Active Directory and Lion -Network accounts are unavailable

[mtn.lion]

Indeed, PUG, if it's true that updating the Windows server(s) resolves Lion's problems integrating with Active Directory, you'd be helping out a lot of people if you'd provide some detail or just identify the relevant updates.
p.s. Our domain controller is SBS 2011 (i.e., Windows Server 2008R2).

 

[brownn]

Hey guys

Fixed this by booting to recovery (command+r) and running a repair on file permissions

(as per a suggestion in this thread: https://forums.macrumors.com/threads/1191494/)

I keep having to do this, enter recovery mode and repair permissions, reboot and it works for a couple of times, then stops working again!

Its very frustrating as my Mini is working as a HTPC and is joined to my server 2008 R2 domain, is set to auto login to an account with limited readonly access to just music and video shares and to automatically launch my media software (xbmc) and every time this problem occurs, I have to dig the keyboard and mouse out.

 

[mtn.lion]

David the Gnome -- Everything I can find about backing down from Lion to Snow Leopard makes it clear that new MacBook Airs (i.e., those that came with Lion) CANNOT run Snow Leopard. ("Snow Leopard lacks the necessary drivers for Apple's latest hardware.") So when you say you've re-imaged machines to SL, I gather that didn't include any new Airs? My kingdom for a way to do this....

 

[Mack Daddy]

Fixed this by booting to recovery (command+r) and running a repair on file permissions

I keep having to do this, enter recovery mode and repair permissions, reboot and it works for a couple of times, then stops working again!

I've just turned my Lion test machine on after being off for a week and I was greeted with "Network Accounts Unavailable" it's fallen off the domain again

I'll try some of the other suggestions in this thread and report back.

 

[mobtek]

All I did was System Preferences -> Users and Groups -> Login Options -> Network Account Server (click the Edit... button) -> click Open Directory Utility... which will now open up properly, then double-click your Active Directory, Unbind, Click Create mobile account on Login, then rebind and ta-dah.
Worked for me (tm)
make sure you choose SMB as the protocol too

 

[Corex]

All I did was System Preferences -> Users and Groups -> Login Options -> Network Account Server (click the Edit... button) -> click Open Directory Utility... which will now open up properly, then double-click your Active Directory, Unbind, Click Create mobile account on Login, then rebind and ta-dah.
Worked for me (tm)
make sure you choose SMB as the protocol too

Didn't work for me, tried a couple of time. Would be nice to know what patch fixes the problem

 

[kevincraz]

help

i have two new mac mini's with OSX 10.7 lion, tried all the idea's given above still unable to bind to my domain......User name & PW are both correct and my my domain is present becuz i can ping????

domain is on a server 2003
??????

anymore ideas????????

 

[mtn.lion]

Call around 'til you find a Best Buy that still has some pre-Lion Mac Mini's in stock, then return the new ones. Or a specialty Mac online store like: http://www.themacstore.com/parts/show/c-nmm-mc270ll__a

That's how we resolved our MacBook Air situation. Rather have computers that work than computers with latest hardware. Imagine.

 

[derbothaus]

Apple is aware and I have a beta patch that updates some OD components (don't ask). Wont get to it till Friday though. Most likely fixed in 10.7.1. I'll report back so people don't have to return machines if they are not in a time crunch at work. It may not fix my problem but it's a step in the right direction.

 

[eritho]

Apple is aware and I have a beta patch that updates some OD components (don't ask). Wont get to it till Friday though. Most likely fixed in 10.7.1. I'll report back so people don't have to return machines if they are not in a time crunch at work. It may not fix my problem but it's a step in the right direction.

Does the update fix any issues regarding Active Directory?

 

[derbothaus]

Does the update fix any issues regarding Active Directory?

That's what it is supposed to do. Did you not read the thread we are on here? Portions of OD are used to communicate with AD.

 

[brownn]

I installed the updates below on my Windows Server 2008 R2 machine and since then the problem with network login has resolved itself!!

 

[derbothaus]

So the patch sort of worked but still no confidence in 10.7 as a deployment I can manage. Warehouses are starting to run real low on 10.6 shipping Mac's as demand is pretty high specifically for those.
I have "some network accounts available" now with a yellow indicator. Although I now have "multiple" domains bound even though I only bound the same single one that show as single in 10.6. Search paths had to be manually entered as it did not find them.
Unfortunately there are so many other buggy things with Directory utility. I had to fight to keep my settings from reverting but they never reverted in any logical repeatable manner. The lock stays unlocked each time I launch it even after locking it and just re-launching. Stupid. I told it to not "ask" for mobile account creation and it "asked" each and every time regardless. Finder crashed on initial account creation. 2nd log in was fine. Great. This is probably the worse implementation of AD integration yet for me.

 

[Mack Daddy]

I'm tempted to try the updates brownm has highlighted on my AD server(s) but I don't see how this is Microsoft's problem..

 

[brownn]

Just to follow up, this initially fixed my problems, but since posting here I have had the network logon unavailable message again.

Thankfully though, I have only needed to reboot and it has started working again instead of having to boot into repair mode and using Disk Utility to fix permissions but still extremely annoying!!

Im hoping the next 10.7.x update fixes this.

 

[juiced2010]

Need a search path

The Lion AD connector apparently doesn't like 'Active Directory/All Domains' in the Search Policy-->Authentication tab of Directory utility. Add a custom search path to your domain for authentication and contacts-- '/Active Directory/MY' if your domain is 'MY.DOMAIN.COM'; you ought to be able to authenticate after that.

 

[lexicon5]

The Lion AD connector apparently doesn't like 'Active Directory/All Domains'

This is exactly my issue. I did the normal SL route of Us&Gs>Login Options>Network Account Server>Join>Open Directory Utility>Service yadda yadda...that never worked for us in Lion. It joins AD but never created the Mobile account even though that was selected.
The way I got it to work is instead of clicking Open Directory Utility after clicking Join, I enter the DC info in the drop box that appears when you click Join. If that is good, that drop box extends to uncover the AD Admin User and PW entry fields. Enter that info and it creates the account or joins a manually created account in the proper container in AD.
I had to wait a few minutes for all the Authentication Search Paths to appear so I could rearrange them. We had to delete the /Active Directory/All to keep AD accounts from locking when logged in.
Create Mobile selected...and that works.
Deselected Allow Auth from any domain under Administrative tab.
Everything seems to function...

 

[dmillbank]

The following worked for me

We're running Windows 2003 Active Directory. Some of the settings are of course optional, as they are the way I like to have it set up, so you might want to customize it to your liking. If you have suggestions on how to optimize the steps, by all means, post them here and share with the rest of us.

Join to the domain:
a. System Preferences > Users & Groups > Login Options > Join
b. Enter your AD server address
c. Enter the Client Computer ID, AD Admin User and AD Admin Password and click OK.

Check the following boxes
- Name and password (instead of List of Users)
- Show Input menu in login window
- Show password hints
- Allow network users to log in at login window
(The rest of the boxes can are left unchecked.)

Click Edit (in Login Options)

Click on Open Directory Utility
Under Search Policy, select Custom Path under the dropdown and make sure that only

/Local/Default
/Active Directory/[Domain name without .com]/[Domain name with .com]

i.e. /Active Directory/WIDGETS/widgets.com

Click Apply
Click on Services
Double-click on Active Directory.
Click on Show Advanced Options
Check Create mobile account at login
Uncheck Require confirmation before creating a mobile account
Click on the Administrative tab
Check Allow administration by:
Uncheck Allow authentication from any domain in the forest
Click OK
Click the Lock and the red X to close
Click the Lock and the red X to close

Restart and make sure a user on the network account for the user can log in.

That works for me. I've tested it on a couple computers now and the settings are sticking.

One strange thing:
If I unbind the domain and log out or restart, it brings up the Network Accounts are unavailable bubble!! That part just doesn't make sense.

 

[aummac]

Repair Permissions

The disk utility, repair permissions worked for us. This process takes about 10 minutes. You can create the mobile account but all that does is give you access when there are "no accounts available" we use this for laptop users who take the machines outside our domain.

We have Golden Triangle Setup

OS X 10.6.8 Server
Server 2008 R2
OS X Lion and 10.6.4-10.6.8 machines

 

[Mattie Num Nums]

This is still broken in 10.7.2.

Download Centrify Express. Its free (but doesn't allow you to use AD Groups.)

 

[PUG]

Unfortunately, I don't know what updates my domain admins installed on the AD server. However, the problem seems to be back. It was fine for a few days but now the network accounts are unavailable again. Hopefully this is something that will be patched by Apple, soon.
The Disk permission fix was only temporary as well.

 

[MacN00bie]

This worked...

Here's what worked for me... please leave me feedbacks. I'm assuming that you already joined the domain and login as local admin account.

1. go to "System Preferences", "User & Groups", and unlock the padlock
2. select "Login Options"
3. click on "Edit" button next to Network Account Server: xxx
4. now "Open Directory Utility" go to "Search Policy" tab
5. click "+" and Add "/Active Directory/xxx"
6. now move "/Active Directory/xxx" line up above "/Active Directory/xxx/All Domains" line so it reads first.
7. Apply and Reboot.

Good Luck

 

[mazeno]

Directory Servives / Open Directory logging

dsconfigad: The daemon encountered an error processing request. (10002), also trying without mobile and localhome, but same error =(

Where's the logfile for dsconfigad? system.log doesn't show anything when i execute the command

Pre lion one would enable debugging for directory services using

sudo killall -USER1 DirectoryServices

. Apple has now moved Directory Services into opendirectoryd, and you can set the debug level with a

odutil set log debug

This generates lots of output into /var/log/opendirectoryd.log
Check the KB at http://support.apple.com/kb/HT4696



Happy Debugging ;-)

 

[Corex]

thx dmillbank followed your suggestions but unfortunately it didn't work. There's 1 step i can't follow:

Check the following boxes
- Name and password (instead of List of Users)
- Show Input menu in login window
- Show password hints
- Allow network users to log in at login window
(The rest of the boxes can are left unchecked.)

- Allow network users to log in at login window <--- I don't have this option Mac OSX 10.7.0 and 10.7.1.

Mazeno: I'll try this, thx for the info

 

[mazeno]

- Allow network users to log in at login window <--- I don't have this option Mac OSX 10.7.0 and 10.7.1.

This choice doesn't become available until after a successfull bind.