It’s rare that you would ever want to migrate a Macintosh from one Active Directory domain to another forrest or sub-domain.  In most cases, one forrest or domain should be sufficient for any and all user management needs.  The only time I can think you might ever want to do there is some pressing security need or maybe if your company has acquired another company or division and it needs a new domain.

Apple Enterprise Support wasn’t much help on this and the normal tools you would use, such as Microsoft’s Active Directory Migration tool are of no help with the Macintosh computers and portable home directories on the machine.  The Enterprise engineer I spoke had never heard of anyone doing this and to his knowledge, no at Apple Enterprise Suppot had ever done anything more than an AD-to-OD or OD-to-AD migration.

Here is what I cobbled together to make this work:

AD Migration Process

1.  Have the client log out
2.  If the machine is 10.4 (Tiger), reboot and run applejack first to ensure a clean filesystem.
3.  Run the Microsoft AD Migration Tool using your Domain Admin account and set the user’s password.
4.  Run the script attached to this article to first unbind from old the domain and rebind to the new domain
Run the following through ARD or the Terminal as root
3a.  dscl . list /users ##List the users in order to find the short name
3b.  dscl . -delete /users/migrateduser  ##Deletes the local cached account without deleting the local home directory.  Note:  The lowercase users is not a typo.
3c.  killall loginwindow  ##Refreshes the login Window
3d.  chown -R migrateduser:NEWDOMAIN\users /Users/migrateduser  ##Recursively change the permissions on the local home directory to the user and the new domain group “users”
5. Login using “Other” as migrateduser and click “Create Mobile Account”
6. Verify the Desktop and Dock are as the client had previous to the migration

Leopard Shell Script to Bind to New Domain

Tiger Shell Script to Bind to New Domain