Wednesday, July 22, 2015

Change your AD domain name

A domain name is a core part of Active Directory Domain Services (AD DS), the directory service that Windows Server provides for Windows domain networks. In some circumstances, though, changing the domain name is warranted: a merger or takeover, a change of company name, a wish to align the AD domain name with the organisation's Internet FQDN (fully qualified domain name), or simply to bring the directory in line with current naming practice.

Domain rename has been possible since Windows Server 2003; it requires the forest functional level to be Windows Server 2003 or higher, so any Windows 2000 domain controllers must be retired first. The tool is the command-line utility Rendom (Domain Rename Tool). On Windows Server 2003 it had to be installed separately: it shipped on the operating system CD and was also a free download from Microsoft. From Windows Server 2008 onward (2008 R2, 2012, 2012 R2 and later) Rendom is built in: it is installed with the Active Directory Domain Services role, or with the AD DS tools in Remote Server Administration Tools (RSAT), and lives at %windir%\System32\rendom.exe.

This tutorial is a simple guide to renaming a domain, whether its FQDN (fully qualified domain name, e.g. ad.techjourney.net) or its NetBIOS name (e.g. TECHJOURNEY), from a Windows Server 2012 machine acting as the control station. The same steps work on Windows Server 2003, Windows Server 2008 / R2, Windows Server 2012 / R2 and later releases. The domain controllers may run any of these versions, but every DC must be Windows Server 2003 or later and the forest functional level must be at least Windows Server 2003; if the DCs run older releases than the control station, raise the forest functional level to the highest level they support before starting.
Before renaming a domain, review Microsoft's domain rename documentation to understand the process and make the necessary preparations, especially if the forest contains Certification Authorities or Microsoft Exchange servers. Note in particular that domain rename is not supported at all in forests containing Exchange Server 2007 or later, and that Exchange Server 2003 supports it only with additional fix-up steps.
In this tutorial we rename a domain in an AD forest whose domain controller runs Windows Server 2012. BACK UP the domain controllers before proceeding, and make sure you can restore them to their original state if something goes wrong. If the DCs run as virtual machines on Hyper-V or VMware, snapshot all of them at the same time; if you ever have to roll back, revert every DC together, because reverting a single DC to an older snapshot causes USN rollback and breaks replication (Windows Server 2012 DCs on a hypervisor that exposes a VM-Generation ID detect this, older combinations do not).
  1. Verify the existing domain name in System Properties (Control Panel -> System and Security -> System), and confirm that it differs from the domain name you want to change to.
  2. Set up a domain member server that is NOT a domain controller (DC) as the administrative control station from which the whole rename will be run. If your AD is very simple, i.e. has only one DC, you may skip this step (at your own risk) and run the rest of the procedure directly on the DC. Log on to the non-DC member server and open Server Manager -> Manage -> Add Roles and Features.
    Add the Active Directory Domain Services role, accepting the required features and management tools that the wizard adds with it.
    IMPORTANT: DO NOT configure or promote the control station to a domain controller after installing the AD DS role. The role is installed only to obtain the rendom.exe and gpfixup.exe utilities that the rename needs.
    Note
    You don't have to install the whole "Active Directory Domain Services" role: it is enough to add the feature Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> AD DS Tools -> AD DS Snap-Ins and Command-Line Tools (feature name RSAT-ADDS-Tools), which also ships rendom.exe and gpfixup.exe.
  3. In Server Manager, click Tools -> DNS to open DNS Manager. If the control station does not have DNS Manager installed, either add the DNS Server Tools feature or perform the DNS steps on a DC.
  4. In DNS Manager, right-click Forward Lookup Zones and select New Zone to create the DNS zone for the new domain; the new domain's records will be registered there as soon as the rename is executed.
  5. Select Primary Zone as the "Zone Type" and keep "Store the zone in Active Directory" ticked.
    For "Active Directory Zone Replication Scope", select To all DNS servers running on domain controllers in this domain: old-domain.com.
    Enter the new domain name, e.g. ad.new-domain.com, as the "Zone Name".
    For "Dynamic Update", select Allow only secure dynamic updates (recommended for Active Directory), so that only authenticated domain members can register records in the zone.
    Once the New Zone Wizard completes, the new zone for the new domain name appears under Forward Lookup Zones in DNS Manager.
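The tool installation and zone creation of steps 2 to 5, done from PowerShell on the control station instead of through Server Manager and DNS Manager, following the Note in step 2 (RSAT tools only, no AD DS role). This is an added example, not part of the original tutorial; the domain names and the DC name are placeholders, and it assumes the control station is a Windows Server 2012 or later member server run by a domain administrator.

```powershell
# Added example, not from the original tutorial: steps 2-5 from PowerShell.
# ASSUMPTIONS (placeholders): old domain old-domain.local, new domain ad.new-domain.com,
# dc01 runs the DNS Server role; run on the non-DC control station as a domain admin.
$OldDns = "old-domain.local"
$NewDns = "ad.new-domain.com"
$Dc     = "dc01.old-domain.local"

# 1. Tools only, no promotion. RSAT-ADDS-Tools provides rendom.exe and gpfixup.exe;
#    RSAT-DNS-Server provides DNS Manager and the DnsServer cmdlets used below.
Install-WindowsFeature -Name RSAT-ADDS-Tools, RSAT-DNS-Server | Out-Null
foreach ($exe in "rendom.exe", "gpfixup.exe") {
    if (-not (Test-Path (Join-Path $env:windir "System32\$exe"))) {
        throw "$exe not found; the AD DS tools did not install"
    }
}

# 2. Sanity checks: the old zone must exist on this server and the new name must not be
#    in use yet. A typo here is far cheaper to catch now than after rendom /execute.
if (-not (Get-DnsServerZone -ComputerName $Dc -Name $OldDns -ErrorAction SilentlyContinue)) {
    throw "Zone $OldDns not found on $Dc; is $Dc the right DNS server?"
}
if (Get-DnsServerZone -ComputerName $Dc -Name $NewDns -ErrorAction SilentlyContinue) {
    throw "Zone $NewDns already exists on $Dc; the new domain name must be unused"
}

# 3. AD-integrated primary zone, replicated to all DNS servers on DCs in the domain,
#    secure dynamic updates only so that only authenticated members can register records.
Add-DnsServerPrimaryZone -ComputerName $Dc -Name $NewDns -ReplicationScope Domain -DynamicUpdate Secure

# 4. Verify what was actually created before moving on to rendom.
$zone = Get-DnsServerZone -ComputerName $Dc -Name $NewDns
if (-not $zone.IsDsIntegrated -or $zone.DynamicUpdate -ne "Secure") {
    throw "Zone $NewDns has unexpected settings: $($zone | Format-List ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope | Out-String)"
}
"Zone $NewDns created on $Dc (replication: $($zone.ReplicationScope), dynamic update: $($zone.DynamicUpdate))"
```

The two Get-DnsServerZone checks are the part worth keeping even if you create the zone in the GUI: a zone that already exists for the new name usually means the name is already in use somewhere, and finding that out before the forest is frozen is much cheaper than afterwards.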
  6. If Folder Redirection or roaming user profiles (and home directories) are stored on a network path that uses a domain-based Distributed File System (DFS) namespace, consider relocating those paths before the rename. The domain name change invalidates the path of a domain-based namespace, and any Folder Redirection or roaming profile that uses it stops working. The path only changes, though, if the kind of domain name used in the namespace path (NetBIOS or FQDN) is the one being renamed. Refer to TechNet for details.
  7. IMPORTANT: Back up all domain controllers before proceeding with the rename. On the control station (domain member server), open a Command Prompt as Administrator and run the following command. It makes rendom contact the DC holding the domain naming operations master role and generate a state file, Domainlist.xml, describing the current forest: every domain and application partition (including ForestDnsZones and DomainDnsZones) with its DNS name and NetBIOS name.
    rendom /list
    Tip
    Change directory (CD) to a convenient working folder first; rendom reads and writes its state files in the current directory.
    Locate Domainlist.xml and edit it.
    Replace every occurrence of the old domain name with the new one, including the NetBIOS name if it changes, and leave the GUIDs untouched. The DomainDnsZones and ForestDnsZones entries carry the domain name as a suffix and must be changed as well. Save the file when done.
    Back in the Command Prompt, run the following command to verify the new configuration. It only displays the planned result and makes no changes:
    rendom /showforest
    Then generate the directory update instructions from Domainlist.xml and upload them to the configuration directory partition on the domain controller that currently holds the domain naming operations master role:
    rendom /upload
    The rename instructions replicate to every other domain controller in the forest through normal replication of the configuration partition. If you have more than one DC, wait for this replication to complete on every DC before going further.
    This step also freezes the forest configuration: until the rename is finished, adding or removing domains, domain controllers and trusts is not allowed.
    Rendom tracks the state of every domain controller in a state file named DcList.xml, which it generates and updates automatically. At this point every DC should be in the Initial state.
    DcList.xml and DNSRecords.txt are generated automatically in the folder from which rendom.exe was run and carry the essential information about the rename. DcList.xml lists every domain controller found in the forest together with its domain rename state.
    Note
    If replication has not completed yet, force synchronisation of the changes from the domain naming master to all DCs (/e includes every site, /P pushes changes outward from the named DC):
    repadmin.exe /syncall DomainNamingMaster-HostName /d /e /P /q
    Next, verify that every domain controller in the forest is ready to perform the rename. After this command the State of each DC in DcList.xml changes to Prepared; all domain controllers must be Prepared before the rename can be executed:
    rendom /prepare
    Execute the domain name change on all DCs:
    rendom /execute
    Once this command is issued, Active Directory Domain Services will be interrupted. Each domain controller applies the rename instructions and then reboots automatically. When the rename has completed, the state of every DC in DcList.xml on the control station changes to Done.
    On some DCs, or when logging on to them, you may see the message "You're about to be signed off. The Directory Service is shutting down." Whether or not you click Close, the DC restarts on its own.
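The rendom phase of step 7 as one PowerShell script: it edits Domainlist.xml programmatically instead of by hand, forces replication after the upload, and refuses to issue rendom /execute until every DC in DcList.xml reports Prepared. This is an added example, not the tutorial's or Microsoft's code. It assumes a single-domain forest (old-domain.local / OLDDOMAIN becoming ad.new-domain.com / NEWDOMAIN), that dc01 holds the domain naming master role, and that the state files use the element names rendom writes (Forest/Domain/DNSname and NetBiosName in Domainlist.xml, DcList/DC/Name and State in DcList.xml).

```powershell
# Added example, not from the original tutorial. Drives the rendom phase of step 7.
# ASSUMPTIONS (placeholders): single-domain forest old-domain.local / OLDDOMAIN renamed to
# ad.new-domain.com / NEWDOMAIN; dc01 holds the domain naming master role; Domainlist.xml
# uses <Forest><Domain><DNSname>/<NetBiosName>, DcList.xml uses <DcList><DC><Name>/<State>.
$OldDns = "old-domain.local";  $NewDns = "ad.new-domain.com"
$OldNb  = "OLDDOMAIN";         $NewNb  = "NEWDOMAIN"
$NamingMaster = "dc01.old-domain.local"
$Work = "C:\DomainRename"

New-Item -ItemType Directory -Path $Work -Force | Out-Null
Set-Location $Work          # rendom reads and writes its state files in the current directory

function Invoke-Rendom([string]$Switch) {
    & rendom.exe $Switch
    if ($LASTEXITCODE -ne 0) { throw "rendom $Switch failed with exit code $LASTEXITCODE" }
}

function Get-DcStates {
    # One object per DC from DcList.xml; State goes Initial -> Prepared -> Done
    [xml]$list = Get-Content -Path "$Work\DcList.xml"
    foreach ($dc in $list.DcList.DC) {
        [pscustomobject]@{ Name = $dc.Name; State = $dc.State; LastError = $dc.LastError }
    }
}

Invoke-Rendom "/list"

# Rewrite every partition entry whose DNS name ends in the old suffix. This covers the
# domain itself and the DomainDnsZones/ForestDnsZones application partitions; GUIDs stay.
[xml]$forest = Get-Content -Path "$Work\Domainlist.xml"
foreach ($d in $forest.Forest.Domain) {
    if ($d.DNSname -like "*$OldDns") {
        $d.DNSname = $d.DNSname.Substring(0, $d.DNSname.Length - $OldDns.Length) + $NewDns
    }
    if ($d.NetBiosName -eq $OldNb) { $d.NetBiosName = $NewNb }
}
$forest.Save("$Work\Domainlist.xml")

Invoke-Rendom "/showforest"   # displays the planned forest; changes nothing
Invoke-Rendom "/upload"       # writes the rename script to the Partitions container and freezes the forest

# Push the configuration partition to every DC so that /prepare finds the script everywhere.
& repadmin.exe /syncall $NamingMaster /d /e /P /q
if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall failed with exit code $LASTEXITCODE" }

# /prepare must succeed against every DC. Retry a bounded number of times for DCs that were
# unreachable or had not yet replicated; DcList.xml, not the exit code, is the source of truth.
$notReady = @()
for ($attempt = 1; $attempt -le 3; $attempt++) {
    & rendom.exe /prepare
    $notReady = @(Get-DcStates | Where-Object { $_.State -ne "Prepared" })
    if ($notReady.Count -eq 0) { break }
    Write-Warning ("Attempt {0}: DCs not yet Prepared:`n{1}" -f $attempt, ($notReady | Format-Table -AutoSize | Out-String))
    Start-Sleep -Seconds 60
}
if ($notReady.Count -ne 0) { throw "Not all DCs are Prepared; fix the LastError values above before running rendom /execute." }

# Point of no return: each DC applies the rename and reboots itself.
Invoke-Rendom "/execute"
Get-DcStates | Format-Table -AutoSize   # every DC should now show State = Done
```

The gate before /execute is the important part: rendom will happily execute against the DCs that are Prepared, and a DC that was skipped has to be cleaned up by hand afterwards, so the script stops on any DC that is not in the Prepared state rather than trusting a single successful /prepare run.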
  8. After the DCs have restarted, log on to each DC using the NEW domain name. If the logon screen still offers the old domain name, that is only the last logged-on account being remembered.
  9. Make the control station (where the rendom commands are issued) aware of the domain name change by logging on and restarting it twice (Power -> Restart, or Sign out / Log Off and restart again). Do this only after all domain controllers in the forest are back up and online. Until it has been restarted the control station still considers itself a member of the old domain, and any further changes it makes would target the old name instead of the new one. Log on to the control station with the NEW domain name.
    Tip
    Why restart domain members twice? Several steps ask you to reboot member servers, workstations or computers two times. The reason is straightforward: the first restart lets the member detect the domain name change and update its full computer name and domain membership, while the second restart registers the new computer name in the new DNS zone.
  10. On the control station, fix the GPO links and GPO objects so that they reference the new domain name; otherwise Event ID 1006 from the GroupPolicy source will be logged in Event Viewer. Skip the following command if you are not renaming the domain's FQDN (fully qualified domain name):
    gpfixup /olddns:old-domain.local /newdns:new-domain.com
    Skip the following command if you are not renaming the domain's NetBIOS name:
    gpfixup /oldnb:OLD-NetBIOS /newnb:NEW-NetBIOS

    Tip
    To replicate the Group Policy fix-up changes from the domain controller gpfixup connected to out to the other DCs immediately, use:
    repadmin.exe /syncall DC-HostName NewDomainDN /d /e /P /q
    where NewDomainDN is the distinguished name of the renamed domain, e.g. dc=new-domain,dc=com.
  11. The host name (full computer name) of a domain controller is not changed by the reboots: the DC keeps its old DNS suffix and has to be renamed explicitly. Use the following commands, replacing old.computer.name and new.computer.name with the DC's FQDN in the old and in the new domain:
    netdom computername old.computer.name /add:new.computer.name
    netdom computername old.computer.name /makeprimary:new.computer.name
    Reboot the domain controller.
    After the reboot, remove the old name with the /remove option of netdom computername so that it no longer lingers in DNS and on the computer account, and confirm the registered names with the /enumerate option.
    Repeat the renaming process for all domain controllers in the forest, one at a time, so that the domain is never left without an available DC.

    Important
    Do not use the GUI (System Properties) to rename domain controllers; the netdom procedure above registers the new name, its service principal names and DNS records first and only then makes it primary, which the GUI rename does not do.
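Steps 10 and 11 as a script, including the removal of the old computer name after the reboot that the tutorial only mentions in passing. This is an added example, not from the original tutorial; the domain names, the DC names dc01 and dc02 and the reboot timeout are placeholders, and it assumes the control station has already been restarted twice and is logged on to the new domain with Domain Admins rights.

```powershell
# Added example, not from the original tutorial: GPO fix-up and DC rename (steps 10 and 11).
# ASSUMPTIONS (placeholders): old-domain.local / OLDDOMAIN renamed to ad.new-domain.com / NEWDOMAIN,
# DCs dc01 and dc02, run from the control station as a domain admin of the renamed domain.
$OldDns = "old-domain.local"; $NewDns = "ad.new-domain.com"
$OldNb  = "OLDDOMAIN";        $NewNb  = "NEWDOMAIN"
$NewDomainDn = "dc=" + ($NewDns -replace "\.", ",dc=")   # ad.new-domain.com -> dc=ad,dc=new-domain,dc=com
$Dcs = "dc01", "dc02"

function Invoke-Native([string]$Exe, [string[]]$ArgList) {
    # Run a console tool and turn a non-zero exit code into a terminating error
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
}

# Step 10: rewrite GPO links and SYSVOL paths for the new FQDN and NetBIOS name,
# then push the Domain partition out from the first DC so every DC sees the fix-up now.
Invoke-Native gpfixup.exe @("/olddns:$OldDns", "/newdns:$NewDns")
Invoke-Native gpfixup.exe @("/oldnb:$OldNb", "/newnb:$NewNb")
Invoke-Native repadmin.exe @("/syncall", "$($Dcs[0]).$NewDns", $NewDomainDn, "/d", "/e", "/P", "/q")

# Step 11, first half: register the new FQDN as an alternate name (this also creates its
# SPNs and DNS records), promote it to primary, then reboot and wait for the DC to return.
function Rename-DcToNewSuffix([string]$Dc) {
    $old = "$Dc.$OldDns"; $new = "$Dc.$NewDns"
    Invoke-Native netdom.exe @("computername", $old, "/add:$new")
    Invoke-Native netdom.exe @("computername", $old, "/makeprimary:$new")
    Restart-Computer -ComputerName $old -Force -Wait -For PowerShell -Timeout 900
}

# Step 11, second half: once the DC is back under its new name, drop the old name and
# list what is still registered (expect only the new FQDN).
function Remove-DcOldSuffix([string]$Dc) {
    $old = "$Dc.$OldDns"; $new = "$Dc.$NewDns"
    Invoke-Native netdom.exe @("computername", $new, "/remove:$old")
    Invoke-Native netdom.exe @("computername", $new, "/enumerate")
}

# One DC at a time, so the domain always has at least one DC online during the renames.
foreach ($dc in $Dcs) {
    Rename-DcToNewSuffix $dc
    Remove-DcOldSuffix  $dc
}
```

Splitting the DC rename into an "add and make primary" half and a "remove after reboot" half matters: removing the old name before the reboot would strip the SPNs the DC is still using for its own Kerberos tickets, which is exactly the kind of breakage the tutorial's warning against the GUI rename is about.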
  12. Now reboot every domain member computer, workstation and server joined to the renamed domain TWO (2) times: log on and restart (Power -> Restart, or Sign out / Log Off and restart again), twice. Perform this step only after all domain controllers are back up and online. Rebooting non-DC computers twice ensures that every domain computer learns the new domain name and that the change propagates to the applications running on it.
    When logging on to a member after the restart, or on machines that are only just booting up, use the NEW domain name.
    Note
    Remote computers that reach the renamed domain only over a remote connection, such as dial-up or a virtual private network (VPN), have to be unjoined and then rejoined to the renamed domain.
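A readiness check to run after step 12 and before rendom /clean in step 16, since /clean makes members that have not yet been rebooted twice unreachable. This is an added example, not from the original tutorial; it assumes the new domain is ad.new-domain.com, that the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) is installed on the control station, and that the members accept CIM/WinRM connections from it.

```powershell
# Added example, not from the original tutorial: which members have actually moved to the new name?
# ASSUMPTIONS (placeholders): new domain ad.new-domain.com; ActiveDirectory module installed
# (RSAT-AD-PowerShell); members reachable over WinRM/CIM from the control station.
$NewDns = "ad.new-domain.com"
Import-Module ActiveDirectory

function Get-RenameReadiness {
    foreach ($c in Get-ADComputer -Filter *) {
        $fqdn = "$($c.Name).$NewDns"
        # First reboot: the member learns the new domain. Second reboot: it registers its A record
        # in the new zone. A member that is missing either is not ready for rendom /clean.
        $dns = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
        $reported = "<unreachable>"
        try {
            $reported = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $fqdn -ErrorAction Stop).Domain
        } catch { }
        [pscustomobject]@{
            Computer      = $c.Name
            InNewZone     = [bool]$dns
            ReportsDomain = $reported
            Ready         = ([bool]$dns -and $reported -eq $NewDns)
        }
    }
}

$results = @(Get-RenameReadiness)
$results | Sort-Object Ready, Computer | Format-Table -AutoSize
$pending = @($results | Where-Object { -not $_.Ready })
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) computer(s) have not yet picked up $NewDns; do not run rendom /clean until they have been restarted twice or rejoined."
}
```

Machines reported as unreachable may simply be switched off; treat them as "not yet rebooted" and keep the old name alive (no rendom /clean) until they have been seen on the new domain or rejoined.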
  13. If you use domain-based DFS namespaces and the domain name change has made the existing path invalid, update the orphaned path in roaming user profiles and Folder Redirection.
  14. Change the Folder Redirection paths in Group Policy Management.
  15. Change the domain-based DFS paths in roaming user profiles and Remote Desktop Services profiles in the user account properties.
    You may see the following messages, indicating that the home folders already exist at the new path:
    The \\new-domain.com\home-folder home folder already exists. Do you want this user to be granted full control of this folder?
    The \\new-domain.com\home-folder home directory was not created because it already exists. You might want to select a different name, or make sure that the user has full access privileges to the existing one.
    Note
    After the domain name change completes, DFS updates the namespaces automatically to reflect the new NetBIOS and/or FQDN domain name. Just open DFS Management, click the namespaces once and wait for the change to take effect.
  16. On the control station, clean up the references and attributes of the old domain name in AD, and unfreeze the forest configuration so that changes are allowed again, with the following command:
    rendom /clean
    Important: If you run rendom /clean while there are members that have not yet been rebooted twice, you will have to rejoin them to the domain. Once rendom /clean has executed, the old domain name, including all values of msDS-DnsRootAlias on the domain naming master, is removed from Active Directory, which makes those computers unable to reach the renamed domain.

    Note
    "rendom /clean" is reported to include the task performed by "rendom /end", which connects to the DC holding the domain naming master role, removes the msDS-UpdateScript attribute from the Partitions container and thereby unfreezes the forest configuration. If you need to make forest configuration changes and are unsure whether the forest is still frozen, run rendom /end explicitly as well.
  17. Lastly, open DNS Manager and delete the old domain's DNS zone, including the old domain's _msdcs zone if it exists as a separate zone under Forward Lookup Zones. You can also confirm that the domain member computers are now listed under the new zone.
  18. Remove the Active Directory Domain Services role and related features and management tools from Control Station if applicable.
Based on your Active Directory Domain Services configuration and system environment, you may need to perform more steps and troubleshoot some issues. Here are some common issues and tasks:
  • Stop and start the DHCP services running on domain controllers.
  • Change all paths that use domain-based DFS namespaces, especially in roaming user profiles and Folder Redirection.
  • Change the license servers for Remote Desktop Services to reflect the new domain.
  • Fix Citrix XenApp discovery error due to data store’s database connection issue.
  • In Citrix XenApp, change or re-add the administrators, the user accounts allowed to access published applications, and the user accounts used as policy filters so that they reference the new domain's users or groups.
But basically, the domain rename is concluded, and you should have a working AD on new domain name.
https://techjourney.net/rename-ad-domain-name-in-windows-server-2012/
