
s.p.xosder

macrumors newbie
Original poster
Jun 23, 2010
9
0
Any other developers connect their machines to an Active Directory domain? Since installing 10.7, I am unable to connect to my domain. At the login screen, there is a message stating that "Network accounts are unavailable".

I can confirm that the computer is able to ping the Domain Controller and during the bind process, the machine recognizes the computer account in AD and asks if I want to join the existing account.

I have attempted both an upgrade install and a fresh install and both had the same result. Thanks in advance for help!:D
 

David the Gnome

macrumors newbie
Nov 20, 2008
21
0
We're having the same problem. None of our Lion machines will bind to the AD, not even the Xserves. I can sometimes get them to bind but they will randomly stop allowing network logins, even though the AD shows green in the directory utility. The same machine will work just fine if it's re-imaged to Snow Leopard but Lion just won't cooperate with the Active Directory. We're running Windows Server 2008 R2.
 

s.p.xosder

macrumors newbie
Original poster
Jun 23, 2010
9
0
Update: not quite there yet

So, I've been messing around with this for the better part of the weekend, and I found a few things.

First, I had to turn on the mobile account creation option in the directory utility. Without that being on, I couldn't get it to work at all. If I asked it to prompt me at login and I said not to create the mobile account, it caused issues, so I am now allowing it to create the account.

Second, I'm not sure why, and I didn't want to believe it, but I seem to have better luck if the login settings are set to "List of Users" and not "Name and Password".

I've also turned off the wireless and removed my Open Directory settings. Not sure if those matter, but I wanted to rule them out.

On machines that still don't connect, I use the dscl command and browse the domain manually from within Terminal. Somehow this seems to help too. It still isn't close to 100% and a restart can cause the machine to not log in again even if it was working before.
 

Ragnar-Kon

macrumors member
Jul 17, 2011
41
0
Have had it working for 2 months or so now, and ran into absolutely zero issues. Just set it up the same way I did with Snow Leopard. I use a slight variation of the "golden triangle" setup.

Computers
Mixture of 10.5.8, 10.6.8, and 10.7.0

Active Directory
Windows Server 2003 R2

Open Directory
Mac OS X 10.6.8 Server

Bind information:
Active Directory first, then Open Directory. The users log in with their Active Directory account, therefore you MUST use mobile accounts. I could be wrong, but it is my understanding you can't use standard managed accounts unless they are logging in with an Open Directory account. Lastly, I reorganize the Search policy where it searches for the Open Directory server first, and then the Active Directory. Reboot, then done.

The result allows me to manage the Mac computers from the Open Directory server, while the users still log into their Active Directory accounts. My network is set up where I manage the Macs on a per-computer basis rather than a per-user basis. I have gotten it to work on a per-user basis before, but the permissions were patchy at best. But, since it wasn't really necessary for my network, it wasn't a huge loss.

Several of the Mac Pros are connected to an Xsan through fiber and a private vlan. That setup requires a master Xsan controller and a backup Xsan controller, both running 10.6.8 and both are physically separate servers from the Open Directory server. Permissions on the Xsan are managed on an Active Directory user basis (since all of my servers are dual-bound to Active Directory and Open Directory, just like my other Macs). I also have a 4th Xserve machine that is running several 10.6.8 virtual machines that I use as web servers, development servers, etc.

The only thing I haven't tested yet is 10.7.0 Server. The only reason I haven't is because I have not heard anything regarding virtual machines and 10.7.0. Obviously you have to install regular Mac OS X Lion before you can install server software, and previously it was against Apple's terms to install a regular copy of Mac OS X on a virtual machine. So I'm afraid that means I can't run 10.7.0 Server through virtual machines since it requires the installation of Mac OS X first.
On top of this, I typically wait for the first few patches before I upgrade any servers, so as of right now the plan is to wait until December vacation before I upgrade any of my servers.

Having said that, I'm running into all kinds of stupid issues with Lion that are non-network related that will probably force me to wait until December vacation to upgrade any of my machines. (I work at a University, so the prime time to upgrade computers is during the summer and winter break.)

Hopefully that was well-explained enough to help. If not, let me know.
 

Ragnar-Kon

macrumors member
Jul 17, 2011
41
0
For kicks and giggles I installed Lion Server on a Mac Pro just to see what issues I would run into.

Long story short, Lion Server is gonna need a lot of work if Apple hopes to have it work within an Active Directory environment. Right now the only purpose it has is to suck electricity out of the wall and dazzle me with its single blinking LED. Worthless. Completely worthless.
 

collegetech

macrumors newbie
Dec 15, 2004
5
0
We had the same problem here and found the fix today. After binding to the domain, when you go back to the directory utility you will notice the Apply button is greyed out. You need to click on the lock to lock the settings. Quit directory utility, and click on the lock for Users and Groups.

We did not check the mobile account setting.
 

jonritter

macrumors newbie
Jul 22, 2011
2
0
- Install Lion
- Log into your local admin account
- Set the machine name to "XXX" and remember this name
- Open Directory Utility
- Open Active Directory
- Set the Computer ID to "XXX"
- (Optional) Show Advanced Options, check "Create mobile account...", uncheck "Require confirmation..."
- Click Bind
- Enter in your admin domain credentials
- Hit OK
- Lock the directory utility by clicking the lock in the lower right corner
- Log out of the local admin profile
- Log in as any domain user
 

stikkman

macrumors newbie
Jul 25, 2011
7
0
Re: Active Directory and Lion - Network accounts are unavailable

So what's the trick to logging into Lion w/ your domain account? The local admin and user accounts I've created and bound to my AD service just prompt me for a password - no domain affiliation. Logging in as Guest gives me the option to include my Windows domain login but won't accept my Windows password. This was all working fine via Snow Leopard - seems related to my recent Lion update. Did run a permissions check/repair as advised but have no way of logging in per my AD account. Seem to recall w/ Snow Leopard as separate account related to AD in the login screen?

Thanks!

Scott
 

Corex

macrumors newbie
Jul 27, 2011
12
0
I've followed both jonritter's and Mack Daddy's suggestions but it doesn't work.

Repair permissions, changing the search path's order to get the apply button activated and locking the settings doesn't work. It's flawless with SL, but Lion's driving me nuts. Any other suggestions? Still having problems here =-(
 

derbothaus

macrumors 601
Jul 17, 2010
4,093
30
Same here. Just started widespread testing. Stopped after bind. No accounts available. Just not working with exact same and/or slightly modified AD settings.
Is it me or is Directory utility acting a little weird? It will unlock and change settings back at differing intervals. I had to fight to bind and not have my settings changed. Win 2008 vanilla. 10.6 implementations are flawless. I tried all the above fixes to no avail.
 

Corex

macrumors newbie
Jul 27, 2011
12
0
I've set up a working SL machine to try to see what's wrong. The SL machine gets, for example, the search path /Active Directory/All Domains and the Lion machine gets /Active Directory/DOMAIN/All Domains, but the directory utility still doesn't give an error message (if I change the search path, DU gives the error cannot connect to auth database). On the SL machine I have an option "allow network users to login to this computer" but not on the Lion machine. I'll reinstall Lion since I've done too many settings to track hehe.
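
Added example, not part of any post in this thread: a shell helper that reads the output of `dscl /Search -read / CSPSearchPath` and reports the two things compared above, namely the form of the Active Directory node (with or without the domain name) and whether an Open Directory (LDAPv3) node is searched before it. The sample output, the server name od.example.com and the labels `domainless` / `domain-qualified` are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise a Mac's authentication search path from the
# output of `dscl /Search -read / CSPSearchPath`.

# Constructed sample: Lion-style AD node as quoted in the thread, plus a
# hypothetical Open Directory server (od.example.com).
SAMPLE='CSPSearchPath:
 /Local/Default
 /LDAPv3/od.example.com
 /Active Directory/DOMAIN/All Domains'

# Print one node per line. dscl puts each value on its own line, indented
# by one space, as soon as any value contains a space.
search_nodes() {
    awk '
        /^CSPSearchPath:/ { sub(/^CSPSearchPath: */, "")
                            n = split($0, v, " ")
                            for (i = 1; i <= n; i++) print v[i]
                            next }
        /^ \//            { sub(/^ /, ""); print }'
}

# Form of the first Active Directory node in the path.
ad_node_style() {
    node=$(search_nodes | grep '^/Active Directory/' | head -n 1)
    case "$node" in
        '')                                  echo none ;;
        '/Active Directory/All Domains')     echo domainless ;;
        '/Active Directory/'*'/All Domains') echo domain-qualified ;;
        *)                                   echo other ;;
    esac
}

# Which directory is consulted first when both are in the path.
directory_order() {
    search_nodes | awk '
        /^\/LDAPv3\//           { if (!od) od = NR }
        /^\/Active Directory\// { if (!ad) ad = NR }
        END { r = "single-directory"
              if (od && ad) r = (od < ad ? "od-first" : "ad-first")
              print r }'
}

if command -v dscl >/dev/null 2>&1; then
    path=$(dscl /Search -read / CSPSearchPath)
else
    path=$SAMPLE    # not on a Mac: use the constructed sample
fi
echo "AD node style: $(printf '%s\n' "$path" | ad_node_style)"
echo "Lookup order:  $(printf '%s\n' "$path" | directory_order)"
```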
 

eritho

macrumors newbie
Jul 26, 2011
10
0
Norway
I've set up a working SL machine to try to see what's wrong. The SL machine gets, for example, the search path /Active Directory/All Domains and the Lion machine gets /Active Directory/DOMAIN/All Domains, but the directory utility still doesn't give an error message (if I change the search path, DU gives the error cannot connect to auth database). On the SL machine I have an option "allow network users to login to this computer" but not on the Lion machine. I'll reinstall Lion since I've done too many settings to track hehe.

I'm experiencing the exact same thing. In another forum post here someone suggested to me that I try running /System/Library/Coreservices/ManagedClient.app/Contents/Resources/createmobileaccount after joining the domain but it does not work.

My users who upgraded their already domain-joined Snow Leopard to Lion cannot log in. They are asked to change their password when trying to log on.
 

Corex

macrumors newbie
Jul 27, 2011
12
0
Well, I reinstalled and the windows are the same so it's probably meant to be missing that option. Still haven't found a way to login with AD accounts.
 

eritho

macrumors newbie
Jul 26, 2011
10
0
Norway
I somehow think the two issues are related.

Have you tried doing:
Code:
sudo dsconfigad -add yourdomain.com -mobile enable -localhome enable -computer computername -username "domainadmin" -password "SomePassword" -ou "CN=Computers,DC=yourdomain,DC=com"

You can of course remove the -mobile and -localhome attributes if you don't use them. Do
Code:
dsconfigad -help
for the complete command options.
 

Corex

macrumors newbie
Jul 27, 2011
12
0
I somehow think the two issues are related.

Have you tried doing:
Code:
sudo dsconfigad -add yourdomain.com -mobile enable -localhome enable -computer computername -username "domainadmin" -password "SomePassword" -ou "CN=Computers,DC=yourdomain,DC=com"

You can of course remove the -mobile and -localhome attributes if you don't use them. Do
Code:
dsconfigad -help
for the complete command options.

dsconfigad: The daemon encountered an error processing request. (10002), also trying without mobile and localhome, but same error =(

Where's the logfile for dsconfigad? system.log doesn't show anything when I execute the command.
 

eritho

macrumors newbie
Jul 26, 2011
10
0
Norway
Had you done an unbind before you ran dsconfigad?

I have not been able to locate any logfile for dsconfigad.
 

Corex

macrumors newbie
Jul 27, 2011
12
0
Had you done an unbind before you ran dsconfigad?

I have not been able to locate any logfile for dsconfigad.

Yup, unbound before, but after a restart today it worked. Ran the command both with localhome/mobile and without and restarts, waiting at the login window for about 3 mins and the dot is still red, network accounts unavailable.
 

PUG

macrumors newbie
Aug 1, 2011
3
0
My Domain Admins installed some automatic updates over the weekend on the Domain Controller servers. This morning I rebound the Lion machine and it seems to be working now.
 

derbothaus

macrumors 601
Jul 17, 2010
4,093
30
My Domain Admins installed some automatic updates over the weekend on the Domain Controller servers. This morning I rebound the Lion machine and it seems to be working now.

Could you possibly get any info on the patch and/or final version you are running that fixed it for you?
 