Active Directory and Lion -Network accounts are unavailable

[selgart]

Here's what worked for me... please leave me feedbacks. I'm assuming that you already joined the domain and login as local admin account.

1. go to "System Preferences", "User & Groups", and unlock the padlock
2. select "Login Options"
3. click on "Edit" button next to Network Account Server: xxx
4. now "Open Directory Utility" go to "Search Policy" tab
5. click "+" and Add "/Active Directory/xxx"
6. now move "/Active Directory/xxx" line up above "/Active Directory/xxx/All Domains" line so it reads first.
7. Apply and Reboot.

Good Luck

This worked for me. I was getting the "no domains available" error with the red light. The first time after I did this I got the yellow light that said "some domains available," and then on subsequent logins it just worked.

Thanks!

 

[arkaine23]

How I got it working

I got this to work. There were two things I had to adjust. I bind this via a script. The first thing is that the syntax of dsconfigad has changed. Without making this change I was unable to bind. The second thing is that the search path needs to be rearranged. Without this change I was bound, but got the wonderful "Network accounts are unavailable" message on the login window.

Changed the syntax of dsconfigad from:

sudo dsconfigad -f -a $computerid -domain mydomain.com -u $user -p $password
sudo dsconfigad -groups "comma,delimited,list,of,domain,groups"
sudo dsconfigad -mobile enable -mobileconfirm disable -useuncpath disable

to:

sudo dsconfigad -add mydomain.com -username $user -password $password -computer $computerid
sleep 5
sudo dsconfigad -groups "comma,delimited,list,of,domain,groups"
sudo dsconfigad -mobile enable -mobileconfirm disable -useuncpath enable


And change the search path from:

sudo dscl /Search -create / SearchPolicy CSPSearchPath
sudo dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"

to:


sudo dscl /Search -create / SearchPolicy CSPSearchPath
sudo dscl /Search -delete / CSPSearchPath "/Active Directory/MYDOMAIN/All Domains"
sudo dscl /Search -append / CSPSearchPath "/Active Directory/MYDOMAIN"
sudo dscl /Search -append / CSPSearchPath "/Active Directory/MYDOMAIN/All Domains"

 

[Mack Daddy]

ok seriously..

did the 10.7.1 update fix Lion + Active Directory?

I updated around 2 weeks ago and ever since then my test machine is still on the domain, I've logged in with a few different accounts and tried to break it a few times but its still joined and still works???

 

[MattRK]

10.7.1 didn't seem to fix anything for me.

What i will say is that the two things that helped me were the following:

1) DNS
Make sure your DNS servers are configured correctly. Several times throughout my testing i would reboot and then find a random 127.0.0.1 entry under my DNS servers. This was causing me a huge headache. Still not sure what was doing that. (My NIC was setup for a manual IP address, not DHCP)

2) Hostname
I am able to bind and get most things working as long as my hostname is set correctly. By default the machine's hostname is computername.local. Make sure you change this to match your AD domain. (sudo hostname computer.ADDomain.sufx) As soon as i changed this, rebooted, the "Network Accounts Not available" warning went away.

Also, when the machine first boots up you will see the "network accounts unavailable" warning for a bit until the machine establishes communications with the directory server. (Though i suppose maybe that's obvious.) Just wanted to mention that for anyone, who like me, isn't very patient with buggy/broken technology. Lol.

I'm still having trouble getting all of my AD security groups to show up when i go to set permissions on a specific file or folder. (Get Info > Sharing & Permissions > + sign > Network Groups) For some reason only about 20 or so groups show up. (We have bout 75) Still working on this one. I think it may have something to do search paths but i'm not sure.

 

[Corex]

2) Hostname
I am able to bind and get most things working as long as my hostname is set correctly. By default the machine's hostname is computername.local. Make sure you change this to match your AD domain. (sudo hostname computer.ADDomain.sufx) As soon as i changed this, rebooted, the "Network Accounts Not available" warning went away.

sudo hostname computer.domain.suffix

This only changes the hostname of the computer for the current session, it'll revert back to the old one after reboot.
To permanently stick it, use this instead:

sudo scutil --set HostName computer.domain.suffix

 

[MattRK]

sudo hostname computer.domain.suffix

This only changes the hostname of the computer for the current session, it'll revert back to the old one after reboot.
To permanently stick it, use this instead:

sudo scutil --set HostName computer.domain.suffix

Good to know. Thanks for the info.

 

[Mack Daddy]

just another update

10.7.1

"Preferred Domain Server" is populated

IPv6 switched off

machine has been on the domain for over a week! it gets used every day too..

 

[MattRK]

I did a fresh install of 10.7.1 on a spare mac pro i had this afternoon and then put 10.7.2 on it. I was able to bind it to AD and it is reliably working. (I've rebooted 3 or 4 times so far and it comes works every time. Here is what i did:

1) Gave the machine a manual IP. (Made sure to set the search domain to our AD domain name)

2) I set the computer name via Sharing and then rebooted.

3) I then set the hostname to include the computer & our ad domain. (sudo scutil --set HostName computername.domain.suffix) Rebooted.

4) Verified i could ping our domain and the DNS was responding reliably

5) Under Users & Groups > Login Options i selected Name & Password from the display login window as selection.

6) Clicked on Join and typed in our AD domain name. I made sure the computer name matched what i had set the hostname to and entered my credentials.

7) After the computer bound to the domain i opened Directory Utility and opened the Active Directory options.

8) Under the Advanced options section > User Experience tab, i checked "Create mobile account at login" and unchecked "Require confirmation."

9) On the Administrative tab i checked the "Allow administration by:" box and made sure domain admins and enterprise admins were listed.

That's it. It seems to be working. I had one slight problem after the reboot where i logged in as the local admin account and it logged me into some weird blank profile i didn't have permissions to. (Couldn't open anything) A reboot fixed that. Haven't run into that issue again.

I haven't had time to try out anything more advanced than simply logging in with domain credentials. I'll try and do some more testing later. I did test and verify that displaying all security groups under the "Network Groups" section of Get Info > Sharing & Permission tab is still broken. I outlined the problem in this thread on Apple's website forums.

 

[satcomer]

Also make sure you are using the same time server that the Domain is using to avoid any Kerberos issues.

 

[chaseerry]

After pointing both my Lion machine and the 2008 R2 Server to the same NTP server I was able to bind using the Join button. After that, I logged out, saw there was an option to login to a network account. Put in some credentials and got the red light and the no network accounts available message popped up. Since then I don't even get the option to try a network account at the login screen.

They have to fix this in the next update.

 

[sickofit]

I have 128 MacBooks and am having 2 issues with Network Accounts on random units on random days. Running Mac OS X, Version 10.6.7. or .8
Basically the issue is same, cannot log on with a shared network account. (all lower school students use same user name and password.)

Here's where the real problem is: With the GREEN light on for Network Accounts Available I cannot log on with the shared network account. I've checked the Open and Active Directories and have tried changing the order in which they are listed. I have verified that the Computer ID (in System/Accounts/Network Accounts Server/Edit/Open Directory Utility) matches the Computer Name in "Sharing".

Now for the really wicked part: Someone posted be patient and wait for the Green light. I wasn't. I ran the RED light and I was able to log in with the shared network account. WHY? Or HOW?
Thanks for reading this super long posting.

 

[oxleyk]

I upgraded from 10.6.8 to 10.7.2 on a test iMac and could not bind to our domain no matter what I tried. This was a big problem since I'm planning on upgrading all of our iMacs. Yesterday I booted from my Lion DVD, erased the drive and did a fresh install of Lion. I was then able to bind and rebind several times with no trouble. Binding works in both the Login Options in Users and Groups AND the Directory Services utility. Apparently there was something in the old settings that Lion does not like and was causing this problem. The only odd thing is that it shows the yellow dot in the login screen with the message, "Some network accounts are available."

Kent

 

[oxleyk]

After rebooting my test iMac I am now getting the red light message "Network accounts are unavailable."

Kent

 

[banawalt]

solution for .local domain login issues

Hello,

I have spent the better part of a month trying to get some new mac minis with 10.7.1 originally and now 10.7.2 to work properly when logging into the domain. I found lots of information on many sites, including this one, but nothing solved the issues I was having with the inability to log into the domain without having to wait 10+ minutes and try multiple times. I am happy to say that I believe I have finally gotten the login issue resolved for my new macs with 10.7.2. I posted what I did over at https://discussions.apple.com/thread/3191111?start=15&tstart=0 If you are on a domain with .local, maybe it will help you.

 

[msniner]

DNS search path

Hmm...I got this solved.

My company uses pre-configured Lion images from our US headquarters to be cloned onto MacBook Air laptops. We have a forest with many domains and subdomains. I was in the Asia subdomain.

In a nutshell it was a network oversight on our part. What happened was:

I used the Accounts pane to bind a MacBook Air to a subdomain, which happens to be a DC nearest my office and something that makes sense geographically to my company.
Binding went through without a hitch, and i get a green light at the Accounts pane stating that I'm connected to the (let's name this...) asia.company.com domain.

When I logged out and proceeded to login as the new user (thereby to create his new mobile account on the MacBook), I couldn't login. There was a red light - "Network accounts are not available"

I tried unbinding, and rebinding using Directory Utility instead: No dice. Same issue.

Deleting and recreating the computer account on AD, and making sure on the Mac, the computername is correct: No go.

It was then I figured out that maybe the MacBook Air couldn't find the domain for authentication. I went into Network Settings, and in its DNS settings, the Search Domains were "company.com" in gray font, but I was in the asia.company.com domain.

So I added another entry to the Search Domains with "asia.company.com", and also added "company.com".

Upon logging out, the username field turned yellow, and then green.

My take: The DNS/DHCP administrator did not include the asia domain name in one of its Search Domains parameter when he configured his DHCP server to begin handing out addresses to computers in the network. My MacBook Air didn't know where to find my asia subdomain and thus a DC where I'm at.

So there, another potential rollout issue solved. I can now churn more MacBook Airs to my folks without worry

 

[gillrakesh]

Re: Active accounts are unavailable

Hey Guys,

I had the same problem. It was very much annoying and I visited MacRumors Forum (as usual) for an easy solution. But I could not find any thing helpful there. Then I started thinking myself and found a very simple solution. If you see on your screen top extreme right next to spotlight you can find a user name, actually it as you guys know it is the admin name.Now let me tell you guys how I fixed the problem:
Click on it and open Users and Groups Preference.
Now in that window Highlight the admin and Click the login options
Now in Automatic Login select Show sleep, Start and Shutdown buttons
Don't forget to select the the Automatic login user.
Now close that window and next time when you will restart you will see that your problem is fixed.