As part of a domain migration project, I was recently tasked with figuring out a way to handle migrating the Macs from one AD domain to another. I had the following requirements:
- Unbind the Mac from the old AD domain
- Bind the Mac to the new AD domain
- Migrate the user’s data from the old AD domain to the new AD domain
Preferably, it would be a procedure that anybody could use. That way, anyone on the team could perform the migration process regardless of their personal skill level with Macs.
I had a pre-existing interactive script that I could modify and use to fulfill requirement 3, but I needed a way to fulfill requirements 1 and 2.
With some help from DeployStudio, I was able to develop an unbind / rebind procedure that fulfilled requirements 1 and 2. It also gave me the following features:
- Anyone on our helpdesk team could do it, regardless of familiarity with Macs or Active Directory.
- Potential for human error was minimized.
- Reboots (generally a good idea when making directory service changes) were a built-in part of the migration process.
For details, see below the jump.
To perform the migration process, I built a new workflow in DeployStudio. For the purposes of this example, the workflow is named as follows:
Rename and Re-bind a Company Mac to the new AD Domain
The workflow has the following components:
1. Set the system time using a network time server.
The reason for this step is to ensure that the system clock is set to the correct time before binding the Mac to the new AD domain. If the time is off, the AD bind will fail.
2. Name the Mac (in case a name change is needed as part of the domain change).
3. Force unbind the Mac from the old AD domain
For this step, I use a payload-free package based on a script available from my GitHub repo.
This script uses a username and password that won’t exist in AD, so the AD computer object won’t be removed from the domain that this Mac is migrating from. However, this domain is being retired so leaving behind the computer object didn’t matter in this case.
4. Bind the Mac to the new AD domain
5. Re-set the time server settings
The reason for this last step is that setting the system clock in step 1 removes the Mac’s previous time server settings. I use a payload-free package based on this script to set the Mac’s time server settings back to what they should be.
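As an added example, not the author's GitHub scripts or anything from DeployStudio, here is how the scripted parts of the workflow (steps 1, 3, 4 and 5) could be carried out in one first-boot shell script; the domain names, OU, time server and bind account are placeholders, and the bind password is assumed to arrive in the environment rather than in the package.

```shell
#!/bin/bash
# Added example of the scripted workflow steps (1, 3, 4 and 5), not the author's
# GitHub scripts. Runs as root at first boot; all names below are placeholders.
set -eu

OLD_DOMAIN="old.example.com"                 # placeholder: domain being retired
NEW_DOMAIN="new.example.com"                 # placeholder: domain being migrated to
NEW_OU="OU=Macs,DC=new,DC=example,DC=com"    # placeholder: OU for the computer object
TIME_SERVER="time.example.com"               # placeholder: the organisation's NTP server
BIND_USER="svc-macbind"                      # placeholder: account allowed to create computer objects

# Parse `dsconfigad -show` output from stdin; print the bound domain or "none".
# Kept separate from the command so it can be checked against captured output.
parse_bound_domain() {
  awk -F' = ' '/Active Directory Domain/ { gsub(/[[:space:]]/, "", $2); print $2; f=1 }
               END { if (!f) print "none" }'
}
bound_domain() { dsconfigad -show 2>/dev/null | parse_bound_domain; }

# Step 1: set the clock first. Kerberos rejects a skew over 5 minutes, so a
# wrong clock makes the bind in step 4 fail.
sync_clock() {
  if command -v ntpdate >/dev/null 2>&1; then ntpdate -u "$TIME_SERVER"   # older macOS
  else sntp -sS "$TIME_SERVER"; fi                                         # 10.14 and later
}

migrate() {
  # The bind password comes from the environment (e.g. a DeployStudio variable),
  # never from the script body that ends up in the package.
  : "${BIND_PASS:?set BIND_PASS before running}"
  sync_clock
  # Step 3: force-unbind with credentials that do not exist in the old domain.
  # -force drops the local binding even though authentication fails, so the
  # computer object is left behind in $OLD_DOMAIN (acceptable, it is being retired).
  if [ "$(bound_domain)" = "$OLD_DOMAIN" ]; then
    dsconfigad -remove -force -username nonexistent-user -password nonexistent-pass
  fi
  # Step 4: bind to the new domain under the Mac's current name (set in step 2).
  dsconfigad -add "$NEW_DOMAIN" -computer "$(scutil --get ComputerName)" \
    -username "$BIND_USER" -password "$BIND_PASS" -ou "$NEW_OU" -force
  # Step 5: the manual time sync cleared the time server setting; restore it.
  systemsetup -setnetworktimeserver "$TIME_SERVER" >/dev/null
  systemsetup -setusingnetworktime on >/dev/null
  # Verify before the reboot so a failed bind is logged rather than found later.
  [ "$(bound_domain)" = "$NEW_DOMAIN" ] || { echo "bind to $NEW_DOMAIN failed" >&2; exit 1; }
}

# Only run the migration when invoked with --run (the file can be sourced for checks).
if [ "${1:-}" = "--run" ]; then migrate; fi
```

Because the forced unbind drops the binding without authenticating to the old domain, the stale computer object stays there; if the old domain is not being retired, delete it from AD by hand.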
Once the workflow was built, here’s the process to migrate the Mac.
1. Boot the Mac you want to migrate to DeployStudio.
2. Log in and select the Rename and Re-bind a Company Mac to the new AD Domain workflow.
3. Select the boot drive of the Mac being migrated as the target volume.
4. Run the workflow.
5. Once the workflow finishes, select Quit when prompted. Your Mac should reboot at this point.
On restart, the Mac will automatically unbind itself from the old AD domain, bind itself to the new AD domain and re-set the time server settings.
Once the Mac has finished running the DeployStudio workflow tasks, it will reboot again. The Mac should now be bound to the new AD domain.
Once the Mac has been bound to the new AD domain, the next step is to migrate the existing AD accounts on the Mac. I recommend using the previously-mentioned interactive script to migrate the users’ data from the old AD account to the equivalent account on the new AD domain.