Migrating from Open Directory to Active Directory

If you install the Centrify DirectControl Agent for Mac in an environment where existing Mac users and computers are managed with Open Directory, you may need to migrate the account information and home directories for those users from the Open Directory environment to Centrify Active Directory. Open Directory and Active Directory support three types of users:

  • Local users
  • Network home users
  • Portable home, or mobile home, users

For example, you may need to migrate existing mobile user accounts from Open Directory to Active Directory or migrate local home directories to a network share.

To migrate users with existing mobile accounts from Open Directory to Active Directory:

  1. Create a copy of the user’s local home directory in a temporary location if you have enough disk space to do so. This copy can serve as a backup to restore the user’s home directory if you run into any synchronization problems.
  2. Log on to the Mac client as an administrator.
  3. Disable the LDAP service.

    Open the Directory Utility and select the Services tab; then deselect LDAPv3 and click Apply.

  4. Open a Terminal window and run the following Directory Service command to delete the user’s record:

    dscl /Local/Default -delete /Users/userName

    where userName is a local user; for example, to delete the record for cain:

    dscl /Local/Default -delete /Users/cain

  5. Delete the /Users/userName/Library/Mirrors directory (the mobile account’s sync mirror), where userName is the same local user.

  6. Join the Mac computer to an Active Directory domain and restart the computer to shut down and restart services.

  7. Create an Active Directory user account for the Open Directory user account, if one does not already exist.

    If you are creating a new Active Directory user, use Active Directory Users and Computers to add the user account.

  8. Add the Active Directory user to the Mac computer’s zone and define the Centrify Profile for the user:

    • Use the same user name, UID, and GID as the Open Directory user account. You can change this information later with the adfixid program, but for migration you must use the same values.

    • Set the home directory for the user to the appropriate network share using the /SMB/share/path or /AFP/share/path syntax. For example, /SMB/cain/server2003.myDomain.com/Users/cain.

    Note: For synchronizing new mobile user accounts, the empty home directory must exist on the network share. If the user home directories are on the same network share as you previously used with Open Directory, logging on with the new Active Directory account should not affect the files available on the share.

    Because GID values of 0 to 99 are usually reserved for system accounts, you may see a warning message when you save the user’s profile if the user’s primary GID value is less than 99.
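The script below is an added example, not Centrify’s own tooling, that wraps the command-line parts of the procedure above (steps 1, 4, 5 and the UID/GID check behind step 8) with the safeguards an administrator would want before deleting a local record: it refuses to copy the home directory when the backup location lacks the space, and it refuses to delete the Open Directory record until the local UID and GID have been confirmed against the values you intend to enter in the Centrify Profile. The user name, the backup location /tmp/od-migration and the `run` argument are assumptions chosen for this example; the dscl and Mirrors steps only apply on the Mac itself, after LDAPv3 has been disabled in Directory Utility (step 3).

```shell
#!/bin/bash
# Added example: pre-migration helper for moving a mobile Open Directory
# account to Active Directory. Not part of the Centrify agent; the
# variable and function names below are chosen for this example.
set -u

# Step 1: copy the local home directory to a temporary location, but only
# when the backup filesystem has more free space than the home directory
# occupies. Prints the path of the copy on success.
backup_home() {
    local home_dir="$1" backup_root="$2"
    local needed_kb avail_kb
    needed_kb=$(du -sk "$home_dir" | awk '{print $1}')
    avail_kb=$(df -Pk "$backup_root" | awk 'NR==2 {print $4}')
    if [ "$avail_kb" -le "$needed_kb" ]; then
        echo "not enough space in $backup_root: need ${needed_kb}K, have ${avail_kb}K" >&2
        return 1
    fi
    # -p keeps ownership, modes and timestamps so the copy can be restored as-is.
    cp -Rp "$home_dir" "$backup_root/" || return 1
    echo "$backup_root/$(basename "$home_dir")"
}

# Parse "Key: value" lines as printed by `dscl ... -read` and emit "uid gid".
# Kept separate from the dscl call so it can be exercised on any system.
parse_ids() {
    awk '/^UniqueID:/ {uid=$2} /^PrimaryGroupID:/ {gid=$2} END {print uid, gid}'
}

# Read the local record's UID and GID (Mac only: requires dscl).
read_local_ids() {
    dscl /Local/Default -read "/Users/$1" UniqueID PrimaryGroupID | parse_ids
}

# Step 8 requires the Centrify Profile to reuse the Open Directory user name,
# UID and GID. Fail on a mismatch; warn when the GID falls in the 0-99 range
# that is usually reserved for system accounts (the profile editor warns too).
check_ids() {
    local uid="$1" gid="$2" want_uid="$3" want_gid="$4"
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "mismatch: local record has uid/gid $uid/$gid, profile would use $want_uid/$want_gid" >&2
        return 1
    fi
    if [ "$gid" -le 99 ]; then
        echo "warning: GID $gid is in the reserved 0-99 range" >&2
    fi
    return 0
}

# Driver for the Mac itself: `./od-migrate.sh run cain 501 20`, run as an
# administrator after LDAPv3 has been disabled in Directory Utility.
# Guarded on the first argument so the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    user="${2:?user name}"; want_uid="${3:?expected UID}"; want_gid="${4:?expected GID}"
    mkdir -p /tmp/od-migration
    backup=$(backup_home "/Users/$user" /tmp/od-migration) || exit 1
    ids=$(read_local_ids "$user")
    check_ids "${ids% *}" "${ids#* }" "$want_uid" "$want_gid" || exit 1
    dscl /Local/Default -delete "/Users/$user"    # step 4: remove the local record
    rm -rf "/Users/$user/Library/Mirrors"         # step 5: remove the sync mirror
    echo "backup kept at $backup; now join the domain and restart (step 6)"
fi
```

The backup is taken and the IDs are confirmed before anything is deleted, so a mismatch between the local record and the intended profile stops the script while the Open Directory account is still intact; the printed backup path is what you restore from if synchronization later fails.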

If you have Open Directory users that do not have mobile accounts or portable home directories and you want to synchronize their local home directories with their network home, you should first use the Workgroup Manager to create mobile accounts for those users to establish a portable home directory. You can then follow the steps above to synchronize the portable home directories with their network home directory. If you don’t want to synchronize the local home directory with the home directory on the network share, you can simply create Active Directory accounts for the Open Directory users and remove the local user records; see Mapping local user accounts to Active Directory for information about removing local user records.