1

We have three MacOS machines, all running 10.4.x, bound to our Active Directory network. The domain has two DCs on a single subnet (192.168.1.0/24). One of the DCs (the secondary one, which does not hold any of the 5 FSMO roles) is currently off-line. It's physically shut-down because its boot volume is hosed.

Since the secondary DC went off-line, two of the three Macs have been unable to do standard Active-Directory authentication. I can't log in to either of them as an AD user, I can't use AD credentials in a UAC prompt, and I can't even run "Directory Access" -- it starts up but then becomes unresponsive and I need to force quit to close it.

I can, however, get a Kerberos ticket for an AD user, with the "Kerberos" GUI utility. And when I run 'dsconfig ad -show' on one of the offending Macs, I see the primary DC (the one that's actually running right now) in the "Preferred domain controller" line.

And all of our Windows machines (running XP Pro) are authenticating just fine against AD -- which would rule out any replication problem, I think.

Just wondering what I can do next to troubleshoot this.

Update on Friday afternoon, August 7
Both machines just stopped having AD trouble. I did restart them both, but I had done that twice before with one of them, to no avail. So I guess the question has become academic at this point. Still interested in hearing how anyone else would troubleshoot this.

drAlberT
  • 10,949
  • 7
  • 39
  • 52
Ben Dunlap
  • 410
  • 5
  • 10

1 Answers1

1

Not being able to run Directory Access is a problem. You definitely shouldn't be seeing that. I've run into many issues with macs and AD over the years and I've never seen that. I'd recommend unbinding and rebinding them. Since you are unable to use Directory Utility you're going to have to use the DSCONFIGAD command in terminal. You can man it or view the following article:(there are many on the net that explain this)

http://www.peachpit.com/articles/article.aspx?p=1246089

Unbind and bind using the instructions in that article and see if that fixes it. In theory, losing a DC should not have affected it's connectivity, however I've seen macs cry when and Open Directory Master goes down even though it should be able to connect to a replica, so I'm not surprised it's pissed. You may also want to check your DNS. If the dead DC can still be resolved by doing an NSLOOKUP on your DOMAIN then I bet the mac might be trying to hit it. It's probably not as resilient as windows clients are when a DC dies.

Tatas
  • 2,081
  • 1
  • 13
  • 19
  • "I've seen macs cry when and Open Directory Master goes down even though it should be able to connect to a replica" -- only in this case it's the replica that's down... but the master was also down briefly this morning, so maybe the Macs just got in a tizzy and never came out. – Ben Dunlap Aug 07 '09 at 23:22
  • There are definitely still live DNS records for the dead DC -- I was also wondering what the best way was to temporarily nix those, but I guess that's a separate question. – Ben Dunlap Aug 07 '09 at 23:23
  • If you had split dns you might be able to do it. Binding might be an issue though as your srv records would probably get delegated down to AD DNS, those would be tought to clean out and I wouldn't recommend doing that ever anyways. It'd be interesting to see though. Luckily(knock on wood) I haven't had a DC failure like that yet to test it out. – Tatas Aug 08 '09 at 06:12