How to Perform Active Directory Rename



This article was prompted by the following article shared in the community by @Viperian. Kindly take a look at the comment section of that post as well, as the comments are very informative.

I see a lot of environments shared online with the .local suffix, and this made me create a blog post on how to set up a Domain Controller as recommended by Microsoft. There are numerous articles on this topic on the blog, but I have decided to share the latest one, which was prompted by the above concern.

But that post covers a new Active Directory environment; it does not solve the issue for existing AD environments with the .local suffix. Hence, this guide was developed to tackle that problem. Please see “how to change Active Directory Domain name from dot local to dot com” for more information.

 

Note: I would recommend backing up your AD environment before making any changes to your domain controllers. I would recommend using Veeam Backup and Replication for AD protection. This ensures that you can recover in case of unexpected issues during the rename process.

 

Some reasons to rename Active Directory from .local to .com

 

Changing the Active Directory domain name from “.local” to “.com” is recommended to enhance compatibility and align with best practices when setting up a new AD environment.

The .local top-level domain (TLD) is not intended for global use in the Domain Name System (DNS). Instead, it is reserved for multicast DNS (mDNS), which resolves hostnames to IP addresses within small networks without the need for a dedicated DNS server.

 

Prerequisite to renaming Active Directory (AD)

Renaming an Active Directory (AD) domain is a complex process that requires careful planning and execution.

Before deciding to rename an AD domain, consider the following factors:

  • Renaming the AD domain can have a significant impact on services and applications that rely on AD. Ensure that all systems and services are compatible with the new domain name.
  • Some applications and services may have hard-coded references to the current domain name. Verify the compatibility of all applications and update configurations accordingly.

Before proceeding with these steps, endeavor to back up your AD environment before making any changes. I would recommend using Veeam Backup and Replication for AD protection. This ensures that you can recover in case of unexpected issues during the rename process.

 

Note: Before you begin the domain rename operation, ensure that the certificate revocation lists (CRLs) and the CA certificates will not expire soon. If you find that they are close to expiration, complete the following tasks as described in the Microsoft guide before the domain rename operation.

Active Directory Rename Process

Note: While this renaming process is technically possible, it is generally considered best practice to avoid renaming AD domains whenever possible, due to the potential for disruption and data loss if the process is not executed correctly. Therefore, evaluate the impact of renaming the domain in a test environment before replicating it in your production environment.

Create a New Forward Lookup Zone

To do this, right-click Forward Lookup Zones and select New Zone, or select it and choose New Zone from the Action pane on the right.

Select “Primary Zone”, since this is going to be the first DC server. Click Next after selecting.

This option will replicate to all DNS servers running in this domain. Click Next to proceed.
 

Enter the New Zone Name

Select “Allow only secure dynamic updates”

Complete forward zone creation

 

New Zone successfully created

 

Install Active Directory Domain Rename Tool

Note: It is recommended to install and run the Active Directory Domain Rename Tool on a member server rather than directly on a domain controller. This helps to minimize potential disruptions to Active Directory operations and avoids unnecessary risks associated with running administrative tools directly on DCs.

Note: Remote Server Administration Tools for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) are installed by default on Windows Server. But let me show you the process in case you need to install them.

Log in to a member server with domain credentials, then launch Add Roles and Features.

Select “Role-based or feature-based installation”.

 

Skip the Server Roles page. On the Features page, ensure that Remote Server Administration Tools is selected, and under RSAT select the AD DS and AD LDS Tools. Since these requirements are already met in my environment, I will stop here; otherwise, make sure they are installed.

 

Run Active Directory Domain Rename Tool

Microsoft provides the Active Directory Domain Rename Tool (rendom.exe) for renaming domains. First, we will create a report describing the current forest setup. To do that, type the command below and press Enter.

rendom /list

 

Open the Domainlist.xml file. In my case, I will be using Notepad++.

 

You will need to edit the file so that it matches the new domain name. Make sure you save the file after editing. I am done editing this file.

 

Next, run the command below from the same folder. The rendom /upload command uploads the rename instructions to Active Directory.

rendom /upload

To check that the domain is ready for the rename, type rendom /prepare.

 

Once it passes with no errors, execute rendom /execute to proceed with the rename. It will reboot the domain controller automatically.

 

Note: While we wait for the command to complete, you can already take a look at the DC and see that some of the renaming has happened.

 

Our command has completed successfully without errors.

 

You will have to reboot all devices in your environment to apply the changes. Usernames and passwords will not change, but the domain name will, as shown above.

Let’s verify the member server. The image below is from before the AD rename.

As you can see, the member server has been correctly updated.

 

As you can see above, the rename process did not rename the domain controllers. This has to be done manually.

To do this, run the command below:

netdom computername techdirectarchive.techdirectarchive.local /add:techda02.techdirectarchive.com

To make “techda02.techdirectarchive.com” the primary name for this server, run the command below:

netdom computername techdirectarchive.techdirectarchive.local /makeprimary:techda02.techdirectarchive.com

 

Active Directory Rename Cleanup

Once you’re confident that the rename process was successful and all systems are functioning as expected, perform cleanup tasks such as removing the old domain name from DNS records and updating any external references to the domain name.

First, launch DNS Manager and remove the following DNS server entry.

 

When you launch the Group Policy Management console, you will notice the following error: “Group Policy: The specified Domain Controller could not be contacted. This affects the following console”.

Use the command below to run gpfixup, which repairs the Group Policy links for the new domain name:

gpfixup /olddns:techdirectarchive.local /newdns:techda02.techdirectarchive.com

 

Execute the rendom /clean command to remove the rename metadata.

Run rendom /end to stop the rename process and unfreeze the DC activity.

 

To start working with Group Policy Management again, we need to add the new forest. To do this, click Action and select Add Forest.

 

Continue monitoring other services to ensure that all errors associated with the rename process are eliminated.

 

Let’s see if this name change is reflected in Active Directory Users and Computers console.

 

Lastly, if your domain has trusts with other domains or forests, update them as needed. Also consider external dependencies such as firewalls, DNS, DHCP, etc. Update certificates and service principal names (SPNs) to match the new domain name.
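The cleanup and monitoring steps above (reboot the members, rename the DCs with netdom, fix DNS and SPNs) are easy to leave half-done. The PowerShell script below is an added example, not part of the original post or of Microsoft's rendom tooling: it checks that the domain now answers to the new name, that the new zone is AD-integrated with secure-only dynamic updates, that every DC has its _ldap._tcp.dc._msdcs locator record in the new zone, and it lists computers and SPNs still carrying the old suffix. The old and new names are the constructed values from this post; adjust them for your forest, and run it on a machine with the ActiveDirectory and DnsServer RSAT modules installed.

```powershell
# Added example (not the original post's code): post-rename verification.
# Assumes the ActiveDirectory and DnsServer RSAT modules and that the names
# below are the ones used in this post; change them for your own forest.
param(
    [string]$OldDnsName = 'techdirectarchive.local',
    [string]$NewDnsName = 'techdirectarchive.com'
)
Import-Module ActiveDirectory
Import-Module DnsServer

# 1. The domain itself must now report the new DNS name.
$domain = Get-ADDomain
if ($domain.DNSRoot -ne $NewDnsName) {
    Write-Warning "Domain DNSRoot is '$($domain.DNSRoot)', expected '$NewDnsName'"
}

# 2. The new forward zone must exist, be AD-integrated and accept only
#    secure dynamic updates (the choice made in the New Zone wizard).
$zone = Get-DnsServerZone -Name $NewDnsName -ErrorAction Stop
if (-not $zone.IsDsIntegrated -or $zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone $NewDnsName is DsIntegrated=$($zone.IsDsIntegrated), DynamicUpdate=$($zone.DynamicUpdate)"
}

# 3. DC locator records: each DC should have registered an SRV record at
#    _ldap._tcp.dc._msdcs in the new zone; a missing one means clients
#    cannot find that DC by the new domain name.
$srv = Get-DnsServerResourceRecord -ZoneName $NewDnsName -RRType Srv `
        -Name '_ldap._tcp.dc._msdcs' -ErrorAction SilentlyContinue
$targets = @($srv.RecordData.DomainName)   # SRV targets carry a trailing dot
foreach ($dc in Get-ADDomainController -Filter *) {
    if ($targets -notcontains "$($dc.HostName).") {
        Write-Warning "No _ldap._tcp.dc._msdcs SRV record for $($dc.HostName) in $NewDnsName"
    }
}

# 4. Computers whose dNSHostName or SPNs still carry the old suffix: these
#    are the members still waiting for their reboots (or DCs still needing
#    the manual netdom rename) and the SPNs that must be updated.
Get-ADComputer -Filter * -Properties dNSHostName, servicePrincipalName |
    Where-Object {
        $_.dNSHostName -like "*.$OldDnsName" -or
        ($_.servicePrincipalName | Where-Object { $_ -like "*$OldDnsName*" })
    } |
    Select-Object Name, dNSHostName,
        @{ n = 'OldSuffixSPNs'
           e = { ($_.servicePrincipalName | Where-Object { $_ -like "*$OldDnsName*" }) -join ';' } }
```

An empty result from step 4, together with no warnings from steps 1 to 3, is the point at which rendom /clean and rendom /end are safe to run.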


11 comments

Userlevel 7
Badge +7

Fantastic post @Iams3le ! 👍

Userlevel 7
Badge +9

Fantastic post @Iams3le ! 👍

Thank you @marco_s 

Userlevel 7
Badge +21

This is a great guide for sure.  I use .lab in my homelab.

Userlevel 7
Badge +21

@Madi.Cristil @safiya can you change this to a content post. To me it is not a question.

Userlevel 7
Badge +9

This is a great guide for sure.  I use .lab in my homelab.

Thanks! … now is a good time to change that 

Userlevel 7
Badge +9

Hey guys, this article has been updated with the steps and images for renaming Active Directory Domain Name. This ensures you do not have to leave this “resource hub” to any other platform to complete your own Lab or Production AD renaming process.

Userlevel 7
Badge +21

This is a great guide for sure.  I use .lab in my homelab.

Thanks! … now is a good time to change that 

Why would I want to change the domain from .lab?  It is not using .local which the article is about and it is only my homelab which does not sync to Azure AD or anything like that.

Great additions to this article by the way with the pictures and details.  Love it! 😎

Userlevel 7
Badge +9

This is a great guide for sure.  I use .lab in my homelab.

Thanks! … now is a good time to change that 

Why would I want to change the domain from .lab?  It is not using .local which the article is about and it is only my homelab which does not sync to Azure AD or anything like that.

Great additions to this article by the way with the pictures and details.  Love it! 😎

Then you have a good reason not to perform the above steps! There are ways around those issues as well whenever you wish to integrate with Azure or M365. BTW, these steps apply to all suffixes and not just .local.

Userlevel 7
Badge +21

This is a great guide for sure.  I use .lab in my homelab.

Thanks! … now is a good time to change that 

Why would I want to change the domain from .lab?  It is not using .local which the article is about and it is only my homelab which does not sync to Azure AD or anything like that.

Great additions to this article by the way with the pictures and details.  Love it! 😎

Then you have a good reason not to perform the above steps! There are ways around those issues as well whenever you wish to integrate with Azure or M365. BTW, these steps apply to all suffixes and not just .local.

Gotcha.  Yeah I will never integrate my homelab domain with either of those so will just keep it as is.  Might look at it in the future maybe. 😁

Userlevel 7
Badge +10

@Iams3le  great! Impressive 😎
thank you

Userlevel 7
Badge +9

@Iams3le  great! Impressive 😎
thank you

You are welcome 
