Active Directory broken in Lion?

Did not work for me. When disabling the mdns, it broke open directory on the machine.

Well, not sure what you are all doing but I've been running perfectly fine ever since 10.7.2 came out. 10.7.1 also worked but needed tweaking. Occasionally I get a "no network accounts" warning at the login screen but it goes away after a few seconds and it's not that common anyway.

We are running an AD domain on Windows server 2008. Not running any OD servers or anything and it all just works.

Not at work at the moment but on Monday I can post up the script I use to join the domain if you want. rolled out to about 50 odd macs so far with no issues and no need for third party tools.

neilbo12 wrote:

Did not work for me. When disabling the mdns, it broke open directory on the machine.

I am very surprised.

bartron wrote:

Well, not sure what you are all doing but I've been running perfectly fine ever since 10.7.2 came out. 10.7.1 also worked but needed tweaking. Occasionally I get a "no network accounts" warning at the login screen but it goes away after a few seconds and it's not that common anyway.

We are running an AD domain on Windows server 2008. Not running any OD servers or anything and it all just works.

Not at work at the moment but on Monday I can post up the script I use to join the domain if you want. rolled out to about 50 odd macs so far with no issues and no need for third party tools.

Are you running a .local domain? The issue seems to be with .local domains.

unfortunately yes. I understand there is no fix for this as of now.

I have the same Problem with mobile account on a new MacBook Air with 10.7.2.

I have called the support. I have got the answer: I am the first who has this problem and i must pay for support! I'm the first and the bug is open since 6 month? What is apple doing in this time?

I will send back the MacBook to apple.

Just another "me too".

I had the same issue with new MacBookPro8,1 [ MacBook Pro (Early 2011) ].

The Centrify doc (http://www.centrify.com/downloads/public/centrify-directcontrol-for-mac-local-do main-workaround.pdf) provides a temporary work around.

It dissapoints me that Apple have removed the support (that added they only added in 10.5) for AD domains ending in ".local".

What Are the steps

Could you please let me know what the work around is

Take time to read back through this thread and you will see the post by me with the workaround.

I followed your document, and it was AWESOME! But I did have to combine another post with it to get everything working. Instructions that I used are reproduced below. My domain login time is now 10 seconds from login to desktop.

A combination of statically assigning the hosts in the host file and the fixes reccomended in the "centrify" document has sucessfully worked around the issue for me.

The problem is .local domain names, which we all know. I used to fix it by turning off bonjour, but i think you cant do that anymore (with iservbox)

I will reproduce the instrcuctions that i wrote below. Please note that in addition to this, i have also done the following:

Port 119 fix on the windows DHCP server as detailed here: http://www.mattzuba.com/2011/03/windows-2008-rc2-dhcp-server-option-119/

LOCAL dns zone in the forest (no entries, it just needs to be created and athoritative)

--- instructions follow (HOPEFULLY IT DOESNT GET TOO MESSED UP) --

to get lion which is buggy onto a .local domain

1.) install OSX

2.) go into directory utility and go to join the computer.

3.) make sure that the domain server is DOMAINCONTROLLER.domain.local . Turn off "search all domain controllers"

4.) join to domain. After join, open the console and run the following command:

sudo dscl /Search -append / CSPSearchPath "/Active Directory/DOMAIN/domain.local"

this will add the main domain.

5.) in the search list, make sure that "/Active Directory/DOMAIN/All Domains" is at the top (just below local/local or whatever, the default)

6.) perform the following steps to manually get it talking reliably to the domain:

Workaround

The following steps require root or sudo privileges. Important: Save a backup of the original files in another location, to provide a means of recovering from any mistakes made in editing.

Mac 10.7 always does both an IPv4 and IPv6 query. We can configure IPv6 to be disabled and that will improve performance.

Unfortunately, you cannot disable IPv6 from System Preferences, and so you need to

7.) manually edit the /Library/Preferences/SystemConfiguration/preferences.plist on the Mac.

Find the network adapter (Ethernet or Airport) under NetworkServices key, and then edit the IPv6 setting, changing the config method to __INACTIVE__:

--------------------------------------

<plist version="1.0">

<dict>

<key>CurrentSet</key>

<string>/Sets/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</string>

... ...

<key>NetworkServices</key>

<dict>

<key>XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</key>

<dict>

... ...

<key>IPv6</key>

<dict>

<key>ConfigMethod</key>

<string>__INACTIVE__</string>

</dict>

--------------------------------------------------

8.) There's no way to change the DNS lookup order, but you can reduce the multicast DNS timeout by editing mdns_timeout, located here:

/System/Library/SystemConfiguration/IPMonitor.bundle/Contents/Info.plist

The default setting is 5. Set mdns_timeout to 0 as shown below.

-------------------------------------------

<key>mdns_timeout</key>

<integer>0</integer>

-------------------------------------------

9.) If you set mdns_timeout to 0, then you won't be able to ping any ".local" host/domain, but other apps such as Finder and Apple's Active Directory plugin work well (it can resolve a .local hostname). You can login as a network home user very quickly.

If you try to mount a SMB share in the Finder, you can ignore the prompt that says there's a problem connecting to the server. If you wait for several seconds and retry, it will eventually connect. This prompt can be removed by adding the machine that hosts the DNS server and Windows share into /etc/hosts file on the Mac:

10.0.0.14 DOMAINCONTROLLER.domain.local

10.0.0.19 ANYOTHERHOSTYOUNEEDACCESSTO.domain.local

Note: Because you cannot ping domain.local, adclient will stay in disconnected mode for up to 60 seconds after start (which means you need to wait for more than 1 minute after reboot). Adding domain.local into /etc/hosts solves the disconnect issue.

10.)

Reboot the Mac after performing steps 1) through 4).

11.)

Login to the Mac

After all that it should work. I also had to add a local zone to DNS as well as adding a DHCP option 119 on the dhcp server.

I should also say replace the above "DOMAIN" and "domain".local with your domain.

Are complicated workarounds better than simple ones?

Kent

Has anyone installed the new 10.7.3 update? Does it really fix AD authentication?

Kent

I installed it within 10 minutes of it being released.

It did nothing for me. AD binding is still broken and I had to do the login roulette with rebooting and rebinding for 25 minutes to just log in. I plan on contacting Applecare and the engineer I was working with before tomorrow.

Also, network share (smb) names are still broken and all show the root directory.

meaning if /server/share1 /server/share2 /server/share3 are mounted, you would see /server/ 3 times instead of the individual share (windows 2008 r2 host).

I wonder what they did for a gig of updates....

I haven't tried 10.7.3 yet but, I'm not holding my breath any longer. Unless apple specifically lists fix for .local domains not even going to bother anymore with this issue and work towards dumping .local altogether. The centrify workaround still works for me to this day but, it does have its drawbacks. Good bye .local, it's a brave new world. :-(