Cannot Join OS X Lion to Active Directory 2003

+1... most oddly is that it's in a DeployStudio workflow, which should be laying down the same image that it was yesterday, and earlier today, but late today, it stopped working. I've made some small tweaks to a postinstall package, but there's no reason they should touch the ability to bind to AD....

I **** had success getting the red dot to go away in Lion 10.7.1, even after reboot.

In System Preferences->Users and Groups authenticate and click Login Options.

Click the Edit button next to Network Account Server.

Click Open Directory Utility button.

Click the lock and authenticate.

Here is where I made my change. The authentication search was set to "Custom path". It looked good listing /Local/Default as well as two paths for our domain. Switching this to "Automatic" and clicking Apply instantly made my Network Account Server light green. Logged out and there was no red dot, logged in. Rebooted and there was still no red dot.

If it drops again I will come back and edit this post as invalid. Sorry if it doesn't help your particular situation.

Dear Michaeltgt:

I have try to Switching "Custom path" to Automatic but it is not work if new user login(first time login at this MAC) but it is better for user login before at this MAC.

Best Regards,

Bosco

I also had this issue but found a very weird solution that works most of the time.

I take the ethernet cable from the Mac and plug it into a different ethernet port (one that it wasn't plugged into before), restart. I get the red dot, that disappears after a couple of seconds, then the yellow dot and then after about 20-25 seconds if I'm lucky the yellow dot disappears and the users can login again!

Strange, doesn't work all the time but might be worth having ago.

Morgan

Now that it's public, we can say this: 10.7.2 really seems to have fixed all the stupid AD problems in the 2 previous releases. If you're having AD issues in Lion, stop everything and update if you're not using 10.7.2.

I just tried it on one of new fresh installs with the new updates and it was successful first go...

Good to see the updates fixed it.!

It was a weird bug I have no idea what caused it.

We bought a new server (wasn't nessassary but we had to our buy own) and updated it to 10.7.2, unbound the all of our Macs from AD and OD, restarted, rebound them to AD and OD and now we haven't had any issues so far!

One of the Macs is running 10.7.2 and the others are running 10.7.1 and neither versions are having issues.

So yeah, I believe the update has fixed it as well! 🙂

Guys, it could be that your upgrade to Lion hase changed Microsoft Hashes for your Machine account in AD. Try to remove your computer from AD and join your computer again.

Hey guys,

I too was having a huge issue with this, running into every problem that was listed in this thread. I did finally get it resolved.

First, upgrade to 10.7.2 - it is a necessary update in this case.

Now, here was the part that hung me up:

Go to System Preferences -> Network -> #your_connection# and manually configure. On the DNS tab, enter in the IP address of your Active Directory machine in the primary DNS slot, and your domain in the Search Domains slot. This was the step that hung me up. Unlike adding a Windows machine, OS X can't seem to resolve the AD Machine's IP address when you add it, even if you did plop it into /etc/hosts and /etc/resolv.conf

Once that is taken care of, apply the settings and close System Preferences.

Now, all you need to do is fire up Directory Utility (on 10.7, is is in /System/Library/CoreServices/) etner in the required info (Forest can be set to -Automatic-) click BIND, enter in your AD ADMINISTRATOR Account Credentials, and watch it fire up.

You can check your options by launching:

$ dsconfigad -show

on a command line.

Log out, and you can then log back in with your Domain/Username and password. Of course, you can always unbind and customize your settings.

This worked flawlessly on 15 iMacs running 10.7.2 on our network here at work. We have 10 more on the way that will be automated using dsconfigad in a Perl script.

I also tested this on the commandline using dsconfigad. After pouring through a ton of debugs, I have deduced that both /etc/hosts and /etc/resolv.conf don't seem to get the same props as they do on Linux/BSD. I'm not sure why, but the DNS entry was the problem.

Enjoy!

I have tried everything here and no joy. I can get it to work briefly at times, but at next reboot, I have to start the process all over again.

If I have Apple Care on my MacBook Pro, do I have support for this issue? Snow leopard had no issues. I have no other issues with Lion other than being able to log into my domain.

Go to a Terminal. At the prompt, type in :

dscacheutil -configuration

What does it return?

So here is my resolve as of now.

I contacted Apple Care, and of course they tried to bow out of any help with connecting to an AD domain. I explained that this was working fine with Snow Leopard, and the first tier of support didn't quite understand what I was trying to do. I finall got handed off to someone in Enterprise support, and that was the type of help I needed. Instead of going through a 100 troubleshooting steps, I started supplying the items I had already tried, and results.

The one thing that got their attention was when I told them I could, from my Windows Server, ping the Mac by machine name, but not by fqdn, so I could ping "macbook" but not macbook.mydomain.local. Of course from my side this made no sense. What I was told is Lion has a problem with domains with a .local address, as this is somehow tied ot Bonjour. What I did was go to both my Domain Controllers and addex IPv6, and set the forward and reverse lookups. As you know, you cannot disable IPv6 on the LION side, so I needed this configured.

IPv6 is not set up by default on a Windows Server 2003 AD Domain. I configured the IPv6 and set my forward and reverse lookups in DNS, and off to the races we went!

I have booted my MacBookPro at least 10 times now, and while I have to give it a second shen the log in screen comes up to establish a connection before logging in (maybe 10 seconds), it seems to be working fine now.

I really did search for hours on end, and while I found 100's of solutions, none of them were my problem. Here's to hoping this helps the next poor soul 😉

Thank you for your post. This solved the issue for us. All machines now bind.

Good work!!!

Re: Cannot Join OS X Lion to Active Directory 2003

Oct 5, 2011 2:58 PM (in response to ragenkagen)

I've found the source of this problem for me, and have been able to bind without further issue. Even though I'm connected to the internet, and using the Apple time server, the time on machines is not at all correct, which prevents the machines from binding to AD. I perform the below steps:

1. Change the date and time to the correct values (or within the acceptable threshold of your AD).
2. Restart the machine (will not work if you do not restart).

My machines are now happily binding to AD. 🙂

Josh