OS X 10.7, Lion, and ".local" domains

Updated May 18, 2012

UPDATE:  The resolution to this issue is included in the OS X 10.7.4 Update.  If you are using OS X 10.7.3 or 10.7.4, it is not necessary to follow the steps below.

We have tested OS X 10.7.4 internally, and have had customers confirm our findings that this latest update resolves issues with ".local" domains.


The description of the initial problem and its resolution is intentionally left below for informational purposes.

Apple has recently made a significant change in how the OS handles requests for ".local" name resolution that can adversely affect Active Directory authentication and DFS resolution.

When processing a ".local" request, Mac OS now sends a Multicast DNS (mDNS) or broadcast request, then waits for that request to time out before correctly sending the request to the DNS server.  The resulting delay causes an authentication failure in most cases.

There is an option to change the mDNS timeout in the Mac OS, and after changing this to the lowest possible number, we've been able to successfully authenticate and verify in our test environment.  This does not require any change to your DNS (Apple's "IPv6" solution), only that a command be run on the Mac.

Here are the steps to take to test this in your environment:

 - Log in to the Mac with a local admin account
 - Launch the Terminal (in the /Applications/Utilities folder)
 - At the command prompt, enter the following lines, each followed by the "return" key:

cd /System/Library/SystemConfiguration/IPMonitor.bundle/Contents/

sudo defaults write Info mdns_timeout -int 1

 - Enter your password when prompted
(The Terminal does not show that a password is being entered.  Simply enter it, then hit return.)
 - Reboot

After restarting the Mac, you should be able to install and configure ADmitMac, join the domain, and connect to Windows shares.
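
The steps above as a guarded script, added here as an example and not Thursby's own code: it applies the change only on the 10.7 releases this page says need it, saves a copy of Info.plist first, and reads the value back. The function names, the `--apply` switch and the backup location are assumptions; the bundle path and the mdns_timeout key are the ones given above.

```shell
#!/bin/sh
# Added example (not vendor code). Path and key are taken from the steps above.
BUNDLE=/System/Library/SystemConfiguration/IPMonitor.bundle/Contents
BACKUP="$HOME/IPMonitor-Info.plist.orig"   # assumed backup location

# Succeeds only for OS X 10.7 through 10.7.2. The page states the change is
# unnecessary on 10.7.3 and 10.7.4 and does not apply outside 10.7.
needs_workaround() {
    case "$1" in
        10.7|10.7.0|10.7.1|10.7.2) return 0 ;;
        *) return 1 ;;
    esac
}

apply_workaround() {
    ver=$(sw_vers -productVersion) || return 1
    if ! needs_workaround "$ver"; then
        echo "OS X $ver: change not needed or not applicable" >&2
        return 0
    fi
    # Keep the original plist so the system file can be restored later.
    cp -p "$BUNDLE/Info.plist" "$BACKUP" || return 1
    sudo defaults write "$BUNDLE/Info" mdns_timeout -int 1 || return 1
    # Read the key back to confirm the write before asking for a reboot.
    [ "$(defaults read "$BUNDLE/Info" mdns_timeout)" = "1" ]
}

# Nothing is modified unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then
    apply_workaround && echo "mdns_timeout is 1; reboot for it to take effect"
fi
```

To undo the change, copy the saved file back over Info.plist in the bundle with sudo and reboot.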

Please Note:  This solution only works with OS X 10.7, Lion, and only affects ".local" domain login.  If you are using Mac OS X 10.6.8, Snow Leopard, please see this FAQ.  If your domain does not end in ".local", or if you have any other questions, please contact our Support Specialists at support@thursby.com