How to Rename an Active Directory Domain
Changing the name of an Active Directory domain is something few AD administrators have ever done. The domain renaming process itself is fairly straightforward, but needs to be carefully planned so as not to break the entire corporate infrastructure.
The need to change an AD domain name usually arises in the context of a corporate acquisition, rebranding, M&A consolidation of multiple business units.
Preparation for an AD Domain Rename
Before you proceed to change your domain name, check the basic requirements:
- AD schema version at least Windows Server 2003;
- If the domain Certificate Authority (CA) is deployed in domain, make sure it is properly prepared (Prepare certification authorities for domain rename);
- Domains with on-premises Exchange Server (except 2003 versions) are incompatible with domain renaming. Migrating your users, groups, and computers to a new AD forest with Exchange using ADMT is the only solution in this case;
- There are some other Microsoft and non-Microsoft applications that do not support domain renaming renames (check your application’s documentation);
- You need to create a primary DNS zone for the new domain name in your AD;
- If your DFS namespaces, redirected folders, roaming user profiles, etc. are implemented in your infrastructure, gather all the relevant information for them and schedule a migration immediately after the domain name change.
In this post, we will rename an existing contoso.com domain with AD controllers running Windows Server 2019 to theitbros.com.
Note. Be sure to backup your AD before you start renaming your domain.
The first step is to create a primary DNS zone for the new domain on your DNS server:
- Connect to DC and open the DNS Manager console (dnsmgmt.msc);
- Expand the Forward Lookup Zones node;
- Select New zone;
- Create a new primary AD-integrated zone called theitbros.com with enabled Allow only secure dynamic updates option. Wait for the new zone to replicate all the DNS servers in the forest.
Renaming AD Domain Using RenDom Tool
In order to change the AD domain name, you must use the rendom console tool, which is available on any domain controller. The C:\Windows\System32\rendom.exe command allows you to perform all the necessary actions for a domain renaming operation.
Sign-in to the DC and open the command prompt as an administrator.
Run the following command to generate an XML file containing your domain configuration:
rendom /list
Open the Domainlist.xml with notepad:
notepad Domainlist.xml
Use the Edit > Replace option to find the old domain name in the file and replace it with the new one. Manually change the value in the NetBiosName field.
Save the changes to the Domainlist.xml file.
Verify the new configuration (command makes no changes yet):
rendom /showforest
Upload a new configuration file to the DC running the Domain Naming Operations Master FSMO role:
rendom /upload
Wait for the file containing the domain renaming instructions to be replicated to all other domain controllers in the forest. You can force the synchronization of changes made on the Domain Naming Master to all DCs:
repadmin.exe /syncall /d /e /P /q DomainNamingMaster_DC_HostName
This creates a DCclist.xml file that is used to track the progress and status of each domain controller in the forest for the domain rename operation. At this point, the Rendom freezes your Active Directory forest from making any changes to its configuration (such as adding/removing DCs, configuring domain trusts, etc.).
Check if the domain is ready to accept changes (checks the availability of all DCs):
rendom /prepare
If this command returns no errors, you can run the rename operation:
rendom /execute
This command automatically reboots all domain controllers.
All the domain-joined workstations and member servers must be rebooted twice for the changes to take effect. The first reboot allows the domain member to detect the domain change and change the full computer name. The second is used to register the new computer name in the new DNS zone.
Note. If there are any remote computers that connect to your domain via VPN, you will need to unjoin them from the old domain and rejoin the new domain.
Now your users can log on to computers using their old usernames and passwords.
After that, you need to manually rename all domain controllers (they won’t automatically change their names to reflect the new domain).
Use the following command to rename each DC:
netdom computername DC01.contoso.com /add:DC01.theitbros.com netdom computername DC01.contoso.com /makeprimary:DC01.theitbros.com
Reboot the domain controller to apply the changes.
Now you need to rebind the Group Policy Objects to the new domain name:
gpfixup /olddns:contoso.com /newdns:theitbros.com
Then run the command to fix the NetBIOS name of the domain in the GPOs:
gpfixup /oldnb:CONTOSO /newnb:THEITBROS
Remove links to the old domain:
rendom /clean
You can now complete the domain rename and unfreeze the AD forest:
rendom /end
Make sure that the rename was successful. Check if all Active Directory domain controllers can be contacted, users can sign in to the new domain; check if applications work correctly, and check AD replication and errors on DCs.
Now change paths in DFS namespaces, roaming profiles, redirected folders, etc. if used.