What can open source software do for you?

Prometheon, Inc Consulting

How to migrate OS X Tiger or OS X Leopard from one Active Directory domain to another

August 23rd, 2008 by rnix

It’s rare that you would ever want to migrate a Macintosh from one Active Directory domain to another forest or sub-domain.  In most cases, one forest or domain should be sufficient for any and all user management needs.  The only time I can think you might ever want to do this is if there is some pressing security need or maybe if your company has acquired another company or division and it needs a new domain.

Apple Enterprise Support wasn’t much help on this, and the normal tools you would use, such as Microsoft’s Active Directory Migration Tool, are of no help with the Macintosh computers and the portable home directories on the machine.  The Enterprise engineer I spoke with had never heard of anyone doing this and, to his knowledge, no one at Apple Enterprise Support had ever done anything more than an AD-to-OD or OD-to-AD migration.

Here is what I cobbled together to make this work:

AD Migration Process

1.  Have the client log out.
2.  If the machine is 10.4 (Tiger), reboot and run applejack first to ensure a clean filesystem.
3.  Run the Microsoft AD Migration Tool using your Domain Admin account and set the user’s password.
4.  Run the script attached to this article to first unbind from the old domain and then rebind to the new domain.
    Run the following through ARD or the Terminal as root:
    3a.  dscl . list /users  ## Lists the users in order to find the short name.
    3b.  dscl . -delete /users/migrateduser  ## Deletes the local cached account without deleting the local home directory.  Note:  The lowercase users is not a typo.
    3c.  killall loginwindow  ## Refreshes the login window.
    3d.  chown -R "migrateduser:NEWDOMAIN\users" /Users/migrateduser  ## Recursively changes the ownership of the local home directory to the user and the new domain group “users”.  The quotes keep the shell from stripping the backslash.
5.  Log in using “Other” as migrateduser and click “Create Mobile Account”.
6.  Verify that the Desktop and Dock are as the client had them before the migration.
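The dscl, killall and chown commands in the list above run as root against a path built from a typed-in short name, so a typo or an empty value can re-own the wrong tree. The following dry-run helper is an added example, not the script attached to the original article: it validates the short name and the domain, checks that the home directory is a real directory, and only prints the commands. The function names, the allowed character set and the optional third argument (the directory holding the home folders, default /Users) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: prints the account-cleanup commands for one migrated user.
# Nothing is executed here; review the output, then run it as root.

# Assumption: short names and domain names use only letters, digits,
# dot, underscore and hyphen, and never start with a hyphen.
valid_name() {
    case "$1" in
        ''|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# plan_reown SHORTNAME NEWDOMAIN [HOMES_ROOT]
plan_reown() {
    user=$1 domain=$2 root=${3:-/Users}
    valid_name "$user"   || { echo "bad short name: '$user'" >&2; return 2; }
    valid_name "$domain" || { echo "bad domain: '$domain'" >&2; return 2; }
    home_dir=$root/$user
    # The home must exist and must not be a symlink pointing somewhere else.
    [ -d "$home_dir" ] && [ ! -L "$home_dir" ] \
        || { echo "not a real home directory: $home_dir" >&2; return 3; }
    # Single quotes in the output keep the backslash in DOMAIN\users intact.
    printf '%s\n' \
        "dscl . -delete /users/$user" \
        "killall loginwindow" \
        "chown -R '$user:$domain\\users' '$home_dir'"
}

# Stand-alone use: ./plan_reown.sh migrateduser NEWDOMAIN
if [ "$#" -ge 2 ]; then
    plan_reown "$@"
fi
```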

Leopard Shell Script to Bind to New Domain

Tiger Shell Script to Bind to New Domain

Simple Perl script to remove illegal characters

August 22nd, 2008 by rnix

Insert this script inside of the root directory containing all of the files and folders that contain illegal characters.

Run this command:  find -d . -print0 | xargs -0 "$HOME/Desktop/rename_for_windows" (or whatever you named your file)

The script:

#!/usr/bin/perl -w

# This script renames all the files supplied as command-line args
# where necessary so that the filename is acceptable to MS Windows
# Cameron Hayne (macdev@hayne.net), June 2004

use strict;

chomp(@ARGV = <STDIN>) unless @ARGV;

# The Microsoft document at
# http://support.microsoft.com/default…b;EN-US;100108
# says that the following characters are not allowed in filenames
# in each of the specified filesystems:
# FAT:   .  "  /  \  [  ]  |  :  ;  ,  =
# NTFS:  ?  "  /  \  <  >  |  :  *

# We don't do anything with the dot (.) since it clearly is allowable
# in spite of what that document says.
# And we don't do anything with the slash (/) since that character
# will not occur in OS X filenames and modifying it would cause
# troubles when a file path (with directories) is specified.
# The changing of the filenames is done via the 'tr' statements below.
# Each occurrence of a character in the first curly brackets
# is replaced by the character in the second curly brackets.

foreach my $orig_filename (@ARGV)
{
    # Only the last path component is changed. With "find -d" a parent
    # directory is renamed after its contents, so rewriting the directory
    # part here would point the rename at a path that does not exist yet.
    my ($dir, $base) = $orig_filename =~ m{^(.*/)?([^/]*)$}s;
    $dir = '' unless defined $dir;

    $base =~ tr{\\}{-};
    $base =~ tr{*?}{X};
    $base =~ tr{"><[]|:;,'=}{_};
    my $filename = $dir . $base;

    unless ($filename eq $orig_filename)
    {
        print "About to rename $orig_filename to $filename\n";
        if (-e $filename)
        {
            print "Oops, there already exists a file named $filename\n";
            print "Skipping the rename - you will have to do it manually\n";
        }
        else
        {
            # Report a failed rename instead of ignoring it silently.
            rename($orig_filename, $filename)
                or warn "Could not rename $orig_filename: $!\n";
        }
    }
}