Poking about on the net, this seems to be a known problem with no real solution, but I managed to piece together a process to get this working.
The problem is related to the way OS X treats the .local domain: it is reserved for Bonjour, so the system resolves .local names with multicast DNS (mDNS) queries on the local network instead of directly querying the configured DNS server. If you have your Active Directory domain set up as mydomain.local (which is Microsoft best practice and the default in Small Business Server) then the two uses conflict. This has been an ongoing issue with using Macs in Windows domains for some time, and the reliability of domain logins seems to go up and down with each new release.
My first thought was to just disable mDNS, but it seems that this is not possible as OS X uses this for normal DNS queries as well as for Bonjour.
Googling reveals lots of potential solutions for different versions of OS X, but none of these worked for me. Eventually, by piecing different bits of information together, I stumbled on a working configuration which I repeated successfully on two machines.
I'm not sure if all of this is strictly necessary. I was working on the machines in question remotely and the client needed them up and running as soon as possible, so I was not able to isolate exactly which steps are required, but there is nothing in here that will cause problems for small environments. For larger installations with multiple domain controllers this isn't really the best way of setting up machines, but it will at least get them logging on to the network until Apple can come up with a proper fix.
Before you start, if you have tried increasing the mDNS timeout settings as recommended by lots of articles on the net, then change them back. Once the machine has been set up as below it works correctly with the default, and I suspect that increasing the timeout would actually be counterproductive: we want the mDNS query to time out quickly so that the machine fails over to normal DNS queries.
Open a terminal and type
sudo nano /System/Library/SystemConfiguration/IPMonitor.bundle/Contents/Info.plist
Ensure the mdns timeout entry is set to 2, the default.
First off, ensure name resolution is set up correctly by adding both mydomain.local and mydomain to the DNS Search Domains:
System Preferences, Network, Ethernet Connection, Advanced button, DNS, Search Domains
Ensure the naked domain resolves by adding a record for it in the machine's hosts file
Open a terminal and type
sudo nano /etc/hosts
And add the following line, substituting the correct values for your environment:
If the machine is already bound to the domain, then un-bind it before re-joining the domain as below:
System Preferences, Users & Groups, click Login Options.
If already bound to a domain, click Edit and then Unbind; otherwise click Join.
Do not enter the details in the first window that pops up but instead click on Open Directory Utility
Go to Services, Active Directory, and click the pencil icon to edit
Enter the domain name.
Click Show Advanced Options and click on the Administrative tab
Tick Use Preferred Server and enter the IP address (not the name) of the domain controller
Untick Allow Authentication from any domain in the forest
Click Bind, enter credentials when prompted and wait for 10 minutes...
Once this finishes, stay in the Directory Utility and go to the Search Policy tab
Remove /Active Directory/MYDOMAIN/All Domains
Add /Active Directory/MYDOMAIN/mydomain.local
Move this entry up to immediately under /Local/Default
Your Search Policy list should now look like this:
Reboot and you can now log in with Active Directory accounts.
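Two parts of the procedure above are plain name-resolution configuration that can be checked without a reboot: the hosts entry for the naked domain and the two search domains. The script below is an added example, not something from the original post; it builds constructed samples of what the hosts file and saved `scutil --dns` output should look like after the steps above and checks them. The names mydomain.local/mydomain follow the post's placeholders and 192.168.1.10 is an assumed domain-controller address; substitute your own values.

```sh
#!/bin/sh
# Added example, not part of the original post: offline checks for the
# name-resolution pieces of the procedure. All sample data is constructed;
# "mydomain.local"/"mydomain" follow the post's placeholders and
# 192.168.1.10 is an assumed domain-controller address.

AD_DOMAIN="mydomain.local"
NAKED_DOMAIN="mydomain"
DC_ADDR="192.168.1.10"

# check_hosts_entry FILE NAME ADDR
# Succeeds if FILE has an uncommented hosts line mapping NAME to ADDR.
# Comments are stripped first; a hosts line may carry several names, so the
# name is accepted in any field after the address (case-insensitively).
check_hosts_entry() {
    sed -e 's/#.*//' "$1" | awk -v name="$2" -v addr="$3" '
        $1 == addr { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(name)) found = 1 }
        END { exit found ? 0 : 1 }'
}

# search_domains FILE
# Prints, in order, the search domains of resolver #1 from saved
# `scutil --dns` output (resolver #1 is the one built from the
# System Preferences DNS settings).
search_domains() {
    awk '/^resolver #1$/ { in_first = 1; next }
         /^resolver #/   { in_first = 0 }
         in_first && /search domain\[[0-9]+\] :/ { print $NF }' "$1"
}

# check_search_domains FILE
# Succeeds only if both the AD domain and its naked form are in the list.
check_search_domains() {
    doms=" $(search_domains "$1" | tr '\n' ' ') "
    case "$doms" in *" $AD_DOMAIN "*) ;; *) return 1 ;; esac
    case "$doms" in *" $NAKED_DOMAIN "*) ;; *) return 1 ;; esac
    return 0
}

# run_checks
# Writes constructed samples of the state the procedure should leave behind,
# runs both checks against them and returns 0 only if everything passes.
run_checks() {
    hosts=$(mktemp); dns=$(mktemp)
    printf '127.0.0.1\tlocalhost\n# naked AD domain, added per the procedure\n%s\t%s\n' \
        "$DC_ADDR" "$NAKED_DOMAIN" > "$hosts"
    printf 'DNS configuration\n\nresolver #1\n  search domain[0] : %s\n  search domain[1] : %s\n  nameserver[0] : %s\n\nresolver #2\n  domain   : local\n  options  : mdns\n' \
        "$AD_DOMAIN" "$NAKED_DOMAIN" "$DC_ADDR" > "$dns"
    status=0
    check_hosts_entry "$hosts" "$NAKED_DOMAIN" "$DC_ADDR" && echo "hosts: ok" \
        || { echo "hosts: no entry for $NAKED_DOMAIN -> $DC_ADDR"; status=1; }
    check_search_domains "$dns" && echo "search domains: ok" \
        || { echo "search domains: incomplete"; status=1; }
    rm -f "$hosts" "$dns"
    return $status
}

run_checks
```

On the Mac itself, point the same functions at the live files instead of the samples: run `scutil --dns > /tmp/dns.txt` and call `search_domains /tmp/dns.txt`, and pass `/etc/hosts` to `check_hosts_entry`. `dscacheutil -q host -a name mydomain` confirms the resolver actually honours the hosts entry, and `dsconfigad -show` reports the binding and preferred server once the Directory Utility steps are done.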