  1. #1

    Slow Login/Logout on AD/OD Network + Intermittent Login Errors..

    I've recently installed a Mac mini server into a secondary school as an Open Directory server for the management of around 60 Macs that are authenticating through a Windows AD server.

    I have set the clients up to not force a local home directory on the startup disk so they all have network home folders.

    The first issue I ran into was with iMovie 09: it wouldn't write to their network homes. I solved this by creating a symbolic link through the MCXRedirector in WGM and pointed their Movies folder to the local hard drive /tmp/%@/Movies and told the teachers that the students will need to use the same iMac each lesson when using iMovie.

    These are my remaining issues:

    1 - The log in and log out time on the Macs has at least tripled (between 1 and 2 minutes) since the Open Directory server has been installed and since they were not using network home folders (old setup). I have created more symbolic links to store cache files, log files and the Application Support folder locally, but this seems to have made no difference to the speed.


    2 - Students are occasionally and intermittently getting this error on login (never seen before on old set up)

    "You are unable to log in to the user account *username* at this time.
    Logging into the account failed because an error occurred."

    I fixed this by restarting the clients but it's happening to 1-3 students in each class. I could also log in as a network admin even before restarting the client, so it seems like it could be a user problem rather than a computer one; however, restarting resolved the problem.

    I've seen some really helpful posts on this forum regarding this particular setup but despite having a good search through I couldn't find any concrete answers for these problems..

    Help is always appreciated,


    Many thanks,

    Martin

  2. #2

    Additional info;

    Mac Mini running 10.6 Server, clients all on 10.6. Server is on a separate VLAN (I read that this can cause issues; I don't have an awful lot of control over this as they are Cisco managed switches, and all Windows servers are also on that VLAN). Domain is .local. DNS is set up and working, forward and reverse lookup, no problems.

    Cheers,

    Martin

  3. #3
    Right, well I'm not the Apple guy at our school, but I have picked up some things...
    [1] Dunno, not sure what our logon times are, they seem fast enough.

    [2] The students being unable to log on are because the apple desktop seems to trawl through the active directory at boot, for a list of users and share locations.
    If you click on the IP address it changes and one of the settings shows a Red/Yellow/Green traffic light set, signifying how many accounts are available.

    We also found we had to change the way we shared out user homes, we used to share each user to their own share \\server\username, but the Apples (apparently) don't like there being too many shares on one server..... so we changed to \\server\group and then a subfolder of their username, this improved things.


    What we have also just done recently to solve a problem with imaging then, is create a brand new VLAN for them separate from the rest of the network - although it does route through. We're waiting to see if this solves the issue.

  4. #4

    Yea, I have a feeling they might just have to get used to the speed, I just didn't want to give up straight away. If only they had some kind of visual feedback on what they're doing on login/out I might be able to figure out what's slowing them up.

    I had found the directory status feature handy in the past so I used WGM to push out a policy to always display that on the login window. Staff have been told to wait till that's green before trying to log in, as it can take up to 15/20 seconds to change. All the problematic clients have had network accounts available.

    Unfortunately the network home shares will be difficult to change as all of the students and teachers in AD are managed by another company and synced to their server, but I'll take it into consideration and maybe test it out with some dummy accounts and see if it makes a difference. Don't suppose you've got any links you could throw my way on this issue?

    Yea, I never got imaging working over the network. 2 clients wouldn't bind to OD and needed setting up from scratch, so I ended up just throwing in an OS disc.

    I will look into potential VLAN issues tomorrow but won't be able to do too much really as I can't configure any of the switches. I might try patching a client into the same VLAN as the server and see what happens.

    Many thanks,

    Martin

  5. #5

    One thing I picked up on straight away is the .local domain. Although Apple says this isn't an issue anymore, in some cases I believe it can still cause issues. The login problems you are seeing may be due to the shares themselves or permissions related. Take a look at the post I made with Apple's best practices guide for AD-OD integration.

    The best thing to do to narrow things down is tail the logs using a second machine over ssh. You can use a local admin account on the machine next to it if you want. You will then be able to view the log entries as they are generated. You can also run a tcpdump on the client to see what is happening in regards to the network traffic. You may find that DNS may be the issue, which brings me right back to the .local thing.

    Hope this helps a little.

  6. #6

    We had this kind of issue with login and it's mostly to do with time; the Apples don't like to be out too much from the servers etc.

  7. #7

    I'm having similar problems as part of my research into a solution and was told that DNS is critical to OSX & AD working properly.

    1. Ensure all macs have YourDomain.local & .local in as the DNS search domains, without it OSX tends to try to use bonjour to resolve hostnames rather than DNS.
    2. Ensure that a DNS lookup on YourDomain.local returns IP addresses for all your domain controllers (mine was returning an additional address for some reason).
    3. All OSX machines must have forward and reverse DNS lookups working.

    At the moment I am not sure if the problem has been resolved. I will need to wait a couple of days to be sure the problem has gone away.

  8. #8

    HodgeHi - The best thing to do to narrow things down is tail the logs using a second machine over ssh. You can use a local admin account on the machine next to it if you want. You will then be able to view the log entries as they are generated. You can also run a tcpdump on the client to see what is happening in regards to the network traffic. You may find that DNS may be the issue, which brings me right back to the .local thing.
    I'll need a bit of educating in this level of troubleshooting on the Macs, think you could break the processes down for me? Would be really helpful, it's like I'm feeling my way around in the dark at the moment. I've tried using dig and nslookup commands on the domain controller before and everything comes back okay.

    Boon72 - We had this kind of issue with login and it's mostly to do with time; the Apples don't like to be out too much from the servers etc.
    Yea, I came across this issue before when binding them to AD, had to manually change their time so it was within a couple of minutes of the AD server. Is it best to use the Mac OD server (pointing to the same upstream time server as the Windows servers) as an NTP server and point all of the client Macs to that? If so, how does one set that up? I don't have ARD so I'm hoping there's a WGM preference I can push out.

    sjatkn - 1. Ensure all macs have YourDomain.local & .local in as the DNS search domains, without it OSX tends to try to use bonjour to resolve hostnames rather than DNS.
    Wasn't this sorted in 10.6? I've tried adding .local to the search domains but it didn't make a difference. I haven't tried mydomain.local, I'll give this a go on my next visit.

    Forward and reverse lookups are all coming back fine, I'll post up my nslookup and dig results next time I'm there.

    Thanks for all the replies, I'm the only (kinda) Mac guy at this school so I don't really have anyone on site to discuss these issues with.

    Martin

  9. #9

    Quote Originally Posted by sjatkn View Post
    I'm having similar problems as part of my research into a solution and was told that DNS is critical to OSX & AD working properly.

    1. Ensure all macs have YourDomain.local & .local in as the DNS search domains, without it OSX tends to try to use bonjour to resolve hostnames rather than DNS.
    2. Ensure that a DNS lookup on YourDomain.local returns IP addresses for all your domain controllers (mine was returning an additional address for some reason).
    3. All OSX machines must have forward and reverse DNS lookups working.

    At the moment I am not sure if the problem has been resolved. I will need to wait a couple of days to be sure the problem has gone away.
    I have not had reports of further problems on these machines. That could be because it is now fixed or because they expect us to telepathically know there is a problem; either way I am closing the call on my logs. In my case I already had 1 & 3 in place, I just fixed 2.

  10. #10

    Quote Originally Posted by martin_hannah View Post
    Wasn't this sorted in 10.6? I've tried adding .local to the search domains but it didn't make a difference. I haven't tried mydomain.local, I'll give this a go on my next visit.
    So I believe, however I only found that out whilst investigating this problem. As I already had .local & domain.local added to the search domain I did not want to remove it just in case!

  11. #11

    Still haven't got to the bottom of this one. It still takes a long time to log in/out, and I've also noticed that the classroom Macs will occasionally freeze and beach ball for a couple of minutes before coming back to life, even when just trying to open Finder.

    Thought I'd post up some more details:

    172.22.8.11 is the primary DNS server, Domain Controller and AD server,
    172.22.8.12 is the backup Domain Controller
    172.22.8.14 is the backup DNS server
    172.22.8.18 is the OD osxserver.

    Here are the responses from these terminal commands on a client machine:


    nslookup osxserver.brcc.local

    Server: 172.22.8.11
    Address: 172.22.8.11#53

    Name: osxserver.brcc.local
    Address: 172.22.8.18



    nslookup brcc.local

    Server: 172.22.8.11
    Address: 172.22.8.11#53

    Name: brcc.local
    Address: 172.22.8.12
    Name: brcc.local
    Address: 172.22.8.14
    Name: brcc.local
    Address: 172.22.8.11


    dig brcc.local

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> brcc.local
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15792
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;brcc.local. IN A

    ;; ANSWER SECTION:
    brcc.local. 600 IN A 172.22.8.14
    brcc.local. 600 IN A 172.22.8.11
    brcc.local. 600 IN A 172.22.8.12

    ;; Query time: 1 msec
    ;; SERVER: 172.22.8.11#53(172.22.8.11)
    ;; WHEN: Tue Jan 18 10:24:10 2011
    ;; MSG SIZE rcvd: 76


    dig osxserver.brcc.local

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> osxserver.brcc.local
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 525
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;osxserver.brcc.local. IN A

    ;; ANSWER SECTION:
    osxserver.brcc.local. 3600 IN A 172.22.8.18

    ;; Query time: 1 msec
    ;; SERVER: 172.22.8.11#53(172.22.8.11)
    ;; WHEN: Tue Jan 18 10:25:19 2011
    ;; MSG SIZE rcvd: 54



    Another thing I am trying to get set up is the software update service from the Mac server. I've downloaded all of the updates (342) and they are all enabled. Software Update is providing updates on port 8088.

    In WGM I have told the clients to point to;

    "http://osxserver.brcc.local:8088/index-leopard-snowleopard.merged1.sucatalog"

    Once the clients refresh their preferences and try to update they get the error message;

    "The Software Update Server (osxserver.brcc.local) is not responding. Check to make sure your network connection is operating normally. If there are no issues with your connection, contact your network administrator for assistance."

    I've tried changing the port to 80, and 8888 and I still have the same problem. The clients are using a proxy but they are set up to bypass 172.* and *.local.

    In network utility these ports are open on the osxserver;

    Port Scanning host: 172.22.8.18

    Open TCP Port: 22 ssh
    Open TCP Port: 88 kerberos
    Open TCP Port: 106 3com-tsmux
    Open TCP Port: 311 asip-webadmin
    Open TCP Port: 389 ldap
    Open TCP Port: 625 dec_dlm
    Open TCP Port: 3659 apple-sasl
    Open TCP Port: 4940
    Open TCP Port: 5800
    Open TCP Port: 5900 vnc-server
    Open TCP Port: 8088 radan-http

    It would be great if someone could shed some light on what might be stopping software update from connecting to the server?

    Thanks for all the replies,

    Martin

  12. #12

    Okay software update problem sorted! For some reason the osxserver had been taken out of the reverse lookup list on the DNS server?? Not sure how this happened but sorted now, all works a treat.

    Now I just need to figure out how I can instigate the updates automatically... And get to the bottom of the slowness issue.. still not sorted even after fixing the reverse lookup.

    Thanks,

    Martin
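
An added example (not part of any post in this thread) of the DNS checks discussed above: it compares the A records returned for the AD domain with the list of domain controllers and classifies a host's reverse lookup, the record that turned out to be missing for osxserver. The function names are hypothetical, the sample data is constructed from the addresses quoted in post #11, and treating only 172.22.8.11 and 172.22.8.12 as domain controllers is an assumption.

```shell
#!/bin/sh
# Added example: DNS sanity checks for an AD/OD-bound Mac network.
# The pure functions work on captured resolver output, so they run offline.

# Print every address in list $1 that does not appear in list $2.
# Lists are whitespace- or newline-separated, as `dig +short` prints them.
not_in() {
    haystack=" $(echo $2) "        # unquoted on purpose: newlines become spaces
    for item in $1; do
        case "$haystack" in
            *" $item "*) ;;
            *) echo "$item" ;;
        esac
    done
}

# Classify one reverse lookup as "ok", "missing" or "mismatch".
# $1 = expected FQDN, $2 = answer from `dig +short -x <ip>` (empty if no PTR).
ptr_status() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    got=$(printf '%s' "$2" | head -n 1 | tr 'A-Z' 'a-z' | sed 's/\.$//')
    if [ -z "$got" ]; then echo missing
    elif [ "$got" = "$want" ]; then echo ok
    else echo mismatch
    fi
}

# Live mode (needs the network): audit_live DOMAIN "DC_IP ..." HOST...
audit_live() {
    domain=$1; dcs=$2; shift 2
    answers=$(dig +short "$domain" A)
    echo "A records that are not DCs: $(not_in "$answers" "$dcs" | tr '\n' ' ')"
    echo "DCs missing from DNS:       $(not_in "$dcs" "$answers" | tr '\n' ' ')"
    for host in "$@"; do
        ip=$(dig +short "$host" A | head -n 1)
        if [ -z "$ip" ]; then echo "$host: no A record"; continue; fi
        echo "$host -> $ip -> PTR $(ptr_status "$host" "$(dig +short -x "$ip")")"
    done
}

# Offline demo on constructed data.
SAMPLE_ANSWERS='172.22.8.14
172.22.8.11
172.22.8.12'
SAMPLE_DCS='172.22.8.11 172.22.8.12'   # assumption: only these two are DCs
echo "not a DC: $(not_in "$SAMPLE_ANSWERS" "$SAMPLE_DCS")"
echo "PTR present: $(ptr_status osxserver.brcc.local 'osxserver.brcc.local.')"
echo "PTR absent:  $(ptr_status osxserver.brcc.local '')"
```

On a client, the live check would be run as `audit_live brcc.local "172.22.8.11 172.22.8.12" osxserver.brcc.local`.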

  13. #13

    Quote Originally Posted by martin_hannah View Post
    Now I just need to figure out how I can instigate the updates automatically...
    I've not even started looking at this properly yet, but according to osx - Automatic updates on OS X Leopard - Super User the place to look is the softwareupdate command.

    Looking briefly at the man page it may well be the way to go.

    NAME

    softwareupdate -- system software update tool



    SYNOPSIS

    softwareupdate command [args ...]



    DESCRIPTION

    Software Update checks for new and updated versions of your software
    based on information about your computer and current software.

    Invoke softwareupdate by specifying a command followed by zero or more
    args.

    The following modes are available:

    -l | --list
    List all available updates.

    -d | --download

    -i | --install
    Each update specified by args is downloaded and unarchived,
    and also installed. The install flag requires root. args
    can be one of the following:

    item ... One or more update names.

    -a | --all All appropriate updates.

    -r | --req All required updates.

    --ignore ...
    Manages the per-user list of ignored updates.

    --reset-ignored
    Clears the list of all ignored updates.

    --schedule Manages the per-user scheduler preferences. args should be
    one of the following words:

    on | off Enable or disable automatic checking.

    -h | --help
    Print command usage.



    EXAMPLES

    The following examples are shown as given to the shell:

    softwareupdate --list

    * iPhoto-2.0
    iPhoto, 2.0, 34100K [recommended]
    * iSync-1.0
    iSync, 1.0, 4840K [recommended]
    * StuffItExpander7-7.0
    StuffIt Expander Security Update, 7.0, 4420K [recommended]
    - iCal-1.0.2
    iCal, 1.0.2, 6520K
    * AirPortSW-4.1
    AirPort Software, 4.1, 13880K [recommended] [restart]

    softwareupdate --install iCal-1.0.2

    Software Update Tool
    Copyright 2002-2003 Apple Computer, Inc.

    Installing iCal:
    0...10...20...30...40...50...60...70...80...90...100 Done.

    softwareupdate --ignore iCal iPhoto

    Ignored updates:
    (iPod, SafariUpdate)

    softwareupdate --schedule

    Automatic check is on



    ENVIRONMENT

    COMMAND_LINE_INSTALL Set when downloading or installing using the
    softwareupdate command. Scripts can check for the
    existence of this variable to determine if they are
    executing in a command line environment (i.e. there
    may be no WindowServer available).



    FILES

    /usr/sbin/softwareupdate Software Update tool

  14. #14

    Your DNS results match mine, assuming your backup DNS is also a domain controller.

    I do get a slightly different set of port results from nmap:

    Starting Nmap 5.21 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2011-01-19 14:20 GMT
    Nmap scan report for macxserver1.knutsford.local (172.16.0.6)
    Host is up (0.0034s latency).
    Not shown: 906 closed ports, 78 filtered ports
    PORT STATE SERVICE
    22/tcp open ssh
    88/tcp open kerberos-sec
    106/tcp open pop3pw
    111/tcp open rpcbind
    311/tcp open asip-webadmin
    389/tcp open ldap
    515/tcp open printer
    548/tcp open afp
    625/tcp open apple-xsrvr-admin
    1021/tcp open unknown
    1022/tcp open unknown
    1023/tcp open netvenuechat
    2049/tcp open nfs
    3659/tcp open unknown
    5900/tcp open vnc
    8088/tcp open unknown

    Nmap done: 1 IP address (1 host up) scanned in 6.07 seconds


    Are there any errors / timeouts in the logs of the client machines?
