'out of the box', and one fact that I think you should chew over before you rush ahead anyway is to consider this:
    Some sites that I know of do not have any problems with Mac integration. The people who set those sites up didn't go off performing techie tweaks, they just had a bog-standard Windows network, freshly built, which they then connected their brand new Apple Macs to using Directory Utility. AND IT WORKED AND CONTINUES TO WORK.
    So all I'm trying to do here is to take away some of the complexity which potentially has been caused through upgrading. Upgrading is a nice convenient thing but sometimes it's messy. So I've rebuilt my DNS and made some slight changes to DHCP and Active Directory; as far as I'm concerned I'm trying to simplify the network, that's all.

    Finishing Off
    Well this is the moment of truth, which unfortunately I won't find out if it's worked until probably a few weeks' time.

    First step, just boot all the windows machines and logon to an AD account, you can probably guess that nothing went wrong with this step. (dual boot macs were booted onto the windows side before even thinking about booting onto the OS X side).

    On the macs, (dual boot macs were booted onto the windows side before even thinking about booting onto the OS X side), I booted into the local admin account, then did the tedious setup:
    1) followed the procedure to get the macs off the AD and OD, deleting directory utility plists afterwards.
    2) check the computer name is correct, then check/correct the name of each network connection, the TCP/IP tab should state "Configure IPv4 using DHCP"
    3) check for software updates, then reboot. Back into mac (on dual boot machines)
    4) rejoin AD and OD, this time I joined OD first of all. Shut down.
    5) hope and pray that your mac woes have gone away

    Have I forgotten something - well probably - but do your research. Reconfiguring your server can be a bit scary but sometimes it's got to be done.

  13. Thanks to BootManager from:

    PeterH (27th April 2010)

  14. #28

    An update....

    Well I found out that some of my dual boot Macs that got reconfigured now won't log onto Windows, it says the domain is not available. Fixed this by logging into a local Windows admin account, deleting all the local profiles for domain accounts (they all were marked as unknown account anyway), then coming off the domain and finally back on domain.
    It seems that although the dual boot win side was originally happy, problems occurred after the dual boot OS X side was taken off the domain (and re-added).
    Generally it doesn't bode well. Oh and yet another Mac has gone faulty, is there anything more unreliable than an Apple-built computer?

  15. #29

    Of note, not sure if this is the reason for your machines not finding domain afterwards. You can't have the OS X side client named the same as its Windows counterpart. When you bind on the OS X side it removes the account from the AD. Then Windows cannot join. IIRC that is. I tried this myself only to find it messes up. In the end I decided to use OSX- and XP- prefixes for the names.

    Also what machines are these? Are they the new education alu iMac machines? If so these have the nvidia nforce network chipsets. GPO will not deploy software until you update the nforce chipset drivers. When I get back to work on Monday I will post a link if you like. I say this since this also may be the reason domain is unavailable as they tend to be flippin slow connecting to the domain sometimes. I thought it may have something to do with my network config but the old white Intel ones are as quick as they have always been.

    Interesting to see what you have tried though to get Macs working as they should.

    But all of this may just be blah and not related in any way. If this is the case. Sorry

  16. #30

    I just found this:

    Windows 2003 DHCP/DNS server and non-Windows clients

    May be useful for the DNS issue. Maybe not so much for the problem of not being able to log in. Usually I find this to be due to pre-auth failure. I may look into the passinterval=0 thing myself.
