AD DS in Windows Server 2008 R2 gives domain designers the flexibility to
rename their domain namespace and/or splice domains in a forest to
different locations within a forest. This capability gives AD DS great
new functionality because design changes can be made in response to
corporate mergers or organizational changes.
Domain rename supports
renaming either the AD DS namespace (for example, companyabc.com) or the
NetBIOS (legacy NT) domain name or both. The procedure is a rather
brute-force process, however, and should not be considered to be a
routine operation.
The domain rename functionality in Windows Server 2008 R2 is mainly a
psychological factor because the prerequisites for deploying domain
rename make it unlikely to be widely performed, at least in the initial
stages of Windows Server 2008 R2 adoption.
Domain rename offers long-term answers to the previous barriers to AD DS
adoption, which revolved around the fact that organizations did not
want to be locked in to any decisions that could not be changed. Because
a Windows 2000 AD DS namespace decision was irreversible, this
effectively put many decision makers on edge, as they did not want to
“paint themselves into a corner,” so to speak. Domain rename removes
this stipulation and makes AD DS adoption much more palatable to
decision makers within an organization.
Domain Rename Limitations
Domain rename has several
limitations. It is important to understand the following restrictions
before considering a domain rename operation:
Cannot reduce the number of domains in a forest—
The domain rename tool cannot be used to drop additional domains from a
forest. For example, if a forest is composed of four domains, there
must be four domains remaining after the procedure is complete. This
type of domain consolidation role can be performed only through the use
of other tools, such as the Active Directory Migration Tool.
The current root domain cannot be demoted—
Although the domain rename tool can splice and transplant domains from
one portion of an AD DS namespace to another, it cannot fundamentally
change the root domain in a tree. A root domain can be renamed, however.
Cannot transfer current domain names in one cycle—
A production domain cannot be named the same as another production
domain that exists in a forest. You need to run the domain rename
procedure twice to achieve this type of desired functionality.
Outlining Domain Rename Prerequisites
In addition to the
limitations of the domain rename tool, specific prerequisites for domain
rename must be met before a domain can be renamed. These prerequisites
are as follows:
The entire forest must be at least Windows Server 2003 functional level—
All domain controllers in the domain must be first upgraded or replaced
with Windows Server 2003, 2003 R2, 2008, or 2008 R2 and the forest
functional level raised to at least Windows Server 2003 functional
level.
New DNS zones must be created—
The DNS server(s) for a domain must have a zone added for the new
domain namespace to which the domain will be renamed. The exception is
if the domain rename procedure will be renaming only the NetBIOS domain
name.
Domain rename must run from a console server—
A member Windows Server 2008 R2 computer (not a domain controller) must
serve as the console server for the domain rename procedure. All domain
rename operations are run from this one box.
Shortcut trust relationships might need to be created—
Any domains that will be “spliced” into a new location in the AD DS
forest will need to have a shortcut trust established between itself and
the parent domain where it will be transplanted.
Renaming a Domain
The
domain rename procedure, from the back end, is not extremely complex.
Most of the barriers to domain renaming, aside from the limitations and
prerequisites listed in the preceding section, come in the form of the
disruption to the forest that is caused by the reboots applied to all
the computers in the forest.
After the prerequisites
have been satisfied, the domain rename process can proceed. The entire
domain rename process is accomplished through six basic steps. As
previously mentioned, however, this routine is rather harsh on the
network because it causes downtime to a network infrastructure and
should not be considered to be a common operation.
Step 1: List Current Forest Description
The tool used for domain
rename is known as Rendom. Rendom has several flags that are used in
import and export operations. The first procedure run from the console
server is rendom /list, which locates the domain controllers for a
domain and parses all domain-naming information into an XML document
named Domainlist.xml.
This XML document can easily
be modified by any text editor such as Notepad and, as will become
evident, is central to the domain rename procedure.
Step 2: Modify Forest Description with New Domain Name(s)
The XML file generated by
the /list flag must be modified with the new domain-naming information.
For example, if CompanyABC is changing its name to CompanyXYZ, all
references to companyabc in the XML list are changed to companyxyz. This
includes the NetBIOS and DNS names.
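As an added illustration of Step 2 (this is not code from the book or from the Rendom tool), the following Python script rewrites a Domainlist.xml in the way the text describes: every DNS name under the old suffix, including application partitions such as DomainDnsZones, moves to the new suffix and the NetBIOS name is swapped, while Guid and DcName are left exactly as rendom /list wrote them. The element names and the sample file are assumptions, since the page does not show the file layout; the collision check enforces the limitation stated earlier that a name already in use by another domain cannot be taken in the same rename cycle.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape rendom /list is assumed to write to Domainlist.xml.
SAMPLE_DOMAINLIST = """<?xml version="1.0"?>
<Forest>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>11111111-1111-1111-1111-111111111111</Guid>
    <DNSname>DomainDnsZones.companyabc.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <Guid>22222222-2222-2222-2222-222222222222</Guid>
    <DNSname>companyabc.com</DNSname>
    <NetBiosName>COMPANYABC</NetBiosName>
    <DcName>dc1.companyabc.com</DcName>
  </Domain>
</Forest>
"""


def rename_forest(xml_text, old_dns, new_dns, old_netbios, new_netbios):
    """Return (rewritten XML text, list of (old, new) DNS name changes).

    Only DNSname and NetBiosName are edited. Guid identifies the existing
    partition and DcName is the controller rendom contacts, so both are
    preserved untouched; comments are kept so the file stays as generated.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    in_use = {d.findtext("DNSname", "").lower() for d in root.iter("Domain")}
    changes = []
    for domain in root.iter("Domain"):
        dns = domain.find("DNSname")
        if dns is not None and dns.text and dns.text.lower().endswith(old_dns.lower()):
            new_name = dns.text[: -len(old_dns)] + new_dns
            # A target name already held by another domain cannot be
            # transferred in one rename cycle; refuse rather than upload it.
            if new_name.lower() in in_use:
                raise ValueError(f"{new_name} is already a domain name in this forest")
            changes.append((dns.text, new_name))
            dns.text = new_name
        nb = domain.find("NetBiosName")
        if nb is not None and nb.text and nb.text.upper() == old_netbios.upper():
            nb.text = new_netbios
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode"), changes
```

Review the returned change list before running rendom /upload; an empty list means the old suffix was not found and nothing should be uploaded.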
Step 3: Upload Rename Script to DCs
After the XML document is
updated with the new domain information, it can be uploaded to all
domain controllers in a forest through the use of the rendom /upload
command. This procedure copies the instructions and new domain
information up to all domain controllers within a forest.
Step 4: Prepare DCs for Domain Rename
Domain rename is a thorough process because it is absolutely necessary
that all domain controllers in a forest receive the update information.
It is, therefore, necessary to run rendom /prepare to initiate a
preparation process that checks whether every single domain controller
listed in AD DS responds and signifies that it is ready for the
migration. If any domain controller fails to respond, the prepare
function fails and must be restarted. This precaution exists to keep
domain controllers that are powered down, or not accessible across the
network, from coming up at a later time and attempting to service
clients on the old domain name.
Step 5: Execute Domain Rename Procedure
After all domain
controllers respond positively to the prepare operation, you can
initiate the actual domain rename by running the rendom /execute command
from the console server. Before the execute command is run, there are
actually no changes made to the production environment. However, as the
command is run, all domain controllers execute the
changes and automatically reboot. You then must establish a method of
rebooting all member servers, workstations, and other client machines
and then reboot them all a second time to ensure that all services
receive the domain-naming change.
Step 6: Post-Rename Tasks
The final step in the Rendom
task is to run the rendom /clean operation, which will remove temporary
files created on the domain controller and return the domain to a normal
operating state.
In addition to the
cleanup tasks, you need to effectively rename each domain controller, to
change its primary DNS suffix. Each domain controller needs to go
through this operation, which you run via the netdom command-line
utility. The following steps outline the renaming of a domain
controller:
1. Open a Command Prompt window (choose Start, Run, and then type cmd.exe).
2. Type netdom computername OldServerName /add:NewServerName.
3. Type netdom computername OldServerName /makeprimary:NewServerName.
4. Restart the server.
5. Type netdom computername NewServerName /remove:OldServerName.
You run all the preceding
commands from the command line. Replace the generic designators
OldServerName and NewServerName with the entire DNS name of the old
server and the new server, such as server1.companyabc.com and server1.companyxyz.com.