Last night I tried to implement DNSSEC on azabani.com without any prior knowledge. That went badly, and I lost mail for at least a few hours. I've separated my experimental Active Directory domain off onto azabani.org, where I can safely try DNSSEC again without losing mail, but the migration process wasn't straightforward.
In the past, to rename the AD domain home.azabani.com to azabani.com, I simply set up the domain controller from scratch, then reimaged clients. However, this requires a lot of unnecessary time, as well as much manual correction of user profile and registry permissions.
To summarise, renaming an AD domain is as follows:

- Create a new forward lookup DNS zone for the new root domain name.
- `rendom /list`
- Edit `Domainlist.xml` to use the new root domain name.
- `rendom /showforest`, `rendom /upload`, `rendom /prepare`, `rendom /execute`
- Reboot the domain controller.
- `gpfixup /olddns:azabani.com /newdns:azabani.org`, `rendom /clean`, `rendom /end`
However, that doesn't actually rename the domain controller's FQDN itself. While Microsoft says that doing so is optional, it seems like a good idea to do anyway, as azabani.com is now being used elsewhere, and the domain controller will otherwise not resolve externally.
Again to summarise what Microsoft has to say about this:

- `netdom computername OLDFQDN /add:NEWFQDN`, `netdom computername OLDFQDN /makeprimary:NEWFQDN`
- Reboot the domain controller.
- `netdom computername NEWFQDN /remove:OLDFQDN`
That's not all, in fact. If you're like me and use the domain controller as a DHCP server, it will continue to distribute the old root FQDN as the default DNS search suffix. To correct this in the DHCP snap-in, for each scope's options, change `015 DNS Domain Name` as necessary.
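The same clean-up done from PowerShell rather than the DHCP snap-in, as an added example that is not part of the original post: it walks every DHCPv4 scope on the server, reports any whose option 015 still carries the old suffix, and rewrites it to the new one only when `-Apply` is given. It assumes the DhcpServer module (installed with the DHCP role or RSAT) and uses the post's two domain names as defaults.

```powershell
# Added example, not from the original post. Run on the DHCP server after the
# rendom/netdom rename. Without -Apply it only reports; with -Apply it fixes.
param(
    [string]$OldSuffix = 'azabani.com',   # suffix clients must stop receiving
    [string]$NewSuffix = 'azabani.org',   # suffix they should receive instead
    [switch]$Apply
)

Import-Module DhcpServer

# Scopes that set no option 015 of their own inherit the server-level value,
# so check (and fix) that first.
$serverOpt = Get-DhcpServerv4OptionValue -OptionId 15 -ErrorAction SilentlyContinue
if ($serverOpt -and ($serverOpt.Value -contains $OldSuffix)) {
    Write-Host "Server-level option 015 still hands out '$OldSuffix'"
    if ($Apply) {
        Set-DhcpServerv4OptionValue -DnsDomain $NewSuffix
        Write-Host "  -> set to '$NewSuffix'"
    }
}

foreach ($scope in Get-DhcpServerv4Scope) {
    # Without -All this returns only the scope's own override, not the
    # inherited server value; a missing override raises an error we swallow.
    $opt = Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 15 `
               -ErrorAction SilentlyContinue
    if (-not $opt) {
        Write-Host "Scope $($scope.ScopeId) ($($scope.Name)): inherits server value"
        continue
    }
    if ($opt.Value -contains $OldSuffix) {
        Write-Host "Scope $($scope.ScopeId) ($($scope.Name)): still '$OldSuffix'"
        if ($Apply) {
            Set-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -DnsDomain $NewSuffix
            Write-Host "  -> set to '$NewSuffix'"
        }
    } else {
        Write-Host "Scope $($scope.ScopeId) ($($scope.Name)): OK ($($opt.Value -join ','))"
    }
}
```

Clients only pick up the corrected suffix when they renew their lease, so an `ipconfig /renew` on a test machine is the quickest way to confirm the change took effect.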
I've omitted a few steps that are required for those with multiple domain controllers, those who are renaming the NetBIOS domain name, and/or those who are renaming the leaf computer name of the domain controller, so follow the links above if you have a more complex migration situation, as this'll probably be incomplete.
Strangely enough, without rebooting any clients, they all immediately became a member of the "new" domain (technically the same AD domain, with a new root FQDN), and their fully qualified computer names updated as well. I'll consider myself impressed.