Troubleshooting and Getting Help with Lion Server on Active Directory
Several known issues cause problems when implementing Lion Server on Active Directory, so here are some troubleshooting tips. Because every Active Directory implementation is different, troubleshooting every possible scenario is impossible, but Apple stands behind its products and will help you figure out what’s going wrong if these tips fail. One of the best places to start is Apple’s directory support web site.
The most commonly reported issues are:
DNS service problems: The Mac client must use the same DNS servers as all the Windows clients on the network. To check that the correct DNS server is being used, open a Terminal session and type dig -t SRV _ldap._tcp.yourDomainDNS.com (replacing yourDomainDNS.com with your Active Directory domain).
If DNS is configured properly, the response includes the IP address of your domain server. If not, either the Mac systems are using a different DNS server than the Windows clients, or DNS is set up improperly on your Mac server.
Time server issues: If the times on the Mac server and the domain server are more than five minutes apart, you’ll be unable to join the domain.
.local domain issues: It’s possible that the .local domain used by Bonjour may conflict with a .local Active Directory domain. If this is a problem, add the .local domain to the search domain settings of the Network preferences pane.
Replication issues: In the past, binding a Mac to a large AD domain has resulted in the computer account being created on one domain controller and the computer account’s password being set on another. If the replication interval isn’t fast enough, the set-password request fails and the Mac isn’t bound to the domain. Ensure that the same server is being used for both Kerberos and LDAP connections.
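The DNS and time-skew checks above can be scripted so they run before every bind attempt. The script below is an added example, not Apple's tooling; it assumes dig and ntpdate are present (both ship with OS X Lion), that example.local is a placeholder for your AD domain, and that ntpdate -q prints its offset on a "server ..., stratum ..., offset ..." line.

```shell
#!/bin/sh
# Pre-bind checks for joining a Mac to Active Directory (added example).

# Read a dig reply on stdin and print "port host" for every SRV record in
# the ANSWER section. Empty output means this resolver does not return the
# _ldap._tcp records, i.e. the Mac is not using the domain's DNS servers.
srv_targets() {
  awk '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^;;/                 { in_ans = 0 }
    in_ans && $4 == "SRV" { sub(/\.$/, "", $8); print $7, $8 }
  '
}

# Return 0 when a clock offset in seconds (negative or fractional is fine,
# e.g. the value ntpdate -q reports) is within the five-minute window that
# the domain join tolerates; a larger skew makes the bind fail.
skew_ok() {
  awk -v o="$1" 'BEGIN { if (o < 0) o = -o; exit (o <= 300) ? 0 : 1 }'
}

# Run both checks for the given AD DNS domain.
ad_precheck() {
  domain="$1"
  dcs=$(dig -t SRV "_ldap._tcp.$domain" 2>/dev/null | srv_targets)
  if [ -z "$dcs" ]; then
    echo "FAIL: no SRV records for _ldap._tcp.$domain; check DNS servers"
    return 1
  fi
  echo "OK: LDAP SRV records found:"
  echo "$dcs"
  # Compare the local clock with the first domain controller's clock.
  dc=$(echo "$dcs" | head -n 1 | cut -d' ' -f2)
  offset=$(ntpdate -q "$dc" 2>/dev/null |
    awk '/offset/ { sub(/,/, "", $6); print $6; exit }')   # assumed format
  if [ -z "$offset" ]; then
    echo "WARN: could not read the clock of $dc"
  elif skew_ok "$offset"; then
    echo "OK: clock offset to $dc is ${offset}s"
  else
    echo "FAIL: clock offset to $dc is ${offset}s (more than 5 minutes)"
    return 1
  fi
}

if [ $# -gt 0 ]; then ad_precheck "$1"; fi   # usage: ./ad_precheck.sh example.local
```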