# Active Directory Binding Startup and Shutdown items



## kalantna (Feb 10, 2005)

Ok. I'm a Mac IT/Admin at a university. I have about 150 lab machines running OS 10.3.x that are bound to a Windows Active Directory server.

1. A good many of these machines are becoming "unbound" from the server and as a result students are unable to authenticate against Active Directory (AD). I then have to log in, launch Directory Access, and remove the AD authentication node in the Authentication tab. Then I have to go to the Services tab, open the Active Directory configuration, and unbind the machine. Click OK. Then disable the Active Directory service, apply the changes and restart.

2. After the restart I have to open Directory Access, open the Active Directory configuration, rebind the computer, and click Apply. Then I have to go to the Authentication tab, add the resulting AD authentication node back and click Apply.

Log out and everything is fine for further authentication.

The machines lose this binding quite frequently, so I do this probably 5-10 times a day.

What I want is help making a shutdown item that will do item 1 and a startup item that will do item 2.

I know how to use the terminal to add a computer via the dsconfigad command, but I can't figure out how to clear out the authentication node and disable the Active Directory service and apply it all.

That and add in the fact that I have never created a startup or shutdown item for OS X.

Any help would be appreciated.


----------



## StarBuck (Feb 10, 2005)

Have you made sure all the machines are pointing to a time server? I found I would lose my bindings if my time was more than 5 minutes out.


----------



## kalantna (Feb 10, 2005)

They are all set up to use the Apple time server.


----------



## Go3iverson (Feb 10, 2005)

Do a search for ADHook.sh over at www.afp548.com.  Josh Wisenbaker wrote the hook that will bind a machine on login for you.  The property lists you're looking for are in /Library/Preferences/DirectoryService.

DirectoryService.plist indicates which DS's you have active, pretty much the check box properties.

SearchNodeConfig.plist is what keeps all of your specific node information.  Technically, if you want to use the same AD server for all of your clients, you could always keep copies of this file in /Users/Shared and create a startup item that checks that the proper info is in these files and, if it's not, copies the 'backup' files into the live system.  

Ideally, though, you should be searching those logs to see what conditions are causing the machine to become detached from the AD.  Try to pinpoint whether it's the AD removing the Mac OS X machines in some sort of cleanup, or the OS X machines just blowing out their DS config files.
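
An added example (not a script from either poster) that puts kalantna's unbind/rebind steps and Go3iverson's config-check-and-restore idea into one StartupItem-style shell script. It assumes the dsconfigad flags -a/-r/-u/-p/-domain/-f as documented in the 10.3/10.4 dsconfigad(8) (verify them on your release), an assumed root-only credentials file /var/root/.adjoin defining AD_DOMAIN, AD_USER and AD_PASS, an assumed root-only backup directory /var/root/dsbackup, and that the string `/Active Directory/` appears in SearchNodeConfig.plist whenever the AD node is on the search path. Two points worth adding to the advice above: /Users/Shared is world-writable, so a startup item that copies a backup from there as root lets any lab user plant a DirectoryService configuration of their choosing, which is why this script refuses any backup or credential file that is not root-owned and free of group/other write bits; and dsconfigad of this era takes the join password on the command line where `ps` can see it, so use a least-privilege join account that can only manage computer objects in the lab OU.

```shell
#!/bin/sh
# Added illustration for this thread, not a script from the original posters.
# StartupItems are invoked with "start" / "stop" / "restart"; no argument = check only.
# ASSUMED: dsconfigad flags -a/-r/-u/-p/-domain/-f as in the 10.3/10.4 dsconfigad(8).
# ASSUMED paths: /var/root/.adjoin (AD_DOMAIN/AD_USER/AD_PASS) and /var/root/dsbackup.

DS_DIR="${DS_DIR:-/Library/Preferences/DirectoryService}"
CRED_FILE="${CRED_FILE:-/var/root/.adjoin}"
BACKUP_DIR="${BACKUP_DIR:-/var/root/dsbackup}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = only announce dsconfigad/cp/killall, never run them

# Returns 0 if the search-policy plist lists the Active Directory node, 1 otherwise.
ad_node_present() {
    [ -r "$1" ] || return 1
    grep -q '/Active Directory/' "$1"
}

# Returns 0 only if the file is owned by TRUSTED_OWNER (default root) and is not
# group- or other-writable. A copy kept in /Users/Shared fails this on purpose:
# root must never install a config that any lab user could have edited.
safe_to_trust() {
    [ -f "$1" ] || return 1
    want="${TRUSTED_OWNER:-root}"
    owner=$(ls -ld "$1" | awk '{print $3}')
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$owner" = "$want" ] || return 1
    case "$mode" in
        ?????-??-?) return 0 ;;   # column 6 (group w) and column 9 (other w) are clear
        *)          return 1 ;;
    esac
}

# Arguments are withheld from the dry-run message because they may carry AD_PASS.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $1 (arguments withheld; they may include the join password)"
    else
        "$@"
    fi
}

load_creds() {
    safe_to_trust "$CRED_FILE" || { echo "refusing credentials file $CRED_FILE" >&2; return 1; }
    . "$CRED_FILE"               # defines AD_DOMAIN, AD_USER, AD_PASS
}

# Step 1 from the post: leave the domain (the plugin also removes the computer object).
ad_unbind() { run dsconfigad -f -r -u "$AD_USER" -p "$AD_PASS"; }

# Step 2: rejoin under this host's short name.
ad_bind() { run dsconfigad -f -a "$(hostname -s)" -domain "$AD_DOMAIN" -u "$AD_USER" -p "$AD_PASS"; }

# Go3iverson's suggestion, hardened: restore both plists from a root-only backup,
# then bounce DirectoryService so it rereads them.
restore_ds_config() {
    for f in DirectoryService.plist SearchNodeConfig.plist; do
        safe_to_trust "$BACKUP_DIR/$f" || { echo "untrusted backup $BACKUP_DIR/$f, skipping restore" >&2; return 1; }
        run cp "$BACKUP_DIR/$f" "$DS_DIR/$f"
    done
    run killall DirectoryService  # ASSUMED: the daemon is relaunched automatically on 10.3
}

case "${1:-check}" in
    start)
        if ad_node_present "$DS_DIR/SearchNodeConfig.plist"; then
            echo "AD node already on the search path; nothing to do"
        else
            load_creds || exit 1
            ad_bind && restore_ds_config
        fi ;;
    stop)
        load_creds || exit 1
        ad_unbind ;;
    check)
        ad_node_present "$DS_DIR/SearchNodeConfig.plist" && echo "AD node present" || echo "AD node missing" ;;
esac
```

To use it on a real client you would install it as the script of a StartupItem (for instance /Library/StartupItems/ADRebind/ADRebind, an assumed name, alongside the StartupParameters.plist every StartupItem needs), create the credential and backup files as root with mode 0600, and set DRY_RUN=0. The `check` mode is safe to run by hand on a machine you suspect has dropped its binding.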


----------



## Go3iverson (Feb 10, 2005)

You shouldn't really lose your bindings if your times aren't set right, though it will cause Kerberos to fail.  Secondly, since the AD plugin relies on this, it will cause the login, in general, to fail.  

I have a feeling that your machines weren't becoming disconnected from the AD, they simply weren't being recognized by the DS properly because of the time restrictions AD/AD plugin/Kerberos has on it. 

Rule of thumb: in Kerberos/AD environments, always be sure to use network time.


----------



## kalantna (Feb 13, 2005)

I don't believe it's a time issue. All the machines are set up to use the Apple Time server, EST time.

I'll look into your suggestions. I do have one question though, isn't binding to AD via a login hook like putting the cart before the horse?

How would the machine get the info it needs for the user logging in if it's telling itself to bind upon login. Seems a bit backward to me. Of course I am wrong frequently.


----------



## Go3iverson (Feb 13, 2005)

Personally, you really should be finding out why your machines are dropping out of AD.  Check logs on both ends.  Are there other admins in your environment?


----------



## kalantna (Feb 15, 2005)

We're on that as of this week. I believe in covering all bases so that if we couldn't track down the problem I could at least have this system set up to assist me. This way if a machine becomes "unbound" the user only has to restart the machine and I don't have to get off my lazy duff and go do it ;-)


----------



## Go3iverson (Feb 15, 2005)

Out of curiosity, when you rebind the machines, are you asked if you want to join the pre-existing account?  I'm asking so that we can decipher if AD keeps the computer account.  If the Mac truly unbinds, in a full process, the AD plugin will remove the computer account from AD as well.  Check on the Macs to see if the properties are intact.  Get your inspector's cap out.  You'll get to the bottom of it!


----------



## kalantna (Mar 8, 2005)

Actually come to think of it I don't get the "join existing account" message anymore.


----------



## Go3iverson (Mar 8, 2005)

Ok, that's narrowing your scope down!

Either AD is deleting the Mac computer records, or the Mac is actually performing the un-bind process, on its own, which is far less likely.

If your property list files were simply being deleted from the client, the computer account would still reside in AD, as the AD plugin will remove its computer account when you un-bind.  

I see you use 10.3.3, what version of the OS are you running on your machines at the school?  Everything pre-10.3.4 was very buggy in AD environments.  Personally, 10.3.5 seems to be the really nice, stable, sweet spot for most users.  If you have OS X Server involved, you really want to stay at 10.3.5 as the newer versions have a different Samba build which can cause some issues with Win clients, though that can be fixed, in some cases, by editing your smb.conf file with a new attribute.


----------

