Active Directory and Lion - Network accounts are unavailable




s.p.xosder
Jul 15, 2011, 05:46 PM
Any other developers connect their machines to an Active Directory domain? Since installing 10.7, I am unable to connect to my domain. At the login screen, there is a message stating that "Network accounts are unavailable".

I can confirm that the computer is able to ping the Domain Controller and during the bind process, the machine recognizes the computer account in AD and asks if I want to join the existing account.

I have attempted both an upgrade install and a fresh install and both had the same result. Thanks in advance for help!:D



David the Gnome
Jul 18, 2011, 11:23 AM
We're having the same problem. None of our Lion machines will bind to the AD, not even the Xserves. I can sometimes get them to bind but they will randomly stop allowing network logins, even though the AD shows green in the directory utility. The same machine will work just fine if it's re-imaged to Snow Leopard but Lion just won't cooperate with the Active Directory. We're running Windows Server 2008 R2.

s.p.xosder
Jul 18, 2011, 01:28 PM
So, I've been messing around with this for the better part of the weekend, and I found a few things.

First, I had to turn on the mobile account creation option in the directory utility. Without that being on, I couldn't get it to work at all. If I asked it to prompt me at login and I said not to create the mobile account, it caused issues, so I am now allowing it to create the account.

Second, I'm not sure why, and I didn't want to believe it, but I seem to have better luck if the login settings are set to "List of Users" and not "Name and Password".

I've also turned off the wireless and removed my Open Directory settings. Not sure if those matter, but I wanted to rule them out.

On machines that still don't connect, I use the dscl command and browse the domain manually from within terminal. Somehow this seems to help too. It still isn't close to 100% and a restart can cause the machine to not login again even if it was working before.

Ragnar-Kon
Jul 18, 2011, 02:34 PM
Have had it working for 2 months or so now, and ran into absolutely zero issues. Just set it up the same way I did with Snow Leopard. I use a slight variation of the "golden triangle" setup.

Computers
Mixture of 10.5.8, 10.6.8, and 10.7.0

Active Directory
Windows Server 2003 R2

Open Directory
Mac OS X 10.6.8 Server

Bind information:
Active Directory first, then Open Directory. The users log in with their Active Directory account, therefore you MUST use mobile accounts. I could be wrong, but it is my understanding you can't use standard managed accounts unless they are logging in with an Open Directory account. Lastly, I reorganize the Search policy where it searches for the Open Directory server first, and then the Active Directory. Reboot, then done.

The result allows me to manage the Mac computers from the Open Directory server, while the users still log into their Active Directory accounts. My network is set up where I manage the Macs on a per-computer basis rather than a per-user basis. I have gotten it to work on a per-user basis before, but the permissions were patchy at best. But, since it wasn't really necessary for my network, it wasn't a huge loss.

Several of the Mac Pros are connected to an Xsan through fiber and a private vlan. That setup requires a master Xsan controller and a backup Xsan controller, both running 10.6.8 and both are physically separate servers from the Open Directory server. Permissions on the Xsan are managed on an Active Directory user basis (since all of my servers are dual-bound to Active Directory and Open Directory, just like my other Macs). I also have a 4th Xserve machine that is running several 10.6.8 virtual machines that I use as web servers, development servers, etc.

The only thing I haven't tested yet is 10.7.0 Server. The only reason I haven't is because I have not heard anything regarding virtual machines and 10.7.0. Obviously you have to install regular Mac OS X Lion before you can install server software, and previously it was against Apple's terms to install a regular copy of Mac OS X on a virtual machine. So I'm afraid that means I can't run 10.7.0 Server through virtual machines since it requires the installation of Mac OS X first.
On top of this, I typically wait for the first few patches before I upgrade any servers, so as of right now the plan is to wait until December vacation before I upgrade any of my servers.

Having said that, I'm running into all kinds of stupid issues with Lion that are non-network related that will probably force me to wait until December vacation to upgrade any of my machines. (I work at a University, so the prime time to upgrade computers is during the summer and winter break.)

Hopefully that was well-explained enough to help. If not, let me know.

Ragnar-Kon
Jul 18, 2011, 04:48 PM
For kicks and giggles I installed Lion Server on a Mac Pro just to see what issues I would run into.

Long story short, Lion Server is gonna need a lot of work if Apple hopes to have it work within an Active Directory environment. Right now the only purpose it has is to suck electricity out of the wall and dazzle me with its single blinking LED. Worthless. Completely worthless.

collegetech
Jul 21, 2011, 10:00 AM
We had the same problem here and found the fix today. After binding to the domain, when you go back to the directory utility you will notice the Apply button is greyed out. You need to click on the lock to lock the settings. Quit directory utility, and click on the lock for Users and Groups.

We did not check the mobile account setting

jonritter
Jul 22, 2011, 03:25 PM
- Install Lion
- Log into your local admin account
- Set the machine name to "XXX" and remember this name
- Open Directory Utility
- Open Active Directory
- Set the Computer ID to "XXX"
- (Optional) Show Advanced Options, check "Create mobile account...", uncheck "Require confirmation..."
- Click Bind
- Enter in your admin domain credentials
- Hit OK
- Lock the directory utility by clicking the lock in the lower right corner
- Log out of the local admin profile
- Log in as any domain user

stikkman
Jul 25, 2011, 11:23 AM
So what's the trick to logging into Lion w/ your domain account? The local admin and user accounts I've created and bound to my AD service just prompt me for a password - no domain affiliation. Logging in as Guest gives me the option to include my Windows domain login but won't accept my Windows password. This was all working fine via Snow Leopard - seems related to my recent Lion update. Did run a permissions check/repair as advised but have no way of logging in per my AD account. Seem to recall w/ Snow Leopard as separate account related to AD in the login screen?

Thanks!

Scott

Mack Daddy
Jul 25, 2011, 09:05 PM
Hey guys

Fixed this by booting to recovery (command+r) and running a repair on file permissions

(as per a suggestion in this thread: http://forums.macrumors.com/showthread.php?t=1191494)

Corex
Jul 27, 2011, 09:05 AM
I've followed both jonritter's and Mack Daddy's suggestions but it doesn't work.

Repair permissions, changing the search path's order to get the apply button activated and locking the settings doesn't work. It's flawless with SL, but Lion's driving me nuts. Any other suggestions? Still having problems here =-(

derbothaus
Jul 27, 2011, 09:02 PM
Same here. Just started widespread testing. Stopped after bind. No accounts available. Just not working with exact same and/or slightly modified AD settings.
Is it me or is Directory utility acting a little weird? It will unlock and change settings back at differing intervals. I had to fight to bind and not have my settings changed. Win 2008 vanilla. 10.6 implementations are flawless. I tried all the above fixes to no avail.

Corex
Jul 28, 2011, 02:15 AM
I've set up a working SL machine to try to see what's wrong. The SL machine gets, for example, the search path /Active Directory/All Domains and the Lion machine gets /Active Directory/DOMAIN/All Domains, but the directory utility still doesn't give an error message (if I change the search path, DU gives the error "cannot connect to auth database"). On the SL machine I have an option "allow network users to login to this computer" but not on the Lion machine. I'll reinstall Lion since I've done too many settings to track hehe.

eritho
Jul 28, 2011, 05:32 AM
I've set up a working SL machine to try to see what's wrong. The SL machine gets, for example, the search path /Active Directory/All Domains and the Lion machine gets /Active Directory/DOMAIN/All Domains, but the directory utility still doesn't give an error message (if I change the search path, DU gives the error "cannot connect to auth database"). On the SL machine I have an option "allow network users to login to this computer" but not on the Lion machine. I'll reinstall Lion since I've done too many settings to track hehe.

I'm experiencing the exact same thing. In another forum post here someone suggested to me that I try running /System/Library/Coreservices/ManagedClient.app/Contents/Resources/createmobileaccount after joining the domain but it does not work.

My users who upgraded their already domain-joined Snow Leopard to Lion cannot log in. They are asked to change their password when trying to log on.

Corex
Jul 28, 2011, 06:40 AM
Well, I reinstalled and the windows are the same so it's probably meant to be missing that option. Still haven't found a way to login with AD accounts.

eritho
Jul 28, 2011, 06:57 AM
Here is the link to the other forum thread regarding this topic. OSX Lion and AD (http://forums.macrumors.com/showthread.php?p=13053424#post13053424)

Corex
Jul 28, 2011, 07:08 AM
Here is the link to the other forum thread regarding this topic. OSX Lion and AD (http://forums.macrumors.com/showthread.php?p=13053424#post13053424)

That issue regards no home folder gets created and not being able to login OFFLINE, we're online and can't even login with an AD account.

eritho
Jul 28, 2011, 07:14 AM
That issue regards no home folder gets created and not being able to login OFFLINE, we're online and can't even login with an AD account.

Yeah, sorry, guess you're right.

Corex
Jul 28, 2011, 07:27 AM
Yeah, sorry, guess you're right.

Please keep anything coming, other stuff can point one in the right direction ;) Really stuck hehe

eritho
Jul 28, 2011, 07:35 AM
I somehow think the two issues are related.

Have you tried doing:

sudo dsconfigad -add yourdomain.com -mobile enable -localhome enable -computer computername -username "domainadmin" -password "SomePassword" -ou "CN=Computers,DC=yourdomain,DC=com"

You can of course remove the -mobile and -localhome attributes if you don't use them. Do dsconfigad -help for the complete command options.

Corex
Jul 28, 2011, 08:05 AM
I somehow think the two issues are related.

Have you tried doing:

sudo dsconfigad -add yourdomain.com -mobile enable -localhome enable -computer computername -username "domainadmin" -password "SomePassword" -ou "CN=Computers,DC=yourdomain,DC=com"

You can of course remove the -mobile and -localhome attributes if you don't use them. Do dsconfigad -help for the complete command options.

dsconfigad: The daemon encountered an error processing request. (10002), also trying without mobile and localhome, but same error =(

Where's the logfile for dsconfigad? system.log doesn't show anything when i execute the command

eritho
Jul 28, 2011, 08:34 AM
Had you done an unbind before you ran dsconfigad?

I have not been able to locate any logfile for dsconfigad.

Corex
Jul 29, 2011, 01:12 AM
Had you done an unbind before you ran dsconfigad?

I have not been able to locate any logfile for dsconfigad.

Yup, unbound before, but after a restart today it worked. Ran the command both with localhome/mobile and without and restarts, waiting at the login window for about 3mins and the dot is still red, network accounts unavailable.

PUG
Aug 1, 2011, 10:55 AM
My Domain Admins installed some automatic updates over the weekend on the Domain Controller servers. This morning I rebound the Lion machine and it seems to be working now.

derbothaus
Aug 1, 2011, 07:06 PM
My Domain Admins installed some automatic updates over the weekend on the Domain Controller servers. This morning I rebound the Lion machine and it seems to be working now.

Could you possibly get any info on the patch and/or final version you are running that fixed it for you?

mtn.lion
Aug 2, 2011, 12:49 PM
Indeed, PUG, if it's true that updating the Windows server(s) resolves Lion's problems integrating with Active Directory, you'd be helping out a lot of people if you'd provide some detail or just identify the relevant updates.
p.s. Our domain controller is SBS 2011 (i.e., Windows Server 2008R2).

brownn
Aug 2, 2011, 01:07 PM
Hey guys

Fixed this by booting to recovery (command+r) and running a repair on file permissions

(as per a suggestion in this thread: http://forums.macrumors.com/showthread.php?t=1191494)

I keep having to do this, enter recovery mode and repair permissions, reboot and it works for a couple of times, then stops working again!

It's very frustrating as my Mini is working as a HTPC and is joined to my server 2008 R2 domain, is set to auto login to an account with limited readonly access to just music and video shares and to automatically launch my media software (xbmc) and every time this problem occurs, I have to dig the keyboard and mouse out.

mtn.lion
Aug 2, 2011, 01:12 PM
David the Gnome -- Everything I can find about backing down from Lion to Snow Leopard makes it clear that new MacBook Airs (i.e., those that came with Lion) CANNOT run Snow Leopard. ("Snow Leopard lacks the necessary drivers for Apple's latest hardware.") So when you say you've re-imaged machines to SL, I gather that didn't include any new Airs? My kingdom for a way to do this....

Mack Daddy
Aug 2, 2011, 09:41 PM
Fixed this by booting to recovery (command+r) and running a repair on file permissions


I keep having to do this, enter recovery mode and repair permissions, reboot and it works for a couple of times, then stops working again!


I've just turned my Lion test machine on after being off for a week and I was greeted with "Network Accounts Unavailable" it's fallen off the domain again :(

I'll try some of the other suggestions in this thread and report back.

mobtek
Aug 2, 2011, 09:52 PM
All I did was System Preferences -> Users and Groups -> Login Options -> Network Account Server (click the Edit... button) -> click Open Directory Utility... which will now open up properly, then double-click your Active Directory, Unbind, Click Create mobile account on Login, then rebind and ta-dah.
Worked for me (tm) ;)
make sure you choose SMB as the protocol too

Corex
Aug 3, 2011, 04:06 AM
All I did was System Preferences -> Users and Groups -> Login Options -> Network Account Server (click the Edit... button) -> click Open Directory Utility... which will now open up properly, then double-click your Active Directory, Unbind, Click Create mobile account on Login, then rebind and ta-dah.
Worked for me (tm) ;)
make sure you choose SMB as the protocol too

Didn't work for me, tried a couple of times. Would be nice to know what patch fixes the problem.

kevincraz
Aug 3, 2011, 03:38 PM
I have two new Mac minis with OSX 10.7 Lion, tried all the ideas given above, still unable to bind to my domain......User name & PW are both correct and my domain is present because I can ping????

domain is on a server 2003
??????

anymore ideas????????

mtn.lion
Aug 3, 2011, 10:33 PM
Call around 'til you find a Best Buy that still has some pre-Lion Mac Minis in stock, then return the new ones. Or a specialty Mac online store like: http://www.themacstore.com/parts/show/c-nmm-mc270ll__a

That's how we resolved our MacBook Air situation. Rather have computers that work than computers with latest hardware. Imagine.

derbothaus
Aug 3, 2011, 11:01 PM
Apple is aware and I have a beta patch that updates some OD components (don't ask). Won't get to it till Friday though. Most likely fixed in 10.7.1. I'll report back so people don't have to return machines if they are not in a time crunch at work. It may not fix my problem but it's a step in the right direction.

eritho
Aug 4, 2011, 05:09 AM
Apple is aware and I have a beta patch that updates some OD components (don't ask). Won't get to it till Friday though. Most likely fixed in 10.7.1. I'll report back so people don't have to return machines if they are not in a time crunch at work. It may not fix my problem but it's a step in the right direction.

Does the update fix any issues regarding Active Directory?

derbothaus
Aug 4, 2011, 12:06 PM
Does the update fix any issues regarding Active Directory?

That's what it is supposed to do. Did you not read the thread we are on here? Portions of OD are used to communicate with AD.

brownn
Aug 4, 2011, 02:03 PM
I installed the updates below on my Windows Server 2008 R2 machine and since then the problem with network login has resolved itself!!

http://img153.imageshack.us/img153/38/screenshot20110804at195.png (http://imageshack.us/photo/my-images/153/screenshot20110804at195.png/)

derbothaus
Aug 5, 2011, 08:52 PM
So the patch sort of worked but still no confidence in 10.7 as a deployment I can manage. Warehouses are starting to run real low on 10.6 shipping Macs as demand is pretty high specifically for those.
I have "some network accounts available" now with a yellow indicator. Although I now have "multiple" domains bound even though I only bound the same single one that show as single in 10.6. Search paths had to be manually entered as it did not find them.
Unfortunately there are so many other buggy things with Directory utility. I had to fight to keep my settings from reverting but they never reverted in any logical repeatable manner. The lock stays unlocked each time I launch it even after locking it and just re-launching. Stupid. I told it to not "ask" for mobile account creation and it "asked" each and every time regardless. Finder crashed on initial account creation. 2nd log in was fine. Great. This is probably the worst implementation of AD integration yet for me.

Mack Daddy
Aug 8, 2011, 12:39 AM
I'm tempted to try the updates brownn has highlighted on my AD server(s) but I don't see how this is Microsoft's problem..

brownn
Aug 8, 2011, 01:18 AM
Just to follow up, this initially fixed my problems, but since posting here I have had the network logon unavailable message again.

Thankfully though, I have only needed to reboot and it has started working again instead of having to boot into repair mode and using Disk Utility to fix permissions but still extremely annoying!!

I'm hoping the next 10.7.x update fixes this.

juiced2010
Aug 8, 2011, 02:14 PM
The Lion AD connector apparently doesn't like 'Active Directory/All Domains' in the Search Policy-->Authentication tab of Directory utility. Add a custom search path to your domain for authentication and contacts-- '/Active Directory/MY' if your domain is 'MY.DOMAIN.COM'; you ought to be able to authenticate after that.

lexicon5
Aug 9, 2011, 08:58 AM
The Lion AD connector apparently doesn't like 'Active Directory/All Domains'
This is exactly my issue. I did the normal SL route of Us&Gs>Login Options>Network Account Server>Join>Open Directory Utility>Service yadda yadda...that never worked for us in Lion. It joins AD but never created the Mobile account even though that was selected.
The way I got it to work is instead of clicking Open Directory Utility after clicking Join, I enter the DC info in the drop box that appears when you click Join. If that is good, that drop box extends to uncover the AD Admin User and PW entry fields. Enter that info and it creates the account or joins a manually created account in the proper container in AD.
I had to wait a few minutes for all the Authentication Search Paths to appear so I could rearrange them. We had to delete the /Active Directory/All to keep AD accounts from locking when logged in.
Create Mobile selected...and that works.
Deselected Allow Auth from any domain under Administrative tab.
Everything seems to function...

dmillbank
Aug 10, 2011, 11:08 AM
We're running Windows 2003 Active Directory. Some of the settings are of course optional, as they are the way I like to have it set up, so you might want to customize it to your liking. If you have suggestions on how to optimize the steps, by all means, post them here and share with the rest of us. :)

Join to the domain:
a. System Preferences > Users & Groups > Login Options > Join
b. Enter your AD server address
c. Enter the Client Computer ID, AD Admin User and AD Admin Password and click OK.

Check the following boxes
- Name and password (instead of List of Users)
- Show Input menu in login window
- Show password hints
- Allow network users to log in at login window
(The rest of the boxes can are left unchecked.)

Click Edit (in Login Options)

Click on Open Directory Utility
Under Search Policy, select Custom Path under the dropdown and make sure that only

/Local/Default
/Active Directory/[Domain name without .com]/[Domain name with .com]

i.e. /Active Directory/WIDGETS/widgets.com

Click Apply
Click on Services
Double-click on Active Directory.
Click on Show Advanced Options
Check Create mobile account at login
Uncheck Require confirmation before creating a mobile account
Click on the Administrative tab
Check Allow administration by:
Uncheck Allow authentication from any domain in the forest
Click OK
Click the Lock and the red X to close
Click the Lock and the red X to close

Restart and make sure a user on the network account for the user can log in.

That works for me. I've tested it on a couple computers now and the settings are sticking.

One strange thing:
If I unbind the domain and log out or restart, it brings up the Network Accounts are unavailable bubble!! That part just doesn't make sense.

aummac
Aug 11, 2011, 01:03 PM
The disk utility, repair permissions worked for us. This process takes about 10 minutes. You can create the mobile account but all that does is give you access when there are "no accounts available" we use this for laptop users who take the machines outside our domain.

We have Golden Triangle Setup

OS X 10.6.8 Server
Server 2008 R2
OS X Lion and 10.6.4-10.6.8 machines

Mattie Num Nums
Aug 11, 2011, 01:47 PM
This is still broken in 10.7.2.

Download Centrify Express. It's free (but doesn't allow you to use AD Groups.)

PUG
Aug 12, 2011, 11:04 AM
Unfortunately, I don't know what updates my domain admins installed on the AD server. However, the problem seems to be back. It was fine for a few days but now the network accounts are unavailable again. Hopefully this is something that will be patched by Apple, soon.
The Disk permission fix was only temporary as well.

MacN00bie
Aug 16, 2011, 04:32 PM
Here's what worked for me... please leave me feedbacks. I'm assuming that you already joined the domain and login as local admin account.

1. go to "System Preferences", "User & Groups", and unlock the padlock
2. select "Login Options"
3. click on "Edit" button next to Network Account Server: xxx
4. now "Open Directory Utility" go to "Search Policy" tab
5. click "+" and Add "/Active Directory/xxx"
6. now move "/Active Directory/xxx" line up above "/Active Directory/xxx/All Domains" line so it reads first.
7. Apply and Reboot.

Good Luck:D

mazeno
Aug 18, 2011, 04:00 AM
dsconfigad: The daemon encountered an error processing request. (10002), also trying without mobile and localhome, but same error =(

Where's the logfile for dsconfigad? system.log doesn't show anything when i execute the command


Pre-Lion one would enable debugging for directory services using

sudo killall -USR1 DirectoryService

Apple has now moved Directory Services into opendirectoryd, and you can set the debug level with

odutil set log debug

This generates lots of output into /var/log/opendirectoryd.log
Check the KB at http://support.apple.com/kb/HT4696



Happy Debugging ;-)

Corex
Aug 29, 2011, 01:46 AM
thx dmillbank followed your suggestions but unfortunately it didn't work. There's 1 step i can't follow:

Check the following boxes
- Name and password (instead of List of Users)
- Show Input menu in login window
- Show password hints
- Allow network users to log in at login window
(The rest of the boxes can are left unchecked.)

- Allow network users to log in at login window <--- I don't have this option Mac OSX 10.7.0 and 10.7.1.

Mazeno: I'll try this, thx for the info

mazeno
Aug 29, 2011, 03:21 AM
- Allow network users to log in at login window <--- I don't have this option Mac OSX 10.7.0 and 10.7.1.


This choice doesn't become available until after a successful bind.

selgart
Aug 29, 2011, 01:59 PM
Here's what worked for me... please leave me feedbacks. I'm assuming that you already joined the domain and login as local admin account.

1. go to "System Preferences", "User & Groups", and unlock the padlock
2. select "Login Options"
3. click on "Edit" button next to Network Account Server: xxx
4. now "Open Directory Utility" go to "Search Policy" tab
5. click "+" and Add "/Active Directory/xxx"
6. now move "/Active Directory/xxx" line up above "/Active Directory/xxx/All Domains" line so it reads first.
7. Apply and Reboot.

Good Luck:D

This worked for me. I was getting the "no domains available" error with the red light. The first time after I did this I got the yellow light that said "some domains available," and then on subsequent logins it just worked.

Thanks!

arkaine23
Aug 31, 2011, 03:30 PM
I got this to work. There were two things I had to adjust. I bind this via a script. The first thing is that the syntax of dsconfigad has changed. Without making this change I was unable to bind. The second thing is that the search path needs to be rearranged. Without this change I was bound, but got the wonderful "Network accounts are unavailable" message on the login window.

Changed the syntax of dsconfigad from:

sudo dsconfigad -f -a $computerid -domain mydomain.com -u $user -p $password
sudo dsconfigad -groups "comma,delimited,list,of,domain,groups"
sudo dsconfigad -mobile enable -mobileconfirm disable -useuncpath disable

to:

sudo dsconfigad -add mydomain.com -username "$user" -password "$password" -computer "$computerid"
sleep 5
sudo dsconfigad -groups "comma,delimited,list,of,domain,groups"
sudo dsconfigad -mobile enable -mobileconfirm disable -useuncpath enable


And change the search path from:

sudo dscl /Search -create / SearchPolicy CSPSearchPath
sudo dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"

to:


sudo dscl /Search -create / SearchPolicy CSPSearchPath
sudo dscl /Search -delete / CSPSearchPath "/Active Directory/MYDOMAIN/All Domains"
sudo dscl /Search -append / CSPSearchPath "/Active Directory/MYDOMAIN"
sudo dscl /Search -append / CSPSearchPath "/Active Directory/MYDOMAIN/All Domains"

Mack Daddy
Sep 1, 2011, 01:26 AM
ok seriously..

did the 10.7.1 update fix Lion + Active Directory?

I updated around 2 weeks ago and ever since then my test machine is still on the domain, I've logged in with a few different accounts and tried to break it a few times but it's still joined and still works???

MattRK
Sep 13, 2011, 04:19 PM
10.7.1 didn't seem to fix anything for me.

What i will say is that the two things that helped me were the following:

1) DNS
Make sure your DNS servers are configured correctly. Several times throughout my testing i would reboot and then find a random 127.0.0.1 entry under my DNS servers. This was causing me a huge headache. Still not sure what was doing that. (My NIC was setup for a manual IP address, not DHCP)

2) Hostname
I am able to bind and get most things working as long as my hostname is set correctly. By default the machine's hostname is computername.local. Make sure you change this to match your AD domain. (sudo hostname computer.ADDomain.sufx) As soon as i changed this, rebooted, the "Network Accounts Not available" warning went away.

Also, when the machine first boots up you will see the "network accounts unavailable" warning for a bit until the machine establishes communications with the directory server. (Though i suppose maybe that's obvious.) Just wanted to mention that for anyone, who like me, isn't very patient with buggy/broken technology. Lol.

I'm still having trouble getting all of my AD security groups to show up when i go to set permissions on a specific file or folder. (Get Info > Sharing & Permissions > + sign > Network Groups) For some reason only about 20 or so groups show up. (We have about 75) Still working on this one. I think it may have something to do with search paths but i'm not sure.

Corex
Sep 14, 2011, 04:51 AM
2) Hostname
I am able to bind and get most things working as long as my hostname is set correctly. By default the machine's hostname is computername.local. Make sure you change this to match your AD domain. (sudo hostname computer.ADDomain.sufx) As soon as i changed this, rebooted, the "Network Accounts Not available" warning went away.

sudo hostname computer.domain.suffix

This only changes the hostname of the computer for the current session, it'll revert back to the old one after reboot.
To permanently stick it, use this instead:

sudo scutil --set HostName computer.domain.suffix
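
A read-only check for the two conditions reported in the posts above (the per-domain search-path node ahead of "All Domains", and a hostname inside the AD DNS domain), as an added example that is not part of any post. The function names, the sample data and the assumed multi-line layout of the `dscl /Search -read / CSPSearchPath` output are assumptions; MYDOMAIN and mydomain.com are the thread's placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: nothing here changes the bind.
# MYDOMAIN / mydomain.com are the placeholders used in the posts above.

# Constructed sample: search policy of a freshly bound Lion client as described
# in the thread (only the "All Domains" node present).
sample_before() {
    printf '%s\n' 'CSPSearchPath:' ' /Local/Default' \
        ' /Active Directory/MYDOMAIN/All Domains'
}

# Constructed sample: the same policy after the per-domain node has been added
# ahead of "All Domains".
sample_after() {
    printf '%s\n' 'CSPSearchPath:' ' /Local/Default' \
        ' /Active Directory/MYDOMAIN' ' /Active Directory/MYDOMAIN/All Domains'
}

# Turn `dscl /Search -read / CSPSearchPath` output into one path per line.
# Assumed layout: a "CSPSearchPath:" header, then one path per line with a
# leading space (paths contain spaces, so they cannot be split on whitespace).
parse_search_path() {
    sed -e '/^CSPSearchPath:[[:space:]]*$/d' \
        -e 's/^CSPSearchPath:[[:space:]]*//' \
        -e 's/^[[:space:]]*//' -e '/^$/d'
}

# Print the 1-based position of an exact path in the list on stdin, 0 if absent.
path_index() {
    awk -v want="$1" '$0 == want { print NR; found = 1; exit }
                      END { if (!found) print 0 }'
}

# Classify the search policy (one path per line on stdin) for one domain node:
#   ok            "/Active Directory/<NODE>" precedes every "All Domains" entry
#   missing-node  the per-domain node is not listed at all
#   wrong-order   an "All Domains" entry is searched before the per-domain node
search_order_status() {
    node_path="/Active Directory/$1"
    list=$(cat)
    n=$(printf '%s\n' "$list" | path_index "$node_path")
    a=$(printf '%s\n' "$list" | path_index "$node_path/All Domains")
    g=$(printf '%s\n' "$list" | path_index "/Active Directory/All Domains")
    if [ "$n" -eq 0 ]; then
        echo missing-node
        return 0
    fi
    result=ok
    for other in "$a" "$g"; do
        if [ "$other" -ne 0 ] && [ "$other" -lt "$n" ]; then
            result=wrong-order
        fi
    done
    echo "$result"
}

# True when the host name ends in the AD DNS domain (case-insensitive), e.g.
# mac01.mydomain.com for mydomain.com; false for the default mac01.local.
hostname_in_domain() {
    h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    d=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$h" in
        *".$d") return 0 ;;
        *) return 1 ;;
    esac
}

# Live check on a bound Mac:  sh adcheck.sh --check MYDOMAIN mydomain.com
if [ "${1:-}" = "--check" ]; then
    [ $# -eq 3 ] || { echo "usage: $0 --check NODE dns.domain" >&2; exit 2; }
    status=$(dscl /Search -read / CSPSearchPath | parse_search_path |
             search_order_status "$2")
    echo "search policy: $status"
    host=$(scutil --get HostName 2>/dev/null || hostname)
    if hostname_in_domain "$host" "$3"; then
        echo "hostname: $host is inside $3"
    else
        echo "hostname: $host is outside $3"
    fi
fi
```
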

MattRK
Sep 14, 2011, 10:20 AM
sudo hostname computer.domain.suffix

This only changes the hostname of the computer for the current session, it'll revert back to the old one after reboot.
To permanently stick it, use this instead:

sudo scutil --set HostName computer.domain.suffix


Good to know. Thanks for the info.

Mack Daddy
Sep 14, 2011, 06:32 PM
just another update

10.7.1

"Preferred Domain Server" is populated

IPv6 switched off

machine has been on the domain for over a week! it gets used every day too..

MattRK
Sep 15, 2011, 04:04 PM
I did a fresh install of 10.7.1 on a spare mac pro i had this afternoon and then put 10.7.2 on it. I was able to bind it to AD and it is reliably working. (I've rebooted 3 or 4 times so far and it works every time.) Here is what i did:

1) Gave the machine a manual IP. (Made sure to set the search domain to our AD domain name)

2) I set the computer name via Sharing and then rebooted.

3) I then set the hostname to include the computer & our ad domain. (sudo scutil --set HostName computername.domain.suffix) Rebooted.

4) Verified i could ping our domain and the DNS was responding reliably

5) Under Users & Groups > Login Options i selected Name & Password from the display login window as selection.

6) Clicked on Join and typed in our AD domain name. I made sure the computer name matched what i had set the hostname to and entered my credentials.

7) After the computer bound to the domain i opened Directory Utility and opened the Active Directory options.

8) Under the Advanced options section > User Experience tab, i checked "Create mobile account at login" and unchecked "Require confirmation."

9) On the Administrative tab i checked the "Allow administration by:" box and made sure domain admins and enterprise admins were listed.

That's it. It seems to be working. I had one slight problem after the reboot where i logged in as the local admin account and it logged me into some weird blank profile i didn't have permissions to. (Couldn't open anything) A reboot fixed that. Haven't run into that issue again.

I haven't had time to try out anything more advanced than simply logging in with domain credentials. I'll try and do some more testing later. I did test and verify that displaying all security groups under the "Network Groups" section of Get Info > Sharing & Permission tab is still broken. I outlined the problem in this thread (https://discussions.apple.com/thread/3328068) on Apple's website forums.

satcomer
Sep 16, 2011, 07:50 AM
Also make sure you are using the same time server that the Domain is using to avoid any Kerberos issues.

chaseerry
Oct 6, 2011, 02:04 PM
After pointing both my Lion machine and the 2008 R2 Server to the same NTP server I was able to bind using the Join button. After that, I logged out and saw there was an option to log in to a network account. Put in some credentials and got the red light and the "no network accounts available" message popped up. Since then I don't even get the option to try a network account at the login screen.

They have to fix this in the next update.

sickofit
Oct 14, 2011, 12:35 PM
I have 128 MacBooks and am having 2 issues with Network Accounts on random units on random days. Running Mac OS X, Version 10.6.7 or .8.
Basically the issue is the same: cannot log on with a shared network account. (All lower school students use the same user name and password.)

Here's where the real problem is: With the GREEN light on for Network Accounts Available I cannot log on with the shared network account. I've checked the Open and Active Directories and have tried changing the order in which they are listed. I have verified that the Computer ID (in System/Accounts/Network Accounts Server/Edit/Open Directory Utility) matches the Computer Name in "Sharing".

Now for the really wicked part: Someone posted to be patient and wait for the Green light. I wasn't. I ran the RED light and I was able to log in with the shared network account. WHY? Or HOW?
Thanks for reading this super long posting.

oxleyk
Oct 21, 2011, 08:58 AM
I upgraded from 10.6.8 to 10.7.2 on a test iMac and could not bind to our domain no matter what I tried. This was a big problem since I'm planning on upgrading all of our iMacs. Yesterday I booted from my Lion DVD, erased the drive and did a fresh install of Lion. I was then able to bind and rebind several times with no trouble. Binding works in both the Login Options in Users and Groups AND the Directory Services utility. Apparently there was something in the old settings that Lion does not like and was causing this problem. The only odd thing is that it shows the yellow dot in the login screen with the message, "Some network accounts are available."

Kent

oxleyk
Oct 21, 2011, 11:14 AM
After rebooting my test iMac I am now getting the red light message "Network accounts are unavailable."

Kent

banawalt
Oct 25, 2011, 04:16 PM
Hello,

I have spent the better part of a month trying to get some new Mac minis with 10.7.1 originally and now 10.7.2 to work properly when logging into the domain. I found lots of information on many sites, including this one, but nothing solved the issues I was having with the inability to log into the domain without having to wait 10+ minutes and try multiple times. I am happy to say that I believe I have finally gotten the login issue resolved for my new Macs with 10.7.2. I posted what I did over at https://discussions.apple.com/thread/3191111?start=15&tstart=0. If you are on a domain with .local, maybe it will help you.

msniner
Dec 21, 2011, 09:47 PM
Hmm...I got this solved.

My company uses pre-configured Lion images from our US headquarters to be cloned onto MacBook Air laptops. We have a forest with many domains and subdomains. I was in the Asia subdomain.

In a nutshell it was a network oversight on our part. What happened was:

I used the Accounts pane to bind a MacBook Air to a subdomain, which happens to be a DC nearest my office and something that makes sense geographically to my company.
Binding went through without a hitch, and I get a green light at the Accounts pane stating that I'm connected to the (let's name this...) asia.company.com domain.

When I logged out and proceeded to log in as the new user (thereby to create his new mobile account on the MacBook), I couldn't log in. There was a red light - "Network accounts are not available".

I tried unbinding, and rebinding using Directory Utility instead: No dice. Same issue.

Deleting and recreating the computer account on AD, and making sure on the Mac, the computername is correct: No go.

It was then I figured out that maybe the MacBook Air couldn't find the domain for authentication. I went into Network Settings, and in its DNS settings, the Search Domains were "company.com" in gray font, but I was in the asia.company.com domain.

So I added another entry to the Search Domains with "asia.company.com", and also added "company.com".

Upon logging out, the username field turned yellow, and then green.

My take: The DNS/DHCP administrator did not include the asia domain name in the Search Domains parameter when he configured his DHCP server to begin handing out addresses to computers in the network. My MacBook Air didn't know where to find my asia subdomain and thus a DC where I'm at.

So there, another potential rollout issue solved. I can now churn more MacBook Airs to my folks without worry ;)
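The three preconditions that come up repeatedly in this thread (a HostName that includes the AD domain, the AD domain present in the DNS search domains, and clocks in sync for Kerberos) can be checked before binding. The script below is an added example, not code from any poster; the function names and sample values are constructed, and the 300-second limit assumes the default Kerberos clock-skew tolerance of 5 minutes.

```shell
#!/bin/sh
# Pre-bind sanity checks for joining a Mac to Active Directory (added example).
# On a real machine the inputs would come from `scutil --get HostName`,
# the "search domain" lines of `scutil --dns`, and `date +%s`.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# HostName should be <computer>.<AD domain>, compared case-insensitively.
fqdn_in_domain() {
    host=$(lower "$1"); domain=$(lower "$2")
    case "$host" in
        ?*."$domain") return 0 ;;
        *) return 1 ;;
    esac
}

# The AD domain must be an exact entry in the space-separated search list.
search_has_domain() {
    domain=$(lower "$2")
    for entry in $(lower "$1"); do
        [ "$entry" = "$domain" ] && return 0
    done
    return 1
}

# Clock difference (epoch seconds) must stay within the Kerberos tolerance.
# Assumption: default tolerance of 300 s; pass a third argument to override.
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "${3:-300}" ]
}

# Args: HostName, search-domain list, AD domain, local epoch, DC epoch.
# Prints one FAIL line per problem and returns the number of failures.
prebind_check() {
    fails=0
    fqdn_in_domain "$1" "$3"    || { echo "FAIL HostName '$1' is not under $3"; fails=$((fails + 1)); }
    search_has_domain "$2" "$3" || { echo "FAIL search domains '$2' lack $3"; fails=$((fails + 1)); }
    skew_ok "$4" "$5"           || { echo "FAIL clock is more than 300 s from the DC"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "PASS all pre-bind checks"
    return "$fails"
}

# Constructed case modelled on the post above: the Mac belongs to
# asia.company.com, DHCP only supplies company.com, clocks are 40 s apart.
prebind_check "mba-01.asia.company.com" "company.com" "asia.company.com" \
    1319200000 1319200040 || echo "$? check(s) failed; fix before binding"
```
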

gillrakesh
Sep 22, 2012, 03:14 AM
Hey Guys,

I had the same problem. It was very annoying and I visited MacRumors Forum (as usual) for an easy solution. But I could not find anything helpful there. Then I started thinking myself and found a very simple solution. If you look at the top of your screen, at the extreme right next to Spotlight, you can find a user name; actually, as you guys know, it is the admin name. Now let me tell you guys how I fixed the problem:
Click on it and open Users and Groups Preference.
Now in that window Highlight the admin and Click the login options
Now in Automatic Login select Show sleep, Start and Shutdown buttons
Don't forget to select the Automatic login user.
Now close that window and next time when you will restart you will see that your problem is fixed.