    Renaming Domains


    An Overview of the Domain Renaming Feature

    With the Windows NT 4 domain model, you had to completely rebuild an existing domain if you wanted to change its name. In Windows 2000, you also have to create a new domain, but the Active Directory Object Manager, which is included in the Windows 2000 Support Tools, can then be used to migrate the existing users, groups and computers into it. Although you cannot directly change the DNS and NetBIOS names of a Windows 2000 domain, the Active Directory Object Manager therefore lets you move the objects of an existing domain into a new domain. Windows Server 2003, on the other hand, includes a domain rename utility and the capability to rename domains in place.

    In Windows Server 2003, you can rename a domain in a forest whose domain controllers all run Windows Server 2003. You can also move any of your existing domains to a different location in the domain hierarchy, and you can rename domain controllers without first having to demote them. The domain rename feature of Windows Server 2003 lets you address changing organizational needs, such as reorganizations and mergers, because it enables you to change your existing forest structure: you can move a domain to any location within the forest in which it is located, and you can raise a child domain to make it the root of its own domain tree. Renaming domains therefore allows you to create a new forest structure.
    You can also rename domains without affecting the trust relationships between the existing domains in your Active Directory environment. When you rename a domain, you change its DNS and NetBIOS names, but the domain GUID and domain SID are left intact. This allows you to rename the domain and all of its child domains without affecting the structure of the domain tree.

    The domain rename utility, Rendom.exe, can be found on the Windows Server 2003 CD-ROM, in the \Valueadd\Msft\Mgmt\Domren folder. The folder also includes another tool, Gpfixup.exe, which is used after the rename to fix up Group Policy objects and their links (see the post-rename tasks below). You can use Rendom.exe for the following tasks:

    • Change the DNS name and NetBIOS name of the forest root domain.
    • Change the DNS name and NetBIOS name of a tree root domain.
    • Change the DNS name and NetBIOS name of parent domains and child domains.
    • Change the location of a domain within a forest.

    After you have used Rendom.exe to perform one of the above tasks, your end result must be a well-formed forest. In a well-formed forest, the domains must form one or more DNS trees, with the forest root domain forming one of those trees. In addition, a domain directory partition cannot have an application directory partition as its parent.

    The capabilities available in Windows Server 2003 differ from what you could achieve with Windows 2000 domains using the Active Directory Object Manager. Windows 2000 domains have the following limitations:

    • You cannot join two domains to form one domain as a single task.
    • You cannot split an existing domain to form two different domains as a single task.
    • You cannot move an existing domain to a different location in a forest as a single process.

    Windows Server 2003 also has a few limitations when it comes to restructuring a forest, and renaming domains. These are summarized below:

    • The number of domains before restructuring and after restructuring must be the same. This means that during the domain rename process you cannot add a new domain to the forest, nor can you remove a domain from the forest.
    • Although you can change the DNS and NetBIOS names of the forest root domain, you cannot designate a different domain as the forest root.
    • You also cannot move a domain name from an existing domain to a different domain as a single process.

    The Requirements and Consequences of Domain Renaming

    Before you can use Rendom.exe to perform any domain renaming tasks, you have to ensure the following:

    • The domain controllers must be running Windows Server 2003.
    • The forest functional level must be raised to the Windows Server 2003 forest functional level.
    • You need Enterprise Administrator privileges to perform any domain renaming tasks.
    • You have to use a member server to carry out domain renaming tasks; you cannot use a domain controller. The member server becomes your control station for performing the domain rename process.
    • Domain DFS root servers must be running Windows 2000 SP3 or later.
    • Exchange 2000 must not be installed in the domain.

    A few factors on the domain rename process should be kept in mind. These are noted below:

    • The entire forest is unavailable during the domain rename process.
    • If a domain controller cannot be reached, does not participate in, or does not finish the domain rename process, you have to remove that domain controller from the forest in order for the process to be finalized.
    • Because some changes are not replicated, and because external trust relationships no longer exist afterwards, you will have to examine each of your domain controllers.
    • The DNS host names of the domain controllers are not changed automatically by the domain rename feature. You therefore have to carry out the domain controller rename process on each domain controller individually.
    • Although the DNS suffix of your member servers and client workstations will be updated, the update may not happen immediately.
    • Once the domain controllers have been rebooted, each client workstation running Windows 2000 or Windows XP has to be rebooted twice.

    Preparing for the Domain Rename Process

    The process of preparing for the domain renaming procedure is discussed in the forthcoming section of this article.

    • One of the initial tasks is to raise the forest functional level to the Windows Server 2003 forest functional level. Before attempting this, ensure that every domain controller is running Windows Server 2003. You can use Active Directory Domains And Trusts to perform this task:
      1. Open the Active Directory Domains And Trusts console.
      2. Right-click Active Directory Domains And Trusts in the console tree, and select Raise Forest Functional Level from the shortcut menu.
      3. The Raise Forest Functional Level dialog box opens.
      4. Click Raise.
      5. Click OK.
    • You also need to prepare DNS before performing the domain rename process. This involves drawing up the list of DNS zones that need to be created for the new domain name, and then creating the necessary forward lookup zones. The domain controllers will dynamically update each DNS zone once the required DNS zones are created.
    • If you intend to change the DNS and NetBIOS names of a domain without changing the trust relationships between existing domains, you do not need to manually create shortcut trust relationships between the domains in your forest. However, if you are changing the structure of the forest, you have to create shortcut trust relationships between the domains so that trust relationships are maintained after the domains are renamed. You can use Active Directory Domains And Trusts to create a shortcut trust between each domain that you want to relocate and its new parent domain in the forest. This is necessary because the existing parent/child trust relationships will not exist after the forest is restructured. If you are planning to relocate a domain that is both a parent domain and a child domain, you have to create shortcut trust relationships at both locations.
    • Where a domain is going to be a new tree root after the restructuring, you need to create two one-way transitive trust relationships with the forest root domain before performing the domain rename operation and restructuring the forest.
    • When domains are renamed, member computers change their primary DNS suffixes automatically if they are configured to update the primary DNS suffix when their domain membership changes, and if no Group Policy that defines a primary DNS suffix is applied to the computer.
      You can verify whether member computers will automatically change their primary DNS suffixes via Control Panel.

      1. On the member computer, open Control Panel
      2. Select Computer Name, and then Change
      3. Select More
      4. The Change primary domain suffix when domain membership changes option should be enabled in order for the member computer to change its primary DNS suffix.

      If you want to check whether group policy that defines a primary DNS suffix is assigned for the member computer,

      1. On the member computer, open a command prompt and enter gpresult
      2. View the output to check whether Primary DNS Suffix appears beneath Applied Group Policy objects.
    • Before performing the domain rename process, you also have to prepare your certificate authorities so that enterprise certificate management continues to work. For this, the Certificate Authority (CA) should not be installed on any domain controller, and every CA should include both LDAP URLs and HTTP URLs in its Authority Information Access (AIA) and CRL Distribution Point (CDP) extensions.
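    The two checks on a member computer described above (the Control Panel option and the gpresult check) can also be done from a script, which is more practical across many members. The following PowerShell script is an added example and is not code from the article or from Microsoft. It assumes, from platform knowledge that you should confirm on a lab host, that the "Change primary DNS suffix when domain membership changes" option is stored as the SyncDomainWithMembership value (1 = enabled) under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, that "NV Domain" in the same key holds the current primary DNS suffix, and that a "Primary DNS Suffix" Group Policy setting is stored as PrimaryDnsSuffix under HKLM\SOFTWARE\Policies\Microsoft\System\DNSClient. The function names are hypothetical.

```powershell
# Added example, not part of the article: decide from the registry whether a
# member computer will follow the renamed domain with its primary DNS suffix.
# Registry locations are assumptions from platform knowledge (see lead-in).

function Test-WillFollowRename {
    # Decision logic on its own: the suffix follows the domain only when the
    # Control Panel option is enabled AND no Group Policy pins a suffix.
    param([int]$SyncWithMembership, [string]$PolicySuffix)
    return ($SyncWithMembership -eq 1) -and [string]::IsNullOrEmpty($PolicySuffix)
}

function Get-PrimaryDnsSuffixBehaviour {
    # Reads the two settings from the local registry, or from a remote one
    # (the Remote Registry service and administrative rights are needed there).
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $ComputerName)
    try {
        $sync = 0; $current = ""; $policySuffix = ""
        $tcpip = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
        if ($tcpip) {
            # assumed value names (see lead-in)
            $sync    = [int]$tcpip.GetValue("SyncDomainWithMembership", 0)
            $current = [string]$tcpip.GetValue("NV Domain", "")
            $tcpip.Close()
        }
        $policy = $hklm.OpenSubKey("SOFTWARE\Policies\Microsoft\System\DNSClient")
        if ($policy) {
            $policySuffix = [string]$policy.GetValue("PrimaryDnsSuffix", "")
            $policy.Close()
        }
    } finally {
        $hklm.Close()
    }
    New-Object PSObject -Property @{
        Computer           = $ComputerName
        CurrentSuffix      = $current
        SyncWithMembership = ($sync -eq 1)
        PolicySuffix       = $policySuffix
        WillFollowRename   = (Test-WillFollowRename $sync $policySuffix)
    }
}

# Check the local computer. Any host reporting WillFollowRename = False keeps
# its old suffix after the rename and must be handled by hand (or by policy).
Get-PrimaryDnsSuffixBehaviour |
    Format-List Computer, CurrentSuffix, SyncWithMembership, PolicySuffix, WillFollowRename

# Across a list of member computers (one host name per line in members.txt):
# Get-Content members.txt |
#     ForEach-Object { Get-PrimaryDnsSuffixBehaviour -ComputerName $_ } |
#     Format-Table Computer, CurrentSuffix, SyncWithMembership, PolicySuffix, WillFollowRename -AutoSize
```

    A computer where PolicySuffix is non-empty corresponds to the case where gpresult lists Primary DNS Suffix under Applied Group Policy objects: the policy wins over the Control Panel option, so the suffix will not change until the policy is updated to the new domain name.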

    The Domain Rename Process

    Before performing any domain rename processes, you should first perform a full backup of the system state data hosted by each domain controller within the forest. All infrastructure components should be backed up.

    The member server from which you are going to perform the domain rename process should be identified and prepared. The member server has to be a member of one of the domains that you are planning to rename. Remember that you cannot perform the domain rename process from a domain controller. The member server (also called the control station) that you choose has to be running one of the following Windows Server 2003 editions:

    • Windows Server 2003 Standard Edition
    • Windows Server 2003 Enterprise Edition
    • Windows Server 2003 Datacenter Edition

    You also have to install, on the control station, the set of tools needed for the domain rename process. These rename tools are located on the Windows Server 2003 CD-ROM.
    Use the steps below to install the rename tools on the control station:

    1. On the control station, create a folder in which the rename tools will be placed (the steps that follow call this folder RenameTools).
    2. Place the Windows Server 2003 CD-ROM in the CD-ROM drive.
    3. From the command prompt, copy the rename tools from the \Valueadd\Msft\Mgmt\Domren folder. Ensure that rendom.exe and gpfixup.exe are copied to the member server.
    4. Install the Windows Server 2003 Support Tools on the member server as well. Ensure that repadmin.exe and dfsutil.exe are installed.

    The next step in the domain rename process is to use rendom.exe to generate a description of the current forest. This file is the baseline from which you will work: it lists all existing domain directory partitions and application directory partitions within your forest.
    Use the steps below to create the forest description file:

    1. On the member server, open a command prompt with Enterprise Administrator privileges.
    2. Switch to the RenameTools directory.
    3. Enter rendom /list to create the domainlist.xml file. This file lists all the existing domain directory partitions and application directory partitions within your forest, and is created in the current directory.
    4. Enter copy domainlist.xml domainlist-save.xml to keep a copy of the original forest description file.

    The next step in the domain rename process is to design the new forest. To do this, use a text editor like Notepad to change the domainlist.xml file. You can change the existing domain names to new domain names, and change the existing application directory partitions’ names to new names. Remember that when you change the name of a domain, you also need to change the associated DNS-specific application directory partition name. When you rename a parent domain that includes child domains, remember to change the names of all associated child domains as well. After completing all changes, verify the contents of the domainlist.xml file. You can use the rendom /showforest command to view the new forest structure in the domainlist.xml file.
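    Editing domainlist.xml by hand is where most mistakes in a rename happen: a child domain or a DomainDnsZones partition is missed, or two entries end up with the same name. The following PowerShell script is an added example, not code from the article or from Microsoft, that applies a new DNS suffix to a domain, its DNS application directory partitions and all of its child domains in one pass, and then runs the checks you would otherwise do by eye before rendom /upload. It assumes the file has the element shape shown in the constructed sample (Forest, Domain, Guid, DNSname, NetBiosName, DcName); the sample itself is made up and is not real rendom /list output, and the function names are hypothetical.

```powershell
# Added example, not part of the article: rewrite a forest description file
# (domainlist.xml from "rendom /list") for a domain rename, then sanity-check it.
# The XML shape is an assumption (see lead-in); the sample below is constructed.

function Rename-ForestDescription {
    param(
        [Parameter(Mandatory = $true)][xml]$Forest,
        [Parameter(Mandatory = $true)][string]$OldDnsName,
        [Parameter(Mandatory = $true)][string]$NewDnsName,
        [string]$NewNetBiosName
    )
    $oldSuffix = "." + $OldDnsName.ToLower()
    foreach ($d in $Forest.Forest.Domain) {
        $dnsNode = $d.SelectSingleNode("DNSname")
        $name = $dnsNode.InnerText
        if ($name -ieq $OldDnsName) {
            # The domain being renamed: new DNS name and, optionally, NetBIOS name.
            $dnsNode.InnerText = $NewDnsName
            $nb = $d.SelectSingleNode("NetBiosName")
            if ($NewNetBiosName -and $nb.InnerText) { $nb.InnerText = $NewNetBiosName }
        } elseif ($name.ToLower().EndsWith($oldSuffix)) {
            # Child domains and DomainDnsZones/ForestDnsZones partitions under it
            # keep their leftmost labels and take the new suffix.
            $keep = $name.Substring(0, $name.Length - $OldDnsName.Length)
            $dnsNode.InnerText = $keep + $NewDnsName
        }
    }
    return $Forest
}

function Test-ForestDescription {
    # Returns a list of problems (empty when the file looks safe to upload):
    # duplicate DNS or NetBIOS names, or a domain whose DomainDnsZones partition
    # was not renamed along with it.
    param([Parameter(Mandatory = $true)][xml]$Forest)
    $problems = @()
    $dns = @($Forest.Forest.Domain | ForEach-Object { $_.SelectSingleNode("DNSname").InnerText.ToLower() })
    foreach ($g in ($dns | Group-Object | Where-Object { $_.Count -gt 1 })) {
        $problems += "duplicate DNS name: $($g.Name)"
    }
    $nb = @($Forest.Forest.Domain | ForEach-Object { $_.SelectSingleNode("NetBiosName").InnerText } | Where-Object { $_ })
    foreach ($g in ($nb | Group-Object | Where-Object { $_.Count -gt 1 })) {
        $problems += "duplicate NetBIOS name: $($g.Name)"
    }
    foreach ($d in $Forest.Forest.Domain) {
        if ($d.SelectSingleNode("NetBiosName").InnerText) {   # a real domain, not an application partition
            $zone = ("domaindnszones." + $d.SelectSingleNode("DNSname").InnerText).ToLower()
            if ($dns -notcontains $zone) { $problems += "missing application partition $zone" }
        }
    }
    return $problems
}

# Constructed sample standing in for the output of "rendom /list": a root domain
# contoso.com with a child sales.contoso.com and their DNS application partitions.
[xml]$doc = @'
<?xml version="1.0"?>
<Forest>
  <Domain><Guid>11111111-1111-1111-1111-111111111111</Guid><DNSname>DomainDnsZones.contoso.com</DNSname><NetBiosName></NetBiosName><DcName></DcName></Domain>
  <Domain><Guid>22222222-2222-2222-2222-222222222222</Guid><DNSname>ForestDnsZones.contoso.com</DNSname><NetBiosName></NetBiosName><DcName></DcName></Domain>
  <Domain><Guid>33333333-3333-3333-3333-333333333333</Guid><DNSname>contoso.com</DNSname><NetBiosName>CONTOSO</NetBiosName><DcName></DcName></Domain>
  <Domain><Guid>44444444-4444-4444-4444-444444444444</Guid><DNSname>DomainDnsZones.sales.contoso.com</DNSname><NetBiosName></NetBiosName><DcName></DcName></Domain>
  <Domain><Guid>55555555-5555-5555-5555-555555555555</Guid><DNSname>sales.contoso.com</DNSname><NetBiosName>SALES</NetBiosName><DcName></DcName></Domain>
</Forest>
'@

$doc = Rename-ForestDescription -Forest $doc -OldDnsName "contoso.com" -NewDnsName "fabrikam.com" -NewNetBiosName "FABRIKAM"
$issues = Test-ForestDescription -Forest $doc
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    $doc.Forest.Domain | ForEach-Object { "{0,-40} {1}" -f $_.DNSname, $_.NetBiosName }
    # On the control station you would now write the file back and review it:
    # $doc.Save("C:\RenameTools\domainlist.xml"); rendom /showforest
}
```

    The script never adds or removes a Domain element, which keeps the number of domains before and after the rename identical, as the rename process requires; the GUIDs are left untouched because the domain GUID and SID are what survive a rename.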

    After you have made the changes in the domainlist.xml file, you next have to create the domain rename instructions that will execute on each domain controller to implement your changes. Your changes are written to the msDS-UpdateScript attribute of the Partitions container object, which is found in the configuration directory partition on the Domain Naming Master for the forest.
    Use the steps below to create the domain rename instructions:

    1. From a command prompt, switch to the RenameTools directory
    2. Type the following command to upload the domain rename instructions to Active Directory: rendom /upload.

    The command creates a dclist.xml state file in the RenameTools current directory. This is the file that rendom.exe uses to monitor the domain rename process and the state of the domain controllers within the forest.

    The next step in the domain rename process is to force Active Directory replication so that the domain rename instructions uploaded to the Domain Naming Master are pushed to every domain controller in the forest.
    Use the steps below to force Active Directory replication:

    1. From a command prompt, switch to the RenameTools directory
    2. Enter the following command: repadmin /syncall /d /e /P /q DomainNamingMaster, where DomainNamingMaster is the DNS host name of the current Domain Naming Master for the forest.

    Following this, you need to verify that the DNS records for the new domain have been created. The Net Logon service of each domain controller publishes the SRV resource records to the authoritative DNS servers.
    To verify the DNS records,

    1. Click Start, Programs, Administrative Tools, and then DNS
    2. Proceed to expand the server name, Forward Lookup Zones, and then expand the domain which you want to check.
    3. Check that the following DNS records exist for each domain controller in the domain:
      • One CNAME record associated with each domain controller on all authoritative DNS servers.
      • One SRV record for the PDC FSMO on all authoritative DNS servers.
      • One SRV record for one domain controller on all authoritative DNS servers for every domain.
      • One SRV record associated with one Global Catalog on all authoritative DNS servers in the forest.

    After verifying that the necessary DNS records exist, you have to verify the status of the domain controllers within the forest. This essentially involves checking the Active Directory database state on each domain controller.

    1. From a command prompt, switch to the RenameTools directory.
    2. Enter the following command: rendom /prepare.
    3. At this point, rendom.exe verifies that the msDS-UpdateScript and msDS-DnsRootAlias attributes have replicated to each domain controller in the forest. It also checks that the servicePrincipalName attribute has replicated to each domain controller in the domain and to the Global Catalog. Rendom.exe also checks that the dclist.xml state file is present in the RenameTools directory and that it has an entry for each domain controller in the forest.
    4. The control station also sends a Remote Procedure Call (RPC) to each domain controller in the forest to check the state of its replica of the Active Directory database. The status of each domain controller in the dclist.xml state file is then updated to Prepared, which indicates that the domain controller is ready to run the domain rename instructions.

    The following step is to execute the domain rename instructions using the rendom utility on the domain controllers. What happens is that the control station/member server sends an RPC to each domain controller. When a domain controller receives its RPC from the control station, it in turn executes the domain rename instructions. The domain controller reboots after this. After all domain controllers have executed the domain rename instructions, you can check the status of the domain controllers in the dclist.xml state file. A status of Done indicates that the domain controller has successfully executed the domain rename process. A status of Error indicates that the domain controller was unable to conclude the domain rename process. Any domain controller that is unable to complete the domain renaming process has to be removed from the forest.

    Use the steps below to execute the domain rename instructions on your domain controllers within the forest. You have to repeat the process until each domain controller is updated or to the point that a particular domain controller could not complete the domain rename process. As mentioned earlier, you can verify the status of the domain controllers in the dclist.xml state file.

    1. From a command prompt, switch to the RenameTools directory
    2. Type the following command: rendom /execute
    3. Proceed to check the status of the domain controllers in the dclist.xml state file.

    You can force the rendom /execute command if you think that a domain controller that has the Error state in the dclist.xml file can be recovered. Forcing the rendom /execute command results in the control station resending the RPC to that domain controller.
    To do this:

    1. From a command prompt, switch to the RenameTools directory.
    2. In the dclist.xml file, find the <Retry></Retry> element of the domain controller for which you want to force the rendom /execute command.
    3. Edit it to <Retry>yes</Retry> for that domain controller.
    4. To resend the RPC to that domain controller, enter the rendom /execute command.
    5. Recheck the status of the domain controller in the dclist.xml state file. A status of Done means that the domain rename process completed successfully on that domain controller. If the state is Prepared, try entering the rendom /execute command again. If the state is Error, consider removing the domain controller from the forest.
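    Reading dclist.xml by hand is fine for a handful of domain controllers but error-prone in a large forest, and the execute-and-recheck loop described above is easy to lose track of. The following PowerShell script is an added example, not code from the article or from Microsoft, that summarises the per-domain-controller state rendom.exe records, reports whether every domain controller has reached Done, and flags one domain controller in the Error state for a forced retry by setting its Retry element to yes. It assumes the element shape shown in the constructed sample (DcList, DC, Name, State, LastError, Retry); the host names, states and error code in the sample are made up, and the function names are hypothetical.

```powershell
# Added example, not part of the article: inspect and update the dclist.xml
# state file between runs of "rendom /execute".
# The XML shape is an assumption (see lead-in); the sample below is constructed.

function Get-DcRenameState {
    # One record per domain controller: Name, State (Initial/Prepared/Done/Error),
    # LastError and Retry, taken straight from the state file.
    param([Parameter(Mandatory = $true)][xml]$DcList)
    foreach ($dc in $DcList.DcList.DC) {
        New-Object PSObject -Property @{
            Name      = $dc.SelectSingleNode("Name").InnerText
            State     = $dc.SelectSingleNode("State").InnerText
            LastError = $dc.SelectSingleNode("LastError").InnerText
            Retry     = $dc.SelectSingleNode("Retry").InnerText
        }
    }
}

function Test-RenameComplete {
    # $true only when every domain controller reports Done; Prepared or Error
    # means another "rendom /execute" (or a removal from the forest) is needed.
    param([Parameter(Mandatory = $true)][xml]$DcList)
    $states = @(Get-DcRenameState -DcList $DcList | ForEach-Object { $_.State })
    return ($states.Count -gt 0) -and (@($states | Where-Object { $_ -ne "Done" }).Count -eq 0)
}

function Set-DcRetry {
    # Flag one domain controller in the Error state so that the next
    # "rendom /execute" resends its RPC, as the manual edit in the text does.
    param(
        [Parameter(Mandatory = $true)][xml]$DcList,
        [Parameter(Mandatory = $true)][string]$DcName
    )
    $node = $DcList.DcList.DC | Where-Object { $_.SelectSingleNode("Name").InnerText -ieq $DcName }
    if (-not $node) { throw "no entry for $DcName in dclist.xml" }
    if ($node.SelectSingleNode("State").InnerText -ne "Error") {
        throw "$DcName is not in the Error state; nothing to retry"
    }
    $node.SelectSingleNode("Retry").InnerText = "yes"
}

# Constructed sample standing in for a dclist.xml after one "rendom /execute":
# one DC finished, one failed (error code chosen arbitrarily), one still waiting.
[xml]$dclist = @'
<?xml version="1.0"?>
<DcList>
  <DC><Name>dc1.contoso.com</Name><State>Done</State><LastError>0</LastError><Retry></Retry></DC>
  <DC><Name>dc2.contoso.com</Name><State>Error</State><LastError>1722</LastError><Retry></Retry></DC>
  <DC><Name>dc3.contoso.com</Name><State>Prepared</State><LastError>0</LastError><Retry></Retry></DC>
</DcList>
'@

Get-DcRenameState -DcList $dclist | Format-Table Name, State, LastError, Retry -AutoSize
if (-not (Test-RenameComplete -DcList $dclist)) {
    Set-DcRetry -DcList $dclist -DcName "dc2.contoso.com"
    # On the control station you would now write the file back and run the
    # command again, then repeat this check:
    # $dclist.Save("C:\RenameTools\dclist.xml"); rendom /execute
}
```

    Set-DcRetry refuses to touch a domain controller that is not in the Error state, which mirrors the guidance above: a Prepared entry only needs rendom /execute to be run again, and a Done entry must not be re-executed.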

    Tasks that should be completed after the domain rename process

    • Because the entire forest is unavailable during the domain renaming process, you would need to basically make the forest configuration available again after the domain rename process is completed.
      To do this,

      1. Proceed to reboot the control station/member server two times.
      2. Open a command prompt and switch to the RenameTools directory
      3. Enter the following command: rendom /end.
      4. This action removes the msDS-UpdateScript attribute from the configuration directory partition on the Domain Naming Master for the forest.
    • One of the steps performed when preparing for the domain rename process was to create the appropriate shortcut trust relationships between the domains in the forest. These trust relationships are automatically created as part of the domain rename process. Any necessary external trust relationships have to be created manually.
    • After the domain rename process is completed, you should examine all your trust relationships to check whether any trust relationships exist that are no longer needed. You can remove these trust relationships through the utilization of the Active Directory Domains and Trusts console.
    • In addition to checking for no longer needed trust relationships, you should check for DNS zones that are no longer required. If you need to remove any DNS zones, use the DNS administration tool.
    • Next, you have to use the gpfixup.exe command-line tool that you copied to the control station together with rendom.exe to repair the GPOs and their links so that they reflect the correct information in each domain that was renamed. You would have to run Gpfixup.exe on each domain controller within every renamed domain.
    • One of the tools installed with the Windows Server 2003 Support Tools on the control station was the dfsutil.exe command-line tool. Use it now to scan the DFS topology and replace any instances of the previous name(s) with the new name(s).
    • To perform an attribute cleanup after the domain rename process, execute the rendom /clean command from a command prompt.
    • Because the domain rename process may rename TAPI-specific application directory partitions, you need to republish the service connection points under the application directory partition's new name. This is necessary for TAPI clients to find the renamed application directory partition.
    • You can use the steps below to repair the shortcuts to the Domain Security Policy and Domain Controller Security Policy MMC snap-ins in the Start menu. This process has to be completed on each domain controller in each renamed domain.
      To do this,

      1. Click Start, Programs, Administrative Tools.
      2. Right-click Domain Security Policy and click Properties from the shortcut menu.
      3. Change the Target field (the /gpobject: setting) to reflect the new domain name.
      4. Click OK.
      5. Click Start, Programs, Administrative Tools.
      6. Right-click the Domain Controller Security Policy and choose Properties from the shortcut menu.
      7. Change the Target field (the /gpobject: setting) to reflect the new domain name.
      8. Click OK.
    • Each member computer of the renamed domain(s) has to be restarted for the domain membership changes to take effect. You should reboot each member computer two times.
    • It is recommended that you back up the domain controllers after the domain rename process, because the Active Directory database, the Registry and the GPOs on each domain controller have changed. You should perform the following backups:
      1. A full system state backup of all domain controllers within the forest, together with a backup of all data volumes as well.
      2. A backup of all GPOs on each domain controller.

    Renaming Domain Controllers

    Because the DNS host names of domain controllers in the renamed domains are not updated automatically during the domain rename process, you have to change each domain controller's DNS host name yourself. With Windows Server 2003, you no longer have to first demote the domain controller, rename it, and then re-promote the server to a domain controller, which was the process for Windows 2000 domains.
    In Windows Server 2003, you can rename a domain controller without demoting it if the domain functional level has been raised to the Windows Server 2003 domain functional level, which in turn requires every domain controller in the domain to be running Windows Server 2003. To raise the domain functional level, use the Active Directory Domains and Trusts console.
    Another task that should be performed before you rename domain controllers is to move the Global Catalog and all FSMO roles from the root domain controller to a different domain controller. This task is not necessary if you have manually created these roles within your Active Directory environment.
    The Netdom command-line utility is used to rename domain controllers. The tool is included in the Windows Support Tools on the Windows Server 2003 Setup CD-ROM. The Netdom Computername command is the command used to manage computer names.

    To rename a domain controller, use the steps listed in the following section:

    1. Open a command prompt.
    2. Execute the following domain controller rename command: netdom computername OldComputerName /add:NewComputerName
      • OldComputerName = existing computer name or IP address of the domain controller that you are renaming.
      • NewComputerName = new name for the domain controller.
    3. Wait for the computer account to replicate throughout the domain and for the appropriate DNS resource records to be distributed to all authoritative DNS servers. This usually takes one replication latency interval.
    4. Enter the following command at the command prompt: netdom computername OldComputerName /makeprimary:NewComputerName
    5. Reboot the computer.
    6. You can perform the following tasks to verify that the domain controller was renamed:
      • At the command prompt, enter netdom computername NewComputerName /enumerate. At this point, the domain controller still has two names.
      • Click Start, Control Panel, and then click System. Check that the name that appears on the Computer Name tab after Full Computer Name is correct. Click Cancel to exit.
    7. You now have to remove the old domain controller name. To do this, enter the following command at the command prompt: netdom computername NewComputerName /remove:OldComputerName


    One comment
    1. Jiri

      24 October, 2012 at 9:31 pm

      The text “Enter the following command: repadmin /prepare” should be changed to “Enter the following command: rendom /prepare”. Anyway good article 🙂
