Active Directory rename

Anonymous
2025-01-07T23:29:22+00:00

Hello,

Can an AD domain be renamed? It is one forest/domain.

The domain is air-gapped, Server 2022 DCs, and has DNS, NPS, DHCP, CA, DFS, SQL BAG failover cluster, a few printers (using SMB for scan to file), no Exchange, and has Backup Exec, and Splunk querying the domain.

Thanks,

Simion

Accepted answer
    Anonymous
    2025-01-08T02:47:15+00:00

    Hello

    Thanks for posting in Microsoft Community.

    Renaming an Active Directory (AD) domain is a significant operation, and it can be complex and risky. The process involves a lot of changes to the domain and can affect many services, especially if you're running critical infrastructure like DNS, NPS, DHCP, CA, DFS, and monitoring software like Splunk and Backup Exec.

    Here's a breakdown of the process and considerations to help you decide whether or not this is the right path, and how to minimize risks if you do proceed.

    Key Considerations Before Renaming an AD Domain

    Complexity of the Operation:

    Renaming an AD domain is supported in Windows Server 2003 and later, but the process is still not trivial and can be prone to failure if not done correctly.

    It's particularly risky when you have complex services like DNS, NPS, DHCP, Certificate Authority (CA), DFS, and 3rd party applications (e.g., Backup Exec, Splunk) relying on the domain.

    Risk to Critical Infrastructure:

    DNS: Your domain name is tightly integrated with DNS, which is used for internal name resolution, so renaming the domain will require extensive updates to DNS records.

    NPS (Network Policy Server): Renaming the domain could break any NPS policies if they are using domain names or user attributes tied to the original domain name.

    DHCP: DHCP servers will be affected as their lease information is tied to the AD domain.

    Certificate Authority (CA): Renaming the domain could cause issues with certificates issued by the CA, as they are domain-dependent.

    DFS (Distributed File System): DFS will require updates, especially if your DFS namespace or replication is based on the domain name.

    Backup Exec and Splunk: These systems typically depend on the domain name for querying and authentication, so renaming the domain can break integrations or cause them to lose connectivity to the domain.

    Domain Renaming Limitations:

    Renaming a domain will only change the NetBIOS name and DNS name of the domain (i.e., air-gap.local to newdomain.local), not the internal GUIDs and other domain-wide identifiers.

    It will require a forest functional level of at least Windows Server 2003 and ideally Windows Server 2008 or higher.

    Forest root domain renaming is supported but requires special handling because this is a more critical change.

    Steps for Renaming an AD Domain (If You Decide to Proceed)

    If after evaluating the risks and complexities, you decide to proceed with the domain rename, here are the key steps to follow. Always ensure you have a reliable backup of your entire domain before starting, and consider testing this process in a test environment if possible.

    1. Preparation and Backup

    Backup the Active Directory: Use Windows Server Backup or a similar tool to back up the entire domain controller, including system state and any other critical data.

    Ensure Replication: Make sure the domain controllers are fully replicated and healthy.

    Verify and Clean DNS: Make sure DNS is working correctly and that there are no issues that would interfere with the renaming process. A broken DNS can cause domain name resolution issues post-rename.

    2. Review All Dependencies

    Review Applications: List and verify all applications that rely on the domain, such as Backup Exec, Splunk, NPS, DHCP, CA, etc. Ensure they will be compatible with the new domain name. You may need to reconfigure some settings after the domain rename.

    Group Policies: Review Group Policies and check if any settings are reliant on the domain name. For example, mapped drives or security settings that use domain names.

    Service Accounts: Service accounts that may be domain-dependent need to be reviewed. These accounts might need to be updated after the domain rename.

    3. Renaming the Domain

    The domain rename process is done using the rendom tool, which is included in Windows Server.

    Step 1: Prepare the environment:

    Ensure that your forest functional level is at least Windows Server 2003.

    Run rendom /list to generate a domain rename list. This will create a file that lists the current domain name.

    Step 2: Edit the domain rename file:

    Edit the Domainlist.xml file generated by the rendom /list command. Change the old domain name to the new domain name in the file.

    Step 3: Generate the domain rename instructions:

    Run rendom /prepare to prepare the forest for renaming.

    Run rendom /execute to execute the domain rename. This step will apply the new domain name.

    Step 4: Reboot and update DNS:

    After the domain rename, you will need to reboot the domain controllers.

    Manually update any DNS records as needed, including A records, PTR records, and others that may still point to the old domain name.

    4. Post-Rename Tasks

    After renaming the domain, there will be additional steps to ensure everything continues to function:

    Update DNS: Ensure that all DNS records reflect the new domain name.

    Reconfigure Applications: Update settings in services like Backup Exec, Splunk, NPS, DHCP, and CA to reflect the new domain name.

    Recreate Trusts (if any): If your domain has external trusts, those may need to be recreated or adjusted.

    Verify Group Policies: Ensure that all Group Policies are correctly applied and check that no old domain references remain.

    5. Monitor for Issues

    After renaming the domain, keep a close eye on:

    Active Directory replication: Check replication status using repadmin /replsummary to ensure all domain controllers are replicating the new domain name.

    DNS resolution: Make sure all DNS records are properly updated.

    Application logs: Monitor the logs of all dependent services like Backup Exec, Splunk, NPS, etc., to catch any errors caused by the domain rename.

    I hope the above information is helpful to you.

    Best regards

    Runjie Zhai

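The dependency review the answer describes (DNS, SPNs for the SQL cluster, GPO paths, DHCP authorization, forest functional level) can be scripted before touching rendom. This is an added example, not code from the answer or from Microsoft; it assumes the RSAT modules for AD, DNS, Group Policy and DHCP are installed and uses 'air-gap.local' (the name quoted in the answer) as the current domain.

```powershell
# Pre-rename audit: inventory objects that still reference the old domain name.
# Assumed: RSAT modules present; run as a domain admin on a DC or admin workstation.
Import-Module ActiveDirectory, DnsServer, GroupPolicy
Import-Module DhcpServer -ErrorAction SilentlyContinue

$OldFqdn  = 'air-gap.local'                      # assumed current (old) domain name
$Dc       = (Get-ADDomain).PDCEmulator
$OldRegex = [regex]::Escape($OldFqdn)
$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Area, [string]$Object, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Area = $Area; Object = $Object; Detail = $Detail })
}

# rendom requires a forest functional level of Windows Server 2003 or later.
$forest = Get-ADForest
Add-Finding 'Forest' $forest.Name "ForestMode=$($forest.ForestMode)"

# DNS: alias, service, mail and NS records whose data names the old zone must be re-pointed.
Get-DnsServerResourceRecord -ComputerName $Dc -ZoneName $OldFqdn |
    Where-Object { $_.RecordType -in 'CNAME','SRV','MX','NS' } |
    ForEach-Object {
        $data = ($_.RecordData.PSObject.Properties | ForEach-Object Value) -join ' '
        if ($data -match $OldRegex) { Add-Finding 'DNS' $_.HostName "$($_.RecordType) $data" }
    }

# Service accounts: SPNs such as MSSQLSvc/node.air-gap.local:1433 embed the old name,
# as do UPN suffixes; both need verification after the rename.
Get-ADObject -LDAPFilter "(servicePrincipalName=*$OldFqdn*)" -Properties servicePrincipalName |
    ForEach-Object { Add-Finding 'SPN' $_.Name ((@($_.servicePrincipalName) -match $OldRegex) -join ';') }
$upnCount = @(Get-ADUser -LDAPFilter "(userPrincipalName=*@$OldFqdn)").Count
Add-Finding 'UPN' $OldFqdn "$upnCount user(s) carry the old UPN suffix"

# Group Policy: UNC paths like \\air-gap.local\share (mapped drives, scripts, DFS links).
Get-GPO -All | ForEach-Object {
    $report = Get-GPOReport -Guid $_.Id -ReportType Xml
    $hits   = [regex]::Matches($report, '\\\\' + $OldRegex + '\\[^<"]*')
    if ($hits.Count) { Add-Finding 'GPO' $_.DisplayName (($hits.Value | Sort-Object -Unique) -join ';') }
}

# DHCP: servers are authorized in AD by name and address; review the entries after the rename.
if (Get-Command Get-DhcpServerInDC -ErrorAction SilentlyContinue) {
    Get-DhcpServerInDC | Where-Object DnsName -match $OldRegex |
        ForEach-Object { Add-Finding 'DHCP' $_.DnsName "authorized as $($_.IPAddress)" }
}

$Findings | Export-Csv -Path "$env:TEMP\rename-audit.csv" -NoTypeInformation
$Findings | Group-Object Area | Select-Object Name, Count
```

Run it again after rendom /execute and the reboots, replacing $OldFqdn with the old name still, so any lingering references show up as remaining findings.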