
Active Directory, Lion and .local domains

Hi,


What's the likelihood of Active Directory support being fixed in the upcoming updates?


MBP, formatted today and freshly installed from a Lion DVD won't bind reliably and logons can take upwards of two minutes if it can be persuaded to work.


AD and DNS are working perfectly and installed to MS standards. I've set the preferred DC to an IP address as a precaution, although originally it was done with a DNS name.


DC is running SBS 2008 and all LDAP, GC, PDC records etc. are in place and ping correctly.


Google goes mental if you query Active Directory OSX, it seems to have been buggy for a while!

$ dsconfigad -show

Active Directory Forest = domain.local
Active Directory Domain = domain.local
Computer Account = rob_macbook$

Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
Default user Shell = /bin/bash

Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Generate Kerberos authority = Enabled

Advanced Options - Administrative
Preferred Domain controller = 172.16.250.100
Allowed admin groups = domain admins,enterprise admins
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain

MacBook Pro, Mac OS X (10.7)

Posted on Aug 3, 2011 10:53 AM

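An added example, not code from the thread or from Apple: a small parser for the `dsconfigad -show` output pasted above, with a review pass that flags the settings a defender would revisit on a bound Mac (the `.local` suffix this thread is about, LDAP signing/encryption left at `allow` rather than `require`, forest-wide authentication, and which AD groups receive local admin rights). The sample text is constructed in the shape of the original post's output; the finding codes are my own names.

```python
# Constructed sample in the shape of the output pasted in the original post.
SAMPLE = """\
Active Directory Domain = domain.local
Computer Account = rob_macbook$

Advanced Options - Administrative
Preferred Domain controller = 172.16.250.100
Allowed admin groups = domain admins,enterprise admins
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
"""

def parse_dsconfigad(text):
    """Return {section: {key: value}}; lines before any header go under 'General'."""
    sections, current = {}, "General"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Advanced Options - "):
            current = line.split(" - ", 1)[1]
            continue
        key, sep, value = line.partition(" = ")
        if sep:  # skips blank lines and anything that is not a key/value pair
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def review(sections):
    """Return [(code, detail)] for settings a defender should revisit."""
    findings = []
    admin = sections.get("Administrative", {})
    domain = sections.get("General", {}).get("Active Directory Domain", "")
    # macOS reserves .local for Multicast DNS (Bonjour); this thread is about
    # Lion failing to bind reliably to AD domains using that suffix.
    if domain.lower().endswith(".local"):
        findings.append(("dot-local-domain", domain))
    # 'allow' negotiates LDAP signing/encryption but still accepts a DC that
    # offers neither; 'require' refuses to bind without it.
    for key in ("Packet signing", "Packet encryption"):
        value = admin.get(key, "not set")
        if value.lower() != "require":
            findings.append(("ldap-%s-not-required" % key.split()[1], value))
    if admin.get("Authentication from any domain", "").lower() == "enabled":
        findings.append(("forest-wide-auth", "Enabled"))
    # Every group listed here gets local administrator rights on the Mac.
    for group in admin.get("Allowed admin groups", "").split(","):
        if group.strip():
            findings.append(("ad-group-is-local-admin", group.strip()))
    return findings
```

Feed it the real output of `dsconfigad -show` to compare a fleet of Macs against the same checklist.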

Aug 9, 2011 9:23 PM in response to dgwharrison

Same issue here with SBS 2008 and a .local domain. I upgraded to Lion and all appeared OK. However, I couldn't connect to any SMB share in the office. I unbound from the domain and now it simply will not rebind. I am getting "unknown error code (1)"; I'm getting "Unable to add server, unknown error code..." etc. when I try to bind.
Snow Leopard would bind fast, within seconds, and Lion seems to take about four minutes for each step of the bind: "getting information about active directory... checking credentials... checking for previous...

Aug 11, 2011 6:34 AM in response to RBrookbanks

Same problems, so frustrating. Upgraded to Lion and couldn't log in as an AD user; the logon screen just states "network users are unavailable". I ended up unbinding and rebinding the machine to the domain and was able to have marginal luck with logging into the workstation. Today I finally changed my AD password because it was about to expire. I can no longer log into my workstation. I logged back in as a local user and did the whole unbind, rebind thing. This time I am having no luck and cannot get back in. This feature worked perfectly in Leopard and Snow Leopard. I am copying all the files from the network user's directory to a local user as root and will then change permissions to see if I can at least work as a local user. Not what I would expect from Apple with an OS upgrade. I wish I had stayed on Snow Leopard.

Sep 9, 2011 8:37 PM in response to RBrookbanks

Supposedly, 10.7.2 fixes this issue. A poster in a different thread believed it was expected to be released on or before 1 Sept. As it's now the 9th, and it's still not available...


in any event, I've got a brand spanking new MBA (yea!... not!), that I can't join to our domain because it shipped with Lion 10.7.1.


I know I can simply wait it out, as long as I don't want to use my computer... OR I could maybe downgrade? to Snow Leopard, seeing as that seems to be solid. Of course, with an MBA, doing OS loads to anything other than what's in the recovery partition (I know.. Windoze parlance...) is not so simple. Also, even doing a reload to a factory image requires Internet access... What's THAT about?


I've been primarily a Windows and *nix admin for the last couple of decades, avoiding Apple because of the weird proprietary stuff they pull. Our executive team has had a big gulp of the Apple Kool-Aid and since I have to support them, I thought I'd spend some time getting more fluent in the OS X/iOS world. Frankly, this is a great example of why I've stayed away. How can you ignore the ability to interoperate with the 8000 lb gorilla in the enterprise network world?? As I'm using 10.7.1, this means that Apple has left this critical (IMHO) issue unfixed/unaddressed for TWO releases (.0 and .1) and is slow and silent on whether or not it will be fixed in 10.7.2.


Sad... very Sad!


Guess I'll go back to my Linux/Windows world and tell our executive team that Apple apparently does not care enough about enterprise environments to get this fixed in a timely issue. I really hate to have to downgrade our executive team (most with MBPs) back to Snow Leopard... This ***!

Oct 13, 2011 6:25 AM in response to dgwharrison

First, I do want to say that, though the effort is appreciated, the posts from stallamaris5 are very old and have absolutely nothing to do with the current issues Lion has with ".local" domains.


Most importantly, though:


My admittedly brief testing shows that Apple has yet to fix the problem in 10.7.2. I think the first developer seed actually had the problem fixed, but subsequent seeds wouldn't allow network login at all. The release build, 11C74, does not have any fix for this presumptively huge bug.


I'll keep trying to see what I come up with, but it just seems that Apple has abandoned AD customers in Lion.

Nov 24, 2011 6:50 PM in response to RBrookbanks

REALLY frustrating, especially when you work with a large directory (800+ users in a school environment) which includes Exchange 2007+ and SharePoint. Having Exchange and SharePoint in your environment rules out renaming your domain. Why would Apple break something that was working in Snow Leopard? ".local" domains are MS best practice and now I'm sure A LOT of people will have this problem...
Only thing I can think of is creating a new domain and migrating everything across, which is a very big pain!

Big fail on Apple's part....

Dec 5, 2011 9:37 PM in response to nfonz23

I have been using this workaround for a month now and it successfully corrects the issue:

http://www.centrify.com/downloads/public/centrify-directcontrol-for-mac-local-domain-workaround.pdf


It was provided by Centrify, which is a vendor of an AD plugin, BUT, you do not need to run their plugin. This is simply a fix for the .local problem plaguing Lion. The workaround will involve changes at the client level and a minor change to your DNS servers.


For a brief test results review of the workaround refer to this:

https://discussions.apple.com/thread/3198558?answerId=16701295022#16701295022


If you have that many clients, though, perhaps you should consider a 3rd party plugin like Centrify itself or Likewise. AD integration wasn't 100% functional in Snow Leopard either, though not as problematic as with Lion, granted...
