I am another one with problems getting AD to work properly in Lion. This problem exists in both systems I have tried. One is an update to Lion from a long-used and properly running 10.6.8 system. The other is a brand new out-of-the-box 10.6 with all upgrades to make it current, and then a download and install of Lion. Both are the newest iMac model, 27".
I get a number of different responses. One time when I try to bind I get a "Can not save password" error, yet the AD will install the computer. I find this out by trying a new bind using the same computer name, but then I get "do you want to join an existing account?" Yet the computer is showing that it is NOT bound to AD. To remove the account from AD I actually have to go in from the Windows Admin tools and delete the account.
I tried a number of different things like changing the order, adding or removing the various authentications, having a preferred server checked, and changing one or another setting. None of these things worked reliably.
My most common result is the Red Dot showing no network accounts. On a few occasions I got, instead of the Red Dot, a Yellow Dot saying only some network accounts are available. When I got this I could log in to my AD account, but the Home Folder (network storage home folder) never showed up. Also, this was NOT repeatable. The next time I tried it, using the same settings, I got the Red Dot. If I repeated the login I would sometimes get the Red Dot, and the very next try, without any changes being made, resulted in the Yellow (or Red) Dot.
The 10.6 systems log in fine using the same default settings as the problem 10.7 systems. Not only is it not working correctly, it is working incorrectly in several different ways.
I don't think this part of Lion is ready for prime time!
What I had to do, AND IT IS NOT A PERMANENT FIX, to even get AD to let a user in on the Lion-installed system is to:
1. Run Repair Disk Permissions FROM THE RESTORE HD PARTITION. Running it directly from Disk Utility of the installed Lion system does NOT work.
2. Once the Restore completes, and boots back to the regular startup, I could then bind, and have users log in via Active Directory.
3. NOTE WELL!!!! This only worked until a RESTART OR SHUTDOWN occurred. Then the bootup took a LONG time on the spinning wheel. The amount of time it took was at least as long, if not longer, than the time it would take in Snow Leopard to reboot after a hard crash. In that time it is checking disks and, obviously judging by the results, "repairing Permissions" as part of the boot process. THE PROBLEM IS THAT IT RESTORES THE PERMISSIONS THAT DO NOT, REPEAT, DO NOT ALLOW ACTIVE DIRECTORY TO WORK!
METHINKS THAT APPLE DID NOT TEST THE FUNCTION PROPERLY BEFORE RELEASING THE NEW OS! :-(
Been trying to connect a Lion Mac to our AD for the past day and getting all the same errors you guys are getting (red dot, yellow dot, etc.), trying to stay away from 3rd-party solutions like AdmitMac, etc.
Eventually gave in to a clean install and have had some success in getting it to connect now, but had to do the following: re-bound to AD as a new computer (deleted the old AD account), the LAN ID had to be all capitals, and on first logon I had to include the domain in the username field (DOMAIN\LANID).
-AD bind seems to be lost every time a user logs out, and the machine must be restarted to allow LAN login again.
-Directory permissions don't seem to be read correctly, as I'm unable to connect to shared drives properly.
-Having random issues with keychain, and DFS definitely isn't working, but if permissions aren't being read properly that is probably the cause.
Hopefully a fix is coming, as there certainly aren't many success stories around AD.
No Joy :-(
What worked yesterday, several times, today does NOT work! I used the Restore partition to repair disk permissions and then network accounts worked. It stayed working until a restart. Then network accounts were "not available". Doing the Permissions Repair from Restore brought the network back to working. This repeated four or five times.
Today, I try the same thing and it does NOT work! INSERT VERY LOUD SCREAM OF ANGUISH HERE!!!!
I then tried doing an Onyx set of repair permissions, clean caches and so forth using a freshly downloaded copy of Onyx for Lion. The first try after using Onyx allowed network accounts, but it first showed the Red Dot (network accounts not available), which changed to Yellow while still showing the "network accounts not available" message, and then, after a few more seconds, the dot vanished and my AD login worked just fine. Logged out and logged back in and it worked three more times. Restart and back to the Red Dot. Neither Onyx nor the Restore partition repair permissions brought it back to even a Yellow on the next three tries.
INSERT EVEN LOUDER SCREAM OF ANGUISH HERE!!!!
This OS release should have been killed before it was ever released. Granted that AD is a Microsoft product and Apple doesn't like Microsoft a whole bunch but why Apple would let this Lion out of its cage before it was properly trained to work with AD is beyond comprehension!
I am wondering if there is any correlation to the network infrastructure being used. I have a 100 Mb network I have to use, and without students here now, if network timings and collisions or whatever are a problem, what can we expect when the network gets up to its normal load? If anyone has made AD work correctly, and REPEATEDLY, with Lion, what are you using for a network connection? When I ping the domain controller, the ping times I get range anywhere from 0.3 ms to 1.0 ms. I am wondering if this variation in response time might have any correlation to why something will work one time but then not work again. If Apple has a response acknowledgement time that is too tight, could this be a problem area?
I do not work with the network hardware as such, so my thoughts are purely speculative, but I have noticed in recent months, when using ARD to access remote on-campus systems, I have been getting a greater number of "communications failure" messages, but when I try again, just a few seconds later, I can connect successfully. I am just beginning to wonder if at least some of the problem might not be centered in that area.
I'd give up if I were you.
You've got a problem with your DNS or you're entering an invalid DC name/IP address.
That's not a dig, AD support is really flaky in Lion at the time of typing, and that's from a guy who's been working with IP for twenty odd years.
I'd use a local account and revisit the problem after a couple of Apple updates.
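The reply above blames DNS or the DC address, and several posts in this thread report that Directory Utility shows a healthy bind while logins still fail. The script below is an added example, not something any poster ran: it checks the things that produce exactly that split (DC discovery through DNS SRV records, forward and reverse records for each DC, and clock skew against the Kerberos tolerance) and then tries a user lookup. The domain `example.com`, the user `jdoe`, the assumption that the first DC also answers NTP, and the sample `dig` answer embedded for offline parsing are all constructed placeholders; change `DOMAIN` and `TESTUSER` to match your site. The macOS-only tools (`dsconfigad`, `dscl`, `klist`) are skipped when absent.

```shell
#!/bin/sh
# ad_bind_check.sh - added diagnostic for the "bound but no network accounts" symptom.
# Assumptions (not from the thread): domain example.com, user jdoe, the DC serves NTP.

DOMAIN="${DOMAIN:-example.com}"     # placeholder
TESTUSER="${TESTUSER:-jdoe}"        # placeholder
KRB_MAX_SKEW=300   # Kerberos default clock-skew tolerance, seconds

# Print SRV target hostnames from dig-style answer lines on stdin
# (name TTL IN SRV prio weight port target). Strips the trailing dot.
srv_targets() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $8 }'
}

# Return 0 if an NTP offset (seconds, signed, fractional) is within the
# Kerberos tolerance; past it, AD auth fails while the bind still looks fine.
skew_within_limit() {
    awk -v off="$1" -v max="$KRB_MAX_SKEW" 'BEGIN {
        if (off < 0) off = -off
        exit ((off <= max) ? 0 : 1)
    }'
}

# Constructed sample of a dig SRV answer, used only to exercise the parser offline.
SAMPLE_SRV='_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.'

run_checks() {
    echo "== 1. Bind state and search policy as the OS records them (macOS only) =="
    command -v dsconfigad >/dev/null 2>&1 && dsconfigad -show
    command -v dscl >/dev/null 2>&1 && dscl /Search -read / CSPSearchPath

    echo "== 2. DC discovery through DNS =="
    targets=""
    if command -v dig >/dev/null 2>&1; then
        targets=$(dig +time=2 +tries=1 +noall +answer SRV "_ldap._tcp.dc._msdcs.$DOMAIN" | srv_targets)
        [ -n "$targets" ] || echo "NO SRV RECORDS for $DOMAIN: the client cannot locate a DC"
        for dc in $targets; do
            echo "DC: $dc"
            for ip in $(dig +time=2 +tries=1 +short "$dc"); do
                echo "  A:   $ip"
                # Kerberos also wants a reverse record for the DC.
                echo "  PTR: $(dig +time=2 +tries=1 +short -x "$ip")"
            done
        done
    fi

    echo "== 3. Clock skew against the first DC (assumes it serves NTP) =="
    dc1=$(printf '%s\n' "$targets" | head -n 1)
    if [ -n "$dc1" ] && command -v ntpdate >/dev/null 2>&1; then
        off=$(ntpdate -q "$dc1" 2>/dev/null |
              awk '/offset/ { for (i = 1; i <= NF; i++) if ($i == "offset") { sub(/,/, "", $(i+1)); print $(i+1); exit } }')
        if [ -n "$off" ]; then
            skew_within_limit "$off" && echo "skew ${off}s ok" || echo "SKEW ${off}s exceeds ${KRB_MAX_SKEW}s: Kerberos will fail"
        fi
    fi

    echo "== 4. Can the directory actually resolve a domain user? =="
    id "$TESTUSER" 2>&1
    command -v dscl >/dev/null 2>&1 && dscl /Search -read "/Users/$TESTUSER" 2>&1 | head -n 20
    command -v klist >/dev/null 2>&1 && klist 2>&1
}

# Run the live checks only when asked, so sourcing the file just defines the functions.
if [ "${1-}" = "check" ]; then
    run_checks
fi
```

Run it as `sh ad_bind_check.sh check` from a bound Lion client; a bind that "looks happy" in Directory Utility but fails step 2 (no SRV records or no PTR for the DC) or step 3 (skew over 300 s) is consistent with the red-dot reports in this thread, while a failure only in step 4 points at the user lookup rather than DC reachability.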
The exact same DNS, Domain Controller, network and everything all work just fine on 10.6.8 systems set up right next to the two Lion systems. The SL systems have not had a single problem. That would kind of rule out everything except Lion. The same 10.6.8 setup also works fine on the other 150+ systems on the network.
I do not have the option to use local accounts, since these systems are going into a student lab (23 computers) and require individual login credentials. It was hoped to also have Lion on the other 90 or 100 lab and individual student workstations in my operation. That ain't gonna happen!!!
The lab is going to be set up with 10.6.8, since it is supposed to be online and fully functional in two weeks. What really gets me is the "now it works... now it doesn't" aspect, and finding no way to make the problem repeatable and tied to one or two specific items.
I did the rebuild of permissions and was able to join to AD and log in with domain credentials. Have not tried a shut down/reboot yet to see if I can still log in.
On another Mac upgraded to Lion, it shows it is still bound to AD, but at the login screen it has the red light and says network accounts unavailable. However, it let me log in with domain credentials. Not sure if it's using cached credentials yet, however. Will delete the account and try to log in again to verify one or the other!!
Thanks everyone for your suggestions.
Me again. Okay, rebooted the Mac that I just joined to AD, and as noted in a reply above, got the network accounts unavailable notice and red dot, and could log in with cached credentials. But when I deleted that network account, I could not log back in to recreate it.
Ran another permission repair, but it did not repair anything. The only message I got had something to do with ARD being modified and it could not repair it. Not sure what that meant....
So, basically back to square one. When I check Directory Utility, everything looks peachy. Says it's bound, all the right things are there. But no joy on trying to log in!
As also stated above, I have gotten communication errors when in ARD and sending to SL clients, then try again, and it works fine. I have also seen a lot of "offline" or "screen sharing" in ARD, and if I delete and re-add that computer, it adds fine and I can see it and connect. This is so annoying, as you don't know if one is truly offline or just needs to be re-added. I support upwards of 400 Macs, and just do not have the time to keep adding Macs back into ARD every day!
I can SEE the Lion Macs in ARD, and the client is set up to allow access, but yet I cannot connect from my SL admin console even though it is running the same version of ARD as the Lion client, 3.5.1. Has anyone else seen this?
I agree this version of Lion should never have been let out of the cage.
Yet still another interesting thing. I erased the Macintosh HD partition using the Disk Utility in the Restore partition. Did a complete scrub of everything in the Macintosh partition, OR SO I THOUGHT, or maybe I did. Confused? Yep, me too!
The Macintosh partition showed to be completely empty.
I did an Install of Lion downloaded from the App store.
I came up on the Login window and what is there waiting for me but the RED DOT. This is BEFORE I even tried logging in!
Without doing anything else at all, when it restarted I tried binding to AD using a brand new, never used computer name and got what appeared to be a bind, but there were no logins allowed from network accounts.
Now I am confused. After a complete new clean install of Lion on a hard drive that does not contain (because of the ERASE) anything from 10.6.8, I still ended up with the RED DOT. Where did the computer get the information to tell itself that there are no network accounts available? Previously, when Lion was first installed on this system and another identical system, the first boot up did NOT show any Red Dot or anything even hinting at a network connection to an AD (or any other directory service).
Why, and maybe more importantly, where did the computer retain something which told it that there was a network from which it could not access account info? Is this stored in the Restore partition? Is it stored in firmware (EFI?) Does it just automatically try to see if a network is there even if Directory Utility does not have a Directory Service set up? Does it store something on the Active Directory (MAC addr maybe?) showing that the computer had, at some time previously, been connected to the AD, even if the AD account for that computer is removed from the AD using the Windows tools for deleting computers? Does an ERASE NOT erase the partition that is, supposedly, erased? I did not try this with a secure erase, but that might be next, simply to see if that would "scramble" the residual files left (so it seems) on the Macintosh partition.
I'd never set up AD on a Mac before - I was excited that the lower price of Lion ($30 vs $499 for SL Server) would finally permit me to.
Was I wrong! Having all the same issues as Lisa has noted. I did the clean reinstall. Unfortunately I didn't back up the clients I converted to Lion. And now I can't go back.
I run dual boot Windows / Mac on Mac hardware, but was getting more and more comfortable in the OS X environment. All the troubles getting AD to work with Lion have me feeling like my Apple conversion just took 5 giant steps backward.
I hope Steve comes off sabbatical to yell at a bunch of engineers in a meeting room. They couldn't have screwed this up worse.
I have only tried on test Macs doing an upgrade from 10.6.8 to Lion. Worked the first time after a permission repair, but on reboot stopped working. Even if I again do a permission repair, no joy. Get the red dot. If you look in Directory Utility, however, it looks happy. Says it's bound, everything is as it should be. But it does not work.
Another question to gtown_cc: why do you have dual boot? We use VMware Fusion and can run both operating systems at the same time. Need a minimum of 4 GB RAM, but I'd advise more. We load the same std. load on the PC VM as on our regular PCs, and they get all the GPOs and updates the same. We also set the VM to auto launch on bootup so it forces the updates.
We will NOT go to Lion until the AD bind problem is fixed. That and the SMB connection problem. Two show stoppers here at least.