Using DeployStudio as an Active Directory domain migration tool

As part of a domain migration project, I was recently tasked with figuring out a way to handle migrating the Macs from one AD domain to another. I had the following requirements:

  1. Unbind the Mac from the old AD domain
  2. Bind the Mac to the new AD domain
  3. Migrate the user’s data from the old AD domain to the new AD domain

Preferably, it would be a procedure that anybody could use. That way, anyone on the team could perform the migration process regardless of their personal skill level with Macs.

I had a pre-existing interactive script that I could modify and use to fulfill requirement 3, but I needed a way to fulfill requirements 1 and 2.

With some help from DeployStudio, I was able to develop an unbind / rebind procedure that fulfilled requirements 1 and 2. It also gave me the following features:

  1. Anyone on our helpdesk team could do it, regardless of familiarity with Macs or Active Directory.
  2. Potential for human error was minimized.
  3. Reboots (generally a good idea when making directory service changes) were a built-in part of the migration process.

For details, see below the jump.

To perform the migration process, I built a new workflow in DeployStudio. For the purposes of this example, the workflow is named as follows:

Rename and Re-bind a Company Mac to the new AD Domain

The workflow has the following components:

1. Set the system time using a network time server.

The reason for this step is to ensure that the system clock is set to the correct time before binding the Mac to the new AD domain. If the time is off, the AD bind will fail.

2. Name the Mac (in case a name change is needed as part of the domain change.)

3. Force unbind the Mac from the old AD domain

For this step, I use a payload-free package based on a script available from my GitHub repo.

This script uses a username and password that won’t exist in AD, so the AD computer object won’t be removed from the domain that this Mac is migrating from. However, this domain is being retired so leaving behind the computer object didn’t matter in this case.

4. Bind the Mac to the new AD domain

5. Re-set the time server settings

The reason for this last step is that setting the system clock in step 1 removes the Mac’s previous time server settings. I use a payload-free package based on this script to set the Mac’s time server settings back to what they should be.
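
The same sequence expressed as shell commands, followed by a check that the bind landed on the new domain. This is an added example, not the scripts or packages the post links to; the domain, time server, computer name and join account are placeholders, and the `dsconfigad -show` sample is constructed.

```shell
#!/bin/sh
# Added example (not the author's scripts). Domain, NTP server, computer name
# and join account are placeholders; the sample output below is constructed.
NEW_DOMAIN="new.example.com"
NTP_SERVER="time.example.com"
DRY_RUN="${DRY_RUN:-1}"    # 1 = only print the commands (default)

# Constructed sample of `dsconfigad -show` output, used for the dry run.
SAMPLE_SHOW='Active Directory Forest          = new.example.com
Active Directory Domain          = new.example.com
Computer Account                 = mac01$'

run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# Steps 1 and 3-5 of the workflow, in the order the post gives them.
migrate() {   # usage: migrate <computer-name> <join-account>
    # 1. Correct the clock first: Kerberos rejects skew over 5 minutes by
    #    default. (ntpdate shipped with OS X of this era; newer macOS has sntp.)
    run ntpdate -u "$NTP_SERVER"
    # 3. Force unbind with credentials that do not exist in AD, so the old
    #    domain is not contacted and its computer object is left behind.
    run dsconfigad -remove -force -username "nonexistent" -password "nonexistent"
    # 4. Bind. -password is omitted so dsconfigad prompts instead of exposing
    #    the join credential in the process list or shell history.
    run dsconfigad -add "$NEW_DOMAIN" -computer "$1" -username "$2"
    # 5. Restore the time server setting.
    run systemsetup -setnetworktimeserver "$NTP_SERVER"
}

# Print the bound domain from `dsconfigad -show` output on stdin.
bound_domain() {
    sed -n 's/^Active Directory Domain[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Succeed only if the Mac reports being bound to the expected domain.
verify_bind() { [ "$(bound_domain)" = "$1" ]; }

migrate "mac01" "svc-join"
if [ "$DRY_RUN" = "1" ]; then show=$SAMPLE_SHOW; else show=$(dsconfigad -show); fi
if printf '%s\n' "$show" | verify_bind "$NEW_DOMAIN"; then
    echo "OK: bound to $NEW_DOMAIN"
else
    echo "FAIL: not bound to $NEW_DOMAIN" >&2
fi
```

Because the forced unbind leaves the computer object in the old domain, stale objects there should be disabled or removed separately if that domain stays online for any length of time.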

Once the workflow was built, here’s the process to migrate the Mac.

1. Boot the Mac you want to migrate to DeployStudio.

2. Log in and select the Rename and Re-bind a Company Mac to the new AD Domain workflow.

3. Select the boot drive of the Mac being migrated as the target volume.

4. Run the workflow

5. Once the workflow finishes, select Quit when prompted. Your Mac should reboot at this point.

On restart, the Mac will automatically unbind itself from the old AD domain, bind itself to the new AD domain and re-set the time server settings.

Once the Mac has finished running the DeployStudio workflow tasks, it will reboot again. The Mac should now be bound to the new AD domain.

Once the Mac has been bound to the new AD domain, the next step is to migrate the existing AD accounts on the Mac. I recommend using the previously-mentioned interactive script to migrate the users’ data from the old AD account to the equivalent account on the new AD domain.

  1. March 31, 2014 at 6:52 pm

    Is there an easy way to do this in Casper? I don’t (yet) have a DeployStudio environment in my new spot. I see that you did this on bootup? Thank you!
