Migrating AD Domains, best solution?

New Contributor II

Understandably, most of you will recommend not binding to AD. However, in our environment it's necessary due to a variety of factors. My question is: what's the best way to do an AD migration for our end users?

All of our machines are FV-enabled and are split between macOS 10.12.6 and 10.14.3 (we're in the process of upgrading to Mojave). I'm aware of the FV changes and the secure token in Mojave. The user name will stay the same from the old domain to the new.

Would it be easier to convert the mobile accounts to local & then back again, or does it make more sense to update the UID after unbinding/rebinding? I'm trying to figure out what would be the easiest workflow, so that this could be published as a Self Service policy as well as managing FV.


Valued Contributor III

I went through this 4 years ago when our company had a spin-off. If I had to do it now, I would convert everything to local accounts and use Jamf Connect or similar instead of mobile accounts, which Apple is all but deprecating.

Your biggest problem is probably FV. What I did was capture the user's password, create an escrow account with FV access temporarily, then delete and re-add the user to FV after the system changed domains (since their UID will no longer match). This was before the Secure Token era, so that might make things harder, or maybe fdesetup is actually better these days. It might be easier.
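The FileVault part of the workflow above (escrow admin authorises, stale entry for the migrated user is removed, user is re-added) as an added example script; this is not code from the thread or from Jamf. It assumes a hypothetical escrow account that is already FileVault-enabled (on 10.13+ APFS that also means it holds a secure token) and that the credentials arrive in environment variables named ESCROW_USER, ESCROW_PW, TARGET_USER and TARGET_PW, all of which are made-up names. The plist layout is the one `fdesetup add -inputplist` documents: Username/Password for the authorising user, AdditionalUsers for the account to enable.

```shell
#!/bin/bash
# Added example (not from the thread): re-enrol a user in FileVault after a
# domain change, with a temporary escrow admin as the authorising FV user.
# ESCROW_USER/ESCROW_PW/TARGET_USER/TARGET_PW are hypothetical variable names.
set -u

# Escape the five XML special characters so an arbitrary password survives
# being embedded in the plist fed to fdesetup.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Build the stdin plist for `fdesetup add -inputplist`: Username/Password is
# an already FileVault-enabled account (the escrow admin), AdditionalUsers is
# the account to (re)enable together with its current password.
fv_add_plist() {
  local auth_user=$1 auth_pw=$2 new_user=$3 new_pw=$4
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Username</key><string>$(xml_escape "$auth_user")</string>
  <key>Password</key><string>$(xml_escape "$auth_pw")</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>$(xml_escape "$new_user")</string>
      <key>Password</key><string>$(xml_escape "$new_pw")</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# `fdesetup list` prints one "name,UUID" line per enabled user. Takes that
# output as a string so the check can be exercised without fdesetup present.
fv_list_has_user() {
  local listing=$1 name=$2
  printf '%s\n' "$listing" | awk -F, -v n="$name" '$1 == n { found = 1 } END { exit !found }'
}

# Real workflow (macOS, root): refuse unless the escrow admin is FV-enabled,
# drop the user's stale FileVault entry (its GUID no longer matches the
# record from the new domain) and add the user back under escrow authority.
fv_reenroll() {
  local escrow_user=$1 escrow_pw=$2 user=$3 user_pw=$4 listing
  listing=$(fdesetup list) || return 1
  if ! fv_list_has_user "$listing" "$escrow_user"; then
    echo "escrow account $escrow_user is not FileVault-enabled; enable it first" >&2
    return 1
  fi
  if fv_list_has_user "$listing" "$user"; then
    fdesetup remove -user "$user" || return 1
  fi
  fv_add_plist "$escrow_user" "$escrow_pw" "$user" "$user_pw" | fdesetup add -inputplist
}

# Only act on macOS and when explicitly asked; otherwise the file just
# defines the functions above so they can be sourced or tested elsewhere.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--apply" ]; then
  fv_reenroll "${ESCROW_USER:?}" "${ESCROW_PW:?}" "${TARGET_USER:?}" "${TARGET_PW:?}"
fi
```

Run it as root with `--apply` after the rebind has completed; because the password goes through stdin rather than the command line it does not show up in `ps`. Remove the escrow admin from FileVault again (`fdesetup remove -user`) once every migrated user has been re-enabled.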

New Contributor III

Hi, so what I did over the last week is I ran three policies:
1. Unbind and then rebind to the new domain
2. Convert the account to local
3. Deploy NoMAD with a config profile that checks the Kerberos password

I wouldn't convert the account back to mobile after this task.
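Step 2 of the post above (converting the mobile account to a local one) as an added example; it is not the poster's script and not Jamf's or Apple's code. The approach is the usual one: delete the cached-directory attributes from the local record and remove the AD-specific AuthenticationAuthority values, reading them via `dscl -plist` because the AD node name contains spaces and the plain `dscl -read` output cannot be split safely. The sample record and plist are constructed for illustration (domain CORP, user bob); which Kerberosv5 entries to drop (those not belonging to the LKDC local KDC) is this example's choice.

```shell
#!/bin/bash
# Added example (not from the thread): turn an AD mobile account into a plain
# local account. Acts for real only on macOS with "--apply USER"; otherwise it
# just defines functions that can be exercised on captured dscl output.
set -u

# Attributes present only on a cached (mobile) record; deleting them is what
# makes Directory Services treat the record as a native local user.
CACHED_ATTRS="cached_groups cached_auth_policy CopyTimestamp AltSecurityIdentities
SMBPrimaryGroupSID OriginalAuthenticationAuthority OriginalNodeName SMBSID
SMBScriptPath SMBPasswordLastSet SMBGroupRID PrimaryNTDomain AppleMetaRecordName
MCXSettings MCXFlags"

# Constructed sample of `dscl . -read /Users/bob` for a mobile account.
SAMPLE_RECORD=$(cat <<'EOF'
RecordName: bob
UniqueID: 1234567890
NFSHomeDirectory: /Users/bob
OriginalNodeName: /Active Directory/CORP/All Domains
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken;
EOF
)

# Constructed sample of `dscl -plist . -read /Users/bob AuthenticationAuthority`.
SAMPLE_AUTH_PLIST=$(cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>dsAttrTypeStandard:AuthenticationAuthority</key>
  <array>
    <string>;ShadowHash;HASHLIST:&lt;SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2&gt;</string>
    <string>;Kerberosv5;;bob@LKDC:SHA1.0123456789ABCDEF;LKDC:SHA1.0123456789ABCDEF;</string>
    <string>;LocalCachedUser;/Active Directory/CORP/All Domains:bob:A1B2C3D4-0000-1111-2222-333344445555</string>
    <string>;Kerberosv5;;bob@CORP.EXAMPLE.COM;CORP.EXAMPLE.COM;</string>
    <string>;SecureToken;</string>
  </array>
</dict>
</plist>
EOF
)

# A record is a mobile account if it carries OriginalNodeName (the AD node).
is_mobile_record() {
  printf '%s\n' "$1" | grep -q '^OriginalNodeName:'
}

# Print every <string> value of a dscl -plist dump, one per line, with XML
# entities decoded so the values match what dscl -delete expects.
plist_strings() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*<string>\(.*\)<\/string>[[:space:]]*$/\1/p' \
    | sed -e 's/&lt;/</g' -e 's/&gt;/>/g' -e 's/&quot;/"/g' -e "s/&apos;/'/g" -e 's/&amp;/\&/g'
}

# AuthenticationAuthority values tied to AD: the LocalCachedUser entry and the
# AD-realm Kerberos entry. The LKDC entry is the local KDC's and is kept.
stale_auth_values() {
  plist_strings "$1" | awk '
    /^;LocalCachedUser;/ { print; next }
    /^;Kerberosv5;/ && $0 !~ /LKDC:/ { print }
  '
}

# Real conversion (macOS, root). The record stays the same local-node entry,
# so its UID, home folder, password and secure token are untouched.
convert_to_local() {
  local user=$1 record auth attr v home
  record=$(dscl . -read "/Users/$user") || return 1
  if ! is_mobile_record "$record"; then
    echo "$user is not a mobile account; nothing to do" >&2
    return 0
  fi
  auth=$(dscl -plist . -read "/Users/$user" AuthenticationAuthority) || return 1
  for attr in $CACHED_ATTRS; do
    dscl . -delete "/Users/$user" "$attr" 2>/dev/null || true  # not every key exists
  done
  stale_auth_values "$auth" | while IFS= read -r v; do
    dscl . -delete "/Users/$user" AuthenticationAuthority "$v"
  done
  home=$(dscl . -read "/Users/$user" NFSHomeDirectory | sed 's/^NFSHomeDirectory: //')
  [ -d "$home" ] && chown -R "$user" "$home"
  if dscl . -read "/Users/$user" OriginalNodeName >/dev/null 2>&1; then
    echo "conversion incomplete: OriginalNodeName still present" >&2
    return 1
  fi
  sysadminctl -secureTokenStatus "$user"   # confirm the token survived (10.13+)
}

if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--apply" ]; then
  convert_to_local "${2:?usage: --apply USER}"
fi
```

Run it after the unbind/rebind policy and before deploying NoMAD, and, as the post says, leave the account local afterwards; once the record is local, NoMAD keeps the local password in step with the new domain and nothing depends on the UID the new domain would have assigned.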