Posted: 4/29/2008 3:05:29 PM EDT
A client of ours decided (against our better judgement) to lease 40 MacBooks and an Xserve server to replace some aging Windows machines. The existing infrastructure was entirely Windows. We have kept the 5 Windows 2003 servers in place, along with roughly 20-25 Windows boxes. The Apple rep in charge of this deployment of MacBooks told us that by using the Xserve and "Open Directory" (apparently Apple's version of AD), we could bind the Xserve to the Domain Controller (Windows) and the MacBooks would then authenticate through the Xserve to AD. Great theory I suppose, but it has been nothing but problems since. We've been on this project for 3 weeks now and Apple has no answer whatsoever on the issue.

When the Apple tech was onsite helping us prep the MacBooks, they created a master image from a MacBook we set up. It was unbound from the domain, with just the software we needed installed, the dock set up and the proxy info added to the wired and wireless connections. From there we did a netboot on each MacBook and restored the master image to each one. We then bind it to the domain (again, Xserve to AD). Each machine boots up just fine, and users can log in... but only one at a time!

Before we started this deployment I ran through a bunch of questions I had, including asking whether the MacBooks had a SID and how we'd go about changing that after the master image restore. Both Apple techs and the account manager told me "it does that automatically on its own. We don't need to do little things like that on MacBooks like you do on a Windows laptop." Call me silly, but now only one MacBook out of 40 can be logged into the domain at a time... it isn't throwing an error like a duplicate computer exists on the network or anything, it just fails to authenticate.

To make matters worse, the guy in charge of this at the school didn't think about the fact that all of the software they use day in and day out is Windows based, with no Mac versions available. So now each MacBook is set up to use Terminal Services to log into a Terminal Server that has the apps running on it. So in essence, everything being used is Windows based... except these dumb-terminal MacBooks. Any ideas on this?? I'm stumped, the other techs are stumped, and the Apple reps told us "we've never seen this before." -d
Really, no one has a clue? We met with the Apple "techs" today on-site... they said "it is your network, can't help that." So we asked them what about our network was the problem... first they said it was DHCP... so we set a static IP... still had the problem. Next they said it was DNS... so we made a DNS entry for the MacBook... still had the problem. Finally they ran out of excuses and said they'd take the logs back to the "enterprise" people, since only "Enterprise clients would think about mixing the two environments... and even then they go Apple completely." They talk the talk, but can't walk the walk. -d
You may want to post this to the MacEnterprise list: http://lists.psu.edu/archives/macenterprise.html There are known issues with AD binding and OS X, and unfortunately there are far too many installation-specific variables to make it an easy thing to troubleshoot. Your best shot is to find someone who has had this problem. You may also want to look through the archives at afp548.com. In my experience even advanced Apple techs are not Windows savvy, and it sounds as if there is no one in this scenario to identify and translate possible problem areas between the two installations. Even though the K-12 rep and his systems engineer should be able to access other engineers and the core Open Directory engineers at Apple to help, that may still be a problem. How important is this client?
I'll have to try that. Thanks! Not sure why they can't figure this stuff out... they are blaming it on the network again. "Your Cisco switch is the cause of these problems... replace those and you won't have these delays." There is one Cisco switch, while the other 8 switches are HP ProCurves. We unplugged the Cisco switch and used one of their own Apple AirPort routers... and the MacBooks still had the problem. Being inept doesn't mean you should blame everything other than your own product. We've pointed out to the administration that if they had gone with the Dells we suggested 3 months ago, this whole issue would be moot and the teachers and staff would be happy and content. -d
Just an FYI: I tried to do the EXACT same thing about 3 years ago. Apple "tech" support is a joke for anything more than your iPod or clicking on icons. I spent 4 months trying to get it to work RELIABLY, no dice. I had the same issue with SIDs; they didn't even know what the fuck that was. "That's a XXX problem" was their default response (replace XXX with MS, Cisco, HP, DNS, Adobe, Jesus etc.). THEY could not even get it to work. When they could not get it to work they got mean and basically started insulting me for "contaminating" (their words) a Mac network with Windows servers. Only an "idiot uses Cisco crap" was my final straw. My solution? I finally quit. In the minds of Apple "Techs" their product can only fail in the hands of non-believers. If you EVER get it to work properly for more than a week, let the world know.
A little background on the story of events here. This school has 4 servers, 1 terminal server, about 50-60 workstations and about 14 printers. About half of their computers were 800 MHz P3s running Win2000. It was time to get rid of these and get something better. We provide the IT support for the school. There is one full-time guy who is there, and occasionally I or another guy will drive up to the school to help out on projects or just to be a second man on duty type of thing.

Here is the kicker... the school has its own "technology board", which consisted of two regular school board members, a computer teacher, the principal and vice principal. None of them know computers that well, including the computer teacher, like we do as the "experts." But we aren't asked for our opinions on this technology upgrade. One of the guys is a Mac fanatic. The guy would drive an iCar if one was available. He's the guy that got us into this mess. He pushed and pushed, and then pushed some more to lease a bunch of MacBooks and an Xserve because "Windows machines just have so many problems" according to him. The board went with the Macs because this guy told the board that Dells would be too expensive and too hard to deploy to the teachers. Again, we were not consulted at all. The MacBooks arrive and he just wants things to be plugged in and working out of the box.

We've been on this project for close to 3 months now. Honestly I could care less if we lost this client as long as their "Technology" board is run by a bunch of hobbyists at best. Bad choice after bad choice was made in this project, and now we as the IT company are having to figure out stuff on our own because the vendor doesn't have the answers. If you can't tell, this whole thing has gotten me worked up... and I'm not the primary guy on it. I'm just trying to keep his head in the game and be supportive where I can. Operation Applesauce is a bust. -d
Did you try the fix in that link I sent you above? It's basically the equivalent of regenerating the SID; based on your symptoms and the symptoms described in the article, that should take care of it. I'm the IT Manager for a hospital and I use a MacBook Pro, but I know that Windows has its place. I am a Mac fan but would NEVER try to push Macs out into a production network, unless of course they were doing some hardcore multimedia or video editing.
Bingo. I feel for you, dizza. This is a rat fuck from the beginning. When I saw "Technology Board" in your post I went "ah, well, there it is". I'm curious how the board will review the cost/downtime factors involved in following the Mac guy's plan.
Email me. I have 40 Windows 2003 AD servers (1 at each site) with 80 Xserves (2 at each site) bound to AD for authentication, Cisco switches, as well as client machines set up bound to AD for authentication. I might be able to give you some suggestions. Also, if you are binding and unbinding the same workstation trying to get it to work, it can lead to problems if you bind/unbind too quickly (before AD can sync the DCs).

First off, on your Cisco switches, you MUST turn on port fast on all Mac-attached ports (I make it the default). One of the main authentication problems I had was that. I set up a machine and it worked once, like you said. I left, and the next morning the user could not log in. I traced it down to the Mac booting up quickly enough (faster than the Cisco spanning tree checks) that the initial login dialog box failed to connect to the AD servers for authentication (DNS lookups would fail and the initial bind would fail). If you wait long enough, the Mac will eventually authenticate. Turn on port fast and it will work immediately. If an Apple rep/SE told me to replace my Cisco switches, I'd laugh at him and get a new SE. Chances are this is caused by port fast, but I can suggest some other things, so just shoot me an email.

ETA: "port fast" in non-Cisco speak is turning off spanning tree checks on ports that will not be uplink ports. Cisco/HP/etc. used to have spanning tree either on or off; "port fast" brings up the port while it checks for loops rather than segmenting it off from the network (i.e. standard spanning tree checking). So, for the HPs, look up how to turn off spanning tree and see if that helps.

As for the duplicate SIDs/names in AD, for imaged machines, once we image a machine we change the client name before we bind. Mac OS X doesn't have a "SID" like Windows XP; it's more based off a unique hostname from what I've seen.

Chris
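The port-fast setting Chris describes, as an added configuration example (it is not from his post, from the original poster, or from Apple). The interface names, port range and switch models are assumptions. The first fragment is the default that delays the port; the second is the corrected edge-port configuration on Cisco IOS, followed by the equivalent on HP ProCurve firmware that runs RSTP/MSTP. Apply it only to ports that face a single end host: on an uplink, or any port that might one day see another switch, skipping the listening/learning states can create a loop, which is why BPDU guard/protection is paired with it so the port is shut down if a switch's BPDU ever arrives.

```text
! Cisco IOS, before: access ports sit through STP listening and learning
! (roughly 30 seconds of forwarding delay) while the Mac is already trying
! to reach DNS and the domain controllers from the login window.
interface range FastEthernet0/1 - 24
 switchport mode access
!
! Cisco IOS, after: edge ports forward immediately; BPDU guard errdisables
! the port if a switch is ever plugged into it.
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! HP ProCurve equivalent (RSTP/MSTP firmware): mark the host ports as
! edge ports and protect them the same way. Port numbers are assumed.
spanning-tree
spanning-tree 1-24 admin-edge-port
spanning-tree 1-24 bpdu-protection
```

To confirm the port is the problem before touching switch config, watch the link light on a MacBook at power-on: if the login window appears before the port goes green, the login attempt is racing the spanning tree delay exactly as Chris describes.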
The technology board is now one guy... yep, everyone else dropped out of it because of various reasons. We are asking that any future IT related purchases or reviews go through us at some point, just so we are aware of what is being done and we can give our opinion. Whether it is listened to or not, is a totally different story. -d |
I haven't read everything yet, but what's the internal DNS name you're trying to bind to? I found out the hard way not to use a ".local" domain when trying for interoperability between Windows and Mac. That's waaaay back when I was a Mac n00b, like seven months ago.
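Chris's step of giving each imaged machine a unique name before binding, together with the warning just above about ".local" domains, as an added shell example (it is not from the thread and not Apple's own tooling). It derives the computer name from the Mac's serial number, so two machines restored from the same master image can never present the same computer account to AD; refuses a domain ending in .local, because OS X hands *.local names to multicast DNS (Bonjour) and lookups for the domain controllers then never reach the DNS server; sets all three OS X name fields consistently; and binds with dsconfigad using the 10.5-era flags. The prefix "lab", the domain, account, OU and the DO_BIND guard are assumptions, and the script must run as root on the imaged Mac.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple: rename a freshly imaged
# Mac to a unique, AD-safe hostname and bind it to Active Directory.
# Assumptions: run as root on an OS X 10.5-era machine, dsconfigad(8) flags
# of that era, a hypothetical prefix "lab", and an AD account that is
# allowed to create computer objects in the target OU.
set -eu

# Build <prefix>-<serial>, lower-case, restricted to [a-z0-9-] and cut to
# the 15-character NetBIOS limit that AD enforces on computer names. Keep
# the prefix short so the unique part of the serial survives the cut.
make_hostname() {
    prefix="$1"
    serial="$2"
    clean=$(printf '%s-%s' "$prefix" "$serial" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9-')
    printf '%s' "$clean" | cut -c1-15
}

# Reject *.local AD domains: OS X routes .local names to multicast DNS
# (Bonjour), so lookups for the domain controllers never reach the DNS
# server. Returns 0 if the domain is usable, 1 otherwise.
domain_ok() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$d" in
        *.local) return 1 ;;
        *)       return 0 ;;
    esac
}

# Read the hardware serial number from the I/O Registry.
mac_serial() {
    ioreg -c IOPlatformExpertDevice -d 2 \
        | awk -F'"' '/IOPlatformSerialNumber/ { print $4; exit }'
}

# Set ComputerName, LocalHostName and HostName to the same value, then
# bind; dsconfigad creates the computer object under the given OU.
bind_mac() {
    prefix="$1"; domain="$2"; aduser="$3"; adpass="$4"; ou="$5"
    if ! domain_ok "$domain"; then
        echo "refusing to bind to a .local domain: $domain" >&2
        return 1
    fi
    name=$(make_hostname "$prefix" "$(mac_serial)")
    scutil --set ComputerName  "$name"
    scutil --set LocalHostName "$name"
    scutil --set HostName      "$name"
    dsconfigad -a "$name" -domain "$domain" -u "$aduser" -p "$adpass" -ou "$ou"
    echo "bound $name to $domain"
}

# Only touch the machine when explicitly asked, so the functions can be
# sourced and checked without side effects. Domain, account and OU below
# are placeholders.
if [ "${DO_BIND:-0}" = 1 ]; then
    bind_mac lab ad.example.org adjoin "${ADPASS:?set ADPASS}" \
        "OU=MacBooks,DC=ad,DC=example,DC=org"
fi
```

Run it once per machine right after the image restore and before the first domain login (`DO_BIND=1 ADPASS=... sh bind-mac.sh` under sudo), then leave the binding alone: as Chris notes, binding and unbinding in quick succession before the DCs replicate causes its own failures. A computer name longer than 15 characters is silently truncated by this script, so check the resulting names for collisions if you ever change the prefix.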