Delan Azabani

Renaming Active Directory domains

Last night I tried to implement DNSSEC on without any prior knowledge. That went badly, and I lost mail for at least a few hours. I've separated my experimental Active Directory domain off onto, where I can safely try DNSSEC again without losing mail, but the migration process wasn't straightforward.

In the past, to rename the AD domain to, I simply set up the domain controller from scratch, then reimaged clients. However, this requires a lot of unnecessary time, as well as much manual correction of user profile and registry permissions.

To summarise, renaming an AD domain is as follows:

  1. Create a new forward lookup DNS zone for the new root domain name.
  2. rendom /list
  3. Edit Domainlist.xml (rendom /list writes it to the current directory) so that every DNSname ending in the old root domain name uses the new one, including the DomainDnsZones and ForestDnsZones application partitions that rendom lists alongside the domain itself.
  4. rendom /showforest
    rendom /upload
    rendom /prepare
    rendom /execute
  5. Reboot the domain controller.
  6. gpfixup / /
    rendom /clean
    rendom /end
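The six steps above as one PowerShell script, added here as an example rather than code from the original post. old.example, new.example and C:\rendom are placeholders; rendom.exe, gpfixup.exe and the DnsServer module are assumed to be available on the domain controller, and the script assumes the Forest/Domain/DNSname element layout that rendom /list writes into Domainlist.xml.

```powershell
# Added example (not from the original post): rendom-based domain rename.
# old.example / new.example / C:\rendom are placeholders for this illustration.
$OldDns  = 'old.example'
$NewDns  = 'new.example'
$WorkDir = 'C:\rendom'

function Invoke-Checked {
    # Run a native tool and stop at the first non-zero exit code; pressing on past a
    # failed /prepare or /execute is how a forest ends up half-renamed.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Start-DomainRename {
    # Steps 1 to 4: everything that happens before the reboot.
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    Set-Location -Path $WorkDir

    # Step 1: forward lookup zone for the new root. AD-integrated, secure dynamic
    # updates only, so that only authenticated domain members can register records.
    if (-not (Get-DnsServerZone -Name $NewDns -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $NewDns -ReplicationScope Forest -DynamicUpdate Secure
    }

    # Step 2: rendom /list writes Domainlist.xml into the current directory.
    Invoke-Checked -Exe 'rendom.exe' -Arguments @('/list')

    # Step 3: rewrite every DNSname that ends in the old root (anchored at a label
    # boundary). This covers the domain itself and the DomainDnsZones./ForestDnsZones.
    # application partitions, which have to move to the new name as well.
    $listPath = Join-Path $WorkDir 'Domainlist.xml'
    [xml]$forest = Get-Content -Path $listPath -Raw
    $suffix = '(^|\.)' + [regex]::Escape($OldDns) + '$'
    foreach ($domain in $forest.Forest.Domain) {
        if ($domain.DNSname -match $suffix) {
            $domain.DNSname = $domain.DNSname -replace $suffix, ('$1' + $NewDns)
        }
    }
    $forest.Save($listPath)

    # Step 4: review the plan, then upload it, prepare every DC and execute.
    # /execute is the point of no return for the forest.
    Invoke-Checked -Exe 'rendom.exe' -Arguments @('/showforest')
    foreach ($phase in '/upload', '/prepare', '/execute') {
        Invoke-Checked -Exe 'rendom.exe' -Arguments @($phase)
    }
    Write-Host 'Step 5: reboot the domain controller, then run Complete-DomainRename.'
}

function Complete-DomainRename {
    # Step 6: repoint Group Policy links at the new DNS name, remove the rename
    # metadata, and unfreeze the forest so configuration changes are allowed again.
    Set-Location -Path $WorkDir
    Invoke-Checked -Exe 'gpfixup.exe' -Arguments @("/olddns:$OldDns", "/newdns:$NewDns")
    Invoke-Checked -Exe 'rendom.exe' -Arguments @('/clean')
    Invoke-Checked -Exe 'rendom.exe' -Arguments @('/end')
}

# Usage: Start-DomainRename; reboot the DC; Complete-DomainRename.
```

The only non-obvious part is step 3: a bare find-and-replace of the root name is not enough if you edit Domainlist.xml by hand, because rendom lists the application directory partitions as separate entries whose DNSname values also end in the old root, and they need the same rewrite. The exit-code check after every rendom phase matters because rendom does not stop itself: a failed /prepare followed by /execute leaves some controllers renamed and others not.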

However, that doesn't actually rename the domain controller's own FQDN. While Microsoft says that doing so is optional, it seems like a good idea to do anyway, as is now being used elsewhere, and the domain controller will otherwise not resolve externally.

Again to summarise what Microsoft has to say about this:

  1. netdom computername OLDFQDN /add:NEWFQDN
    netdom computername OLDFQDN /makeprimary:NEWFQDN
  2. Reboot the domain controller.
  3. netdom computername NEWFQDN /remove:OLDFQDN

That's not all, in fact. If, like me, you use the domain controller as a DHCP server, it will keep handing out the old root FQDN as the default DNS search suffix. To correct this in the DHCP snap-in, change option 015 DNS Domain Name in each scope's options as necessary.
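The netdom rename and the DHCP option 015 fix from the two sections above as one script, with the verification a practitioner would want between the steps. This is an added example, not code from the original post; dc1.old.example, dc1.new.example and new.example are placeholders, and netdom.exe and the DhcpServer module are assumed to be installed on the domain controller.

```powershell
# Added example (not from the original post): rename the DC's FQDN with netdom,
# verify it took, then fix DHCP option 015. All names below are placeholders.
$OldFqdn = 'dc1.old.example'
$NewFqdn = 'dc1.new.example'
$NewDns  = 'new.example'

function Invoke-NetdomComputerName {
    # Wrapper around "netdom computername <computer> <option>" that fails loudly.
    param([string]$Computer, [string]$Option)
    & netdom.exe computername $Computer $Option
    if ($LASTEXITCODE -ne 0) {
        throw "netdom computername $Computer $Option failed with exit code $LASTEXITCODE"
    }
}

function Start-DcRename {
    # Phase 1 (before the reboot): register the new name as an alternate, which also
    # creates its DNS records and HOST/ SPNs, then make it the primary name.
    Invoke-NetdomComputerName -Computer $OldFqdn -Option "/add:$NewFqdn"
    Invoke-NetdomComputerName -Computer $OldFqdn -Option "/makeprimary:$NewFqdn"
    Write-Host 'Reboot the domain controller, then run Complete-DcRename.'
}

function Complete-DcRename {
    # Phase 2 (after the reboot): check DNS entries and SPNs for every name, confirm
    # the primary name really changed, and only then drop the old one.
    Invoke-NetdomComputerName -Computer $NewFqdn -Option '/verify'
    $primary = & netdom.exe computername $NewFqdn /enumerate:PrimaryName
    if (-not ($primary -match [regex]::Escape($NewFqdn))) {
        throw "primary name is not $NewFqdn yet; not removing $OldFqdn"
    }
    Invoke-NetdomComputerName -Computer $NewFqdn -Option "/remove:$OldFqdn"
}

function Repair-DhcpSearchSuffix {
    # Every scope still handing out the old root as option 015 gets the new one.
    foreach ($scope in Get-DhcpServerv4Scope) {
        $current = Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 15 `
                   -ErrorAction SilentlyContinue
        $suffix = if ($current) { $current.Value -join ' ' } else { '' }
        if ($suffix -ne $NewDns) {
            Set-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -DnsDomain $NewDns
            Write-Host "scope $($scope.ScopeId): 015 DNS Domain Name '$suffix' -> '$NewDns'"
        }
    }
}

# Usage: Start-DcRename; reboot the DC; Complete-DcRename; Repair-DhcpSearchSuffix.
```

The /verify and /enumerate:PrimaryName checks are the reason to script this rather than type it: /remove of the old name is only safe once the new name is primary and has its own SPNs, otherwise Kerberos authentication to the controller breaks. Anything that pinned the controller by its old name also needs a look afterwards, for example a certificate issued to the old FQDN for LDAPS no longer matches the name clients connect to.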

I've omitted a few steps that are required for those with multiple domain controllers, those who are renaming the NetBIOS domain name, and/or those who are renaming the leaf computer name of the domain controller, so follow the links above if you have a more complex migration situation, as this'll probably be incomplete.

Strangely enough, without rebooting any clients, they all immediately became a member of the "new" domain (technically the same AD domain, with a new root FQDN), and their fully qualified computer names updated as well. I'll consider myself impressed.