Friday, September 28, 2012

Domain Rename in Windows2003/2008

Prerequisites for a domain rename in a simple single-domain forest on Windows Server 2003/2008:
  • Enterprise Administrator credentials are required.
  • The domain should be well formed and healthy. Run dcdiag /q and repadmin /replsum, and fix any reported errors before you proceed. Running gpotool checks that all Group Policy objects are consistent across DCs.
  • The forest functional level must be Windows Server 2003 or 2008, and all DCs must be running at least Windows Server 2003.
  • A DNS zone for the new domain must be in place.
The Rendom and Gpfixup tools must be copied to a domain member workstation (the control station) and run from there. Do not initiate the rename operations from a domain controller.
See the TechNet link below for details on requirements if you’re using DFS redirection, roaming profiles, running a CA, or Exchange Server.
The domain rename is performed using the Rendom tool. On Windows Server 2008, rendom.exe and gpfixup.exe are installed with the AD DS role (dcpromo); on Windows Server 2003 they are a separate download (the Domain Rename Tools). Once this process is started, you must ensure that no changes are made to the forest configuration (such as adding or removing domains or domain controllers) until it is complete. The steps are as follows.
1.       To generate the current forest description file
Run “rendom /list” to generate a state file named Domainlist.xml. This file contains the current forest configuration.
2.       To edit the domainlist.xml file
Using a simple text editor such as Notepad, edit the state file, changing the <DNSname> and <NetBiosName> fields of the domain to the desired values for the new domain name. The DomainDnsZones and ForestDnsZones application partitions are also listed in the file with the old DNS name as their suffix; change those <DNSname> entries as well, and leave every <Guid> untouched.
3.       To review the new forest description in domainlist.xml
Run “rendom /showforest” to show the potential changes; this step does not actually make any changes.
4.       To generate the domain rename instructions and upload them to the domain naming master
Run “rendom /upload” to upload the rename instructions to the configuration directory partition on the domain controller holding the domain naming operations master role. The instructions are then replicated to all other DCs in the forest. Once they have replicated to every DC, the rename instructions are ready to be carried out. You can force replication by running the “repadmin /syncall” command.
5.       To verify the readiness of domain controllers in the forest
Run “rendom /prepare” to verify the readiness of each domain controller in the forest to carry out the rename instructions. This must contact all DCs successfully and return no errors before you proceed.
6.       To execute the domain rename instructions on all domain controllers
Run “rendom /execute”. This re-verifies the readiness of all DCs, then performs the rename action on each one. There will be a service interruption during this period, and the domain controllers are rebooted on completion. If an error occurs on a DC during this phase, the transaction is rolled back. Any DC that does not complete successfully after this phase must be demoted and removed from service.
7.       To fix up Group Policy in every renamed domain
Run “gpfixup” to refresh all intradomain references and links to Group Policy objects. For example, with placeholders in angle brackets and the page's sample NetBIOS names:
gpfixup /olddns:<old-dns-name> /newdns:<new-dns-name> /oldnb:xyz /newnb:abc /dc:<dc-name>
8.       Reboot client computers and member servers twice to pick up the new domain name.
Because the GUIDs of the domain remain the same during the rename process, domain membership is not affected. The DNS suffix of the client machines will also be updated, provided the default option “Change primary DNS suffix when domain membership changes” is enabled.
9.       To perform attribute clean up after domain rename
Run “rendom /clean” to remove references to the old domain name from Active Directory.
10.   To unfreeze the forest configuration
Run “rendom /end” to unfreeze the forest configuration and allow further changes. It was frozen during the rendom /upload step.
Should you have problems with clients recognizing the new domain name, you can remove them by running “netdom remove <machine-name> /Domain:<old-domain> /Force”, rebooting, and then rejoining the new domain. Once the rename is complete, there is one final change required on the domain controllers. The DNS suffix of a DC is not changed as part of this process and must be changed manually (Microsoft's documented method is netdom computername with /add, /makeprimary and then /remove, rebooting the DC in between), otherwise the DCs will carry a DNS suffix that differs from the AD domain name.
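The following PowerShell script is an added example, not part of the original post: it runs the pre-flight checks from the prerequisites list and the first three rendom steps (list, edit Domainlist.xml, showforest) for a single-domain forest, then stops so the operator can review the output before “rendom /upload”. It assumes rendom.exe, dcdiag.exe and repadmin.exe are on the PATH of the member workstation, that rendom returns a non-zero exit code on failure (my assumption; read its console output as well), and that repadmin /replsum reports failures with an error code in parentheses (a heuristic). The names xyz.local/abc.local and XYZ/ABC are constructed placeholders.

```powershell
# Added example (not from the original post): pre-flight checks plus
# rendom /list, Domainlist.xml edit and rendom /showforest.
param(
    [string]$OldDns = "xyz.local",   # constructed placeholder
    [string]$NewDns = "abc.local",   # constructed placeholder
    [string]$OldNb  = "XYZ",         # constructed placeholder
    [string]$NewNb  = "ABC",         # constructed placeholder
    [string]$DomainList = (Join-Path (Get-Location) "Domainlist.xml")
)

function Test-ControlStation {
    # Must be a domain member, not a DC (Win32_ComputerSystem.DomainRole 4/5 = DC).
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    if ($role -ge 4) { throw "Run the rename from a domain member, not a DC (DomainRole=$role)." }

    # Forest functional level must be Windows Server 2003 or later, no interim mode.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $okModes = @("Windows2003Forest", "Windows2008Forest", "Windows2008R2Forest")
    if ($okModes -notcontains $forest.ForestMode.ToString()) {
        throw "Forest functional level is $($forest.ForestMode); raise it first."
    }

    # dcdiag /q prints only errors, so any output at all means the forest is not clean.
    $diag = & dcdiag.exe /q 2>&1
    if ($diag) { throw "dcdiag /q reported problems:`n$($diag -join "`n")" }

    # Heuristic (assumption): repadmin /replsum marks failures with "(<code>) <message>".
    $repl = & repadmin.exe /replsum 2>&1
    if ($repl -match '\(\d+\)') { throw "repadmin /replsum shows replication errors:`n$($repl -join "`n")" }
}

function Update-DomainList {
    param([string]$Path, [string]$OldDns, [string]$NewDns, [string]$OldNb, [string]$NewNb)
    $full = (Resolve-Path $Path).Path          # XmlDocument.Save needs an absolute path
    Copy-Item -Path $full -Destination "$full.bak" -Force
    [xml]$doc = Get-Content -Path $full

    $guidsBefore = @($doc.Forest.Domain | ForEach-Object { $_.Guid }) -join ","
    $changed = 0
    foreach ($d in @($doc.Forest.Domain)) {
        $dns = [string]$d.DNSname
        if ($dns -ieq $OldDns) {
            # The domain partition itself: both DNS and NetBIOS names change.
            $d.DNSname = $NewDns
            if (([string]$d.NetBiosName) -ieq $OldNb) { $d.NetBiosName = $NewNb }
            $changed++
        } elseif ($dns -imatch ('\.' + [regex]::Escape($OldDns) + '$')) {
            # Application partitions (DomainDnsZones.*, ForestDnsZones.*) carry the
            # old DNS name as a suffix and are easy to forget; replace only the suffix.
            $d.DNSname = $dns.Substring(0, $dns.Length - $OldDns.Length) + $NewDns
            $changed++
        }
    }
    if ($changed -eq 0) { throw "No partition named $OldDns in $full; check the old DNS name." }

    # Safety check: the rename must never touch partition GUIDs.
    $guidsAfter = @($doc.Forest.Domain | ForEach-Object { $_.Guid }) -join ","
    if ($guidsBefore -ne $guidsAfter) { throw "Partition GUIDs changed; refusing to save." }

    $doc.Save($full)
    return $changed
}

Test-ControlStation

& rendom.exe /list                               # writes Domainlist.xml to the current directory
if ($LASTEXITCODE -ne 0) { throw "rendom /list failed with exit code $LASTEXITCODE" }

$n = Update-DomainList -Path $DomainList -OldDns $OldDns -NewDns $NewDns -OldNb $OldNb -NewNb $NewNb
Write-Host "Updated $n partition name(s) in $DomainList (backup: $DomainList.bak)"

& rendom.exe /showforest                         # read-only preview of the planned rename
if ($LASTEXITCODE -ne 0) { throw "rendom /showforest failed with exit code $LASTEXITCODE" }
Write-Host "Review the forest description above. If it is correct, continue manually with rendom /upload, /prepare and /execute."
```

The script deliberately stops before “rendom /upload”, which freezes the forest configuration; the remaining steps are run by hand after the showforest output has been checked. The GUID comparison is the main guard: a mistyped edit that alters a <Guid> would make the uploaded instructions refer to a partition that does not exist.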
For further details on renaming Server 2008 domains, reference this TechNet article:

Original Post: