Delan Azabani

Renaming Active Directory domains

 359 words 1 min  attic

Last night I tried to implement DNSSEC on azabani.com without any prior knowledge. That went badly, and I lost mail for at least a few hours. I've separated my experimental Active Directory domain off onto azabani.org, where I can safely try DNSSEC again without losing mail, but the migration process wasn't straightforward.

In the past, to rename the AD domain home.azabani.com to azabani.com, I simply set up the domain controller from scratch, then reimaged clients. However, this requires a lot of unnecessary time, as well as much manual correction of user profile and registry permissions.

To summarise, renaming an AD domain is as follows:

  1. Create a new forward lookup DNS zone for the new root domain name. 
  2. rendom /list
  3. Edit Domainlist.xml to use the new root domain name. 
  4. rendom /showforest
rendom /upload
rendom /prepare
rendom /execute
  5. Reboot the domain controller. 
  6. gpfixup /olddns:azabani.com /newdns:azabani.org
rendom /clean
rendom /end

However, that doesn't actually rename the domain contoller's FQDN itself. While Microsoft says that doing so is optional, it seems like a good idea to do anyway, as azabani.com is now being used elsewhere, and the domain controller will otherwise not resolve externally.

Again to summarise what Microsoft has to say about this: 

  1. netdom computername OLDFQDN /add:NEWFQDN
netdom computername OLDFQDN /makeprimary:NEWFQDN
  2. Reboot the domain controller. 
  3. netdom computername NEWFQDN /remove:OLDFQDN

That's not all, in fact. If you're like me and use the domain controller as a DHCP server, it will continue to distribute the old root FQDN as the default DNS search suffix. To correct this in the DHCP snap-in, for each scope's options, change 015 DNS Domain Name as necessary.

I've omitted a few steps that are required for those with multiple domain controllers, those who are renaming the NetBIOS domain name, and/or those who are renaming the leaf computer name of the domain controller, so follow the links above if you have a more complex migration situation, as this'll probably be incomplete.

Strangely enough, without rebooting any clients, they all immediately became a member of the "new" domain (technically the same AD domain, with a new root FQDN), and their fully qualified computer names updated as well. I'll consider myself impressed.