Mac AD Migration from old Domain to New Domain
Posted on 02-13-2018 01:16 PM
Hi Everyone, I'm reaching out in the need of assistance. I'm currently working on the migration of 300 AD bound macs. The scenario is the following:
- All 300 Macs are joined to the old domain with network accounts and need to be migrated to the new domain without deleting their user data and making sure it has the correct permissions.
- Currently there is no FileVault enabled.
- I've been looking into scripts or some sort of automation that could help me un-join from the old domain, re-join to the new domain and move the user's profile with the same naming convention over to the new domain.
Any help on this would be greatly appreciated, as I would like to publish this script on Self Service to do this on all the Macs that need to be migrated.
I'm no expert in JAMF, but I understand the concepts and have been using it for a while now. So a detailed explanation would be greatly appreciated.
Thanks for everyone's time on this thread, thanks in advance.
Please feel free to have any input, anything would help.
Posted on 02-14-2018 04:51 AM
@markhamandstein Are the usernames the same on both domains? I've now done 2 full domain migrations (1500+ machines each time).
I've got some scripts that can help you out. Just need to know if usernames are the same or different.
Posted on 02-14-2018 06:57 AM
@ddcdennisb Thank you very much for your reply on this topic. To answer your question: no, they don't have the same naming convention from the old domain to the new, but that will be changing, so after the change and before the migration they will have the same name on both the old and new domain.
Thanks again for your help on this.
Posted on 02-14-2018 07:21 AM
@markhamandstein So I've got 2 scripts for you, one that could run automated when at the login screen or one that is a little more interactive that can be run via Self Service.
First: (Automated) This one will require you to setup a domain join policy as well as setup some variables in the policy that runs this script. Variables are:
- Username of an account that can disjoin from the old domain
- Password of an account that can disjoin from the old domain
- Old domain (ie. company.int)
- new domain (ie new.company.int)
- New Domain Join Policy trigger
You will also need to change the local administrator account on line 71 to match your local admin account.
Automated Migration
Second: (Self Service Option) this one will also require a domain join policy and setting variables in the script before running.
Self Service Migration
Both scripts assume the username is the same on both domains.
Posted on 02-14-2018 08:18 AM
@ddcdennisb Thank you so much for your help on this, I really appreciate it. I'm going to give it a try now, and if I run into any inconvenience, I'll reach back.
Again, your time is much appreciated.
Posted on 02-21-2018 02:20 PM
Hi @ddcdennisb Thanks again for all your help on this. I'm still having some issues, I was wondering what's your take on this.
1. It properly unjoins from the old domain.
2. It properly joins to the new domain.
3. Right after that it shows the following error: -heading "Migration Incomplete" -description "The Migration has not completed. There was an issue with your migration, please reach out to Support for help." -button1 "OK"
I apologize if this takes much of your time, but your help would be greatly appreciated.
Here's the script with the modified variables:
```sh
#!/bin/sh
# Console user (current macOS no longer ships python; the 11-09-2023 reply below gives an ls /dev/console alternative)
LoggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
oldDomain="olddomain.corp.com"
newDomain="newdomain.corp.com"
newDomainTrigger="ADBind"

runMigration ()
{
    echo "Unjoining Old Domain"
    dsconfigad -remove -force -u user -p pass
    sleep 3
    # prompt for User's username for changing permissions later in the script
    un=`/usr/bin/osascript <<EOT
tell application "System Events"
    activate
    with timeout of 600 seconds
        set un to text returned of (display dialog "Please type in Active Directory Username" default answer "" with icon 2)
    end timeout
end tell
EOT`
    # Check to see if disjoin worked. If not, a forced disjoin will be done and then joined to new Domain.
    # If the disjoin worked at first it will just join to the new domain.
    domain1=$(dsconfigad -show | grep 'Active Directory Domain')
    # The pattern must be double-quoted, not single-quoted: inside single quotes
    # $oldDomain is the literal text $oldDomain and the match never succeeds.
    if [[ ${domain1} =~ "$oldDomain" ]]; then
        echo "Still on $oldDomain"
        dsconfigad -force -remove -u user -p pass
        sleep 10
        /usr/local/jamf/bin/jamf policy -trigger $newDomainTrigger
    else
        echo "Looks like unjoin worked. Lets join the $newDomain Domain"
        /usr/local/jamf/bin/jamf policy -trigger $newDomainTrigger
        sleep 5
    fi
    sleep 3
    # Make sure we are on the new domain
    echo "first check after bind"
    domain2=$(dsconfigad -show | grep 'Active Directory Domain')
    # Line for recording in Policy Log
    echo "results of first check $domain2"
    sleep 3
    # If on the new Domain, reset permissions on home directory to new UUID for first Login
    # (same quoting fix as above: with '$newDomain' in single quotes this branch always fell through to "Migration Incomplete")
    if [[ ${domain2} =~ "$newDomain" ]]; then
        echo "Sweet you are on $newDomain You are all set"
        echo "Lets clean up your old AD account"
        #removing profile but not home dir
        dscl . -delete "/Users/$un"
        echo "Lets fix permissions on $un home directory"
        #change ownership of home dir to new UUID
        chown -R "$un" "/Users/$un"
        sleep 2
        prompt1=`"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "Migration Complete" -description "The Migration has completed successfully. Click OK and reboot your computer." -button1 "OK"`
        echo "Results of $prompt1";
        if [ "$prompt1" == "0" ]; then
            exit 0
        fi
    else
        prompt3=`"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "Migration Incomplete" -description "The Migration has not completed. There was an issue with your migration, please reach out to Support for help." -button1 "OK"`
        echo "Results of $prompt3";
        if [ "$prompt3" == "0" ]; then
            exit 1
        fi
    fi
}

if [[ ${LoggedInUser} =~ "admin" ]] || [[ ${LoggedInUser} == "pmcadmin" ]]; then
    echo "No normal user is logged in! lets run the migration!"
    runMigration
else
    echo "$LoggedInUser is logged in and this process will exit"
    "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "FAIL" -description "You must be logged in as pmcadmin or admin account. Please Logout of $LoggedInUser and login as pmcadmin or admin and run this process again." -button1 "OK"
    exit 1
fi
```
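Two steps in the script above deserve guards: the domain comparison that decides between "Migration Complete" and "Migration Incomplete", and the dialog-supplied username that goes straight into `dscl . -delete` and `chown -R`. The following is an added example, not code from anyone in this thread or from Jamf; the `dsconfigad -show` sample is constructed, and `bound_domain`, `is_bound_to`, `is_safe_username`, `home_dir_ok` and `cleanup_allowed` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): pure-shell guards for the migration
# script. The dsconfigad/dscl/chown calls stay in the caller; these functions
# only decide whether the caller is allowed to run them.

# Constructed sample of the relevant `dsconfigad -show` lines (not real output).
SAMPLE_DSCONFIGAD_SHOW='Active Directory Forest          = newdomain.corp.com
Active Directory Domain          = newdomain.corp.com
Computer Account                 = mac001$'

# Print the bound domain from `dsconfigad -show` output read on stdin,
# or nothing when the line is absent (Mac not bound).
bound_domain() {
    awk '/^Active Directory Domain[ \t]*=/ { print $NF; exit }'
}

# Exact, case-insensitive comparison. The original test was
#   [[ $domain2 =~ '$newDomain' ]]
# where the single quotes make the pattern the literal text $newDomain,
# so it failed even after a successful bind.
is_bound_to() {  # $1 = dsconfigad -show output, $2 = expected domain
    local bound expected
    bound=$(printf '%s\n' "$1" | bound_domain | tr '[:upper:]' '[:lower:]')
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$bound" ] && [ "$bound" = "$expected" ]
}

# A username typed into a dialog must be a plain account name before it is
# used to delete a directory-services record or recursively chown a home
# folder. Reject empty input, whitespace, path characters, names starting
# with a dot (including ..), Apple's _service accounts, and the local admin
# accounts the script itself relies on.
is_safe_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        .*|_*|root|admin|pmcadmin) return 1 ;;
    esac
    return 0
}

# The home folder to migrate must be a real directory directly under the
# base path (normally /Users), never a symlink that could redirect chown -R.
home_dir_ok() {  # $1 = base directory, $2 = username
    is_safe_username "$2" || return 1
    [ ! -L "$1/$2" ] && [ -d "$1/$2" ]
}

# Decide whether the post-bind cleanup may run. Returns 0 only when every
# guard passes; the caller then performs the dscl delete and the chown.
cleanup_allowed() {  # $1 = dsconfigad output, $2 = new domain, $3 = user, $4 = base
    is_bound_to "$1" "$2" || { echo "not bound to $2, cleanup skipped"; return 1; }
    home_dir_ok "$4" "$3" || { echo "refusing to touch $4/$3"; return 1; }
    return 0
}
```

In the migration script this replaces the `=~` test: call `cleanup_allowed "$(dsconfigad -show)" "$newDomain" "$un" /Users` and only run `dscl` and `chown` when it returns 0.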
11-08-2023 04:28 AM - edited 11-08-2023 04:37 AM
Hi, do you remember the fix? I am in a similar situation where it errors out with "Migration Incomplete" after properly joining to the new domain.
Posted on 11-09-2023 05:21 AM
@itznithinshetty It has been a long time since I did anything with this and I don't remember if I was able to help resolve the issue.
Posted on 11-09-2023 10:30 AM
New macOS devices don't have python installed so that may be part of the issue. I would try replacing the variable LoggedInUser= in the script.
Replace
```sh
LoggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
```
with
```sh
LoggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
```
Posted on 11-10-2023 12:44 AM
Thanks! I have already updated the variable. Although the domain bind works fine, it immediately errors after the bind:
```
first check after bind
results of first check Active Directory Domain = my new domain
Results of 0
Error running script: return code was 1.
```
Posted on 02-21-2018 05:21 PM
Are you able to send me the results from the script running? If you want to send them to me directly rather than on here, I can provide my email.
Posted on 02-21-2018 07:11 PM
Hi @ddcdennisb yes that would be great, I can gladly provide those to you. Let me know the best way to send those out to you.
Thanks again!
Posted on 02-22-2018 04:07 AM
edit
Posted on 02-22-2018 11:27 AM
Hi @ddcdennisb , I just sent you the logs for you to look over when possible. Thanks again for your help!
Posted on 07-02-2018 07:57 AM
@markhamandstein how did this work for you? can you share scripts with me? experiences? I am migrating from one domain to the next as well. Thanks!
Posted on 11-28-2018 03:00 PM
Hi,
I am new to the Mac world and I need to move around 1000 Macs that are bound to the AD domain ABC.COM to the AD domain XYZ.COM.
Does this require JAMF software, or can it work independently without any software, provided that the admin user has credentials to d
- disjoin the system from ABC.com (source domain)
- join the system from XYZ.com (target domain)
The usernames are different in both domains. How can we migrate systems, users and their profiles to the new AD domain?
Posted on 02-22-2019 08:19 AM
Hi,
I need these scripts. I have a domain migration. For Windows it is OK, but for 200 Macs it is difficult. If there is profile migration for Mac, please provide it to me.
Posted on 02-22-2019 09:26 AM
@amleshsingh The scripts are linked above from @ddcdennisb Posted: 2/14/18 at 10:21 AM
Posted on 03-13-2019 07:53 PM
@ddcdennisb this looks great! I have a question however, will this work if a user is FileVault enabled?
Posted on 03-14-2019 03:57 AM
@coaty.obrien, these scripts were created before the wonderful world of secure tokens. Logic to deal with that is not currently in the scripts but can be added. Most likely wouldn't be able to fully automate the process as you'd need a password prompt unless you have a local admin account that is FV enabled.
Posted on 05-10-2019 07:58 AM
Thanks for this. I am trying to modify this for our needs. Do you have a version of the self service one that will prompt for a source account to migrate from? We have many accounts that don't match from one domain to the next.
Posted on 05-10-2019 12:20 PM
@mgorton, it's been about a year since I looked at this, but this should still work, or at least get you going.
```sh
#!/bin/sh
# Console user (current macOS no longer ships python; the 11-09-2023 reply above gives an ls /dev/console alternative)
LoggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
oldDomain="company.com"
newDomain="newCompany.com"
newDomainTrigger="ADBind"

Run_Migration ()
{
    #prompt for User's username for changing permissions later in the script
    # New Domain Username
    newUn=$(/usr/bin/osascript <<EOT
tell application "System Events"
    activate
    with timeout of 600 seconds
        set newUn to text returned of (display dialog "Please type in users $newDomain AD Username" default answer "" with icon 2)
    end timeout
end tell
EOT)
    # Old Domain username
    oldDomainUn=$(/usr/bin/osascript <<EOT
tell application "System Events"
    activate
    with timeout of 600 seconds
        set oldDomainUn to text returned of (display dialog "Please type in users $oldDomain username" default answer "" with icon 2)
    end timeout
end tell
EOT)
    # Both names go straight into mv, dscl and chown below, so never continue with an empty answer
    if [ -z "$newUn" ] || [ -z "$oldDomainUn" ]; then
        echo "A username prompt was left empty, aborting"
        exit 1
    fi
    #Force removed from previous Domain
    dsconfigad -r -f -u user -p pass
    dsconfigldap -r -f -u user -p pass
    sleep 3
    #Lets update the home dir folder name to the correct name
    mv "/Users/$oldDomainUn/" "/Users/$newUn"
    #Lets join the $newDomain Domain
    /usr/local/jamf/bin/jamf policy -trigger $newDomainTrigger
    sleep 5
    #Make sure we are on the new domain
    echo "first check after bind"
    domain2=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
    #Line for recording in Policy Log
    echo "results of first check $domain2"
    sleep 3
    # If on the new Domain, reset permissions on home directory to new UUID for first Login
    if [[ ${domain2} == $newDomain ]]; then
        echo "Sweet you are on $newDomain You are all set"
        echo "Lets clean up your old account"
        #removing profile but not home dir
        dscl . -delete "/Users/$oldDomainUn"
        echo "Lets fix permissions on $newUn home directory"
        #change ownership of home dir to new UUID
        chown -R "$newUn" "/Users/$newUn"
        sleep 2
        /usr/local/bin/jamf recon
        sleep 2
        prompt1=`"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "Migration Complete" -description "The Migration has completed successfully. Please click OK and logout of this account." -button1 "OK"`
        echo "Results of $prompt1";
        if [ "$prompt1" == "0" ]; then
            exit 0
        fi
    else
        prompt3=`"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "Migration Incomplete" -description "The Migration has not completed. There was an issue with your migration, please reach out to Client Engineering on-call." -button1 "OK"`
        echo "Results of $prompt3";
        if [ "$prompt3" == "0" ]; then
            exit 1
        fi
    fi
}

if [[ ${LoggedInUser} =~ "admin" ]] || [[ ${LoggedInUser} == "pmcadmin" ]]; then
    echo "Not regular user logged in, lets run migration"
    Run_Migration
else
    "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "FAIL" -description "You must be logged in as pmcadmin or admin account. Please Logout of $LoggedInUser and login as pmcadmin or admin and run this process again." -button1 "OK"
fi
```
Posted on 05-10-2019 01:29 PM
Awesome, thank you so much. Funny thing is that I was almost there and just missing the profile move part. Guess I'm starting to get the hang of this. Appreciate your time on this. This script will save quite a bit of time for our Mac support group.
Posted on 05-10-2019 01:41 PM
As an alternative you could consider using NoMAD login and stop binding at all.
Posted on 05-14-2019 07:20 AM
Yeah, I looked into that before working on this script. The issue is that you may be replacing one issue with another down the road. Apple is rather restrictive with 3rd party apps and doesn't play nice with other vendors (as we found out with kernel panics from Carbon Black last year). Not to say that they may break bindings in some way either, but we've actually been rather stable on that front since 10.13 rolled out.
@ddcdennisb As far as this script goes, if the username is different, does the user need to be added as well to the Mac to be allowed to log in? I believe I have mobile account creation allowed in Jamf, but can't seem to log in with the new domain account after the script runs. I suppose I may be confusing how it works for Windows systems and may be missing something.
Posted on 05-14-2019 07:56 AM
If it's plugged into your network, you shouldn't have an issue logging in as the new user. Are you getting an error or just a shaking password field?
Posted on 05-14-2019 09:11 AM
Password shaking. No LAN on these, so I'm assuming it's network related and trying to figure out how to push a Wi-Fi profile that allows the user to log onto Wi-Fi before the actual system.
Posted on 07-25-2019 12:26 AM
@ddcdennisb I have a project where I need to move around 110 machines from domain 1 to domain 2. Your scripts assume that the username is the same, but in our case, we are going from the first letter of First + LastName to a FirstName.Lastname Setup. Is there a script that you have or know how to modify your script to allow for this username transition?
adavenport@domain1.com is now alex.davenport@domain2.com, for example.
Posted on 07-25-2019 12:29 AM
...
Posted on 07-25-2019 04:29 AM
@adavenport321 , as with the script above, this hasn't been used in a while and doesn't take into account for Secure Tokens, but here ya go: Different Name Domain Migration
Posted on 08-02-2019 01:43 AM
nice!
Posted on 02-27-2020 07:53 AM
Hi All,
New to the whole Jamf environment and I've been tasked to migrate 200+ Macs from an old domain to a new one. 90% of the users have the same username and password on both domains. I'm looking to migrate the Macs to the new domain and allow users to keep their existing Mac profiles. Tried using @ddcdennisb's script but I'm thrown at the below:
```sh
LoggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
```
When running the script I get an error stating:
"FAIL You must be logged in as pmcadmin or admin account. Please Logout out of and logging as pmcadmin or admin and run this process again."
If I remove that line from the script I get the same error message.
Any advice/solutions much appreciated.
Thanks,
Kishan
Posted on 03-05-2020 10:30 AM
@kishan.hirani I finally got back into my account on here. I just wanted to update the forum here with my answer.
You will want to look for the lines near the end of the script that are an If statement. It should look something like this:
```sh
if [[ ${LoggedInUser} =~ "admin" ]] || [[ ${LoggedInUser} == "pmcadmin" ]]; then
    echo "Not regular user logged in, lets run migration"
    Run_Migration
else
    "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon /System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns -heading "FAIL" -description "You must be logged in as pmcadmin or admin account. Please Logout of $LoggedInUser and login as pmcadmin or admin and run this process again." -button1 "OK"
fi
```
You would want to either remove the check for the username or change to the admin accounts you want to be able to run the script.
Posted on 01-06-2021 09:55 AM
@DBrowning I can't see the two scripts in Git anymore. Can you send these over?
Posted on 01-06-2021 11:23 AM