
Mac AD Migration from old Domain to New Domain

Hi everyone, I'm reaching out in need of assistance. I'm currently working on the migration of 300 AD-bound Macs. The scenario is the following:

- All 300 Macs are joined to the old domain with network accounts and need to be migrated to the new domain without deleting their user data and making sure it has the correct permissions.
- Currently there is no FileVault enabled.
- I've been looking into scripts or some sort of automation that could help me unjoin from the old domain, rejoin to the new domain and move the user's profile with the same naming convention over to the new domain.

Any help on this would be greatly appreciated, as I would like to publish this script on Self Service to do this on all the Macs that need to be migrated.

I'm no expert in JAMF, but I understand the concepts and have been using it for a while now, so a detailed explanation would be greatly appreciated.

Thanks for everyone's time on this thread, thanks in advance.

Please feel free to have any input, anything would help.

SOLVED Posted: by ddcdennisb

@markhamandstein Are the usernames the same on both domains? I've now done 2 full domain migrations (1500+ machines each time).

I've got some scripts that can help you out. I just need to know if the usernames are the same or different.

SOLVED Posted: by markhamandstein

@ddcdennisb Thank you very much for your reply on this topic. To answer your question: no, they don't have the same naming convention from the old domain to the new, but that will be changing, so after the change and before the migration they will have the same name on both the old and new domain.

Thanks again for your help on this.

SOLVED Posted: by ddcdennisb

@markhamandstein So I've got 2 scripts for you: one that can run automated at the login screen, and one that is a little more interactive and can be run via Self Service.

First (Automated): This one will require you to set up a domain join policy as well as set some variables in the policy that runs this script. The variables are:
- Username of an account that can disjoin from the old domain
- Password of an account that can disjoin from the old domain
- Old domain (i.e. company.int)
- New domain (i.e. new.company.int)
- New domain join policy trigger

You will also need to change the local administrator account on line 71 to match your local admin account.
Automated Migration

Second (Self Service option): This one will also require a domain join policy and setting variables in the script before running.
Self Service Migration

Both scripts assume the username is the same on both domains.

SOLVED Posted: by markhamandstein

@ddcdennisb Thank you so much for your help on this, I really appreciate it. I'm going to give it a try now, and if I run into any inconvenience, I'll reach back.

Again, your time is much appreciated.

SOLVED Posted: by markhamandstein

Hi @ddcdennisb Thanks again for all your help on this. I'm still having some issues, and I was wondering what your take on this is.

  1. It properly unjoins from the old domain.
  2. It properly joins to the new domain.
  3. Right after, it shows the following error: "Migration Incomplete" - "The Migration has not completed. There was an issue with your migration, please reach out to Support for help." - button "OK"

I apologize if this takes much of your time, but your help would be greatly appreciated.

Here's the script with the modified variables:

#!/bin/sh

LoggedInUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

oldDomain="olddomain.corp.com"
newDomain="newdomain.corp.com"
newDomainTrigger="ADBind"

runMigration ()
{
    echo "Unjoining Old Domain"
    dsconfigad -remove -force -u user -p pass
    sleep 3

    # prompt for User's username for changing permissions later in the script
    un=$(/usr/bin/osascript <<EOT
tell application "System Events"
    activate
    with timeout of 600 seconds
        set un to text returned of (display dialog "Please type in Active Directory Username" default answer "" with icon 2)
    end timeout
end tell
EOT
)

    # Check to see if the disjoin worked. If not, a forced disjoin will be done and
    # then the Mac is joined to the new domain. If the disjoin worked at first it
    # will just join the new domain.
    domain1=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
    if [[ "$domain1" == "$oldDomain" ]]; then
        echo "Still on $oldDomain"
        dsconfigad -force -remove -u user -p pass
        sleep 10
        /usr/local/jamf/bin/jamf policy -trigger "$newDomainTrigger"
    else
        echo "Looks like unjoin worked. Lets join the $newDomain Domain"
        /usr/local/jamf/bin/jamf policy -trigger "$newDomainTrigger"
        sleep 5
    fi
    sleep 3

    # Make sure we are on the new domain
    echo "first check after bind"
    domain2=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
    # Line for recording in Policy Log
    echo "results of first check $domain2"
    sleep 3

    # If on the new Domain, reset permissions on home directory to new UUID for first Login
    if [[ "$domain2" == "$newDomain" ]]; then
        echo "Sweet you are on $newDomain You are all set"
        echo "Lets clean up your old AD account"
        # removing profile but not home dir
        dscl . -delete "/Users/$un"
        echo "Lets fix permissions on $un home directory"
        # change ownership of home dir to new UUID
        chown -R "$un" "/Users/$un"
        sleep 2
        prompt1=$(/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "Migration Complete" -description "The Migration has completed successfully. click OK and reboot your computer." -button1 "OK")
        echo "Results of $prompt1"
        if [ "$prompt1" == "0" ]; then
            exit 0
        fi
    else
        prompt3=$(/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "Migration Incomplete" -description "The Migration has not completed. There was an issue with your migration, please reach out to Support for help." -button1 "OK")
        echo "Results of $prompt3"
        if [ "$prompt3" == "0" ]; then
            exit 1
        fi
    fi
}

if [[ "$LoggedInUser" =~ "admin" ]] || [[ "$LoggedInUser" == "pmcadmin" ]]; then
    echo "No normal user is logged in! lets run the migration!"
    runMigration
else
    echo "$LoggedInUser is logged in and this process will exit"
    /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "FAIL" -description "You must be logged in as pmcadmin or admin account. Please Logout of $LoggedInUser and login as pmcadmin or admin and run this process again." -button1 "OK"
    exit 1
fi

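The "Migration Incomplete" dialog in the script above is produced by its post-bind check, so it pays to make that check deterministic and to log what the Mac is actually bound to before the dscl and chown steps run. One bash pitfall worth knowing here: a variable inside single quotes on the right of `[[ … =~ '$newDomain' ]]` is not expanded, so the pattern can never match the real domain. The block below is an added example written for this thread, not ddcdennisb's script or anything from Jamf. It extracts the domain from `dsconfigad -show` text with awk, compares it case-insensitively (the domain you type into a variable and the one the tool reports may differ in case), and adds an ownership check for the migrated home directory. The sample `dsconfigad -show` output, the domain names and the user name `jdoe` are constructed placeholders.

```shell
#!/bin/bash
# Added example for this thread (not the script posted above). Shows a
# deterministic way to read the bound AD domain and to verify home-directory
# ownership so a migration script can log exactly where it stands before
# running dscl/chown. Domain names and sample output are constructed.

# Print the bound AD domain (lower-cased) from `dsconfigad -show` text read on
# stdin; prints nothing when no "Active Directory Domain" line is present.
ad_domain_from_show() {
    awk -F'= ' '/Active Directory Domain/ { print tolower($2); exit }' | tr -d ' \r'
}

# Classify the bind state for the policy log.
# Args: <old domain> <new domain> <dsconfigad -show output>
# Prints one of: old, new, unbound, other.
bind_state() {
    local old new actual
    old=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    new=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    actual=$(printf '%s\n' "$3" | ad_domain_from_show)
    if [ -z "$actual" ]; then
        echo unbound
    elif [ "$actual" = "$new" ]; then
        echo new
    elif [ "$actual" = "$old" ]; then
        echo old
    else
        echo other
    fi
}

# Owner of a path as reported by ls (same column on macOS and Linux).
path_owner() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# Return 0 when <path> exists and is owned by <user>, 1 otherwise.
owned_by() {
    [ -n "$(path_owner "$1")" ] && [ "$(path_owner "$1")" = "$2" ]
}

# --- constructed sample output, shaped like `dsconfigad -show` ---
SAMPLE_OLD='Active Directory Forest          = company.int
Active Directory Domain          = company.int
Computer Account                 = mac0042$'

SAMPLE_NEW='Active Directory Forest          = new.company.int
Active Directory Domain          = NEW.COMPANY.INT
Computer Account                 = mac0042$'

# Live use on a Mac (skipped on other systems): log the state, then gate the
# destructive steps on it. MIGRATED_USER is a placeholder.
if command -v dsconfigad >/dev/null 2>&1; then
    MIGRATED_USER="${MIGRATED_USER:-jdoe}"
    state=$(bind_state "company.int" "new.company.int" "$(dsconfigad -show 2>/dev/null)")
    echo "bind state: $state"
    if [ "$state" = new ] && ! owned_by "/Users/$MIGRATED_USER" "$MIGRATED_USER"; then
        echo "/Users/$MIGRATED_USER is not owned by $MIGRATED_USER; chown still needed"
    fi
fi
```

In a policy you would call `bind_state` once before the unjoin (expecting `old`) and once after the new bind (expecting `new`), and only run `dscl . -delete` and `chown -R` on the second result; anything else gets logged and the script exits non-zero so the Jamf policy log shows the failure instead of a success.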
SOLVED Posted: by ddcdennisb

@markhamandstein

Are you able to send me the results from the script running? If you want to send them to me directly rather than on here, I can provide my email.

SOLVED Posted: by markhamandstein

Hi @ddcdennisb yes that would be great, I can gladly provide those to you. Let me know the best way to send those out to you.

Thanks again!

SOLVED Posted: by ddcdennisb

edit

SOLVED Posted: by markhamandstein

Hi @ddcdennisb , I just sent you the logs for you to look over when possible. Thanks again for your help!

SOLVED Posted: by wmateo

@markhamandstein How did this work for you? Can you share the scripts with me? Experiences? I am migrating from one domain to the next as well. Thanks!

SOLVED Posted: by shann1976

Hi,

I am new to the Mac world and I need to move around 1000 Macs that are bound to the AD domain ABC.COM to the AD domain XYZ.COM.

Does this require JAMF software, or can it work independently without any software, provided that the admin user has credentials to d

  1. disjoin the system from ABC.com (source domain)
  2. join the system from XYZ.com (target domain)

The usernames are different in both the domains. How can we migrate systems, users & their profiles to the new AD domain?

SOLVED Posted: by amleshsingh

Hi,

I need these scripts. I have a domain migration. For Windows it is OK, but for 200 Macs it is difficult. If there is a profile migration for Mac, please provide it to me.

SOLVED Posted: by merps

@amleshsingh The scripts are linked above from @ddcdennisb Posted: 2/14/18 at 10:21 AM

SOLVED Posted: by coaty.obrien

@ddcdennisb this looks great! I have a question however, will this work if a user is FileVault enabled?

SOLVED Posted: by ddcdennisb

@coaty.obrien, these scripts were created before the wonderful world of secure tokens. Logic to deal with that is not currently in the scripts but can be added. Most likely you wouldn't be able to fully automate the process, as you'd need a password prompt unless you have a local admin account that is FV enabled.

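Because the secure-token question decides whether the migration can run unattended at all, a pre-flight check belongs at the top of either script. The block below is an added example for this thread, not one of ddcdennisb's scripts: it parses the output of `fdesetup status`, `sysadminctl -secureTokenStatus` (which writes to stderr) and `fdesetup list` to decide between an unattended run, an unattended run that must grant the migrated user a token afterwards, and an interactive run, and it flags an old account that is still in the FileVault user list after its directory record is deleted. The command output strings, the account names `admin` and `jdoe`, and the GeneratedUID values are constructed placeholders.

```shell
#!/bin/bash
# Added example for this thread (not ddcdennisb's scripts): a pre-flight check
# that decides whether a domain migration can run unattended on a Mac, based
# on FileVault state, the local admin's secure token, and whether the old
# account is still a FileVault user. Sample outputs below are constructed.

# Parse `fdesetup status` output: prints on, off or unknown.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Parse `sysadminctl -secureTokenStatus <user>` output (it is written to
# stderr, so capture it with 2>&1): prints enabled, disabled or unknown.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# `fdesetup list` prints one "user,GeneratedUID" line per FileVault-enabled
# user. Return 0 when <user> appears in <list output>, 1 otherwise.
in_filevault_list() {
    printf '%s\n' "$2" | awk -F',' -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Decide the migration mode.
# Args: <fdesetup status output> <secureTokenStatus output for the local admin>
# Prints: automated             FileVault off, nothing blocks an unattended run
#         automated-token-grant FileVault on and the admin holds a token, so the
#                               migrated user can be granted one afterwards
#         interactive           FileVault on with no token-holding admin: a user
#                               password prompt is unavoidable
migration_mode() {
    local fv tok
    fv=$(filevault_state "$1")
    tok=$(secure_token_state "$2")
    if [ "$fv" = off ]; then
        echo automated
    elif [ "$fv" = on ] && [ "$tok" = enabled ]; then
        echo automated-token-grant
    elif [ "$fv" = on ]; then
        echo interactive
    else
        echo unknown
    fi
}

# --- constructed samples, shaped like the real tool output ---
FV_ON='FileVault is On.'
FV_OFF='FileVault is Off.'
TOKEN_ON='2018-02-14 10:21:00.000 sysadminctl[812:9104] Secure token is ENABLED for user admin'
TOKEN_OFF='2018-02-14 10:21:00.000 sysadminctl[812:9104] Secure token is DISABLED for user admin'
FV_LIST='admin,4F2A1C3E-0000-0000-0000-000000000001
jdoe,4F2A1C3E-0000-0000-0000-000000000002'

# Live use on a Mac (skipped on other systems). LOCAL_ADMIN and OLD_USER are
# placeholders for the local admin account and the account being migrated.
if command -v fdesetup >/dev/null 2>&1; then
    LOCAL_ADMIN="${LOCAL_ADMIN:-admin}"
    OLD_USER="${OLD_USER:-jdoe}"
    mode=$(migration_mode "$(fdesetup status)" "$(sysadminctl -secureTokenStatus "$LOCAL_ADMIN" 2>&1)")
    echo "migration mode: $mode"
    if in_filevault_list "$OLD_USER" "$(fdesetup list 2>/dev/null)"; then
        echo "$OLD_USER is still a FileVault user; its FileVault entry outlives the dscl record"
    fi
fi
```

The script only reports; what to do with `interactive` (fall back to the Self Service version) or with a stale FileVault entry (clean it up with `fdesetup remove -user`) is a decision for the policy that calls it, and that way the unattended policy never deletes a record for an account that is still unlocking the disk.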
SOLVED Posted: by mgorton

Thanks for this. I am trying to modify this for our needs. Do you have a version of the self service one that will prompt for a source account to migrate from? We have many accounts that don't match from one domain to the next.

SOLVED Posted: by ddcdennisb

@mgorton, it's been about a year since I looked at this, but this should still work, or at least get you going.

#!/bin/sh

LoggedInUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

oldDomain="company.com"
newDomain="newCompany.com"
newDomainTrigger="ADBind"

Run_Migration ()
{
    # prompt for User's username for changing permissions later in the script
    # New Domain Username
    newUn=$(/usr/bin/osascript <<EOT
tell application "System Events"
    activate
    with timeout of 600 seconds
        set newUn to text returned of (display dialog "Please type in users $newDomain AD Username" default answer "" with icon 2)
    end timeout
end tell
EOT
)
    # Old Domain username
    oldDomainUn=$(/usr/bin/osascript <<EOT
tell application "System Events"
    activate
    with timeout of 600 seconds
        set oldDomainUn to text returned of (display dialog "Please type in users $oldDomain username" default answer "" with icon 2)
    end timeout
end tell
EOT
)
    # Force removal from previous Domain
    dsconfigad -r -f -u user -p pass
    dsconfigldap -r -f -u user -p pass
    sleep 3
    # Lets update the home dir folder name to the correct name
    mv "/Users/$oldDomainUn" "/Users/$newUn"
    # Lets join the $newDomain Domain
    /usr/local/jamf/bin/jamf policy -trigger "$newDomainTrigger"
    sleep 5
    # Make sure we are on the new domain
    echo "first check after bind"
    domain2=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
    # Line for recording in Policy Log
    echo "results of first check $domain2"
    sleep 3
    # If on the new Domain, reset permissions on home directory to new UUID for first Login
    if [[ "$domain2" == "$newDomain" ]]; then
        echo "Sweet you are on $newDomain You are all set"
        echo "Lets clean up your old account"
        # removing profile but not home dir
        dscl . -delete "/Users/$oldDomainUn"
        echo "Lets fix permissions on $newUn home directory"
        # change ownership of home dir to new UUID
        chown -R "$newUn" "/Users/$newUn"
        sleep 2

        /usr/local/bin/jamf recon
        sleep 2

        prompt1=$(/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "Migration Complete" -description "The Migration has completed successfully.  Please click OK and logout of this account." -button1 "OK")
        echo "Results of $prompt1"
        if [ "$prompt1" == "0" ]; then
            exit 0
        fi

    else
        prompt3=$(/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "Migration Incomplete" -description "The Migration has not completed.  There was an issue with your migration, please reach out to Client Engineering on-call." -button1 "OK")
        echo "Results of $prompt3"
        if [ "$prompt3" == "0" ]; then
            exit 1
        fi
    fi
}

if [[ "$LoggedInUser" =~ "admin" ]] || [[ "$LoggedInUser" == "pmcadmin" ]]; then
    echo "Not regular user logged in, lets run migration"
    Run_Migration
else
    /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "FAIL" -description "You must be logged in as pmcadmin or admin account.  Please Logout of $LoggedInUser and login as pmcadmin or admin and run this process again." -button1 "OK"
    # exit non-zero so the policy log records the aborted run as a failure
    exit 1
fi
SOLVED Posted: by mgorton

Awesome, thank you so much. The funny thing is that I was almost there and just missing the profile move part. Guess I'm starting to get the hang of this. Appreciate your time on this. This script will save quite a bit of time for our Mac support group.

SOLVED Posted: by marklamont

As an alternative you could consider using NoMAD login and stop binding at all.

SOLVED Posted: by mgorton

Yeah, I looked into that before working on this script. The issue is that you may be replacing one issue with another down the road. Apple is rather restrictive with third-party apps and doesn't play nice with other vendors (as we found out with kernel panics from Carbon Black last year). Not to say that they may not break bindings in some way either, but we've actually been rather stable on that front since 10.13 rolled out.

@ddcdennisb As far as this script goes, if the username is different, does the user need to be added as well to the Mac to be allowed to log in? I believe I have mobile account creation allowed in Jamf, but can't seem to log in with the new domain account after the script runs. I suppose I may be confusing how it works for Windows systems and may be missing something.

SOLVED Posted: by ddcdennisb

If it's plugged into your network, you shouldn't have an issue logging in as the new user. Are you getting an error or just a shaking password field?

SOLVED Posted: by mgorton

Password shaking. No LAN on these, so I'm assuming it's network related and trying to figure out how to push a Wi-Fi profile that allows the user to log onto Wi-Fi before the actual system.
