Hardware & OS X Version
I have a few hundred Macs that are running anywhere between Mac OS X Leopard 10.5.6 - 10.5.8 (most are 10.5.8 but there are a few labs that require a lower OS version due to software). The computers range from iMac G5s, Mac Pros & iMac Intel Core 2 Duos.
Our AD (Active Directory) has been set up using Windows Server 2003 & Windows Server 2008.
All Macs are set up to log into the clients via the AD plug-in. Binding is smooth and we never have an error with binding. All computers are sorted and placed into the proper bins. When a user goes to log in they put in their user ID/password as if they were at a PC (Windows) desktop and the user is granted access to log in.
We can have the entire building imaged, up & running with a working AD login without any issues, but after so many weeks AD login stops working. The clients almost all drop the ability to allow an AD user to log in. It's totally random when this happens. When we look at the Directory Utility everything still looks good. It's green, stating that it can reach the AD server, but it just does not allow users to log in.
When this happens it's not just random clients but whole labs. If I have two labs I imaged one day they usually both stop working the same day. What's more odd is that a lab I imaged just a couple days after the ones that stopped working has no issues at all and allows users to login ..... but with that being said I'm almost guaranteed that within a couple days that lab will stop working as well.
The Quick Fix
The fix to resolve this as quickly as possible is to basically unbind each client or dump the directory prefs and rebind to AD. With a few hundred Macs this is a problem, especially where it really only works for a few weeks.
Currently I have changed the campus over to a single OD user to allow students to log in when AD breaks, but this is not the solution that we want. We use AD because this allows for tracking of which users log into each machine, who's in what lab, print accounting and more. The OD user is just a backup but it's pretty much in full use as we cannot find or resolve the AD dropping issue.
From what I have read online the issue should have been resolved with the OS X Leopard 10.5.7 update, but this is not the case here. Again, we are running Mac OS X Leopard 10.5.6 - 10.5.8 and this issue exists on each version of the OS.
We are running out of ideas on how to fix this and what could be causing this. We thought it may have been DNS due to having some duplicates in the system, but this issue was cleared up a few months ago and we have not had any more issues with DNS when it comes to that.
I'm in the middle of building a Mac OS X Snow Leopard 10.6.2 image to see if this will help, but as we have a few hundred machines and 14 campuses in total we do not have the approx. $15K+ that is required to upgrade all Intel machines to Snow Leopard.
I'm going to continue searching the net for a fix, a cause and whatever else I can find on this, but so far nothing has helped.
If you have a suggestion or any ideas I would be happy to try.
Below are links to articles that in some way talk about this issue or similar incidents to what we are having that I have looked at:
Leopard problems: Active Directory Integration – Now Definitely Fixed in 10.5.2! « Random Transmissions
Leopard and Active Directory - The macosxhints Forums
Mac OS X v10.5: Binding to Active Directory stops working
Mac OS X 10.5: Verifying DNS consistency for Active Directory binding
Special Report: Mac OS X Leopard Cross-Platform Issues