Since Windows Server 2000, the tool for renaming domains has been the command-line utility Domain Rename Tool (rendom). In Windows Server 2000 and Windows Server 2003, rendom has to be installed manually; it is included on the operating system CD and is also available as a free download from Microsoft. In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and later versions of Windows Server, rendom is built into servers that have the “Active Directory Domain Services” role installed (domain controllers), or is available as part of Remote Server Administration Tools (RSAT). Rendom is located at %windir%\System32\rendom.exe.
This tutorial provides a simple guide to renaming a domain name, be it the FQDN (fully qualified domain name, e.g. ad.techjourney.net) or the NetBIOS name (e.g. TECHJOURNEY), from a Windows Server 2012 machine that acts as the Control Station. It should work on all Windows Server versions from Windows Server 2003, Windows Server 2008 / R2 and Windows Server 2012 / R2 to future editions such as Windows Server 2014 or Windows Server 2015. It does not matter which versions the domain controllers are running, but if they are running an older Windows Server, it is recommended to raise the forest functional level to the latest available.
Before renaming the domain, it is important to review the following documents to improve your understanding and make the essential preparations ahead of the domain rename operation, especially if you have Certification Authorities or Microsoft Exchange servers.
- How Domain Rename Works
- Checklists for the Domain Rename Operation
- Preparing for the Domain Rename Operation
- Performing the Domain Rename Operation
- Completing the Domain Rename Operation
- Verify the existing domain name in System Properties (Control Panel -> System and Security -> System), and that it’s different from the domain name that you want to change to.
- Set up a domain member server in the forest which is NOT a domain controller (DC) as the administrative Control Station where the entire domain renaming process will be done. If your AD is simple, i.e. has only one DC, you may skip this step (at your own risk) and perform the rest of the domain rename operations directly on the DC itself.
Log on to a non-DC member server and open Server Manager -> Manage -> Add Roles and Features.
Add the Active Directory Domain Services role, and also add the required features together with the management tools when prompted.
IMPORTANT: DO NOT configure and promote the server intended as the Control Station to a domain controller after installing the AD DS role. The purpose of installing the role is only to make available the rendom.exe and gpfixup.exe utilities, which are essential for domain renaming.
Note: If you do not want to install the complete “Active Directory Domain Services” role, it is possible to add just the AD DS Snap-Ins and Command-Line Tools under Remote Server Administration Tools (RSAT) -> AD DS and AD LDS Tools -> AD DS Tools, which is part of Features.
- In Server Manager, click on Tools -> DNS to open DNS Manager. Note that you may need to perform the DNS configuration on a DC if your Control Station does not have DNS Manager installed.
- In DNS Manager, right-click on Forward Lookup Zones and select New Zone to create the DNS zone for the new domain; the new DNS records will be created in this zone as soon as the rename is performed.
- In the New Zone Wizard:
Select Primary Zone as the “Zone Type”.
On the “Active Directory Zone Replication Scope” page, select To all DNS servers running on domain controllers in this domain: old-domain.com.
Enter your new domain name, e.g. ad.new-domain.com, as the “Zone Name”.
On the “Dynamic Update” page, select Allow only secure dynamic updates (recommended for Active Directory).
Once the New Zone Wizard is completed, you will see the new DNS zone for your new domain name in DNS Manager.
- If you are using Folder Redirection or roaming user profiles (and home directories) on a network location through a domain-based Distributed File System (DFS) namespace, consider relocating their network paths before the domain rename operation. The domain name change invalidates the path to the domain-based namespace, and Folder Redirection or roaming user profiles that use this path stop working. Note that you only need to change the path of a domain-based DFS namespace if the kind of domain name used by the namespace in its configuration (i.e. NetBIOS or FQDN) is the one being changed. Refer to TechNet for more information.
- IMPORTANT: Backup all domain controllers before proceeding with renaming the AD domain name.
On the Control Station (domain member server), open a Command Prompt as Administrator.
Then run the following command, which instructs rendom to contact the DC that holds the domain naming operations master role and generate a state file named Domainlist.xml containing the current forest configuration and domain structure, namely the ForestDNSZones, DomainDNSZones and NetBIOS details:
rendom /list
Tip: You can change directory (cd) to a convenient location before running rendom, so the files it generates are easy to find.
Open Domainlist.xml in a text editor and replace every occurrence of the existing domain name with the new domain name, including the NetBIOS name if it is changing. Save the file when done.
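Editing Domainlist.xml by hand is where a partial rename slips in: the forest root and the DomainDnsZones / ForestDnsZones application partitions all carry the old DNS name, and rendom /upload will rename only what the file says. The PowerShell script below is an added example, not part of the original article or of the rendom tool; it rewrites every DNS name that ends in the old domain name, changes the NetBIOS name, keeps an untouched copy of the file, prints what changed, and refuses to save if any partition still references the old name. It assumes the file layout that rendom /list produces (a Forest element containing Domain elements with Guid, DNSname, NetBiosName and DcName children); the domain names and path are placeholders.

```powershell
# Added example (not from the original article): rewrite Domainlist.xml so every
# DNS name and the NetBIOS name point at the new domain, then show what changed.
# Assumes the layout rendom /list writes: <Forest><Domain><Guid/><DNSname/>
# <NetBiosName/><DcName/></Domain>...</Forest>, one forest-root domain plus the
# DomainDnsZones / ForestDnsZones application partitions. Names are placeholders.

$DomainlistPath = Join-Path (Get-Location) 'Domainlist.xml'
$OldDns = 'old-domain.local'
$NewDns = 'ad.new-domain.com'
$OldNb  = 'OLDDOMAIN'
$NewNb  = 'NEWDOMAIN'        # set equal to $OldNb if the NetBIOS name is unchanged

# Keep an untouched copy; rendom /showforest and /upload read the edited file.
Copy-Item -Path $DomainlistPath -Destination "$DomainlistPath.orig" -Force

[xml]$forest = Get-Content -Path $DomainlistPath -Raw

$changes = foreach ($domain in $forest.Forest.Domain) {
    $before = $domain.DNSname
    # Match the domain itself and the DomainDnsZones./ForestDnsZones. partitions.
    # A suffix match leaves child domains with other names untouched.
    if ($before -ieq $OldDns -or $before -imatch "\.$([regex]::Escape($OldDns))$") {
        $domain.DNSname = $before -ireplace "$([regex]::Escape($OldDns))$", $NewDns
    }
    # Only the forest-root entry carries a NetBIOS name; partitions leave it blank.
    if ($domain.NetBiosName -and $domain.NetBiosName -ieq $OldNb) {
        $domain.NetBiosName = $NewNb
    }
    [pscustomobject]@{
        Guid    = $domain.Guid
        Before  = $before
        After   = $domain.DNSname
        NetBIOS = $domain.NetBiosName
    }
}

$changes | Format-Table -AutoSize

# Refuse to write the file if any partition still references the old name,
# because rendom /upload would then rename only part of the forest.
$leftover = @($forest.Forest.Domain | Where-Object { $_.DNSname -imatch [regex]::Escape($OldDns) })
if ($leftover.Count -gt 0) {
    throw "Old domain name still present in: $($leftover.DNSname -join ', ')"
}
$forest.Save($DomainlistPath)
Write-Host "Domainlist.xml updated; review it with 'rendom /showforest' before 'rendom /upload'."
```

Run it from the directory where rendom /list wrote Domainlist.xml. The GUIDs are never touched, since rendom uses them to match the edited entries against the live forest; only the DNSname and NetBiosName values change.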
Back in the Command Prompt, type the following command to verify the new configuration. The command does not make any changes yet.
rendom /showforest
Generate the directory update instructions specified in Domainlist.xml and upload the resultant domain rename instructions to the configuration directory partition at the domain controller that is currently the domain naming operations master for the forest:
rendom /upload
The domain rename instructions are replicated to all other domain controllers in the forest through normal replication of the configuration directory partition. If you have multiple DCs, it’s recommended to proceed to execute the rename instructions only after these rename instructions replicate to every domain controller in the forest.
This step also freezes the forest configuration against certain types of changes: adding or removing domains, adding or removing DCs and adding or removing trusts are not allowed within the forest until the rename completes.
You can track the state of all domain controllers in a Domain Rename State File named DcList.xml, which is automatically generated and updated by the rendom.exe tool. At this point, the state should be Initial.
The DcList.xml and DNSRecords.txt files are generated automatically in the folder from which the rendom.exe command was run, and provide critical information about the domain name change.
DcList.xml lists all domain controllers detected in the forest, together with the domain rename state of each.
Note: If replication has not completed yet, force synchronization of the changes made on the domain naming master to all DCs with the following command:
repadmin.exe /syncall /d /e /P /q DomainNamingMaster-HostName
Verify that every domain controller in the forest is ready to execute the rename instructions:
rendom /prepare
Execute the domain name change on all DCs:
rendom /execute
After the execute command is issued, Active Directory Domain Services may experience an interruption. Once the process is completed, the domain controllers reboot automatically. Once execution of the domain rename instructions has completed, the state in DcList.xml on the Control Station server changes to Done for every DC.
On some DC servers, or when logging on to some DC servers, you may see the message “you’re about to be signed off, the Directory Service is shutting down.” Regardless of whether you click Close or not, the DC will restart automatically.
- After the DC has restarted, log on to the DC using the NEW domain name. If the logon screen suggests the old domain name, that is only because it remembers the last user account that logged on.
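Both checkpoints above (state Initial after rendom /upload, state Done after rendom /execute) are read from the same file, DcList.xml, and the safe course is to confirm every DC has reached the expected state before moving on. The script below is an added example, not part of the original article or of rendom; it parses DcList.xml from the current directory, prints a per-DC table and exits non-zero if any DC is in a different state or reports an error. It assumes DcList.xml has a DcList element containing one DC element per domain controller with Name, State, LastError and LastErrorMsg children, which is the layout rendom writes, but treat those element names as an assumption and compare them with your own file.

```powershell
# Added example (not from the original article): report each domain controller's
# rename state from DcList.xml and fail if any DC has not reached $Expected.
# Assumed layout: <DcList><DC><Name/><State/><LastError/><LastErrorMsg/></DC>...</DcList>
# Usage: .\Check-DcList.ps1 -Expected Initial   (after rendom /upload)
#        .\Check-DcList.ps1 -Expected Done      (after rendom /execute)
param(
    [string]$DcListPath = (Join-Path (Get-Location) 'DcList.xml'),
    [string]$Expected   = 'Done'
)

[xml]$dcList = Get-Content -Path $DcListPath -Raw

$report = foreach ($dc in $dcList.DcList.DC) {
    # LastError is numeric in the file; treat a missing or blank value as 0.
    $errCode = $dc.LastError -as [int]
    if ($null -eq $errCode) { $errCode = 0 }
    [pscustomobject]@{
        DomainController = $dc.Name
        State            = $dc.State
        LastError        = $errCode
        Message          = $dc.LastErrorMsg
        Ready            = ($dc.State -eq $Expected -and $errCode -eq 0)
    }
}

$report | Format-Table -AutoSize

$notReady = @($report | Where-Object { -not $_.Ready })
if ($notReady.Count -gt 0) {
    Write-Warning ("{0} of {1} domain controllers are not in state '{2}':" -f `
        $notReady.Count, @($report).Count, $Expected)
    foreach ($dc in $notReady) {
        Write-Warning ("  {0}: state={1} error={2} {3}" -f `
            $dc.DomainController, $dc.State, $dc.LastError, $dc.Message)
    }
    exit 1
}
Write-Host ("All {0} domain controllers report state '{1}'." -f @($report).Count, $Expected)
```

A non-zero exit code makes the check usable as a gate in a larger script: do not issue rendom /execute until the Initial check passes on every DC, and do not reboot the Control Station until the Done check passes.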
- Make the Control Station server (where the rendom commands are issued) aware of the domain name change by logging on and restarting the server twice (using Power -> Shutdown, or Sign out / Log Off). Reboot only after all domain controllers in the forest are back up and online. This allows you to continue working on the Control Station server; otherwise it will continue to make changes against the old domain instead of the new one.
When logging on to the Control Station, use the NEW domain name.
Tip: Why restart a domain member computer twice? You may wonder why several steps require you to reboot domain member servers, workstations or computers two times. The reason is straightforward: the first reboot lets the domain member detect the domain name change and update its full computer name and domain, while the second reboot registers the new computer name in the new DNS zone.
- At the Control Station, fix the links and objects of GPOs so that they reference the new domain name. Otherwise, Event ID 1006 from the GroupPolicy source will be logged in Event Viewer.
Skip the following step if you’re not renaming FQDN (fully qualified domain name) of the domain, else:
gpfixup /olddns:old-domain.local /newdns:new-domain.com
Skip the following step if you’re not renaming NetBIOS name of the domain, else:
gpfixup /oldnb:OLD-NetBIOS /newnb:NEW-NetBIOS
Tip: To sync and replicate the group policy fix-up changes made on a domain controller immediately, use:
repadmin.exe /syncall /d /e /P /q DC-HostName NewDomainDN
where NewDomainDN is the distinguished name of the new domain, e.g. dc=domain,dc=com.
- The hostname (full computer name) and domain of domain controllers are normally not renamed automatically by rebooting twice. To rename a domain controller, use the following commands:
netdom computername old.computer.name /add:new.computer.name
netdom computername old.computer.name /makeprimary:new.computer.name
Replace old.computer.name and new.computer.name with FQDN of the server in new domain.
Reboot the domain controller.
Repeat the renaming process for all domain controllers in the forest.
Important: It is not recommended to use the GUI (System Properties) to rename domain controllers.
- Now reboot TWO (2) times all domain member computers, workstations and servers that are joined to the renamed domain: log on to each computer and restart it twice (using Power -> Shutdown, or Sign out / Log Off). Perform this step only after all domain controllers are back up and online.
Rebooting non-DC computers twice ensures that every domain computer learns the new domain name and that the change propagates to all applications running on those computers.
When logging into domain member after restarting or for those just booting up, use NEW domain name.
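The two reboots above have two separate observable outcomes: after the first, the OS reports the new domain; after the second, the computer's A record exists in the new DNS zone. The script below is an added example, not from the original article, to run on a member after its second reboot and confirm both, plus that a DC for the new name is locatable via the _ldap._tcp.dc._msdcs SRV record and that the machine's secure channel to the domain is healthy. It uses only the Resolve-DnsName, Get-CimInstance and Test-ComputerSecureChannel cmdlets that ship with Windows Server 2012 and later; the domain name is a placeholder.

```powershell
# Added example (not from the original article): verify on a domain member that
# it has fully picked up the renamed domain after its second reboot.
# $NewDns is a placeholder; replace it with the new FQDN of the domain.
param([string]$NewDns = 'ad.new-domain.com')

$results = @()

# 1. Domain membership as seen by the OS (learned during the first reboot).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results += [pscustomobject]@{
    Check  = 'Computer domain is the new FQDN'
    Actual = $cs.Domain
    Pass   = ($cs.Domain -ieq $NewDns)
}

# 2. The member's own host record in the new zone (registered on the second reboot).
$fqdn = "$($cs.Name).$NewDns"
$a = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
$aRecords = @($a | Where-Object { $_.Type -eq 'A' })
$results += [pscustomobject]@{
    Check  = "A record for $fqdn exists"
    Actual = ($aRecords | ForEach-Object { $_.IPAddress }) -join ','
    Pass   = ($aRecords.Count -gt 0)
}

# 3. DC locator SRV record in the new zone.
$srvName = "_ldap._tcp.dc._msdcs.$NewDns"
$srv = Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction SilentlyContinue
$srvRecords = @($srv | Where-Object { $_.Type -eq 'SRV' })
$results += [pscustomobject]@{
    Check  = "SRV $srvName resolves"
    Actual = ($srvRecords | ForEach-Object { $_.NameTarget }) -join ','
    Pass   = ($srvRecords.Count -gt 0)
}

# 4. Secure channel between this member and a DC of the domain.
$secureChannel = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = 'Secure channel to the domain is healthy'
    Actual = $secureChannel
    Pass   = [bool]$secureChannel
}

$results | Format-Table Check, Pass, Actual -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) {
    Write-Warning 'One or more checks failed; reboot this member again and re-check before rendom /clean is run.'
    exit 1
}
```

Running this on each member before rendom /clean matters because, as the cleanup step below notes, a member that has not completed both reboots by then has to be rejoined to the domain.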
Note: Any remote computers that connect to the renamed domain through a remote connection, such as dial-up or virtual private network (VPN), must be unjoined and then joined to the new domain.
- If you are using domain-based DFS namespaces and the domain name change rendered the existing path invalid, update the orphaned paths in roaming user profiles and Folder Redirection:
- Change Folder Redirection in Group Policy Management.
- Change the domain-based DFS path in roaming user profiles and Remote Desktop Services profiles in the user account properties.
You may see the following messages, indicating that the path points to existing home folders:
The \\new-domain.com\home-folder was not created because it already exists. Do you want this user to be granted full control of this folder?
The \\new-domain.com\home-folder home directory was not created because it already exists. You might want to select a different name, or make sure that user has full access privileges to the existing one.
Note: After the domain name change is completed, DFS automatically updates its namespaces to reflect the new NetBIOS and/or FQDN domain name. Just launch DFS Management, click on the namespaces once, and wait for the changes to take effect.
- On the Control Station server, clean up the references to and attributes of the old domain name in AD, and unfreeze the forest configuration to allow further changes, with the following command:
rendom /clean
Important: If you run the rendom /clean command while there are members that have not yet been rebooted twice, you will have to rejoin them to the domain. Once rendom /clean is executed, the old domain name, including all values of ms-DS-DnsRootAlias from the domain naming operations master, is removed from Active Directory, rendering those computers inaccessible to the new domain.
Note: “rendom /clean” includes all the tasks performed by “rendom /end”, which connects to the DC holding the domain naming master role, removes the msDS-UpdateScript attribute on the Partitions container, and then unfreezes the forest configuration. So the latter command may be redundant unless you need to perform tasks that require changes to the forest configuration.
- Lastly, open DNS Manager to delete the old domain’s DNS zone, including the _msdcs zone for the old domain if it existed as a separate zone under Forward Lookup Zones. You can also see the domain member computers re-listed under the new domain.
- Remove the Active Directory Domain Services role and related features and management tools from Control Station if applicable.
- Stop and start the DHCP services running on domain controllers.
- Change all paths that use domain-based DFS namespaces, especially in roaming user profiles and Folder Redirection, etc.
- Change the license servers for Remote Desktop Services to reflect the new domain.
- Fix Citrix XenApp discovery error due to data store’s database connection issue.
- Change or re-add the administrators, the configured user accounts that are allowed access to published applications, and the user accounts used for filtering in policies, so that they reflect the new domain users or groups in Citrix XenApp, etc.
https://techjourney.net/rename-ad-domain-name-in-windows-server-2012/