Thanks for the reply, hum, I've not found any useful info on the web about this as yet either.
I've searched for some stuff I found in the console logs, but I think it's unrelated, it's quite hard to pin it down to when it's happening.
I'm running 10.6 Server and Clients, and I'm not using Deploy Studio, in fact this is my first test client that I'm having the problem with.
I've now tried a number of other things:
I stopped the clients from sleeping and it didn't drop the connection to AD for over 24hr, but then I tried a reboot and it didn't reconnect.
I've restarted a number of times today and sometimes it comes back up with both AD and OD connected, sometimes without OD.
It always looks bound in Directory Utility and it's always in the search path, though.
I've rebound to OD using the command line and this has changed nothing.
I'm getting to the point where I might try to run a script to "killall DirectoryService" as a startup item in order to kick it back into life, but I'm not too sure how to get this working and it would certainly be bodging it.
I have noticed this in my DirectoryService.error.log:
2010-06-21 00:08:56 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
2010-06-21 00:10:24 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
2010-06-21 00:11:41 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
2010-06-21 00:21:12 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
I'm also seeing:
21/06/2010 00:23:34 ServerScanner Not scanning because node /LDAPv3/Mac0.oakwood.local is in searchPath
Sometimes this refers to OD and sometimes AD?
Any ideas please?
Here's a System log where the client fails to reconnect to AD:
Jun 21 01:04:46 macosx1 com.apple.launchd.peruser.501 (com.apple.AirPortBaseStationAgent): Exited: Killed
Jun 21 01:04:46 macosx1 SecurityAgent: NSDocumentController's invocation of -[NSFileManager URLForDirectory:inDomain:appropriateForURL:create: error:] returned nil for NSAutosavedInformationDirectory. Here's the error:\nError Domain=NSCocoaErrorDomain Code=513 UserInfo=0x100140a40 "You don’t have permission to save the file “Library” in the folder “empty”." Underlying Error=(Error Domain=NSPOSIXErrorDomain Code=13 "The operation couldn’t be completed. Permission denied")
Jun 21 01:04:47 macosx1 loginwindow: DEAD_PROCESS: 42 console
Jun 21 01:04:47 macosx1 com.apple.loginwindow: LogoutHook: Executing /etc/hooks/LOcleanupclean.hook...
Jun 21 01:04:47 macosx1 macadmin: LogoutHook: Starting for macadmin
Jun 21 01:04:47 macosx1 shutdown: reboot by macadmin:
Jun 21 01:04:47 macosx1 shutdown: SHUTDOWN_TIME: 1277078687 279376
Jun 21 01:04:47 macosx1 mDNSResponder: mDNSResponder mDNSResponder-214.3 (Feb 11 2010 04:49:16) stopping
Jun 21 01:04:47 macosx1 mDNSResponder: mDNS_Deregister_internal: 51 _kerberos.macosx1.local. TXT LKDC:SHA1.4DC7A1D1C03651E88DAFDF1E20B08E8FAE91136B already marked kDNSRecordTypeDeregistering
Jun 21 01:04:47 macosx1 WindowServer: hidd died. Reestablishing connection.
Jun 21 01:04:47 macosx1 DirectoryService: dnssd_clientstub read_all(18) failed 0/28 0
Jun 21 01:04:47 macosx1 WindowServer: bootstrap_look_ip failed: Unknown service name
Jun 21 01:04:47 macosx1 DirectoryService: BUG in libdispatch: 10D578 - 1960 - 0x10004004
Jun 21 01:05:26 localhost com.apple.launchd: *** launchd has started up. ***
Jun 21 01:05:26 localhost com.apple.launchd: *** Verbose boot, will log to /dev/console. ***
Jun 21 01:05:31 localhost blued: Apple Bluetooth daemon started
Jun 21 01:05:31 localhost mDNSResponder: mDNSResponder mDNSResponder-214.3 (Feb 11 2010 04:49:16) starting
Jun 21 01:05:32 macosx1 configd: setting hostname to "macosx1.oakwood.local"
Jun 21 01:05:32 macosx1 configd: network configuration changed.
Jun 21 01:05:34 macosx1 bootlog: BOOT_TIME: 1277078726 0
Jun 21 01:05:35 macosx1 com.apple.usbmuxd: usbmuxd-190 built for iTunesNineOne on Mar 8 2010 at 20:25:36, running 32 bit
Jun 21 01:05:35 macosx1 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow: Login Window Application Started
Jun 21 01:05:36 macosx1 configd: network configuration changed.
Jun 21 01:05:38 macosx1 loginwindow: Login Window Started Security Agent
Jun 21 01:05:38 macosx1 WindowServer: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
Jun 21 01:05:38 macosx1 com.apple.WindowServer: Mon Jun 21 01:05:38 macosx1.oakwood.local WindowServer <Error>: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
Jun 21 01:06:08 macosx1 com.apple.DirectoryServices: Enter machine password:
Jun 21 01:06:09 macosx1 com.apple.DirectoryServices: DNS update failed!
Jun 21 01:06:56 macosx1 /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer: CGSKeyTranslateInitialize: KLGetCurrentKeyboardLayout or KLGetKeyboardLayoutProperty is not available, fall back to USA keymap
Jun 21 01:07:02 macosx1 SecurityAgent: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring...
Jun 21 01:07:03 macosx1 loginwindow: Login Window - Returned from Security Agent
Jun 21 01:07:03 macosx1 com.apple.loginwindow: LoginHook: Executing /etc/hooks/LIclean.hook...
Jun 21 01:07:04 macosx1 _mdnsresponder: LoginHook: Starting for macadmin
Jun 21 01:07:04 macosx1 loginwindow: USER_PROCESS: 42 console
Jun 21 01:07:04 macosx1 com.apple.launchd.peruser.501 (com.apple.ReportCrash): Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self
Jun 21 01:07:07 macosx1 ServerScanner: Not scanning because node /LDAPv3/Mac0.oakwood.local is in searchPath
Jun 21 01:07:08 macosx1 com.apple.launchd.peruser.501 (com.apple.Kerberos.renew.plist): Exited with exit code: 1
Jun 21 01:07:10 macosx1 com.apple.launchd.peruser.501 (com.apple.CSConfigDotMacCertfirstname.lastname@example.org-SharedServices): Exited with exit code: 1
And here's the console messages from the same reboot:
21/06/2010 01:05:26 com.apple.launchd *** launchd has started up. ***
21/06/2010 01:05:26 com.apple.launchd *** Verbose boot, will log to /dev/console. ***
21/06/2010 01:05:38 com.apple.WindowServer Mon Jun 21 01:05:38 macosx1.oakwood.local WindowServer <Error>: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
21/06/2010 01:06:08 com.apple.DirectoryServices Enter machine password:
21/06/2010 01:06:09 com.apple.DirectoryServices DNS update failed!
21/06/2010 01:07:03 com.apple.loginwindow LoginHook: Executing /etc/hooks/LIclean.hook...
21/06/2010 01:07:04 com.apple.launchd.peruser.501 (com.apple.ReportCrash) Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self
21/06/2010 01:07:07 ServerScanner Not scanning because node /LDAPv3/Mac0.oakwood.local is in searchPath
21/06/2010 01:07:08 com.apple.launchd.peruser.501 (com.apple.Kerberos.renew.plist) Exited with exit code: 1
21/06/2010 01:07:10 com.apple.launchd.peruser.501 (com.apple.CSConfigDotMacCertemail@example.com-SharedServices) Exited with exit code: 1
21/06/2010 01:09:23 com.apple.WebKit.PluginAgent Debugger() was called!
21/06/2010 01:09:39 com.apple.WebKit.PluginAgent Debugger() was called!
21/06/2010 01:09:45 com.apple.WebKit.PluginAgent Debugger() was called!
21/06/2010 01:09:46 com.apple.WebKit.PluginAgent Debugger() was called!
Don't know if I'm looking in the right place here, but clutching at straws now!
Your problem is DNS. I'm surprised you could not find anything, as this forum (as well as others) is full of threads such as yours. The platform will struggle and more than likely display the behaviour you're seeing if you're basing your domain around .local. Why? Because it reserves .local for Bonjour/Rendezvous services. All Macs will broadcast and discover themselves using it. It's not a good idea to switch it off either. How you name your Macs could also display similar behaviour. Don't use hyphens or any other non-letter/number character. Using .local can be made to work, but don't be surprised if you see problems. Having said that, other AD environments that don't use .local can also display similar or even different problems, which could be due to something else.
The most successful integrations of my experience are invariably with environments that have (a) been built to accommodate macs in the first place (b) the AD structure/organisation is fairly flat/simple (c) don't base the internal domain around .local (d) are not using RM.
Antonio Rocco (ACSA)
Thanks for your feedback, I have been wondering if it could be the .local domain name that I'm using for Windows that's causing me problems.
My Macs are being added to an OU in the root of the domain, so I guess I have a fairly flat structure from that point of view, and I'm not using any of that RM rubbish as we scrapped that years ago.
Could you tell me what you mean when you say "an environment that has been built to accommodate Macs in the first place"?
If in the future, when I replace the DC, I have the time to create a new domain in order to get rid of the .local issue, what else must I do to ensure that it is as easy as possible for the Macs to integrate?
I mean building an environment that takes account of the platform rather than adding them to a mature/legacy environment that was only ever built to accommodate the Windows platform.
In no particular order I would say it would mean:
Correctly resolving DNS on both pointers
Making sure there are no malformed SRV Records
Not using .local for your TLD
Making sure the PDC resolves to itself on both pointers
Not having a folder structure that nests folders within folders within folders etc
Making sure time synchronization is the same for all principals in the Realm
Removing 'ghost/dead' users and/or groups from Network Home Parent Container as these permissions will be honoured by the platform
Star Topology rather than a Cascading One
Gigabit to Desktop
WAPs that are N rated
The list is not exhaustive by any means. Basically all the things your PCs don't really care about. If you build the environment 'properly' and along Microsoft's Best Practices you should not see too many problems.
If all of the above seems like too much hard work you could consider using a 3rd-Party Solution such as Likewise or Centrify. Or modify the Schema yourself. Any of these methods would not necessarily involve OSX Server.
Perhaps you should re-post in the main forum? That way others who've been in a similar position to you will get a chance to offer some of the things they've tried that may or may not have worked.
Antonio Rocco (ACSA)
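As an added pre-flight check for the DNS items in the list above (resolution on both pointers, well-formed SRV records, no .local TLD, letters/digits-only host names), not code from this thread: the lookups are injected as callables so the script runs offline against a constructed zone, and `corp.example.com`, the dc1/dc2 records and the SRV lines are constructed sample data.

```python
import re
HOST_RE = re.compile(r"^[A-Za-z0-9]+$")  # DNS labels: letters and digits only, no hyphens

def check_domain_name(domain: str) -> list[str]:
    """Flag a .local TLD (Bonjour's multicast DNS zone) and labels with other characters."""
    labels, problems = domain.rstrip(".").split("."), []
    if labels[-1].lower() == "local":
        problems.append(f"{domain}: TLD .local collides with Bonjour multicast DNS")
    problems += [f"{domain}: label '{lab}' is not letters/digits only"
                 for lab in labels[:-1] if not HOST_RE.match(lab)]
    return problems

def check_forward_reverse(host: str, lookup_a, lookup_ptr) -> list[str]:
    """Both pointers: name->address and address->name must round-trip (lookups return None if absent)."""
    ip = lookup_a(host)
    if ip is None:
        return [f"{host}: no A record"]
    back = lookup_ptr(ip)
    if back is None or back.rstrip(".").lower() != host.rstrip(".").lower():
        return [f"{host}: PTR for {ip} is {back or 'missing'}, not {host}"]
    return []

def check_srv_records(name: str, short_lines: list[str], port: int, lookup_a) -> list[str]:
    """Validate 'dig +short <name> SRV' output: one 'prio weight port target.' per line."""
    if not short_lines:
        return [f"{name}: no SRV records"]
    problems = []
    for line in short_lines:
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            problems.append(f"{name}: malformed SRV record '{line}'")
            continue
        target = parts[3].rstrip(".")
        if int(parts[2]) != port:
            problems.append(f"{name}: {target} advertises port {parts[2]}, expected {port}")
        if lookup_a(target) is None:
            problems.append(f"{name}: SRV target {target} does not resolve")
    return problems

# Constructed sample zone (not from the thread): dc1 healthy; dc2 has a stale PTR and a wrong SRV port; last SRV line is garbage.
SAMPLE_A = {"dc1.corp.example.com": "10.0.0.5", "dc2.corp.example.com": "10.0.0.6"}
SAMPLE_PTR = {"10.0.0.5": "dc1.corp.example.com.", "10.0.0.6": "olddc.corp.example.com."}
SAMPLE_SRV = ["0 100 389 dc1.corp.example.com.", "0 100 3268 dc2.corp.example.com.", "garbage"]

def run_sample() -> list[str]:
    a, ptr = SAMPLE_A.get, SAMPLE_PTR.get  # dict lookups stand in for the resolver here
    return (check_domain_name("oakwood.local")
            + [p for h in SAMPLE_A for p in check_forward_reverse(h, a, ptr)]
            + check_srv_records("_ldap._tcp.corp.example.com", SAMPLE_SRV, 389, a))
```

For a live check, pass `socket.gethostbyname` and `lambda ip: socket.gethostbyaddr(ip)[0]` (each wrapped to return None on `OSError`) as the lookups, and feed the output lines of `dig +short _ldap._tcp.<domain> SRV` to `check_srv_records`.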
Thanks for all those suggestions, if I ever get the time I might set up a fresh domain.
What does seem a little odd is that my 10.6 server doesn't seem to drop the connection to AD in the same way as the clients? Can't really see how this is any different?
I don't know why you would assume this, because the Server should not be configured the same as the clients. Perhaps you've forgotten? What I do is bind the Server to AD first, verify I can access and 'read' User and Group information from Active Directory and then promote to Open Directory Master with Kerberos stopped. This is 'classic' AD-OD Integration or - if you like - Magic Triangle Deployment. Once the Server has been promoted to OD Master it places itself automatically and by default above the Active Directory/All Domains entry in the Directory Utility's Search Policy field.
On the Server in a classic AD-OD Integration this is how it should be.
Clearly on the client this does not happen. Clients are generally bound to AD first and then joined to OD with no requirement for any authentication or contact information when configuring the LDAP plug-in.
Perhaps this is contributing to the problems you're seeing?
Antonio Rocco (ACSA)
Hi guys, I'm not sure if I should be replying in here or creating a new thread, it's regarding some issues we're having connecting 12 iMacs to our Active Directory domain.
I've successfully bound them to the Domain, however, only 8 of the 12 are able to log on at any one time.
The 8 that are able to connect are also random, so it's never the same 8.
Any suggestions would be greatly appreciated!
Those of you who may be interested: I have made a new article on AD integration for 10.7
Active Directory integration 10.7