Mac AD Migration from old Domain to New Domain

markhamandstein
New Contributor II

Hi Everyone, I'm reaching out in need of assistance. I'm currently working on the migration of 300 AD-bound Macs. The scenario is the following:

- All 300 Macs are joined to the old domain with network accounts and need to be migrated to the new domain without deleting their user data and making sure it has the correct permissions.
- Currently there is no FileVault enabled.
- I've been looking into scripts or some sort of automation that could help me un-join from the old domain, re-join to the new domain and move the user's profile with the same naming convention over to the new domain.

Any help on this would be greatly appreciated, as I would like to publish this script on Self Service to do this on all the Macs that need to be migrated.

I'm no expert in Jamf, but I understand the concepts and have been using it for a while now, so a detailed explanation would be greatly appreciated.

Thanks for everyone's time on this thread, thanks in advance.

Please feel free to have any input, anything would help.


DBrowning
Valued Contributor II

@markhamandstein Are the usernames the same on both domains? I've now done 2 full domain migrations (1500+ machines each time).

I've got some scripts that can help you out. I just need to know if the usernames are the same or different.

markhamandstein
New Contributor II

@ddcdennisb Thank you very much for your reply on this topic. To answer your question: no, they don't have the same naming convention from the old domain to the new, but that will be changing, so after the change and before the migration they will have the same name on both the old and the new domain.

Thanks again for your help on this.

DBrowning
Valued Contributor II

@markhamandstein So I've got 2 scripts for you: one that can run automated at the login screen, and one that is a little more interactive and can be run via Self Service.

First (Automated): This one will require you to set up a domain join policy as well as set up some variables in the policy that runs this script. The variables are:
- Username of an account that can disjoin from the old domain
- Password of an account that can disjoin from the old domain
- Old domain (i.e. company.int)
- New domain (i.e. new.company.int)
- New Domain Join Policy trigger

You will also need to change the local administrator account on line 71 to match your local admin account.
Automated Migration

Second (Self Service option): This one will also require a domain join policy and setting the variables in the script before running.
Self Service Migration

Both scripts assume the username is the same on both domains.

markhamandstein
New Contributor II

@ddcdennisb Thank you so much for your help on this, I really appreciate it. I'm going to give it a try now, and if I run into any inconvenience, I'll reach back.

Again, your time is much appreciated.

markhamandstein
New Contributor II

Hi @ddcdennisb, thanks again for all your help on this. I'm still having some issues, and I was wondering what your take on this is.

  1. It properly unjoins from the old domain.
  2. It properly joins to the new domain.
  3. Right after that it shows the following error: "Migration Incomplete" -description "The Migration has not completed. There was an issue with your migration, please reach out to Support for help." -button1 "OK"

I apologize if this takes much of your time, but your help would be greatly appreciated.

Here's the script with the modified variables:

#!/bin/sh

LoggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

oldDomain="olddomain.corp.com"
newDomain="newdomain.corp.com"
newDomainTrigger="ADBind"

runMigration ()
{

echo "Unjoining Old Domain"

dsconfigad -remove -force -u user -p pass

sleep 3

# prompt for User's username for changing permissions later in the script

un=`/usr/bin/osascript <<EOT
tell application "System Events"
    activate
    with timeout of 600 seconds
        set un to text returned of (display dialog "Please type in Active Directory Username" default answer "" with icon 2)
    end timeout
end tell
EOT`

# Check to see if disjoin worked. If not, a forced disjoin will be done and then joined to new Domain.
# If the disjoin worked at first it will just join to the new domain.

domain1=$(dsconfigad -show | grep 'Active Directory Domain')
if [[ ${domain1} =~ '$oldDomain' ]]; then
    echo "Still on $oldDomain"
    dsconfigad -force -remove -u user -p pass
    sleep 10
    /usr/local/jamf/bin/jamf policy -trigger $newDomainTrigger
else
    echo "Looks like unjoin worked. Lets join the $newDomain Domain"
    /usr/local/jamf/bin/jamf policy -trigger $newDomainTrigger
    sleep 5
fi
sleep 3

# Make sure we are on the new domain

echo "first check after bind"
domain2=$(dsconfigad -show | grep 'Active Directory Domain')

# Line for recording in Policy Log

echo "results of first check $domain2"
sleep 3

# If on the new Domain, reset permissions on home directory to new UUID for first Login

if [[ ${domain2} =~ '$newDomain' ]]; then
    echo "Sweet you are on $newDomain You are all set"
    echo "Lets clean up your old AD account"
    #removing profile but not home dir
    dscl . -delete /Users/$un
    echo "Lets fix permissions on $un home directory"
    #change ownership of home dir to new UUID
    chown -R $un /Users/$un
    sleep 2
    prompt1=`/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "Migration Complete" -description "The Migration has completed successfully. click OK and reboot your computer." -button1 "OK"`
    echo "Results of $prompt1";
    if [ "$prompt1" == "0" ]; then
        exit 0
    fi

else
    prompt3=`/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "Migration Incomplete" -description "The Migration has not completed. There was an issue with your migration, please reach out to Support for help." -button1 "OK"`
    echo "Results of $prompt3";
    if [ "$prompt3" == "0" ]; then
        exit 1
    fi
fi
}
if [[ ${LoggedInUser} =~ "admin" ]] || [[ ${LoggedInUser} == "pmcadmin" ]]; then
    echo "No normal user is logged in! lets run the migration!"
    runMigration
else
    echo "$LoggedInUser is logged in and this process will exit"
    /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "FAIL" -description "You must be logged in as pmcadmin or admin account. Please Logout of $LoggedInUser and login as pmcadmin or admin and run this process again." -button1 "OK"
    exit 1
fi
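The policy log in the follow-up below shows the bind succeeding and the script still taking the "Migration Incomplete" branch. In bash, a single-quoted right-hand side of `=~` is matched as the literal characters `$newDomain` (single quotes block expansion, and a quoted `=~` pattern is compared literally), so that test can never be true. The following is an added example, not code from the thread or from either poster: it pulls the post-bind checks out into functions that take the command output as text, so they can be exercised offline against constructed `dsconfigad -show` and `scutil` output. The function names, the sample output and the admin-account list are this example's own assumptions; on a real Mac you would pass in `"$(dsconfigad -show)"` and `"$(scutil <<< 'show State:/Users/ConsoleUser')"`.

```shell
#!/bin/sh
# Added example (not from the thread). Post-bind checks for an AD migration
# script, written as functions over text so they can be tested without a Mac.

# Print the value of "Active Directory Domain = x" from dsconfigad -show output.
# Prints nothing and returns 1 when the Mac is not bound (dsconfigad -show is empty).
current_ad_domain() {
    show_output="$1"
    domain=$(printf '%s\n' "$show_output" | awk '/Active Directory Domain/ { print $NF; exit }')
    [ -n "$domain" ] || return 1
    printf '%s\n' "$domain"
}

# Return 0 only when the bound domain is exactly the expected one.
# Uses a plain string comparison instead of =~, which is what
# [[ $domain2 =~ '$newDomain' ]] in the script above was meant to do.
on_domain() {
    show_output="$1"
    expected="$2"
    bound=$(current_ad_domain "$show_output") || return 1
    [ "$bound" = "$expected" ]
}

# Console user parsed from "scutil <<< 'show State:/Users/ConsoleUser'".
# Prints an empty string at the login window or when nobody is logged in.
console_user() {
    scutil_output="$1"
    printf '%s\n' "$scutil_output" | awk '/^ *Name :/ { if ($3 != "loginwindow") print $3; exit }'
}

# Gate: only an explicitly listed local admin account may run the migration.
# An exact-match allow list is stricter than the substring match (=~ "admin")
# in the script above, which would also pass e.g. "jadmin".
is_migration_admin() {
    user="$1"; shift
    for allowed in "$@"; do
        [ "$user" = "$allowed" ] && return 0
    done
    return 1
}

# Constructed sample output (assumed shapes, not captured from a real Mac):
SAMPLE_DSCONFIGAD='Active Directory Forest          = newdomain.corp.com
Active Directory Domain          = newdomain.corp.com
Computer Account                 = mac-0001$'
SAMPLE_SCUTIL='<dictionary> {
  GID : 20
  Name : pmcadmin
  UID : 501
}'
SAMPLE_LOGINWINDOW='<dictionary> {
  GID : 0
  Name : loginwindow
  UID : 0
}'

# Stand-alone demo against the constructed sample:
if on_domain "$SAMPLE_DSCONFIGAD" "newdomain.corp.com"; then
    echo "bound to newdomain.corp.com; console user: $(console_user "$SAMPLE_SCUTIL")"
fi
```

In the migration script itself the same comparison would read `if on_domain "$(dsconfigad -show)" "$newDomain"; then ...`, and the admin gate `if is_migration_admin "$LoggedInUser" admin pmcadmin; then ...`. Logging the parsed value (`current_ad_domain`) rather than the raw grep line also makes the policy log easier to read.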

Hi, do you remember the fix? I am in a similar situation where it errors out with "Migration Incomplete" after properly joining to the new domain.

@DBrowning 

@itznithinshetty It has been a long time since I did anything with this and don't remember If i was able to help resolve the issue.

New macOS devices don't have python installed so that may be part of the issue. I would try replacing the variable LoggedInUser= in the script.
replace

LoggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

with

LoggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`

Thanks! I have already updated the variable. Although the domain bind works fine, it immediately errors after the bind:

-first check after bind
results of first check Active Directory Domain = my new domain
Results of 0

Error running script: return code was 1.

DBrowning
Valued Contributor II

@markhamandstein

Are you able to send me the results from the script running? If you want to send them to me directly rather than on here, I can provide my email.

markhamandstein
New Contributor II

Hi @ddcdennisb, yes, that would be great, I can gladly provide those to you. Let me know the best way to send them out to you.

Thanks again!

DBrowning
Valued Contributor II

edit

markhamandstein
New Contributor II

Hi @ddcdennisb , I just sent you the logs for you to look over when possible. Thanks again for your help!

wmateo
Contributor

@markhamandstein How did this work for you? Can you share the scripts with me? Experiences? I am migrating from one domain to the next as well. Thanks!

shann1976
New Contributor

Hi,

I am new to the Mac world and I need to move around 1000 Macs that are bound to the AD domain ABC.COM to the AD domain XYZ.COM.

Does this require Jamf software, or can it work independently without any software, provided that the admin user has credentials to d

  1. disjoin the system from ABC.com (source domain)
  2. join the system to XYZ.com (target domain)

The usernames are different in both domains. How can we migrate systems, users and their profiles to the new AD domain?

amleshsingh
New Contributor

Hi,

I need these scripts. I have a domain migration. For Windows it is OK, but for 200 Macs it is difficult. If there is a profile migration script for Macs, please provide it to me.

merps
Contributor III

@amleshsingh The scripts are linked above from @ddcdennisb Posted: 2/14/18 at 10:21 AM

coaty_obrien
New Contributor II

@ddcdennisb this looks great! I have a question however, will this work if a user is FileVault enabled?

DBrowning
Valued Contributor II

@coaty.obrien, these scripts were created before the wonderful world of secure tokens. Logic to deal with that is not currently in the scripts but can be added. You most likely wouldn't be able to fully automate the process, as you'd need a password prompt unless you have a local admin account that is FV enabled.

mgorton
New Contributor III

Thanks for this. I am trying to modify this for our needs. Do you have a version of the self service one that will prompt for a source account to migrate from? We have many accounts that don't match from one domain to the next.

DBrowning
Valued Contributor II

@mgorton, it's been about a year since I looked at this, but this should still work, or at least get you going.

#!/bin/sh

LoggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

oldDomain="company.com"
newDomain="newCompany.com"
newDomainTrigger="ADBind"

Run_Migration ()
{
#prompt for User's username for changing permissions later in the script
# New Domain Username
newUn=$(/usr/bin/osascript <<EOT
tell application "System Events"
    activate
    with timeout of 600 seconds
        set newUn to text returned of (display dialog "Please type in users $newDomain AD Username" default answer "" with icon 2)
    end timeout
end tell
EOT)
# Old Domain username
oldDomainUn=$(/usr/bin/osascript <<EOT
tell application "System Events"
    activate
    with timeout of 600 seconds
        set oldDomainUn to text returned of (display dialog "Please type in users $oldDomain username" default answer "" with icon 2)
    end timeout
end tell
EOT)
#Force removed from previous Domain
dsconfigad -r -f -u user -p pass
dsconfigldap -r -f -u user -p pass
sleep 3
#Lets update the home dir folder name to the correct name
mv /Users/$oldDomainUn/ /Users/$newUn
#Lets join the $newDomain Domain
/usr/local/jamf/bin/jamf policy -trigger $newDomainTrigger
sleep 5
#Make sure we are on the new domain
echo "first check after bind"
domain2=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
#Line for recording in Policy Log
echo "results of first check $domain2"
sleep 3
# If on the new Domain, reset permissions on home directory to new UUID for first Login
if [[ ${domain2} == $newDomain ]]; then
    echo "Sweet you are on $newDomain You are all set"
    echo "Lets clean up your old account"
    #removing profile but not home dir
    dscl . -delete /Users/$oldDomainUn
    echo "Lets fix permissions on $newUn home directory"
    #change ownership of home dir to new UUID
    chown -R $newUn /Users/$newUn
    sleep 2

    /usr/local/bin/jamf recon
    sleep 2

prompt1=`/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "Migration Complete" -description "The Migration has completed successfully.  Please click OK and logout of this account." -button1 "OK"`
    echo "Results of $prompt1";
        if [ "$prompt1" == "0" ]; then
            exit 0
        fi

else
    prompt3=`/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "Migration Incomplete" -description "The Migration has not completed.  There was an issue with your migration, please reach out to Client Engineering on-call." -button1 "OK"`
    echo "Results of $prompt3";
        if [ "$prompt3" == "0" ]; then
            exit 1
        fi
fi
}
if [[ ${LoggedInUser} =~ "admin" ]] || [[ ${LoggedInUser} == "pmcadmin" ]]; then
    echo "Not regular user logged in, lets run migration"
    Run_Migration
else
    /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "FAIL" -description "You must be logged in as pmcadmin or admin account.  Please Logout of $LoggedInUser and login as pmcadmin or admin and run this process again." -button1 "OK"
fi
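The home-folder step in the script above (`mv /Users/$oldDomainUn/ /Users/$newUn` followed by `chown -R`) is the part that touches user data, and it has two sharp edges: if `/Users/$newUn` already exists (for instance from a test login with the new account), `mv` silently moves the old home inside it, and an empty or malformed username turns the `chown -R` into a recursive re-own of `/Users`. The following is an added example, not code from the thread or from either poster: a guarded version of that step that takes the users directory and the target uid/gid as parameters so it can be run on a throwaway directory. The function name and the sample folder are this example's own; in production you would call it after the bind has succeeded, as `migrate_home_dir /Users "$oldDomainUn" "$newUn" "$(id -u "$newUn")" "$(id -g "$newUn")"`, because `id` can only resolve the new account once the Mac is bound to the new domain and can reach it.

```shell
#!/bin/sh
# Added example (not from the thread). Guarded rename + re-own of a home folder
# during an AD domain migration. Run as root in production; the demo at the
# bottom works unprivileged on a temp dir because it chowns to the caller's ids.

migrate_home_dir() {
    users_dir="$1"; old_user="$2"; new_user="$3"; new_uid="$4"; new_gid="$5"

    # Refuse empty names: "mv /Users/ ..." or "chown -R ... /Users/" would
    # hit every home folder on the machine.
    if [ -z "$old_user" ] || [ -z "$new_user" ]; then
        echo "migrate_home_dir: empty username" >&2
        return 2
    fi
    # Refuse names that could escape $users_dir (the names come from a dialog).
    for name in "$old_user" "$new_user"; do
        case "$name" in
            */*|.|..) echo "migrate_home_dir: invalid username '$name'" >&2; return 2 ;;
        esac
    done

    src="$users_dir/$old_user"
    dst="$users_dir/$new_user"
    if [ ! -d "$src" ]; then
        echo "migrate_home_dir: no home directory at $src" >&2
        return 1
    fi

    # Same username on both domains (the common case in this thread): nothing
    # to move, only the ownership changes.
    if [ "$src" != "$dst" ]; then
        # Without this check mv would put the old home INSIDE an existing $dst.
        if [ -e "$dst" ]; then
            echo "migrate_home_dir: $dst already exists, not overwriting" >&2
            return 1
        fi
        mv "$src" "$dst" || return 1
    fi

    # Re-own everything to the new account's uid/gid so the first login with
    # the new (different) UID can read its own data. Numeric ids avoid a
    # directory lookup per file and work even if the name is not resolvable yet.
    chown -R "$new_uid:$new_gid" "$dst" || return 1
    echo "re-owned $dst to $new_uid:$new_gid"
}

# Stand-alone demo on a constructed temp directory (not a real /Users),
# using the thread's own example of a renamed account.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/adavenport/Documents"
migrate_home_dir "$demo_dir" adavenport alex.davenport "$(id -u)" "$(id -g)"
rm -rf "$demo_dir"
```

The old account's directory record (`dscl . -delete /Users/$oldDomainUn`) is still deleted separately, as in the script above; keep that after the rename succeeds so a failed `mv` leaves a machine that can still log in with the old cached account.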

mgorton
New Contributor III

Awesome, thank you so much. Funny is that I was almost there and just missing the profile move part. Guess I'm starting to get the hang of this. Appreciate your time on this. This script will save quite a bit of time for our Mac support group.

marklamont
Contributor III

As an alternative you could consider using NoMAD login and stop binding at all.

mgorton
New Contributor III

Yeah, I looked into that before working on this script. The issue is that you may be replacing one issue with another down the road. Apple is rather restrictive with 3rd party apps and doesn't play nice with other vendors (as we found out with kernel panics from Carbon Black last year). Not to say that they may break bindings in some way either, but we've actually been rather stable on that front since 10.13 rolled out.

@ddcdennisb As far as this script goes, if the username is different, does the user need to be added as well to the Mac to be allowed to log in? I believe I have mobile account creation allowed in Jamf, but can't seem to log in with the new domain account after the script runs. I suppose I may be confusing how it works for Windows systems and may be missing something.

DBrowning
Valued Contributor II

If its plugged into your network, you shouldn't have an issue logging in as the new user. Are you getting an error or just a shaking password field?

mgorton
New Contributor III

Password shaking. No Lan on these, so assuming its network related and trying to figure out how to push a wifi profile that allows the user to log onto wifi before the actual system.

adavenport321
New Contributor II

@ddcdennisb I have a project where I need to move around 110 machines from domain 1 to domain 2. Your scripts assume that the username is the same, but in our case we are going from a first-letter-of-First + LastName convention to a FirstName.LastName setup. Is there a script that you have, or do you know how to modify your script to allow for this username transition?

adavenport@domain1.com is now alex.davenport@domain2.com, for example.

adavenport321
New Contributor II

...

DBrowning
Valued Contributor II

@adavenport321, as with the script above, this hasn't been used in a while and doesn't take Secure Tokens into account, but here ya go: Different Name Domain Migration

pei
New Contributor

nice!

Kishan_H
New Contributor II

Hi All,
New to the whole Jamf environment and I've been tasked to migrate 200+ Macs from an old domain to a new one. 90% of the users have the same username and password on both domains. I'm looking to migrate the Macs to the new domain and allow users to keep their existing Mac profiles. I tried using @ddcdennisb's script but I'm thrown at the below:

LoggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

When running the script I get an error stating:
"FAIL You must be logged in as pmcadmin or admin account. Please Logout out of and logging as pmcadmin or admin and run this process again."

If I remove that line from the script I get the same error message.

Any advice/solutions much appreciated.

Thanks,
Kishan

DBrowning
Valued Contributor II

@kishan.hirani I finally got back into my account on here. I just wanted to update the forum here with my answer.

You will want to look for the lines near the end of the script that are an If statement. It should look something like this:

if [[ ${LoggedInUser} =~ "admin" ]] || [[ ${LoggedInUser} == "pmcadmin" ]]; then
    echo "Not regular user logged in, lets run migration"
    Run_Migration
else
    /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "FAIL" -description "You must be logged in as pmcadmin or admin account.  Please Logout of $LoggedInUser and login as pmcadmin or admin and run this process again." -button1 "OK"
fi

You would want to either remove the check for the username or change to the admin accounts you want to be able to run the script.

Jack_Turner
New Contributor II

@DBrowning I can't see the two scripts in Git anymore, can you send these over?