Active Directory broken in Lion?

Just installed Lion on a network that authenticates users using Active Directory and it shows a red dot saying "network accounts are unavailable".


Does anyone have a workaround to make AD bind?

Posted on Jul 22, 2011 3:21 AM

98 replies

Jul 25, 2011 7:52 AM in response to Hat-Rack

Same here, I'm afraid. Rebinding to my 2K3 R2 domain corrected the issue for a while but it is still flaky (I get network accounts unavailable or active directory inaccessible from time to time).


To rebind:


1- delete Lion machine account from AD (and force replication if you have multiple DCs)

2- logon to Lion with a local admin account (do not use the domain/mobile account you already have)

3- unbind, reboot, rebind to AD, reboot

4- Check AD tool in Lion, make sure all of the search paths for directory services are there. If you click the + sign you may find there is one path missing.


Again, rebinding got me past the initial issue where it would not see my AD environment whatsoever BUT, the problems are not fixed. Looking at the console while you troubleshoot this may give you some clues. Can't wait for apple to start issuing patches.....

Jul 29, 2011 7:34 AM in response to Hat-Rack

I just posted a similar question. I have only upgraded one mac so far as a test. I cannot bind to AD at all. I get to the point where it is "getting AD domain info" and then it eventually fails with "Authentication server could not be contacted."


I've tried several times. When I look inside the Directory Service directory, there is nothing there.


I will try some of the suggestions above to see if this helps, but I sure hope Apple comes out with a patch as I really do not want to be removing and readding over 400 computers to AD and rebinding them!!


Lisa

Aug 5, 2011 9:59 AM in response to Hat-Rack

same trouble, this was the only fix I found; it only works until the machine is rebooted:

1. unbind machine

2. rename machine

3. reboot

4. login as local user

5. in directory utility go to services

6. enter active directory name

7. check create mobile and require confirm (optional)

8. check prefer this domain controller, enter full primary domain controller

9. check allow auth for any domain in forest

10. enter ad name

11. bind

12. logout (network login will be unavailable)

13. login local admin

14. go to search policy

15. make for custom path - click + add /active directory/domain

16. move /active directory/domain up above /active directory/domain/all domains

17. click + then cancel out of that

18. it will now be able to login to network --- but don't reboot.


Called enterprise support on this, they are well aware of the problem, and have been since day 1 of the official release. Their response "We are looking into this matter....".


Gee thanks apple. Now we know why lion upgrade was selling for $25.

Aug 9, 2011 8:08 AM in response to joey jo jo

Joey,


Are you able to log in with a domain user?

This is the same problem we were having.


Luckily I'm in a position where I can work directly with Apple sw engineers on diagnosing the problem.


Here's the main issue.


The green light in that window means the computer can see a domain controller as a valid address.

The login screen is active negotiation.


aaron-wy is correct in pointing out that you need to use Directory Utility to manually add your search path. If you look at your opendirectoryd log files in Console you'll see timeouts to /ALL DOMAINS/.


When you hit the + button, you'll see your actual domain there instead the generic catch-all.


Add it, give the priority, and apply it. Give it about a minute for the computer to realize what just happened. Try a quick user switch and you should be able to authenticate (and encounter the next bug shortly after).


You'll authenticate and if you activate quick user switching you'll be listed as your user name in all caps. If you log out and log back in, even with quick user switch, you'll log in as your display name. Lion sees this as two different accounts but the same home folder. No programs will launch (1 bounce then instant close) and Safari will launch slowly. You need to restart and hope you can login to the correct account (user name not display name).

Aug 9, 2011 2:23 PM in response to mwfischer

Thank You for your help mwfischer and aaron-wy.


I added the search path and I got it to work. But, the only small issue I found now is that our AD domain admin accounts can no longer be administrators to the computers without checking the "Allow to administer computer" check box. With Snow Leopard our domain admin accounts were able to administer the computers without further tweaking. This is a small issue and I can work around it by creating a local admin account or enabling root. But if anyone knows a fix please share. Thanks again.

Aug 9, 2011 4:23 PM in response to Hat-Rack

I've had pretty good luck by resetting the directory services configuration. Typically, this involves deleting the whole OpenDirectory folder in /Library/Preferences, rebooting, then binding again with dsconfigad or Directory Utility. By the way, the syntax for dsconfigad has changed a bit in Lion. The advantage of using it instead of Directory Utility is that you get more detailed error messages.


Note that if you're running Lion Server, you'll need to rebind to your shared LDAP (OpenDirectory master) domain as well. Your LDAP database, password server store, and KDC should be just fine, but your server won't be able to contact them as it should until you rebind.
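The following script is an added example and is not code from anyone in this thread. It writes out the dsconfigad equivalent of the Directory Utility bind steps given earlier (mobile accounts, confirm, preferred DC, all-domains auth) and checks the search-policy fix described by mwfischer and aaron-wy: the specific /Active Directory/DOMAIN node must be listed above /Active Directory/DOMAIN/All Domains. The domain, DC, computer and account names are placeholders, and the dscl output samples are constructed.

```shell
# Added example, not code from the thread. Placeholders: EXAMPLE (domain),
# dc01.example.local (preferred DC), mac01 (computer), adadmin (bind account).

# Emit the dsconfigad commands matching steps 5-11 of the GUI bind procedure,
# one per line. Nothing is executed here; dsconfigad prompts for the password.
build_bind_cmds() {
    domain="$1"; computer="$2"; dc="$3"; admin="$4"
    printf '%s\n' \
        "dsconfigad -add $domain -computer $computer -username $admin -force" \
        "dsconfigad -preferred $dc -mobile enable -mobileconfirm enable -alldomains enable"
}

# Read 'dscl /Search -read / CSPSearchPath' output on stdin. Succeed only when
# the specific domain node is present and precedes its All Domains node.
search_path_ok() {
    awk -v d="/Active Directory/$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == d                 { spec = NR }
        line == d "/All Domains"  { all = NR }
        END { exit !(spec && (all == 0 || spec < all)) }'
}

# On a real Lion machine, check the live search policy; returns 2 if dscl is absent.
check_live_search_path() {
    command -v dscl >/dev/null 2>&1 || return 2
    dscl /Search -read / CSPSearchPath | search_path_ok "$1"
}

# Constructed sample: the policy after a fresh bind (only the All Domains node).
SAMPLE_BROKEN='CSPSearchPath:
 /Local/Default
 /Active Directory/EXAMPLE/All Domains'

# Constructed sample: after adding the specific domain path and moving it up.
SAMPLE_FIXED='CSPSearchPath:
 /Local/Default
 /Active Directory/EXAMPLE
 /Active Directory/EXAMPLE/All Domains'

if printf '%s\n' "$SAMPLE_BROKEN" | search_path_ok EXAMPLE; then
    echo "broken sample unexpectedly passed"
else
    echo "broken sample: specific domain path missing, add it in Directory Utility"
fi
printf '%s\n' "$SAMPLE_FIXED" | search_path_ok EXAMPLE && echo "fixed sample: search policy OK"
build_bind_cmds EXAMPLE mac01 dc01.example.local adadmin
```

Run check_live_search_path with your own domain name on the affected Mac; a non-zero exit means the search policy still only has the All Domains node that the opendirectoryd log shows timing out.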

Aug 11, 2011 8:29 AM in response to Gerrit DeWitt

Hi Everyone,


Well, once Apple releases the update 10.7.2 this should fix the AD bind issue. It is only in preview for ADC members right now, but I loaded it and was able to create my domain account and mobile account. Rebooted system, and was able to log back in with same domain account.


It also seems to fix the SMB share connection issue. Yay.


Another oddity in case you have not noticed but in /Users/<user ID>, the /Library directory is invisible!


Lisa

Aug 18, 2011 10:09 AM in response to Hat-Rack

Since 10.7.2 isn't actually out yet I thought I'd add a workaround that worked for me concerning mobile accounts in Lion.


WORKAROUND for "Error: The home folder for user "ActiveDirectoryUser" isn't located in the usual place or can't be accessed. The home or Users folder may have been moved or deleted. If the home...."


I was able to "Fix" the Mobile Account issue above in Lion -for now. (Valid as of 8/18/11 on Lion 10.7.1)

- In Directory Utility -> Active Directory -> Advanced Options, I unchecked "Create mobile account at login" and left "Force local home directory on startup disk" checked

- Log out then back in as a networked user, -A local home directory will be created under /Users but will not be accessible if network is offline (non-mobile)

- Open Terminal

--- Type: cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/

--- Type: ./createmobileaccount -n username


The username you specify with the createmobileaccount command will turn it from a standard account into a mobile account.

This fixes Active Directory mobile accounts for the time being, so now it's on to Open Directory, which refuses to stay bound after a reboot.
