I have had this issue since I purchased two new Mac minis a month or so ago. Happened on 10.7.1 and 10.7.2. Our domain contains .local so this might be complicating the issue for me. No matter what I tried, the login process either would not work at all, or it would take 10+ minutes and multiple login attempts to work. All my other Macs (OS 10.5) work just fine logging in with domain accounts. I found plenty of things other people tried with success, but nothing worked for me. This article http://support.apple.com/kb/TS4041 started me in the correct direction finally, but it alone didn't work. Combined with several other articles and information, I finally got something together that appears to be working for me. I have now been able to successfully and repeatedly log in with domain accounts in under 5-10 seconds with one login attempt. I have tested it on both Mac minis with numerous restarts, shutdowns, and different domain users. If you are on a domain with .local in it, this might help you. I unfortunately do not know exactly which part of the following solution worked the magic, but here is what I did:
-I enabled IPv6 on my two Windows Server 2003 DCs.
-I ran ipconfig on both DCs to get their IPv6 addresses. You want the IPv6 attached to your network adapter, not the IPv6 on the tunnel adapters or whatever other interfaces you might have. It will most likely be the IPv6 in the same group/adapter section as your current IPv4 address.
-I added a forward lookup AAAA record for both the w2k3 DCs into my domain.local DNS forward lookup zone (put your domain name in place of domain) with their respective IPv6 addresses.
-I ensured the new AAAA records were updated in my domain and reachable from a Vista box that already had IPv6 enabled (local link addresses).
-I logged into the Mac mini with local admin, then opened the /etc/hosts file for editing. You will need to sudo into your favorite editor; I used vi. e.g. at terminal prompt> sudo vi /etc/hosts
-in /etc/hosts add the following lines at the bottom of the file:
127.0.0.1 domain.local
::1 domain.local
DC1_IPv6_address fqdn_of_DC1.domain.local
DC2_IPv6_address fqdn_of_DC2.domain.local
DC1_IPv4_address fqdn_of_DC1.domain.local
DC2_IPv4_address fqdn_of_DC2.domain.local
-save your edits, restart your machine and hopefully your domain login actually works now. It does for me. You do need to already be bound to the domain of course.
*fqdn_of_DCx.domain.local = the fully qualified domain name of your domain controller(s). Replace domain with your domain name. e.g. if your DC is named DCserver and your domain is mydomain you would have DCserver.mydomain.local
*DCx_IPv6 = the IPv6 address of your domain controller(s).
*DCx_IPv4 = the IPv4 address of your domain controller(s).
Additional information:
-Mac minis OS 10.7.2:
--set to use DHCP for IPv4 and Automatically for IPv6.
--do not have anything set in the network DNS search domains (have seen that suggested)
--bound to AD using the Open Directory Utility button not the + button (don't know if it makes a difference)
--have domain.local in the active directory domain box in the aforementioned utility
--not using mobile accounts
--have IPv4 address of one DC in Prefer this domain server: (and box is checked)
--have Allow administration by: checked with default domain admins and enterprise admins in there
--do not have Allow authentication from any domain in the forest box checked
--only have /Active Directory/DOMAIN/domain.local in the authentication search policy path, so using the example domain referenced above = /Active Directory/MYDOMAIN/mydomain.local (also has /local/default)
--have Display login window as: Name and Password selected
I can't think of any other settings that I have messed with in trying to get this to work, but with all those things set, I can now log into the Mac minis on my .local domain with domain accounts and do not have issues anymore. At one point I had messed with so much stuff on one of the minis that it was borked. I reformatted the drive, reinstalled 10.7.1, installed 10.7.2 patch and all other Mac software updates, bound the Mac to the domain, then made the changes above. The other Mac was as received from the retailer with only 10.7.2 update and all other patches applied. After dealing with this broken login crap for over a month, I am tired of it and just glad it is finally working. Hopefully this might help some of you.
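Added example, not part of the original post: static /etc/hosts entries like the ones above override DNS for those names, so this small audit reports, for each name under the domain, whether both an IPv4 and an IPv6 line are present and whether the bare domain is mapped to loopback. The function name audit_hosts, the host DC2 and the documentation-range addresses (192.0.2.x, 2001:db8::/32) are constructed for illustration; DCserver and mydomain.local follow the post's own example.

```shell
#!/bin/sh
# audit_hosts FILE DOMAIN  (hypothetical helper, not an OS tool)
# Prints one line per name under DOMAIN showing which address families
# are pinned in FILE, plus one line for loopback mappings of DOMAIN itself.
audit_hosts() {
    awk -v dom="$2" '
        BEGIN { dom = tolower(dom) }
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }                    # skip blank / address-only lines
        {
            fam = ($1 ~ /:/) ? "v6" : "v4" # a colon means an IPv6 address
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == dom && ($1 == "127.0.0.1" || $1 == "::1")) {
                    loop[fam] = 1
                } else if (substr(name, length(name) - length(dom)) == "." dom) {
                    seen[name] = 1
                    have[name, fam] = 1
                }
            }
        }
        END {
            printf "%s loopback v4=%d v6=%d\n", dom, loop["v4"], loop["v6"]
            for (n in seen)
                printf "%s v4=%d v6=%d\n", n, have[n, "v4"], have[n, "v6"]
        }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample hosts file; on a real machine pass /etc/hosts instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1    localhost
127.0.0.1    mydomain.local
::1          mydomain.local
2001:db8::10 DCserver.mydomain.local
192.0.2.10   DCserver.mydomain.local
192.0.2.11   DC2.mydomain.local      # constructed gap: no IPv6 line
EOF
audit_hosts "$sample" mydomain.local
rm -f "$sample"
```

A line ending in v6=0 or v4=0 marks a DC that is pinned for only one address family. Re-run the check whenever a DC is renumbered or retired, since stale pins keep resolving to the old address.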