As long as our server guys refuse to roll back those server patches, this is my only option. This issue is still ongoing for us too! We are a new customer to JamF Pro Dec As it takes quite some time to discover everything Jamf Pro can do, we are just getting around to this issue now as it started to really affect our environment. OS X devices seem to be dropping off more and more. I have not tried anything else other than your workflow you described above.
It works and we are happy with the result. Hopefully a real fix will appear one day. Thanks everyone for their input. After a LOT of troubleshooting and observation, I noticed something odd that is a factor in this for us. For the computer this happened to the most frequently - at least once every other week for several weeks - I talked with the user about something unrelated and I found out that he always turned his WiFi off before shutting his MBP off at the end of the day. I asked him why he did that and he said "it's just a habit of mine."
Lo and behold, the problem went away! His computer went 2 full months without dropping off AD. Now it did eventually happen again but it definitely wasn't as frequent as before. Another thing I did after that was to add dsconfigad -passinterval 0 to my workflow and that also seems to help reduce repeat occurrences. Why would disabling WiFi have any effect on the AD binding? We are using The problem still exists but at least now it's so infrequent that it doesn't keep me up at nights pondering the situation.
Does anyone have any further updates to this issue? The AD drop off is occurring on most of our Macs at some point. Some more than others. So I thought I would try the 'dsconfigad -passinterval 0' on our Mac Lab to test.
Didn't do much to resolve the issue. The Macs are still dropping off the domain. It's never all of them, only a handful. I must admit this issue has increased over the past 10 months. Maybe the AD drop off issue was occurring as much as it did prior to us implementing Jamf Pro, but without Jamf Pro and the awesome script from mm one would never know other than users reporting they cannot see Domain printers or file shares.
The defaults don't work for everyone, and it was because the computers that had the issue were not updating their DNS record on the server, so after trial and error I set my scavenge settings to be: No-Refresh Interval: 6 hours Refresh-Interval: 15 days. We had two labs drop AD twice in the last two weeks. The other two are fine, go figure. It'd be nice to be able to resolve this. Was this setting changed on the domain server or on the machines themselves? These devices are all running Sierra. This has NOT resolved the issue but so far it has slowed it down considerably.
All of our Payloads are managed by Jamf Pro. Learning Common Macs setup - Took many days especially the machines with no SSDs. This issue is also occurring on our Ethernet Connected Labs all running Over the weekend pretty much all of our Mac Pros fell off the Domain.
Only when they need to add a Network Printer as the Printer list does not show up. We have this issue often, too. It's not as much now because we added the AD bind to a configuration profile rather than policy, so the profile is "installed" rather than just deployed. The issue I keep seeing, however, is that after I've imaged the MacBooks and confirmed it'll log in to an AD account, over time if the Mac hasn't been used, it's like it'll never see AD again once turned back on.
Before I continue, I just want to tell you that for all those that don't believe this has to do with DNS specifically, you can contact a level 2 Apple engineer and if he has any networking experience, he can confirm this to be the case. The most probable cause if computer was already bound and working fine for Network Accounts unavailable has to do with DNS between the client computer and DNS server, in most cases the Active Directory server which is running the DNS as well. Ok, so if you right click the DNS server and you change those settings to what I wrote, I can almost guarantee you will resolve your issue.
Which part of the process you don't understand so I can be more specific? I edited post to include image of the scavenging settings I have. Thanks, almonte32! Unfortunately, I have no control over our DNS server as I am at a large university and that's handled by other techs I have no real contact with. I'll see if I can contact those folks and ask if it's possible to investigate making the changes. We have thousands of machines, so asking to make a change for a small section of machines that are having issues just may not happen.
It's funny, I actually was working on this problem again as I had a large group drop off the last couple of days after a month of playing nice. This thread was the top result, and I had forgotten I had commented here. I was able to get mm script to work in our environment by adding a -F to the grep flag in line This was causing a machine joined to the domain to report "No - AD Lookup Failed" from line 27 when it was indeed joined. Sharing this in case anyone else is seeing similar issues. I'm just now starting to apply this to our environment to try and understand the scope of our hosts that have lost connection to the domain.
We have about 60 hosts bound and are finding issues here and there with AD password changes from intranet site being out of sync with macOS. When the AD binding breaks they never get the update your keychain prompt and are effectively logging in to mobile profiles while on the network. Can anyone else who attempted the "fix" almonte32 posted above verify this has helped you with your AD connection failures on the Macs? I figured if they are poking around, now might be a good time to ask them to look at this too. Hello lmeinecke I am also working on modifying the script for our environment.
We are running into a small issue with finding no keychain for the AD. Did you find a workaround for this considering the script is quite old? I was going to comment out the keychain echo piece but without being much of a scripter, I didn't know if this would throw out false positives. I did not have to modify the security find-generic-password line.
Make sure you're specifying your domain name in all CAPS as I found that was the case with mine and mentioned in other threads. It wasn't FQDN either. If you're core. I was failing on that line last Friday and couldn't get this to work for anything but then I slept on it and came back. Sure enough it was working. It could have been VPN, I don't know. If I run the script manually after the tunnel comes up it does take sec before the AD state results transitions from remote to yes. I've got this deployed in our environment now and I'm waiting on recon to run on all hosts to get data updates.
I've already got smart groups starting to update showing healthy AD accounts that can lookup their own hostname and some that are showing remote because they are offsite without VPN nailed up. Hi, This document discusses what I was suspecting from a read of the topic. The computer account password is not getting updated. Computers running Deep Freeze lose connection or fall off domain. I'm not saying the document has a solution that will work for you, but it does seem like they are describing the issue.
An auto-rebind script seems like a good plan. Not tested, but you could include a boot launchd that spits out all DNS and related traffic using tcpdump. Then just review logs during your outage.
Lock ticket viewer to the dock and train the users to use it, etc. This issue can be a downright plague. We have over DC in our global environment and a lot of them are unreachable. I just rediscovered this thread and it made me think I have had maybe 2 Macs randomly lose their AD binding in the past 2 years. I've done nothing toward fixing this other than the detection via an EA that sends me an email and the automated script that fixes it as it happens. The only things I have done are upgrades to High Sierra and Mojave.
However with the initial manifestation being triggered by a Windows Server patch, I might have to think that something on the Windows Server side fixed it for me too. It just happened so long ago, and I had an automated system in place that didn't require my constant attention, I basically forgot about this issue. It still bothers me that no one can put their finger on the definitive cause. There's no telling if this kind of thing could happen again. AVmcclint would be able to share your rebind script? Build a Policy that runs at recurring check in and is scoped to a smart group with the following criteria:
The Script is the one above. Directory Binding is whatever you have configured for Directory Binding. Maintenance is to run Inventory -Ignore Files and Processes in this screenshot. I run an extra command for our internal purposes that has no bearing on the fix. Thanks so much!
MacOS High Sierra on AD domain - Spiceworks
It turns out my error was due to incorrect permissions on the service account we were using to bind as well as our computers being spread across different OU's in AD. Many thanks Zahid. Thanks Tammi, Davidacland, I like your suggestion of rejoining the domain automatically.
Sorry I don't have an up to date script to hand otherwise I would just post that! Thanks everybody for your advice. Select "Script" as the input type. However, I have overridden this as mentioned in my original post point number 2 under "Now the problem" I've turned Deepfreeze for several days no difference. Thanks for the help! AVmcclint Or it could be another opportunity to ditch AD. AVmcclint Hello. Cheers a. Hello Does anyone have any further updates to this issue? And yes, this is way more frequent for us in Sierra than it was in ElCap.
Cheers, A. COM domainx. COM domainy. Hope this helps. EA for determining AD bound status! Without fail, on a restart, you cannot log in as a domain user.
When you then log back in as an Administrator however, sometimes you have the "Domain not responding" red ball, sometimes you get a green ball for "working normally" and you can then log in successfully as a domain user or sometimes there is no indication you were bound at all, and if you go into Directory Utility you need to force unbind and rebind. What is consistent is that the Mac will always lose the bind on a restart. I have also tried using Thursby's ADmitMac to bind to AD, however, this won't allow you to log-in even before a restart, you only get "Some network accounts available".
This leads me to believe the problem is on the domain controller side, but any hints or tips would be most appreciated! Surely there can't be hundreds of thousands of snow leopard macs that can't stay bound to AD?! Just to add in, our domain IS a. If you're using Deep Freeze this can cause a further 30 second delay.
Automount and LDAP on Mac OSX
Apple reserve. They're going to be doing this first before trying to use it to resolve their DNS. Their primary concern is the main Windows platform where most of the workstations are. What is clear is if the AD Domain has been configured from the outset to accommodate Mac workstations you don't see the problems.
How the AD is configured clearly plays a large part in how well Macs can work in an AD environment. I've yet to see any AD that can be said to be 'out-of-the box'. I've not seen two ADs the same either. The AD environments that cause the most problems tend to be mature 'Legacy' ones that have had many 'hands' at the helm. Each one not necessarily telling their successors what they've done.
If it's CC4 give up now and look to run a parallel OD environment instead. Since It's not perfect though. Things you could try: Assign Static IP addresses for Mac workstations.
In the Search Domain field leave it blank to begin with and see if it improves matters. Or don't put in the whole domain name just key in 'local'. Avoid using hyphens in the computer names.
Thanks to Carter from:
You could issue this command prior to binding to AD: sudo dsconfigad -passinterval 0 Might help? Asking the IT Admin to extend the Time Sync interval from the default 5 minutes to 10 might also help? It's worth a try?