Jdo300

macrumors newbie
Original poster
Jul 6, 2018
1
0
Ohio
I am managing a Windows Active Directory network and have several Mac machines that need to be added in. Our office has a LAN (with no internet access) to allow users to access local resources (File Server, printers, etc). But to connect to the internet, we all use the building's WiFi connection.

I was able to set up one of the Macs to connect to the Active Directory domain and users are able to authenticate through the AD server and access shares on the file server as expected. However, once I add the second network for the WiFi connection, users cannot access the internet.

The only way I have found to get the internet to work is to change the Service Order of the two networks, such that the WiFi Network has priority. But when I do this, and log out and back in, then the internet works, but the iMac can't see the Active Directory Server and doesn't show login options for network accounts.

I did a couple of tests to further characterize the problem.

If the LAN is set as the first network in the Service Order, then I can ping computers on the LAN by their IP or hostnames, but not any WAN IPs or addresses. I can also ping the domain server by the FQDN (Fully qualified domain name - like local.foo.com) and it works fine.

If the WAN is set as the first network in the Service Order, then I can ping computers on both the LAN via their IP addresses, and the WAN servers via IP or hostname/web address, but the iMac can't find the active directory server on the LAN to allow network logins. Also in this case, I cannot ping the domain server by its FQDN.

Based on the above, I suspect that there is a DNS issue here. Is there a way to allow the Mac to resolve the domain server when the WAN network is first in the list? Or alternatively, is there a way to reroute all internet traffic through the WAN when the LAN is set as the priority network?

Thanks,
Jason O
 

hobowankenobi

macrumors 68020
Aug 27, 2015
2,119
932
on the land line mr. smith.
This was asked once before, don't recall if there was a solution. None I am aware of using two physical ports.

An arcane and prohibitive network structure....to require 2 network connections. No laptops? No wifi....anything?

Here was the last one I saw asked. Will dig around some more.

Seems like there should be a better way to configure your network to maintain privacy without need of two networks...but if that is set in stone, it may be possible via virtual interfaces. Info here.

Makes sense...as we see this all the time when running VMs. VLANs might get you there...never used one for this setup though.
 

DJLC

macrumors 6502a
Jul 17, 2005
959
404
North Carolina
I'm going out on a limb here, but I have two thoughts that may have a snowball's chance...

1) Join the Mac to the AD domain using an IP of a DC instead of FQDN. I know this can work on the OD side, not sure about AD. And it may not be possible to rely on one particular DC depending on your AD forest. This MAY allow the Mac to authenticate with WAN set as primary.

-or-

2) Manually set DNS in Network -> Advanced with the AD DNS server first and your WAN DNS second on WAN.

You're right that the issue is likely DNS — it can't resolve the AD FQDN because it's looking to the WAN DNS first. Agreed with hobowankenobi tho, there are better ways to set up the network topology. Although thinking about it, perhaps you're using the wifi provided by an office park and saving some $ by not paying for your own internet connection.
 

satcomer

Suspended
Feb 19, 2008
9,115
1,977
The Finger Lakes Region
This all depends on several factors! What version of Domain or Active Domain are you running? Microsoft Server 10 plus adds modern Mac connections natively and it is possible on Server 2008 but you have to 1) add a time server in the Server and put it into OS X’s Time connections! Then you have to add them manually 2) Add the Mac client manually into the server!

Here is an article on what you are trying to do: http://icomputerdenver.com/how-to-integrate-mac-os-x-with-windows-active-directory/
 

chrfr

macrumors G5
Jul 11, 2009
13,703
7,269
Not every issue regarding Active Directory is related to time servers. This is one of those cases where it's not.
 

satcomer

Suspended
Feb 19, 2008
9,115
1,977
The Finger Lakes Region
This always happens in Microsoft Server 2008s2 when a Mac client wants to reboot! This is because most Domain Admins don’t start the Time server function on their Domains! Luckily in Server 2010+ Microsoft even fixed this!
 

chrfr

macrumors G5
Jul 11, 2009
13,703
7,269
Again this thread has nothing to do with time servers.
 

TriBruin

macrumors 6502
Jul 28, 2008
476
1,002
99% sure this is a DNS issue. Are both interfaces using DHCP and getting their DNS servers from DHCP?

If so, I would try manually adding DNS entries to the Wifi/Internet connection. Set your local DNS as the first DNS and your internet DNS (or any external DNS) as the 2nd entry. In theory, your Mac should query the local DNS first. If the DNS entry is found, it will return the IP address. If not, it should error out and the Mac should try querying the next DNS server.

Any chance of putting your DNS server on the internet and allowing it to do DNS forwarding?
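
A check for the DNS question raised in this thread, as an added example that is not part of any poster's reply: it reads `scutil --dns` output and reports where a given DNS server sits in the default resolver's list, with 0 meaning it is absent. The sample text, the function names and all addresses are constructed, and the script assumes resolver #1 of the unscoped section is the one used for ordinary lookups.

```shell
#!/bin/sh
# Added example. Assumption: resolver #1 in the first (unscoped) section of
# `scutil --dns` is the resolver macOS uses for ordinary lookups.

# Constructed sample: Wi-Fi (en1) first in the service order, LAN (en0) second.
# All names and addresses are made up.
SAMPLE_WIFI_FIRST='DNS configuration

resolver #1
  search domain[0] : building.example
  nameserver[0] : 192.0.2.53
  if_index : 5 (en1)

resolver #2
  domain   : local
  options  : mdns

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.0.2.53
  if_index : 5 (en1)

resolver #2
  nameserver[0] : 10.0.0.10
  if_index : 4 (en0)
'

# Print the default resolver's nameservers, space-separated, from stdin.
default_nameservers() {
  awk '
    /^DNS configuration \(for scoped queries\)/ { exit }   # skip per-interface list
    /^resolver #/ { in_first = ($2 == "#1"); next }
    in_first && $1 ~ /^nameserver\[/ { out = out (out ? " " : "") $NF }
    END { print out }
  '
}

# Print the 1-based position of server $1 in that list, or 0 if it is absent.
dns_position() {
  pos=0
  for s in $(default_nameservers); do
    pos=$((pos + 1))
    if [ "$s" = "$1" ]; then echo "$pos"; return 0; fi
  done
  echo 0
}

# On a Mac: scutil --dns | dns_position <AD DNS server IP>
printf '%s' "$SAMPLE_WIFI_FIRST" | dns_position 10.0.0.10
```

In the sample the LAN's DNS server appears only in the scoped section, so the script prints 0 for it.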
 

Marshall73

macrumors 68030
Apr 20, 2015
2,712
2,837
Your issue is that the primary gateway is the internet connection which cannot see the AD network. A simple workaround would be to create entries in the hosts file, on each Mac, for all servers on the AD network. This will allow the Macs to know where to find the servers and route requests to the correct network. All this is on the assumption that both networks use different subnets.
 

belvdr

macrumors 603
Aug 15, 2005
5,945
1,372
Look up Kerberos before you say it has nothing to do with this problem!
Kerberos is not involved with DNS and neither are time servers.

It sounds like the domain controller cannot do recursive lookups to the Internet, and a client does not have the intelligence to use one set of DNS servers for the one domain and another set for the rest. I think the hosts file mentioned above is one solution.

Another is to find a way to have the domain controller be able to do recursive queries to the Internet (i.e. forwarders). Then you can leave the LAN as the primary interface, as long as clients do not receive a default gateway from it.
 

satcomer

Suspended
Feb 19, 2008
9,115
1,977
The Finger Lakes Region
I don’t need to look up Kerberos. This is a DNS related problem caused by the dual network configuration in the OP’s environment.

Like I said before, when using Microsoft Server 2008 you have to manually start the Time server for your Domain or you’ll have problems getting non-Microsoft clients to stay on a Domain! Like I said before, Server 2010+ fixed this issue in the setup to set up a Time server function in the Domain!

So if you are using a more modern Mac client, make sure the Domain is acting like a Time Server for the Domain!

Again, it would be nice if the OP told us what Domain he is running on his Active Directory Server!
 