Lenovo Software Help Center

Slow access to MS AD LDAP from OSX

The customer is seeing slow access when talking to MS AD via LDAP. WebNetwork runs on a Mac OS X box and uses MS AD for directory services. The DNS server runs on MS AD, and the OS X box points to it for DNS. Directory services and the Global Catalog are configured in WebNetwork. The customer's domain name ends in .local. Adding company.local, forestdnszones.local and domaindnszones.local to the hosts file on the OS X box was also tried, without effect.
This is an issue with OS X. The following information comes from http://docs.info.apple.com/article.html?artnum=107800

Mac OS X 10.3, 10.4: How to look up ".local" hostnames via both Bonjour and
standard DNS

Mac OS X 10.3 or later normally treats hostnames ending in ".local" only as
Bonjour (formerly "Rendezvous") hosts. However, some network administrators
also assign .local hostnames. This document explains how to look up .local
names using both Bonjour and standard DNS.

The Multicast DNS feature of Rendezvous technology allows devices on a local
network to connect to each other by name without a separate DNS server. See
technical document 107174, "Mac OS X 10.2: About Multicast DNS" for details. By
default, any hostname ending in .local is treated as a Rendezvous host rather
than by querying the DNS server entries in Network preferences.

Though the .local domain is not defined as a valid top-level domain on the
Internet, some private networks have DNS servers that assign hostnames in the
.local domain. In its default state, Mac OS X 10.3 does not use the DNS server
to resolve these names. This may result in unexpected failures to connect to
.local hostnames defined by your server. If .local names are assigned by a DNS
server on your network, use the solution below to configure Mac OS X 10 to look
up .local names in both ways. If the host is not available via Rendezvous, the
query will be tried using unicast DNS to contact the DNS server.

Mac OS X 10.4 and later:

Open the Network preference pane in System Preferences. Select the desired
network interface and click Configure. Add "local" to the Search Domains field.
If you have multiple entries in this field, be sure that "local" is first, and
separate them with commas. For example:

local, apple.com

Mac OS X 10.3 - 10.3.9:

To create the script, execute each of these commands in Terminal
(/Applications/Utilities/). Each command is preceded by the dollar sign ($),
which represents the Terminal prompt. You must be logged in with an
administrator account to perform these steps. After the first command (sudo),
you will be prompted to enter your administrator password. After typing each
command, press Return to execute it. After entering the "cat" command, you will
not see a prompt ($) for the next four lines, though you must still press
Return after each. For the line that says "[Control-D]", hold down the Control
key, then press D.

The commands:

$ sudo su
$ cd /usr/sbin
$ cat > EnableUnicastDotLocal
echo domain local > /etc/resolver/local.1
grep -v domain /etc/resolv.conf | grep -v search >> /etc/resolver/local.1
echo search_order 2 >> /etc/resolver/local.1
[Control-D]
$ chmod +x EnableUnicastDotLocal
$ exit

These steps create an executable shell script named "EnableUnicastDotLocal" that
will create and populate the necessary configuration files to enable dual
lookups of .local hostnames.

To run the script, execute this command:

$ sudo /usr/sbin/EnableUnicastDotLocal

Important: The address of the DNS server configured by this script for .local
name lookups will not change automatically if your default DNS server address
changes. (Your DNS server address may change if you change network locations, if
a change is made by your DHCP server administrator, or if you change it manually
in Network preferences.) To change the DNS server used for lookups in the .local
domain, you must run this script again. To disable unicast DNS lookups entirely
after running this script, delete the file /etc/resolver/local.1.

Note: For the Active Directory plug-in to work with .local domains, you must
update to Mac OS X 10.3.3 or later.
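As an added example (not part of the Apple article or of the WebNetwork product), the POSIX shell script below reproduces what EnableUnicastDotLocal writes, but takes the input resolv.conf and the output path as parameters so it can be tried against constructed files instead of /etc, and adds the check the "Important" note above calls for: it compares the nameservers recorded in the .local resolver file with the ones currently in resolv.conf, so a stale entry left behind by a DHCP or network-location change is reported rather than silently sending .local queries to an old server. The function names, the 192.0.2.x addresses and the sample resolv.conf contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Apple article: builds a /etc/resolver/local.1
# style file the way EnableUnicastDotLocal does, and checks it for drift.
# File paths are parameters so it can be exercised on constructed files
# instead of touching /etc. Function names are assumptions for illustration.

# build_local_resolver RESOLV_CONF OUTPUT
# Writes "domain local", the nameserver lines copied from RESOLV_CONF
# (domain/search lines, comments and blank lines are dropped; the original
# script uses two "grep -v" filters for the same purpose), and "search_order 2"
# so that Bonjour/mDNS is consulted first and unicast DNS second.
build_local_resolver() {
    resolv="$1"
    out="$2"
    {
        echo "domain local"
        awk '$1 != "" && $1 != "domain" && $1 != "search" && $1 !~ /^#/' "$resolv"
        echo "search_order 2"
    } > "$out"
}

# resolver_nameservers FILE
# Prints the addresses of the nameserver entries in FILE, one per line, sorted.
resolver_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | sort
}

# check_local_resolver_drift RESOLV_CONF RESOLVER_FILE
# Exit status 0: the resolver file names the same servers as RESOLV_CONF.
#             1: they differ, i.e. the DNS server changed since the script
#                ran (the "Important" caveat) and the script must be re-run.
#             2: RESOLVER_FILE is absent, so unicast .local lookups are off.
check_local_resolver_drift() {
    resolv="$1"
    resolver="$2"
    [ -f "$resolver" ] || return 2
    current=$(resolver_nameservers "$resolv")
    recorded=$(resolver_nameservers "$resolver")
    if [ "$current" = "$recorded" ]; then
        return 0
    fi
    return 1
}

# Stand-alone demonstration on a constructed resolv.conf in a temp directory
# (run as: sh this_script.sh demo). Addresses are from the RFC 5737
# documentation range, not a real network.
demo() {
    tmp=$(mktemp -d)
    printf 'domain corp.local\nsearch corp.local\nnameserver 192.0.2.10\n' \
        > "$tmp/resolv.conf"
    build_local_resolver "$tmp/resolv.conf" "$tmp/local.1"
    echo "--- generated resolver file:"
    cat "$tmp/local.1"
    status=0
    check_local_resolver_drift "$tmp/resolv.conf" "$tmp/local.1" || status=$?
    echo "after generation: status $status (0 = in sync)"
    # Simulate the DHCP server handing out a different DNS address.
    printf 'nameserver 192.0.2.20\n' > "$tmp/resolv.conf"
    status=0
    check_local_resolver_drift "$tmp/resolv.conf" "$tmp/local.1" || status=$?
    echo "after DNS change: status $status (1 = re-run EnableUnicastDotLocal)"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

On a real machine the check would be run as check_local_resolver_drift /etc/resolv.conf /etc/resolver/local.1, for example from a login hook or a periodic job, and a status of 1 is the signal to re-run the Apple script; status 2 corresponds to the "delete /etc/resolver/local.1" state the article describes.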

