BLOG ������

Windows Server 2012 - Rename AD Domain Name

In this tutorial, we’ll rename a domain name in AD forest with domain controller running Windows Server 2012. BACKUP the domain controllers before proceeding, and ensure that you can restore domain controllers to original state if something goes wrong. If your DCs are running in virtual machines powered by Hyper-V or VMWare, take snapshots.

1. Verify the existing domain name in System Properties (Control Panel -> System and Security -> System), and that it’s different from the domain name that you want to change to.

   

2. Set up a domain member server in the forest which is NOT a domain controller (DC) as the administrative Control Station where the entire domain renaming process will be done. If your AD is simple, i.e. has only one DC, you may skip this step (at your own risk) and perform the rest of the rename domain operations directly on the DC itself.

   Logon to a non-DC member server, open Server Manager -> Manage -> Add Roles and Features.

   

   Add the Active Directory Domain Services, and also add the features that are required together with the management tools.

   

   IMPORTANT: DO NOT configure and promote the server meant as Control Station to a domain controller after installing the AD DS role. The purpose of installing the role is to make available the rendom.exe and gpfixup.exe utilities essential in domain renaming.

   

   Note

   If you don’t have to install the complete “Active Directory Domain Services” role, it’s possible to just add the AD DS Snap-Ins and Command-Line Tools under Remote Server Administration Tool (RSAT) -> AD DS and AD LDS Tools -> AD ADS Tools which is part of Features.
3. In Server Manager, click on Tools -> DNS to open DNS Manager. Note that you may need to perform DNS configuration in DC if your Control Station does not have DNS Manager installed.

   

4. In the DNS Manager, right click on Forward Lookup Zone and select New Zone to create the new DNS zone for the new domain, where the new DNS records will be created in the zone as soon as rename is performed.

   

   Select Primary Zone as “Zone Type”.

   

   On the “Active Directory Zone Replication Scope”, select To all DNS servers running on domain controllers in this domain: old-domain.com.

   

   Enter your new domain name, e.g. ad.new-domain.com in the “Zone Name”.

   

   On “Dynamic Update”, select Allow only secure dynamic updates (recommended for Active Directory).

   

   Once the New Zone Wizard is completed, you will be able to see your new DNS zone for your new domain name in the DNS Manager.

   

5. If you are using Folder Redirection or roaming user profiles (and the home directories) on a network location by using a domain-based, Distributed File System (DFS) namespace, considering to relocate the network paths for them before the domain rename operation. The domain name change invalidates the path to this domain-based namespace, and Folder Redirection or roaming user profiles that use this path stop working.

   Note that you only need to change the path of domain-based DFS namespace if the type of name of domain (i.e. NetBIOS or FQDN fully qualified domain name) used by namespace in the configuration is changed. Refer to TechNet for more information.

6. IMPORTANT: Backup all domain controllers before proceeding with renaming the AD domain name.

   In the Control Station (domain member server), open a Command Prompt as Administrator. Then run the following command to instruct rendom to contact DC which owns the domain naming operations master role to generate a state file named Domainlist.xml which contains current forest configurations and domain structures, namely ForestDNSZones, DomainDNSZones and NetBios details.

   rendom /list

   

   Tip

   You can change directory (CD) to a convenient path location to access the files generated by rendom.

   Locate Domainlist.xml file and edit it.

   

   Replace all existing domain name with new domain name, including the NetBIOS name if it’s changed. Save the file when done.

   

   Back in the Command Prompt, type the following command to verify the new configuration. The command does not make any changes yet.

   rendom /showforest

   Generate the directory update instructions specified in Domainlist.xml and upload the resultant domain rename instructions to the configuration directory partition at the domain controller that is currently the domain naming operations master for the forest:

   rendom /upload

   The domain rename instructions are replicated to all other domain controllers in the forest through normal replication of the configuration directory partition. If you have multiple DCs, it’s recommended to proceed to execute the rename instructions only after these rename instructions replicate to every domain controller in the forest.

   This step will also freeze the forest configuration from certain types of changes, such as addition/removal of domains, addition/removal of DCs and addition/removal of trusts were not allowed within the forest.

   You can track the state of all domain controllers in a Domain Rename State File named DcList.xml which is automatically generated and updated by rendom.exe tool. At this point, the state should be Initial.

   
   DcList.xml and DNSRecords.txt files are generated automatically in the folder which rendom.exe command was ran, providing critical info about the domain name change.

   
   DcList.xml provides a list of all domain controllers detected in the forest, and their domren state respectively.

   Note

   If replication is not completed yet, force the synchronization of changes made on domain naming master to all DCs with the following command:

   repadmin.exe /syncall /d /e /P /q DomainNamingMaster-HostName

   Verify the readiness of every domain controllers in the forest to perform the domain name change. After this command, the State in DcList.xml is changed to “Prepared”. All domain controllers must be in Prepared state before domain renaming can be executed.

   rendom /prepare

   

   Execute the domain name change on all DCs:

   rendom /execute

   

   After the execution command is issued, the Active Directory Domain Services may experience interruption. Once the process is completed, the domain controllers will automatically reboot. At the point where execution of domain rename instructions are completed, the state in DcList.xml on the Control Station server for all DC servers is changed to Done.

   On some DC servers or when logon to some DC servers, you may see the message that “you’re about to be signed off, the Directory Service is shutting down.” Regardless of whether you click on Close or not, DC will automatically restart.

   

7. After the DC restarted, logon to the DC using the NEW domain name.

   If you’re seeing the computer is suggesting you that login is done using the old domain name, it’s just the case of remembering the last user account logged in.

8. Make the Control Station server (where rendom commands are issued) aware of the domain name change by logging on and restarting the server using Power, Shutdown or sign out, or Log Off button twice. Reboot only after all domain controllers in the forest back up and online. This allows us to continue working on Control Station server, otherwise it will continue to perform changes on the old domain instead of new domain.

   When logging into Control Station, use NEW domain name.

   Tip

   Why restart domain member computer twice? You may be puzzled why several steps require you to reboot domain member servers, workstations or computers for two time. The reason is straightforward. First time allows the domain member to detect the domain name change, and change the full computer name and domain itself, while the second time is to register the new computer name in the new DNS zone.
9. At Control Station, fix the linkages and objects of GPOs to reference new domain name. Else, Event ID 1006 from GroupPolicy source will be logged in Event Viewer.

   Skip the following step if you’re not renaming FQDN (fully qualified domain name) of the domain, else:

   gpfixup /olddns:old-domain.local /newdns:new-domain.com

   

   Skip the following step if you’re not renaming NetBIOS name of the domain, else:

   gpfixup /oldnb:OLD-NetBIOS /newnb:NEW-NetBIOS

   

   Tip

   To sync and replicate group policy fix-up changes that are made on a domain controller instantly, use:

   repadmin.exe /syncall /d /e /P /q D DC-HostName NewDomainDN

   Where NewDomainName is dc=domain,dc=com.

10. The hostname (full computer name) and domain of domain controllers normally do not get automatically renamed by rebooting twice. To rename domain controllers, use the following commands:

    netdom computername old.computer.name /add:new.computer.name
    netdom computername old.computer.name /makeprimary:new.computer.name

    Replace old.computer.name and new.computer.name with FQDN of the server in new domain.

    

    Reboot the domain controller.

    Repeat the renaming process for all domain controllers in the forest.

    Important

    It’s not recommended to use the GUI (aka System Properties) to rename the domain controllers
11. Now it’s time to reboot for TWO (2) times all domain member computers, workstations and servers that are joined to the renamed domain. Logging into the computer and restart using Power, Shutdown or sign out, or Log Off button twice. Perform this step only after all domain controllers are back up and online.

    Rebooting non-DC computers twice ensures that all domain computers learns the new domain name and also propagates to all applications running on the computers.

    When logging into domain member after restarting or for those just booting up, use NEW domain name.

    Note

    For any remote computers that connect to the renamed domain through a remote connection, such as dial-up and virtual private network (VPN), you’ll need to unjoin and then join the new domain.
12. If you’re using domain-based DFS namespaces, and the domain name change rendered the existing path invalid, then update the orphaned path in roaming user profiles and Folder Redirection.

    
    Changing Folder Redirection in Group Policy Management.

    
    Changing domain-based DFS path in roaming user profiles and Remote Desktop Services profiles in user account properties.

    You may see the following messages indicating the pointing to the existing home folders:

    The \\new-domain.com\home-folder was not created already exists. Do you want this user to be granted full control of this folder?

    

    The \\new-domain.com\home-folder home directory was not created because it already exists. You might want to select a different name, or make sure that user has full access privileges to the existing one.

    

    Note

    After the domain name change operation is completed, DFS will automatically update to namespaces to reflect the new NetBIOS and/or FQDN domain name. Just launch the DFS Management, and click on the namespaces once, wait for the changes to be effected.
13. In Control Station server, clean up the references and attributes of old domain name from AD, and unfreeze the forest configuration to allow further changes with the following command:

    rendom /clean

    

    Important: If you run rendom /clean command and there are members that have not been rebooted twice you will have to rejoin them to the domain. Once rendom /clean command is executed, old domain name, including all values of ms-DS-DnsRootAlias from the domain name operations master, is removed from Activate Directory rendering those computers inaccessible to the new domain.

    Note

    “rendom /clean” includes all the tasks performed by “rendom /end”, which is to connect to the DC holding the domain naming master role and removes the attribute msDS-UpdateScript on the Partitions container, and then unfreeze the forest configuration. So the later command may be redundant if you don’t require to perform some tasks that require change to forest configuration.
14. Lastly, open DNS Manager to delete the old domain DNS zone, including _msdcs zone for the old domain that existed as a separate zone, i.e. under Forward Lookup Zones.

    You can also view the domain member computers re-listed under the new domain.

15. Remove the Active Directory Domain Services role and related features and management tools from Control Station if applicable.

Based on your Active Directory Domain Services configuration and system environment, you may need to perform more steps and troubleshoot some issues. Here are some common issues and tasks:

• Stop and start the DHCP services running on domain controllers.
• Change all path that is using domain-based DFS namespaces especially in roaming user profiles and Folder Redirection, and etc.
• Change the license servers for Remote Desktop Services to reflect the new domain.
• Fix Citrix XenApp discovery error due to data store’s database connection issue.
• Change or re-add the administrators, configured user accounts that allowed access to published application, or user accounts used to filter in policies to reflect new domain users or groups in Citrix XenApp and etc.

  

But basically, the domain rename is concluded, and you should have a working AD on new domain name.

Post your comment:

Post your comment by Guest :

Verify Code :