OSX cannot find Domain after removing an old AD server
February 25, 2009 at 4:18 am #375553
the_rug
Participant
Hi Everyone,
It’s my first post, so go easy on me 😀
Here is the scenario:
1. Existing Windows Active Directory domain with one Windows 2003 Server
2. Active Directory Domain name ends with .local (blah.blah.blah.local)
3. Apple XServe running Open Directory – purely for Workgroup Management settings for OSX clients
4. OSX 10.5.3 clients have previously been added to Active Directory (using Directory Utility) and working fine
5. These clients have also been added to the XServe Open Directory (all working fine)
6. Recently purchased some brand new iMacs, running OSX 10.5.5
7. Configured the new iMacs for Open Directory and Active Directory – all working fine
8. Installed a new Windows 2008 Server and configured it to be another Active Directory server
9. Transferred all the FSMO roles to the new Windows 2008 Server and ensured it was configured as a Global Catalog
10. Tested all the functionality of all Macs – all working fine
11. Tested the functionality of the Macs with the old Windows 2003 Server turned off (as we want to decommission it) – after 2 days, the Macs no longer communicate with Active Directory.
12. Turn the old Windows 2003 Server back on, and the Macs can communicate with Active Directory almost instantly.
Has anyone seen this problem before? As we really want to decommission our old Windows 2003 Server, but not when it leaves over 50 Macs unable to login.
I suppose my question is – does OSX retain information regarding the specific server it uses to bind to Active Directory? Thus, when that specific server is unavailable, regardless of whether Active Directory is working, the OSX clients try to connect to that server only?!?!
I have heard about the “You can’t have a domain with ‘.local’ on the end” but this has been working for quite a while now….
Thanks,
The_Rug
February 26, 2009 at 5:53 am #375573
the_rug
Participant
Hi MacTroll,
Thanks for the reply.
At the moment, we have not ‘decommissioned’ (DCPROMO-ed) the Windows 2003 Server. We have simply turned it off to see what systems are still reliant on it – hence we found out the Macs were. It is still in DNS, but so is the new Windows 2008 Server.
The way Active Directory *should* work is that when one AD server is not available, the others will respond. This is clear in DNS as there are several ‘A Records’ for our domain name, each pointing to the AD servers. Thus, when a client cannot contact one, it should move onto the next listed in DNS.
However, I have found that many clients do not do the ‘round-robin’ method of resolving DNS very well (including Windows), could this be the problem?
I don’t want to DCPROMO the Windows 2003 Server just yet, as if that does not solve the Mac problem, I am going to have a whole lab and staff Macs down until I find a resolution 😯
I suspect it is not a DNS issue but will investigate further.
I was hoping that someone who knew the insides of Directory Integration for OSX might know a simple solution for the problem.
Thanks!
The_Rug
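
The failover behaviour discussed in the post above (several A records for the domain name, one of them pointing at a server that is switched off), as an added example that is not part of the original thread: it probes every address behind a name and compares a client that only uses the first record with one that moves on to the next. The port (389, LDAP), the 192.0.2.x sample addresses and all function names are assumptions made for illustration.

```python
import socket

LDAP_PORT = 389  # assumption: probe plain LDAP on each domain controller

def resolve_all(name, port=LDAP_PORT):
    """Return every distinct address DNS gives for name, in answer order."""
    seen = []
    for *_, sockaddr in socket.getaddrinfo(name, port, type=socket.SOCK_STREAM):
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen

def tcp_open(addr, port=LDAP_PORT, timeout=3.0):
    """True if a TCP connection to addr:port completes within timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_domain(name, resolve=resolve_all, is_open=tcp_open):
    """Probe every address behind name and compare two client behaviours.

    Returns (status, first_only, failover):
      status     - {address: reachable?} for every record
      first_only - address a client that never retries would use, None if it is down
      failover   - first reachable address in answer order, or None
    """
    addrs = resolve(name)
    status = {a: is_open(a) for a in addrs}
    first_only = addrs[0] if addrs and status[addrs[0]] else None
    failover = next((a for a in addrs if status[a]), None)
    return status, first_only, failover

if __name__ == "__main__":
    # Constructed sample: two A records, the first belongs to a powered-off server.
    records = {"blah.blah.blah.local": ["192.0.2.10", "192.0.2.20"]}
    up = {"192.0.2.20"}
    status, first_only, failover = probe_domain(
        "blah.blah.blah.local",
        resolve=lambda n: records[n],
        is_open=lambda a: a in up,
    )
    for addr, ok in status.items():
        print(f"{addr}: {'reachable' if ok else 'NO ANSWER'}")
    print("first-record-only client ->", first_only)
    print("failover client          ->", failover)
```

Calling `probe_domain("your.domain.name")` with the default resolver and connector runs the same check against live DNS and shows which records stop answering while a server is powered off.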