Active Directory broken in Lion?
Just installed Lion on a network that authenticates users using Active Directory and it shows a red dot saying "network accounts are unavailable".
Does anyone have a workaround to make AD bind?
Lion just made me a liar. After rebooting my test iMac I am now getting the red light message "Network accounts are unavailable." It seems to go away after a while but I'm not sure how long it takes.
Kent
I've found that it's just that Lion is more honest about what it's doing and what it has access to compared to Snow Leopard.
If your search paths are set (go into Directory Utility and keep hitting the plus until you've added all the right ones in) and your network settings are correct (DNS, search domains etc) then everything should be fine.
I had major issues with 10.7.0.
10.7.1 was better and would work but needed tweaking
10.7.2 is fine. So far I haven't had anything worse than an amber light at the login screen and even that goes away after a few seconds. For our situation this release is ready to roll out but I know there are going to be calls to the help desk to the effect of "It logged on but there was an orange light. What was that?"
All in all, this situation is no different to when Snow Leopard was released.
With the exception of a recurring problem on one specific iMac, which finally resolved itself, I didn't have nearly this much trouble with Snow Leopard. I thought I had Lion connecting to AD last Friday but today it's totally broken.
Kent
I think I found a solution. I added about 28 iMacs running Lion about 3 weeks ago and it still works. This is what I did: After adding it to AD, I clicked on Search Policy. In Search Policy there are 2 tabs (Authentication and Contacts). Click on both and click the plus sign and add any Available Directory Domains that are on the list on both tabs. Then on both tabs set your network's AD Domain at the top to set as the primary (just drag and drop). NOTE: Some will not let you move down the list, that's okay.
While a recommended step, been there, done that - makes no difference...
This article has actually helped quite a bit http://support.apple.com/kb/TS4041. I didn't think it would, but my AD status has remained between yellow and green most of the time since adding forward IPv6 AAA and reverse PTR records (w/IPv6 reverse lookup zone) for the DCs on my DNS server (2K3SP2R2).
Did that, didn't work. The only thing I have found that works is to install the Likewise Open AD plugin. This also seems to work better for AD in Snow Leopard.
Kent
Thanks for that, cticompserv. You made my day. 🙂
Between upgrading to 10.7.2, and setting up basic IPv6 networking/DNS records, my AD binding woes have been smoothed out. After a reboot, there's still a 20-30 second delay between the login screen appearing and network accounts becoming available, but it works a lot better than before, so I'll take it.
Note: Modifying your preferences.plist to disable IPv6 does NOT solve the binding/authentication delay issues in a .local domain. You HAVE to set up IPv6. Those sneaky engineers...
You may find that this does not work as a permanent workaround or fix for that matter. Mine got better at first and now I'm in the same boat again. It can take as much as an hour for AD to become accessible. I was avoiding having to load a 3rd party app but I am so sick of this AD snafu that I am going to give the LikeWise AD plugin a shot. Fixing AD integration issues is most definitely not on Apple's top things to fix. Not even Snow Leopard got it 100% right.
Hello,
I am having the same issue with users not being able to login with their AD accounts and with Open Directory losing connection after a reboot. Have you been able to resolve either of these issues with 10.7?
Hi Folks
First post on the forums, let's hope it helps you out. Centrify have found the problem and have posted a workaround on their website. Even though they supply their own plug-in for AD integration, this workaround also gets Lion's own Active Directory component working. I've managed to successfully bind and login on a number of Lion machines using this without having to make any changes to search paths etc. The file can be located
Click here to get Centrify file with workaround for .local domains
Apple have eventually acknowledged this as a bug. About time!
Thanks for the info cticompserv. Have you tested this on devices still running 10.7 (not 10.7.2)?
Only a very brief test in 10.7. I tested it on my workstation in 10.6.8, where the problem first arose, and then upgraded to Lion and installed the 10.7.2 update. The original problem WAS NOT resolved in 10.7.2 as had been reported.
The Likewise AD plug-in just works, and it's fast. The only noticeable difference is that it creates home folders in /Users/local/DOMAIN_NAME/user_name. I'm still working on getting Addressbook to look up network accounts, however, but I'm probably the only one here who uses it.
Kent
I just read through this work-around. Is it for use with the Centrify AD plug-in, or with the Mac OS plug-in?
Kent
Hi
Centrify worked out the solution but it works with the Mac OS plug-in. You do not need to use Centrify. I've now just applied it to a whole suite of iMacs running 10.7.2 and it works a charm.