In this article you will learn some strategies for troubleshooting the “Network accounts are unavailable” error in Mac OS X Lion computers that are bound to Active Directory Domain Services.

4sysops readers have spoken: there are serious integration problems between Apple Mac OS X 10.7 Lion and Active Directory Domain Services (AD DS). Specifically, we are seeing (a) sluggish binding between the Macs and AD; (b) super-slow domain logons; and (c) completely blocked domain logons.

The biggest indicator of this problem is the red dot icon and “Network accounts are unavailable” message in the Mac OS X Lion logon screen; this is shown in Figure 1.

The dreaded "Network accounts are unavailable" error in Mac OS X Lion

For what one IT professional’s opinion is worth, here is my two-fold take on why this problem exists:

  1. Due to GPL license restrictions (among other reasons, I’m sure), Apple scrapped Samba and re-wrote their Server Message Block (SMB) and network directory services protocol stack. Check out this Apple Insider reference for more details.
  2. Apple released “half-baked” SMB/directory services components in Lion that will eventually be fixed in a software update.

A couple of weeks ago I attended a lecture given by Mark Russinovich, one of the world’s leading authorities on Windows internals. He made the offhanded but simultaneously serious statement that “Apple doesn’t know how to make Windows software.” In my opinion, Mark hit the nail squarely on the head.

Hey, all this jibber-jabbering doesn’t solve the problem, does it? Let’s get to some troubleshooting strategies.

Update all software

As I mentioned previously, I strongly believe that this issue represents a code problem on Apple’s side. Therefore, please keep a rigorous eye on Apple software updates over the coming days and weeks.

Some users have seen the “Network accounts are unavailable” error disappear after updating their Windows Server 2008 domain controllers, so keep these machines up-to-date as well.

Repair permissions

This tip is a possible quick fix that I include in this article for completeness’ sake. Boot your Lion computer into Lion Recovery by restarting the Mac and holding down Command + R.

Once you arrive in Lion Recovery mode, open Disk Utility, run a permissions repair, and reboot the system in normal mode.

Rebind Macs to Active Directory

You can try unbinding the Lion computer from Active Directory and then redoing the bind. The path to the Directory Utility in Lion has changed (again):

  1. Open Users & Groups from System Preferences.
  2. Select the appropriate user and click Login Options.
  3. By Network Account Server, click Edit.
  4. From the drop-down pane, select the Active Directory Domain entry and remove the binding. Next, click Open Directory Utility.

In the Directory Utility pane, please consider the following points:

  • Computer ID: This is the system’s DNS host name. We will need to synchronize this name with the computer name listed in the computer’s Sharing preference pane.
  • Create mobile account at login: Users have had success with enabling this option, even if the Mac system is not a laptop.

Binding Mac OS X Lion to AD

In the Advanced Options, navigate to the Administrative pane and consider testing the following option:

  • Prefer this domain server: You might want to “point” the Lion workstation to a nearby domain controller, preferably a domain controller that doubles as a DNS server.

Adjust authentication search policy

In Directory Utility, navigate to the Search Policy tab and move the /ActiveDirectory/DomainName entry to the top of the search list.

Reordering the search policy

Synchronize Mac host name

From System Preferences, open the Sharing pane and set the Computer Name field to the DNS host name of the Mac system. We want to ensure that this name matches the system name in the Directory Utility exactly.

Setting the Mac Hostname
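
The name comparison described in this section can also be scripted. The following is an added example, not part of the original article: it parses `dsconfigad -show` output and takes the `scutil --get ComputerName` and `scutil --get HostName` values as arguments. The sample bind output and host names are constructed, the comparison ignores case (an assumption), and the `.local` flag reflects the Bonjour conflict that commenters on this post report.

```shell
#!/bin/sh
# Added example: cross-check the Mac's names against its Active Directory bind.
# On a bound Mac, the live inputs come from:
#   dsconfigad -show
#   scutil --get ComputerName ; scutil --get HostName

# Constructed sample of `dsconfigad -show` output (not from a real system).
SAMPLE_BIND='Active Directory Forest          = corp.local
Active Directory Domain          = corp.local
Computer Account                 = lionmac01$'

# Extract one "Key = value" field from dsconfigad -show output.
bind_field() (
  printf '%s\n' "$1" | awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }'
)

# Lower-case a name and drop the trailing "$" that AD puts on computer accounts.
norm() ( printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\$$//' )

# check_names BIND_OUTPUT COMPUTER_NAME HOST_NAME
# Prints one finding per line; exit status 0 only when nothing was found.
check_names() (
  id=$(norm "$(bind_field "$1" 'Computer Account')")
  domain=$(norm "$(bind_field "$1" 'Active Directory Domain')")
  [ -n "$id" ] || { echo "NOT_BOUND"; exit 2; }
  rc=0
  # The article's rule: Sharing > Computer Name must equal the Computer ID.
  # Compared case-insensitively here (assumption: AD and DNS names ignore case).
  [ "$(norm "$2")" = "$id" ] || { echo "MISMATCH ComputerName=$2 ComputerID=$id"; rc=1; }
  # HostName, when set, should be the Computer ID or its FQDN in the AD domain.
  h=$(norm "$3")
  case "$h" in
    ''|"$id"|"$id.$domain") ;;
    *) echo "MISMATCH HostName=$3 expected=$id.$domain"; rc=1 ;;
  esac
  # A .local AD domain collides with Bonjour's use of .local for multicast DNS.
  case "$domain" in *.local) echo "DOTLOCAL_DOMAIN $domain"; rc=1 ;; esac
  exit "$rc"
)

# Demo on the constructed sample; replace the arguments with the live values.
check_names "$SAMPLE_BIND" "Tim's MacBook" "" || true
```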

Verify DNS and system time

You already understand that the Kerberos authentication protocol is highly time sensitive. On your Lion workstation, I recommend that you open the Date & Time system preference pane, navigate to the Date & Time tab, select Set date and time automatically, and fill in the DNS host name of your Windows Server 2008 Network Time Protocol (NTP) time server.

Synchronizing the Mac's clock with AD
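
One way to confirm that the clocks actually agree after this change, as an added example that is not from the original article: read the domain controller's clock from the `currentTime` attribute of its LDAP rootDSE and compare it with the Mac's clock against the 5-minute Kerberos default tolerance. The host name `dc01.corp.example.com` and the sample `ldapsearch` output are constructed placeholders.

```shell
#!/bin/sh
# Added example: measure clock skew between this Mac and a domain controller.
# Live input on the Mac (dc01.corp.example.com is a placeholder host name):
#   ldapsearch -x -H ldap://dc01.corp.example.com -s base -b "" currentTime
#   date -u +%s

KRB_TOLERANCE=300   # Kerberos default maximum clock skew: 5 minutes

# Convert an LDAP GeneralizedTime in UTC (e.g. 20110915120000.0Z) to epoch seconds.
gt_to_epoch() (
  printf '%s\n' "$1" | awk '
    function days(y, m, d,   a, yy, mm) {   # civil date -> days since 1970-01-01
      a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
      return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) \
             - int(yy / 100) + int(yy / 400) - 32045 - 2440588
    }
    !match($0, /^[0-9]+/) || RLENGTH != 14 || $0 !~ /Z$/ { exit 1 }
    { printf "%d\n", days(substr($0,1,4), substr($0,5,2), substr($0,7,2)) * 86400 \
        + substr($0,9,2) * 3600 + substr($0,11,2) * 60 + substr($0,13,2) }'
)

# Pull the currentTime value out of ldapsearch output for the rootDSE.
dc_time() ( printf '%s\n' "$1" | awk '$1 == "currentTime:" { print $2; exit }' )

# skew_check LOCAL_EPOCH LDAPSEARCH_OUTPUT
# Prints "OK skew=<n>s" or "FAIL skew=<n>s"; exit status is non-zero on FAIL.
skew_check() (
  dc=$(gt_to_epoch "$(dc_time "$2")") || { echo "ERROR no usable currentTime"; exit 2; }
  d=$(( $1 - dc ))
  [ "$d" -ge 0 ] || d=$(( 0 - d ))
  if [ "$d" -le "$KRB_TOLERANCE" ]; then
    echo "OK skew=${d}s"
  else
    echo "FAIL skew=${d}s"; exit 1
  fi
)

# Constructed sample of ldapsearch output (not from a real domain controller).
SAMPLE_LDAP='dn:
currentTime: 20110915120000.0Z'

# Demo: a Mac whose clock is 7 minutes ahead of the sample DC time.
skew_check 1316088420 "$SAMPLE_LDAP" || true
```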

Use domain name with user name

This particular troubleshooting tip is a bit of a long shot, but desperate times call for desperate measures, right?

Try logging on to the Lion workstation by using the “old school” domain\username syntax instead of supplying either just the username or the username@domain syntax.

Reinstall Mac OS X Lion

Obviously, OS reinstallation is a worst-case scenario. However, some users have found that performing a clean reinstallation of Mac OS X Lion cleared up the problem.

Conclusion

I hope that you were able to find success with your Mac OS X Lion/Active Directory integration issues by applying one or more of these troubleshooting techniques. Please leave feedback in the comments portion of this post so that the 4Sysops community can benefit from your experience.

  1. Babun 11 years ago

    I wonder why anyone bothers trying to integrate anything other than Windows into an AD environment, it just spells trouble..

    I used to troubleshoot these issues with earlier versions of OS X and it seems it hasn’t gotten any better. I’m unaware of the collaboration between Apple and Microsoft in this, but it seems pretty obvious Apple’s compatibility issues will always be minorly important to Microsoft as they implement new features.

  2. Michael 11 years ago

    I built a new domain recently. When I first set up Lion I had no issues logging into the domain, but not 24 hours later the computer wouldn’t log into the domain. Initially I used a 3rd party app to bypass the issue, but then it started happening to the 10.6 computers as well. 10.5 continued to be solid. I discovered having a .local domain name was causing the conflict, as well as general slow performance. I had a choice between renaming the domain and disabling Bonjour on every Mac. I chose renaming the domain, just seemed like less of a headache. 10.6 and 10.7 now log in quickly and the general network latency has also disappeared.

  3. Martijn 11 years ago

    I fixed this problem by checking all users’ “altsecurityidentities” in the diradmin. For some reason there were 2 with: KERBEROS :untitled_1@xxx.yyy.zzz

    Two with the same name are causing an integrity error.
    I had to create a new connection, as in the post above, to my server.local and completely removed LDAP. After that, authenticating to server.local with diradmin worked, and the Open Directory log told me the usernames with the same altsecurityidentities.

    This is configured but I do not use Kerberos.

  4. Gary Hoffman 11 years ago

    Removing the spurious search path seemed to fix things for me, after I had done all the other things above it, then removed it from the AD.

    Thanks for the suggestions.

  5. benoit segonnes 9 years ago

    We recently had this case with a MacBook Air.
    The solution was very simple.
    I checked the local hostname and modified it to match my AD hostname. The problem was coming from the ‘.local’ at the end.
    To change it, you must add the line ‘search ‘ in your resolv.conf file.
    You still get the notification that you can’t log in with a network user without a network connection, but the authentication is successfully performed.

    Best regards and sorry for my poor English, I’m just a little French student ^^’

  6. Frustrated 5 years ago

    It sounds like you have lots of solutions, the problem is I can’t get past the login screen!!!

  7. Brian 5 years ago

    I am having the same issue, with Network accounts are unavailable. I have to be hardwired in order to log in. Once logged in I can connect to wireless fine without any issues, but once I lock the computer I cannot log back in without being hardwired. I’m trying to find a way around having to be hardwired to log into my MacBook Air.

  8. Gloria Coleman 4 years ago

    This article was very helpful. My problem is fixed. Thanks.

  9. graham 4 years ago

    Make sure you have Mobile enabled on the login options


© 4sysops 2006 - 2022
