Wednesday 26 October 2011

Active Directory Login Problems with OSX 10.7.2 Lion and .local domains

Recently one of our clients had two Macs decide to drop off the domain - all of a sudden they could no longer log in to them with active directory accounts. Both machines are running OSX Lion 10.7.2 and the problem seemed to start after installing the latest updates from Apple.

Poking about on the net, this seems to be a known problem with no real solution but I managed to piece together a process to get this working.

The problem is related to the way that OSX uses the .local domain for Bonjour and uses multicast DNS queries to try to locate network resources instead of directly querying the DNS server. If you have your Active Directory domain set up as mydomain.local (which is Microsoft best practice and the default in Small Business Server) then conflicts arise. This has been an ongoing issue with using Macs in Windows domains for some time and the reliability of domain logins seems to go up and down with each new release.

My first thought was to just disable mDNS but it seems that this is not possible as OSX uses this for normal DNS queries as well as for Bonjour.

Googling reveals lots of potential solutions for different versions of OSX but none of these worked for me. Eventually by piecing different bits of information together I stumbled on a working configuration which I repeated successfully on two machines.

I'm not sure if all of this is strictly necessary. I was working on the machines in question remotely and the client needed them up and running as soon as possible, so I was not able to isolate exactly which steps are required, but there is nothing in here that will cause problems for small environments. For larger installations with multiple domain controllers this isn't really the best way of setting up machines (it pins each Mac to a single preferred domain controller), but it will at least get them logging on to the network until Apple can come up with a proper fix.

Before you start, if you have tried increasing the mDNS timeout settings as recommended by lots of articles on the net, then change them back. Once the machine has been set up as below it works correctly with the default, and I suspect that increasing the timeout would actually be counterproductive: we want the mDNS query to time out quickly so that the machine fails over to normal DNS queries.

Open a terminal and type

sudo nano /System/Library/SystemConfiguration/IPMonitor.bundle/Contents/Info.plist

Ensure the mdns timeout is set to 2

<key>mdns_timeout</key>
<integer>2</integer>

Next, ensure name resolution is set up correctly by adding mydomain.local and mydomain to the DNS Search Domains.

System Preferences, Network, Ethernet Connection, Advanced button, DNS, Search Domains
Add

mydomain.local
mydomain

Ensure the naked domain resolves by adding a record for it in the machine's hosts file
Open a terminal and type

sudo nano /etc/hosts

And add the following line, substituting the correct values for your environment (the IP address comes first and the name second, which is the order /etc/hosts expects):

ipaddress_of_domain_controller mydomain

If the machine is already bound to the domain, then un-bind it before re-joining the domain as below:

System Preferences, Users & Groups, click Login Options.
If already bound to a domain, click Edit and then Unbind; otherwise click Join.

Do not enter the details in the first window that pops up but instead click on Open Directory Utility

Go to Services, Active Directory, and click the pencil icon to edit
Enter the domain name,

mydomain.local

Click Show Advanced Options and click on the Administrative tab
Tick Use Preferred Server and enter the IP address (not the name) of the domain controller
Untick Allow Authentication from any domain in the forest
Click Bind, enter credentials when prompted and wait for 10 minutes...

Once this finishes, stay in the Directory Utility and go to the Search Policy tab
Remove /Active Directory/MYDOMAIN/All Domains
Add /Active Directory/MYDOMAIN/mydomain.local
Move this entry up to immediately under /Local/Default
Your Search Policy list should now look like this:

/Local/Default
/Active Directory/MYDOMAIN/mydomain.local
/Active Directory/MYDOMAIN

Reboot and you can now log in with Active Directory accounts.
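The same steps as command-line equivalents, so they can be pushed to a fleet of Macs and checked afterwards. This is an added example, not part of the original post: DC_IP, SERVICE and AD_ADMIN are placeholders, and it assumes the NetBIOS name is the upper-cased short domain (MYDOMAIN for mydomain.local).

```sh
#!/bin/sh
# Added example (not from the original post): command-line equivalents of the
# GUI steps above, with checks. Placeholders: DOMAIN, DC_IP, SERVICE, AD_ADMIN.
DOMAIN="mydomain.local"      # AD domain, as in the post
DC_IP="192.0.2.10"           # placeholder: IP address of the domain controller
SERVICE="Ethernet"           # network service name shown in System Preferences
AD_ADMIN="administrator"     # placeholder: account allowed to join machines
PLIST="/System/Library/SystemConfiguration/IPMonitor.bundle/Contents/Info.plist"

# "mydomain" from "mydomain.local".
short_domain() { printf '%s\n' "$1" | cut -d. -f1; }

is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Print the integer that follows <key>mdns_timeout</key> in an IPMonitor plist.
mdns_timeout() {
  awk '/<key>mdns_timeout<\/key>/ { getline; if (match($0, /[0-9]+/)) print substr($0, RSTART, RLENGTH) }' "$1"
}

# Succeed if FILE has an uncommented line mapping IP to NAME (hosts(5) order: IP first).
hosts_has_entry() {  # FILE NAME IP
  awk -v name="$2" -v ip="$3" '
    $1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
    END { if (found) exit 0; exit 1 }' "$1"
}

# macOS only; run with sudo. Mirrors the GUI steps in the post.
apply_config() {
  short=$(short_domain "$DOMAIN")
  # Assumption: the NetBIOS name is the upper-cased short domain name.
  nb=$(printf '%s\n' "$short" | tr '[:lower:]' '[:upper:]')
  is_ipv4 "$DC_IP" || { echo "DC_IP must be an IPv4 address" >&2; return 1; }
  [ "$(mdns_timeout "$PLIST")" = "2" ] || echo "warning: mdns_timeout is not 2 in $PLIST" >&2
  networksetup -setsearchdomains "$SERVICE" "$DOMAIN" "$short"
  hosts_has_entry /etc/hosts "$short" "$DC_IP" || printf '%s\t%s\n' "$DC_IP" "$short" >> /etc/hosts
  # Bind using a preferred server, without forest-wide authentication; prompts for the password.
  dsconfigad -add "$DOMAIN" -preferred "$DC_IP" -alldomains disable -username "$AD_ADMIN"
  # Set the search policy to exactly the ordered list shown in the post.
  dscl /Search -create / SearchPolicy CSPSearchPath
  dscl /Search -create / CSPSearchPath /Local/Default \
    "/Active Directory/$nb/$DOMAIN" "/Active Directory/$nb"
}

if [ "${1:-}" = "--apply" ]; then apply_config; fi
```

Run it as `sudo sh script.sh --apply` on the Mac; without `--apply` it only defines the helper functions, which can be sourced to check an existing machine.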

10 comments:

  1. You're a legend. Thanks so much for taking the time to write this up. It's very clear and explains the problem. Much appreciated.

  2. Glad to have helped Giles.
    It's always nice to hear from someone else who has had the same problem, especially if it has saved you some of the grief that I went through :) - thanks for letting me know!

  3. Hi Jon, I cannot help thinking your blog entry will increase the sales of Apple desktops and laptops within businesses - at least while Lion OS 7.2.1 is around!

    As the others have said you are a time saver of the utmost degree - and time = life so, yes, a life saver! :-)

    Your solution has worked perfectly on Mac Air and iMacs connecting to a Windows Small Business Server 2011 AD environment with a .local

    I also followed the advice in the Apple discussion here for configuring the server IPv6 side of things - http://support.apple.com/kb/TS4041 - not sure if I needed to but it all works now.

    Thanks again :-)

  4. P.S. I posted a link to this blog on a thread in MacForums which comes high in the 'lion OS AD' search on Google, hopefully many others will be reading this soon!

    1. Hi Kev, thanks for your kind post on the Mac Rumours forum and the link to the IPv6 DNS configuration for people using that.

      I'm really quite surprised that this issue is still ongoing - I expected Apple to put some kind of fix in place long ago - but I'm glad that my instructions are still fixing things for people.

  5. Thanks so much Jon!

    Extremely helpful article for me. We have approximately 35 iMacs running in our school and this helped us to finally get Lion up and running!

    1. Good to hear that Matt, I really hope you haven't been struggling with this since October!?

      Glad you're all working now though.

  6. Can anyone offer me some advice with the same issue ?

    When I set the above I get a red light next to Network Account Server. If I flick the search path across to Custom - I get a green light.

    Even with the green light, upon a reboot I don't get an option to log in as anyone other than local user.

    I can ping server / Mac with both IP and DNS name and can see server folders - just not authenticate against domain for users / login.

    Please excuse basic terminology - this is my first experience of Mac.

    Simon

    1. Hi Simon,

      You might want to try disabling IPv6 as detailed by Lincoln in his comment below.

      Failing that, have you definitely changed all the DNS search path, hosts file, and search policies as above ?
      You'll find that even though you can ping the server fine, unless all the options are configured as I described then it still won't allow you to login to the domain.

      Let me know how you get on
      Jon

  7. Hey thanks for this. I've just rolled out 40 new iMacs and was going mad trying to figure out why AD logins weren't working. Finally came across your blog. In addition to your instructions I found I had to disable IPV6 like this.

    networksetup -setv6off Ethernet

    Now at 3:42pm Friday AD logins are working. School comes back on Monday!

    Thanks very much.

    Lincoln
