Old 10-27-2004, 10:46 AM   #5 (permalink)
bendsley
Professional Loafer
 
 
Location: texas
Quote:
OK, it can be done, but a better question is why would you want to change it?
Why a Domain Rename? Good question Watson!

There are several reasons why a domain rename is necessary. Some examples:

* Fear of making irreversible decisions about domain names and forest structure
* Delay any deployment while striving for “perfect” forest structure and domain names
* Changes in geography
* DNS structure change
* Unforeseen business dynamics necessitating domain name changes
* Company merger or acquisition
* Business unit reorganization

The Windows Server 2003 Active Directory Domain Rename Tool (RENDOM) provides a supported methodology to rename one or more domains in an Active Directory forest. The DNS name and the NetBIOS name of a domain can be changed using the domain rename procedure. Note that implementing domain rename is a complex undertaking that requires thorough planning and a good understanding of the domain rename procedure.

Supported Operations

The following operations are supported by RENDOM:

* Rename the DNS name of a domain
* Rename the NetBIOS name of a domain
* Restructure a domain
* Move any non-root domain under a new parent domain in the same forest
* Move any non-root domain to a new tree in the same forest
* Simple rename without repositioning any domains in the forest structure
* Create a new domain-tree structure by repositioning domains within a tree
* Create new tree

Limitations

No good product is without limitations and drawbacks. It is not possible to do all renaming operations with RENDOM. The following limitations exist:

* The forest root domain is the root of one of these trees
* Forest must be well formed after the domain rename operation
* The DNS names of the domains comprising the forest form one or more trees
* Cannot have a domain whose domain name is subordinate to the domain name of an Application Directory Partition root
* The forest root domain can be renamed, but must remain the forest root

Requirements for domain rename

* Windows Server 2003 forest functional level
* Account must be a member of the Enterprise Administrators group
* A single computer running any edition of Windows Server 2003 that is to be used as the control station during a domain rename operation
* Latest domain rename tools published at the domain rename Web site: http://go.microsoft.com/fwlink/?LinkId=5585
* DFS root servers running a minimum of Windows 2000 SP3 or later

Error Message of RENDOM when the Forest functional level is not Windows 2003



The domain rename Tool

Rendom.exe is the command-line utility for renaming domains in Windows Server 2003 forests. Rendom is used to carry out the multiple steps in the domain rename procedure. You precede the domain rename process by using Rendom to prepare a list of domains in the forest. You begin the domain rename process by using Rendom to generate a script (Forest description file) that contains the instructions for renaming domains in the forest. You use Rendom again to verify that all DCs are adequately prepared (RENDOM /PREPARE) to make the necessary updates to rename the domains. Finally, you use Rendom to execute (RENDOM /EXECUTE) the actual domain rename instructions on every DC. Following the domain rename procedure, you use Rendom to remove all metadata written to the directory by the domain rename operation.

You can download the domain rename Tools here: http://www.microsoft.com/windowsserv...ainrename.mspx

Attention:
The RENDOM.EXE tool from the web doesn’t work with Exchange installed. Use the version from the Windows 2003 CD. An updated version of RENDOM.EXE is suspected in the future.

The installation of RENDOM is simple.

Double-click DOMAINRENAME.EXE. The process extracts two files:

* RENDOM.EXE
* GPFIXUP.EXE

Rendom has several command line switches:


The Domain Rename State File


As a result of the first command (RENDOM /LIST) you issue to begin the domain rename process, Rendom creates an XML file called the state file, which contains the list of all DCs in the forest. As DCs progress through the various steps in the procedure, Rendom updates the state file to track the state of each DC relative to the completion of the domain rename process.

As you perform each step in the domain rename operation, Rendom automatically updates the state file. By monitoring the states of completion of each DC in the state file, you receive the information you need to issue the next Rendom command in the sequence. You can edit the state file to temporarily exclude some DCs from the domain rename procedure.

Current Domain Names — Generating the Forest Description File

The RENDOM /LIST command generates the current forest description and writes it to an output file (DOMAINLIST.XML) using an XML-encoded structure. This file contains a list of all domains and application directory partitions in the forest, along with the corresponding DNS and NetBIOS names.

Each domain and application directory partition is also identified by a globally unique identifier (GUID), which does not change with domain rename. To simplify specifying the new forest structure, Rendom gathers and compiles the current forest structure automatically such that the new forest structure can be overlaid on top of it.

Simply replace the old ForestDNSZones and DomainDNSZones names with the new domain name. You can (but need not) change the NetBIOSName. For large organizations I recommend using the search and replace function of your editor.

GPFIXUP

When the DNS name of a domain changes, any references to Group Policy Objects (GPOs) within the renamed domain through Group Policy links (the gpLink attribute) on sites, domains, and organizational units are rendered invalid because they are based on the old domain name. Furthermore, the optional attribute gpcFileSysPath on a GPO that holds a uniform naming convention (UNC) path to a Group Policy templates folder located in the sysvol volume of the renamed domain will also be rendered invalid because the path uses the old domain DNS name. To correct the severed Group Policy links and the invalid UNC paths in GPOs within the renamed domain, you can use the Group Policy fix-up tool gpfixup.exe to refresh the Group Policy links and the UNC paths in GPOs based on the new domain name.

The Group Policy fix-up tool should be run once for every renamed domain soon after the actual domain rename operation has been completed and before another domain rename operation is performed.

The fix-up tool gpfixup refreshes all intradomain GPO references/links (that is, where the link and the target GPO are within the same domain) in the renamed domain. However, cross-domain references to GPOs in the renamed domain, where the link is in a different domain from the domain containing the GPO, will not be automatically rebuilt by this tool. For them to work, these cross-domain links will need to be repaired manually by deleting the old Group Policy links and re-establishing new links.

Preparatory Steps

It is not possible to explain every preparatory step. For a detailed description see the domain rename white paper.

* Verify application and service compatibility
* Verify domain controller and replication health (Keyword: REPADMIN, DCDIAG, REPLMON)
* Prepare trusts (Keyword: Create trusts as necessary)
* Prepare DNS zones Publishing (Keyword: Two Sets of Locator SRV Resource Records in DNS)
* Prepare domain-based DFS paths (Keyword: DFS RootTarget)
* Prepare PKI (Keyword: CDP and AIA)
* Prepare member computers for host name changes
* Communicate with the user base (Keyword: inform every user before and after domain rename)

WARNING:
Rendom.exe tool versions before version 1.2 did not detect Exchange 2000 and incorrectly permitted domain rename operations. The current version when I wrote this article was version 1.3.

The RENDOM.EXE tool from the web doesn’t work with Exchange installed. Use the version from the Windows 2003 CD. An updated version of RENDOM.EXE is suspected in the future.

Procedures of the Original Windows Server 2003 domain rename tool

--Step 1
*Back up all domain controllers

--Step 2
*Set up the control station

--Step 3
*Generate the current forest description (rendom /list)

--Step 4
*Specify the new forest description

--Step 5
*Generate domain rename instructions (rendom /upload)

--Step 6
*Push domain rename instructions to all domain controllers and verify DNS

--Step 7
*Verify readiness of domain controllers (rendom /prepare)

--Step 8
*Execute domain rename instructions (rendom /execute)

--Step 9
*Unfreeze the forest configuration

--Step 10
*Re-establish external trusts

--Step 11
*Fix Distributed file system (Dfs) topology

--Step 12
*Fix group policy objects and links (gpfixup.exe)

After the domain rename procedure
*Verify certificate security after domain rename
*Miscellaneous tasks
*Back up domain controllers
*Restart member computers
*New: Verify the Exchange rename
*New: If applicable, update Active Directory Connector (ADC)
*Attribute clean up after domain rename
*Rename domain controllers (optional)
*New: Domain Controller Rename Follow-Up Steps
----------------------------------------------------------------
Conclusion

As you can see in this article it is not so easy to do a domain rename with Windows 2003 and Exchange 2003.

Note that implementing domain rename is a complex process that requires thorough planning and a good understanding of the domain rename procedure.

I have tested domain rename only in a lab environment and I cannot recommend doing a domain rename in a production environment.

Related Links

*Windows 2003 Domain Rename information

http://www.microsoft.com/windows2000...me/default.asp

http://support.microsoft.com/default...b;EN-US;819145

*Windows 2003 Domain Rename Tools

http://www.microsoft.com/windowsserv...ainrename.mspx

*Exchange Server Domain Rename Fixup

http://www.microsoft.com/downloads/d...displaylang=en

http://support.microsoft.com/?id=838623
__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."

Last edited by bendsley; 10-27-2004 at 10:58 AM..
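
The forest description edit described in the post (replace the old DNS names, leave the GUIDs alone), as an added example that is not part of the original post or of Microsoft's tools. It goes beyond plain search and replace by matching only on DNS label boundaries and by checking an edited file against the original before upload; the element names (Forest, Domain, Guid, DNSname, NetBiosName) and all domain names and GUIDs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the element names are the assumed DOMAINLIST.XML layout.
ROWS = [("00000000-0000-0000-0000-000000000001", "DomainDnsZones.old.example", ""),
        ("00000000-0000-0000-0000-000000000002", "old.example", "OLD"),
        ("00000000-0000-0000-0000-000000000003", "child.old.example", "CHILD"),
        ("00000000-0000-0000-0000-000000000004", "myold.example", "MYOLD")]
SAMPLE = "<Forest>" + "".join(
    f"<Domain><Guid>{g}</Guid><DNSname>{d}</DNSname><NetBiosName>{n}</NetBiosName></Domain>"
    for g, d, n in ROWS) + "</Forest>"

def swap_suffix(name, old, new):
    """Replace old with new only on a DNS label boundary (case-insensitive)."""
    low, old_l = name.lower(), old.lower()
    if low == old_l:
        return new
    if low.endswith("." + old_l):
        return name[:len(name) - len(old)] + new
    return name  # e.g. myold.example is a different tree and stays untouched

def rename_forest(xml_text, old_dns, new_dns, netbios_map=None):
    """Return (edited_xml, [(old_name, new_name), ...]) for the new forest description."""
    root, changed = ET.fromstring(xml_text), []
    for dom in root.iter("Domain"):
        dns = dom.find("DNSname")
        new_name = swap_suffix(dns.text, old_dns, new_dns)
        if new_name != dns.text:
            changed.append((dns.text, new_name))
            dns.text = new_name
        nb = dom.find("NetBiosName")
        if netbios_map and nb is not None and nb.text in netbios_map:
            nb.text = netbios_map[nb.text]  # the NetBIOS rename is optional
    return ET.tostring(root, encoding="unicode"), changed

def _names(xml_text):
    return {d.findtext("Guid"): d.findtext("DNSname")
            for d in ET.fromstring(xml_text).iter("Domain")}

def diff_forest(original_xml, edited_xml):
    """Check an edited file against the original before it is uploaded."""
    old, new = _names(original_xml), _names(edited_xml)
    if old.keys() != new.keys():  # GUIDs identify partitions and must not change
        raise ValueError("GUID set changed: %s" % sorted(old.keys() ^ new.keys()))
    return {g: (old[g], new[g]) for g in old if old[g] != new[g]}

if __name__ == "__main__":
    edited, changed = rename_forest(SAMPLE, "old.example", "new.example", {"OLD": "NEW"})
    print(changed, diff_forest(SAMPLE, edited), sep="\n")
```

Reviewing the output of diff_forest against the planned rename list catches a stray edit to a GUID or to a domain in another tree while the change is still only in a file.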