StupidIT

DOMAIN RENAME

11/23/19 - activedirectory,windows,kb

Foreword:

Steps:

  1. From the Control System, install the following RSAT tools:
    • RSAT: Active Directory Domain Services and Lightweight Directory Services Tools
    • RSAT: DNS Server Tools
    • RSAT: Group Policy Management Tools
  2. Go to Control Panel > Admin Tools
    1. Open the DNS Management tool, connect to the Domain Naming Operations Master DC
      • FSMO role owners can be verified with
        netdom query fsmo
    2. In DNS Management:
      1. Expand the connected server, and the Forward Lookup Zones
      2. Right-click Forward Lookup Zones, and click New Zone
      3. Walk through the New Zone Wizard with these settings:
        1. Primary Zone, Store the zone in Active Directory (default)
        2. To all DNS servers running on domain controllers in this domain (default)
        3. Enter your new domain name under Zone Name
        4. Allow only secure dynamic updates (default)
        5. Click Finish
      4. Your new Zone will show up next to your current/old one. Expanding it will show that it is mostly empty, aside from the SOA and NS records.
  3. Open an elevated Command Prompt
    1. CD to a convenient path or folder, creating it first if necessary
      • In my example, I used
        c:\rendom\
    2. Run:
      rendom /list
      • This will generate a file in the directory the Command Prompt was in when the command was executed.
    3. Open the generated file, Domainlist.xml, and change all references from the old domain name and NetBIOS name to the new ones. Save your changes.
    4. Run:
      rendom /showforest
      • This will verify the format of the file is correct, and what will be changed.
      • At this point, nothing will be changed.
    5. Run:
      rendom /upload
      • This will upload the changes to the Domain Naming Operations Master, and will then begin replication to all DCs.
      • rendom will generate files in the same directory where Domainlist.xml was created, i.e. where you are running the command from. You can follow the status of the DCs in the file DcList.xml. At this point, they should show as Initial.
      • Replication can be forced with:
        repadmin.exe /syncall /d /e /P /q DomainNamingMaster-Hostname
    6. Run:
      rendom /prepare
      • This will prepare the domain controllers in the forest.
      • Verifying DcList.xml, their state should reach Prepared before continuing.
      • In a 2 DC domain, this step took less than 15 seconds.
      • If you ran the command too soon, and one of the DCs comes back with error 1753, then you tried before changes were fully replicated to the other servers. Just wait a little bit, maybe verify the state of the other DCs with DcList.xml, then try again.
  4. Do NOT move to the next step until you are absolutely ready.
    • This WILL freeze domain activity, such as new GPOs, new DCs, new users, etc.
    • It is possible to roll back without a full migration, but you have to reach the /end command before you can come back, safely.
  5. Run:
    rendom /execute
    • The DCs will automatically reboot once /execute has finished.
    • You must wait for the DCs to come back up before continuing to the next step.
    • Reviewing DcList.xml should now show the statuses as Done.
  6. Log into all DCs, ensuring you’re using the NEW domain name
    • You may notice, when reviewing the System Properties of the DC, that it is still named using the old domain name, while the new domain name is showing appropriately under the Domain field. This is normal, due to how the DCs hold the domain name, and will be addressed further down the list.
    • At this point, you can verify in AD Users and Computers that everything is showing under the new domain name, including default suffixes.
    • GPOs will not be working at this point.
  7. Reboot your Control System.
    1. On the login screen, ensure you log in using the new domain name.
    2. Verify in System Properties that the Control System has detected the new domain name, and has updated.
    3. Reboot your Control System a second time.
    4. After logging back in, ping the domain name to verify resolution.
      • If you get an error during the second login about the security database, wait a moment and try again.
  8. On your Control System, in an elevated Command Prompt:
    1. Domain:
      gpfixup /olddns:old.local /newdns:new.zone
    2. NetBIOS:
      gpfixup /oldnb:OLDNET /newnb:NEWBIOS
    3. Replication can be forced with
      repadmin.exe /syncall /d /e /P /q DomainNamingMaster-Hostname dc=new,dc=zone
  9. On the DCs:
    • One at a time, update the hostname for the DCs to reflect the new domain, and reboot. Don’t do this from the GUI, as it’s not recommended.
    • netdom computername dc0.old.local /add:dc0.new.zone
    • netdom computername dc0.old.local /makeprimary:dc0.new.zone
    • As you do this, you may notice the DCs beginning to show up in DNS Management under the new domain name in Forward Lookup Zones
    • When logging back into the DCs after this rename, verify the domain in System Properties
  10. After the DCs have been renamed, rebooted, logged back in, and GPOs fixed, it is time to catch the rest of the domain members up. Each device will have to be rebooted and logged in under the new domain name TWICE
    • On first reboot and login, the system picks up the new domain name and renames itself.
    • On the second reboot and login, it will properly register with AD
    • A quick ping to the domain name after the second login can help force DNS to see the client system.
  11. Only AFTER all the devices have been verified under the new domain name, continue to the next step.
    • If systems are missed, they will manually have to be connected to the new domain.
  12. On the Control System in an elevated Command Prompt:
    • Run:
      rendom /clean
      • This will remove references to the old domain, and unfreeze Active Directory.
      • Once this is done, any missed systems will need to be manually joined to the new domain
  13. In DNS Management, you can now delete the old Zone.
  14. If AD Connect/DirSync was uninstalled prior to this, reinstall and reconfigure it to point to the same OUs as before. Verify that the user accounts still have the appropriate domain listed; the accounts themselves are tied to an anchor ID within their attributes.
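Two of the steps above are easy to get wrong by hand: editing every DNS and NetBIOS reference in Domainlist.xml (step 3.3), and watching DcList.xml until every DC reaches Initial, Prepared or Done before running the next rendom command (steps 3.5, 3.6 and 5). The PowerShell below is an added example, not part of the original post and not a Microsoft tool. It assumes the layouts rendom writes: Domainlist.xml as Forest/Domain elements with DNSname and NetBiosName children, and DcList.xml as DcList/DC elements with Name, State, LastError and FatalError children; check those against your own files before trusting it. The paths and names in the usage lines are the placeholders from this post.

```powershell
# Added example (not from the original post). Helpers for the two rendom control files.
# Assumed layouts (verify against your own files):
#   Domainlist.xml : <Forest><Domain><Guid/><DNSname/><NetBiosName/><DcName/></Domain>...</Forest>
#   DcList.xml     : <DcList><DC><Name/><State/><LastError/><FatalError/></DC>...</DcList>

function Update-RendomDomainList {
    # Swaps the old DNS suffix and NetBIOS name for the new ones in every <Domain> entry,
    # including the DomainDnsZones/ForestDnsZones application partitions, which only share
    # the suffix. Returns the number of values changed so you can sanity-check the count.
    param(
        [Parameter(Mandatory)] [string] $Path,        # e.g. C:\rendom\Domainlist.xml
        [Parameter(Mandatory)] [string] $OldDns,      # e.g. old.local
        [Parameter(Mandatory)] [string] $NewDns,      # e.g. new.zone
        [Parameter(Mandatory)] [string] $OldNetBios,  # e.g. OLDNET
        [Parameter(Mandatory)] [string] $NewNetBios   # e.g. NEWBIOS
    )
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep the untouched /list output
    [xml] $doc = Get-Content -LiteralPath $Path -Raw
    $changed = 0
    foreach ($domain in @($doc.Forest.Domain)) {
        $dns = [string] $domain.DNSname
        # Match only a trailing ".old.local" or the bare "old.local" (case-insensitive), never a
        # coincidental substring, so a partition such as ForestDnsZones.old.local keeps its prefix.
        if ($dns -and $dns -imatch "(^|\.)$([regex]::Escape($OldDns))$") {
            $domain.DNSname = $dns.Substring(0, $dns.Length - $OldDns.Length) + $NewDns
            $changed++
        }
        if ($domain.NetBiosName -and ([string] $domain.NetBiosName) -ieq $OldNetBios) {
            $domain.NetBiosName = $NewNetBios
            $changed++
        }
    }
    $doc.Save($Path)
    return $changed
}

function Get-RendomDcState {
    # One object per DC from DcList.xml: State moves Initial -> Prepared -> Done, or Error.
    param([Parameter(Mandatory)] [string] $Path)   # e.g. C:\rendom\DcList.xml
    [xml] $doc = Get-Content -LiteralPath $Path -Raw
    foreach ($dc in @($doc.DcList.DC)) {
        [pscustomobject]@{
            Name       = [string] $dc.Name
            State      = [string] $dc.State
            LastError  = [string] $dc.LastError
            FatalError = [string] $dc.FatalError
        }
    }
}

function Wait-RendomDcState {
    # Re-reads DcList.xml until every DC reports $Expected. Returns $true when they all do,
    # $false on timeout or as soon as any DC reports an error (for example the 1753 case the
    # post describes, where the fix is to let replication finish and rerun the rendom step).
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('Initial', 'Prepared', 'Done')] [string] $Expected,
        [int] $TimeoutSeconds = 300,
        [int] $PollSeconds = 10
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $dcs = @(Get-RendomDcState -Path $Path)
        $dcs | Format-Table -AutoSize | Out-String | Write-Host
        $failed = @($dcs | Where-Object { $_.State -eq 'Error' -or $_.FatalError -ne '0' })
        if ($failed.Count -gt 0) {
            Write-Warning ("rendom reported errors on: " + ($failed.Name -join ', ') +
                           ". Check replication, then rerun the rendom step.")
            return $false
        }
        $pending = @($dcs | Where-Object { $_.State -ne $Expected })
        if ($pending.Count -eq 0) { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Timed out; still not '$Expected': $($pending.Name -join ', ')"
    return $false
}

# Usage with the placeholder names from this post (run from the same folder as rendom):
#   Update-RendomDomainList -Path C:\rendom\Domainlist.xml -OldDns old.local -NewDns new.zone `
#       -OldNetBios OLDNET -NewNetBios NEWBIOS
#   Wait-RendomDcState -Path C:\rendom\DcList.xml -Expected Prepared   # after rendom /prepare
#   Wait-RendomDcState -Path C:\rendom\DcList.xml -Expected Done       # after rendom /execute
```

The update function deliberately anchors the match at the end of the name rather than doing a blind find-and-replace, and leaves the Guid elements alone, since rendom uses the GUID, not the name, to identify each partition. Because DcList.xml is rewritten by rendom itself, the wait function only reads it; the decision to rerun /prepare or /execute stays with you.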
