What Is Domain Rename?
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
In this section
Domain Rename Constraints and Capabilities
Core Scenarios for Domain Rename
Domain Rename Dependencies and Interactions with Other Technologies
Related Information
You can use the domain rename process to change the names of your domains, and you can also use it to change the structure of the domain trees in your forest. This process involves updating the Domain Name System (DNS) and trust infrastructures as well as Group Policy and service principal names (SPNs).
The ability to rename domains provides you with the flexibility to make important name changes and forest structural changes as the needs of your organization change. Using domain rename, you can not only change the name of a domain, but you can also change the structure of the domain hierarchy: you can change the parent of a domain or move a domain residing in one domain tree to another domain tree. The domain rename process can accommodate scenarios involving acquisitions, mergers, or name changes in your organization, but it is not designed to accommodate forest mergers or the movement of domains between forests.
Note
Domain rename is intended to be a supported method for renaming domains when domain renames are necessary; it is not intended to make domain rename a routine operation. The domain rename process is complex, and it requires a great deal of care in planning and execution. In addition, the time that is required for a complete domain rename operation is directly proportional to the size of an Active Directory forest in terms of its number of domains, domain controllers, and member computers. Therefore, although domain rename is possible, it should not be undertaken lightly. The domain rename operation is not supported in Microsoft Exchange Server 2007 or Exchange Server 2010. DNS domain rename is supported in Exchange Server 2003. However, renaming of the NetBIOS domain name is not supported in any version of Exchange Server. Other non-Microsoft applications might also not support domain rename. For more information about other Microsoft applications that are incompatible with domain rename, see article 300684 (https://go.microsoft.com/fwlink/?LinkId=185229) in the Microsoft Knowledge Base.
In Windows Server® 2003 and Microsoft Windows® 2000 Server, the directory service is named Active Directory. In Windows Server 2008 R2 and Windows Server 2008, the directory service is named Active Directory Domain Services. The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.
For information about methods of merging forests, see “Windows 2000/2003: Multiple Forests Considerations White Paper” on the Microsoft Web site.
Domain Rename Constraints and Capabilities
The domain rename capabilities provide solutions to some of the problems that are not addressed in Windows 2000 Server. In a Windows 2000 Server forest, you cannot rename domains after the forest structure is in place without moving domain contents or recreating them.
Although you can rename domains in forests that do not include domain controllers that run Windows 2000, there are some important constraints on these operations. The constraints on domain rename in forests with and without Windows 2000 Server are described in the next two sections, followed by a description of the domain rename capabilities in Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2.
Domain Rename Constraints in Windows 2000 Server
The constraints that are associated with changing domain names or restructuring domain trees in Windows 2000 Server Active Directory are prohibitive.
In a Windows 2000 Server forest, you cannot:
Change the DNS name or the network basic input/output system (NetBIOS) name of a domain. Although you cannot rename a domain, you can achieve the same results by moving its contents into a new domain that has the name that you want the existing domain to have. You can use Active Directory Object Manager (MoveTree) in Windows 2000 Server family Support Tools to move directory objects between domains.
Move a domain in a forest in a single operation. You can make copies of items in a domain and move items from a domain, but you cannot move the entire domain itself within a forest.
Split a domain into two domains in a single operation. To split a domain, you must create a new domain and then move users and resources from the existing domain into the new domain.
Merge two domains into a single domain in a single operation. To merge domains, you must move all the contents from one of the domains into the other domain and then demote all domain controllers in the empty domain and decommission it.
In a Windows 2000 Server forest, significant administrative overhead is associated with performing manual move operations to rename one or more domains or to restructure a domain tree.
Domain Rename Constraints in Windows Server 2003 and later
Domain rename is not a trivial operation, and there are important constraints on the domain rename operation in a forest that has domain controllers that run Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. When you decide whether to rename or restructure domains in an existing forest, be sure to consider what you cannot do with domain rename and restructuring. Although a forest has domain rename and restructuring capabilities, certain types of structural changes are not supported.
In a forest with domain controllers that run Windows Server 2003 or later, you cannot:
Change which domain is the forest root domain. Changing the DNS name or the NetBIOS name (or both) of the forest root domain is supported.
Drop domains from the forest or add domains to the forest. The number of domains in the forest before and after the domain rename and restructuring operation must remain the same.
Rename a domain with a name that was taken from another domain in a single domain rename and restructuring operation.
Domain Rename Capabilities in Windows Server 2003 and later
Tools are provided that you can use to safely rename domains to restructure a forest, reapply preexisting Group Policy to the new forest structure, and clean up the old domain names that you will no longer use.
The domain rename process involves making basic changes independently at each domain controller in a forest. You set up an administrative computer from which you issue commands that are executed remotely at each domain controller. These commands update the directory database at each domain controller individually with the changes that are necessary for renaming the domains; that is, the updates that rename the domains do not spread across the forest through AD DS replication.
You use the Rendom tool to carry out the following steps in the domain rename process:
Freeze the current state of the forest so that no changes can occur while a domain rename operation is being performed.
Prepare the contents of the forest for a domain rename operation. Rendom runs multiple scripts that perform this preparation.
Execute a domain rename operation.
Clean up old domain names.
Another tool, Gpfixup, is provided to reinstate Group Policy from the original domains into the newly named domains in the forest.
The Rendom tool, the Gpfixup tool, and the instructions for using them are available on the Windows Server 2003 operating system CD. These tools are also built into domain controllers that run Windows Server 2008 R2 or Windows Server 2008, and they are available in Remote Server Administration Tools (RSAT). You can also download these tools and instructions from Windows Server 2003 Domain Rename Tools on the Microsoft Web site.
Note
The versions of the domain rename tools that are available at the Microsoft Web site are updated to perform domain rename operations in a forest that has Exchange Server 2003 with Service Pack 1 (SP1) deployed. Versions of the tools that are available on the Windows Server 2003 operating system CD do not have this capability.
Core Scenarios for Domain Rename
By using domain rename capabilities, you can make several kinds of changes to an existing forest. For example, you can perform domain rename to:
Rename domains without repositioning any domains in the forest structure.
Create a new domain-tree structure by repositioning domains within a tree.
Create a new tree root.
Create a new domain-tree structure by repositioning domains to a different tree.
Reuse a domain name.
Domain Rename Without Repositioning
You can rename domains without restructuring the forest in terms of the parent-child relationships between existing domains. For example, suppose that an existing cohovineyard.com forest for the Coho Vineyard company has four domains with the following names:
cohovineyard.com (root)
eu.cohovineyard.com
hr.cohovineyard.com
sales.cohovineyard.com
The company decides to expand into wine bottling and distribution and wants to change its name from Coho Vineyard to Coho Winery. The AD DS domain names must now reflect the new company name. As shown in the following figure, the target forest still has four domains with the following new names:
cohowinery.com (root)
eu.cohowinery.com
hr.cohowinery.com
sales.cohowinery.com
Renaming the forest root domain creates a condition in which all child domains in the tree must be renamed to preserve the original forest structure, as shown in the following figure.
(In the following series of figures, two-way arrows indicate two-way, transitive trust relationships.)
Figure: Domain Rename of Four Domains Without Repositioning Domains
Domain Rename with Repositioning in the Same Tree
You can change the structure of a domain tree by renaming a child domain to appear in a different location in the tree. For example, in the cohowinery.com forest, the products.sales.cohowinery.com domain is currently a child of the sales.cohowinery.com domain, placing it two levels below the forest root domain. If the Products division is no longer a subdivision of the Sales organization as a result of an internal reorganization, the company might want to change the domain structure to put the Products organization at the same level as the Sales organization. The following figure shows how changing the parent of products.sales.cohowinery.com results in a restructured domain tree.
Figure: Domain Rename to Change the Parent of a Child Domain
Domain Rename with Creation of a New Tree Root
When you restructure a forest, you can move a domain (except the forest root domain) anywhere within the forest in which the domain resides. You can even move a domain so that it becomes the root of its own domain tree. For example, in the cohowinery.com forest, the domain for the European branch of the company, named eu.cohowinery.com, is a child of the forest root domain. Company management determines that the European division’s internal domain name should better reflect its Internet DNS name, cohovineyardandwinery.com. In the target forest structure shown in the following figure, the eu.cohowinery.com domain is moved so that it becomes its own tree-root domain named cohovineyardandwinery.com.
Figure: Domain Rename to Create a New Tree Root
Domain Rename with Repositioning to a Different Tree
By renaming domains, you can effectively move a child domain to a different parent, even if the parent is in a different tree. For example, in the current example forest structure, the domain for the Human Resources (hr) organization is a child of cohowinery.com. This domain has domain controllers in the United States. However, changes in the company have prompted the Human Resources organization to move its location to Europe. Company management wants to move the hr.cohowinery.com domain so that it becomes a child of the domain cohovineyardandwinery.com, residing in another domain tree. As shown in the following figure, the hr.cohowinery.com domain is renamed to hr.cohovineyardandwinery.com.
Figure: Domain Rename to Move a Domain to a Different Tree
Reusing a Domain Name
As described in Domain Rename Constraints in Windows Server 2003 and later, the domain rename operation cannot rename two or more domains so that one domain gives up its name and another domain assumes the same name in a single forest restructuring operation. For example, in the Current Forest configuration in the preceding figure, you cannot use a single domain rename operation to restructure the current forest so that the cohovineyardandwinery.com domain is named something else and the hr.cohowinery.com domain assumes the name cohovineyardandwinery.com.
However, you can accomplish the desired result by first performing the domain rename operation to rename the cohovineyardandwinery.com domain to something else. When you are absolutely sure that the first domain rename operation is complete, you can then perform the domain rename operation again so that hr.cohowinery.com assumes the domain name cohovineyardandwinery.com.
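The constraints listed under Domain Rename Constraints in Windows Server 2003 and later, and the two-step name reuse described above, can be checked against a proposed plan before any tool is run. The following Python code is an added example, not part of Rendom or the original documentation; the plan format (a mapping of old to new DNS names), the function names, and the sample data are assumptions constructed for illustration.

```python
# Added example: pre-flight check of a proposed rename plan against the
# constraints on this page. Names and plan format are hypothetical.

def parent_of(name, domains):
    """Nearest ancestor of `name` among `domains`, or None for a tree root."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def apply_plan(current, plan):
    """Map every current domain to its name after the rename (old -> new)."""
    plan = {old.lower(): new.lower() for old, new in plan.items()}
    return {d.lower(): plan.get(d.lower(), d.lower()) for d in current}

def validate_rename_plan(current, forest_root, plan):
    """Return constraint violations; an empty list means the plan is allowed."""
    errors = []
    target = apply_plan(current, plan)
    for old in plan:
        if old.lower() not in target:
            errors.append(f"{old}: not in the forest; domains cannot be added")
    new_names = list(target.values())
    for old, new in sorted(target.items()):
        if new_names.count(new) > 1:
            errors.append(f"{old}: {new} assigned twice; domain count must not change")
        elif new != old and new in target:
            errors.append(f"{old}: {new} is taken from another domain in the same operation")
    root_new = target.get(forest_root.lower())
    if root_new is None:
        errors.append(f"{forest_root}: forest root is not in the forest")
    elif parent_of(root_new, set(new_names)) is not None:
        errors.append(f"{forest_root}: forest root would become a child domain")
    return errors

# Constructed sample data using this page's Coho forest.
FOREST = ["cohovineyard.com", "eu.cohovineyard.com",
          "hr.cohovineyard.com", "sales.cohovineyard.com"]
RENAME_ALL = {d: d.replace("cohovineyard.com", "cohowinery.com") for d in FOREST}

if __name__ == "__main__":
    print(validate_rename_plan(FOREST, "cohovineyard.com", RENAME_ALL))
```

For the name reuse case, validate each of the two operations separately, passing the names produced by the first operation as the current forest of the second.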
Domain Rename Dependencies and Interactions with Other Technologies
So that they can interact in a forest structure, AD DS domains require proper configuration and functioning of the following technologies:
DNS: AD DS clients, including domain controllers, use DNS zone data to locate resources in a forest. Without a proper DNS infrastructure, AD DS security and replication services cannot function. In a domain rename operation, DNS names of domain controllers and member computers must also change, as follows:
The DNS names of domain controllers must change to match the new domain names by changing the primary DNS suffix.
The DNS names of member computers change automatically in one of two ways: by configuring the primary DNS suffix to change when the domain name change replicates (with a potentially significant replication impact) or by applying Group Policy to configure the primary DNS suffix change before the domain rename.
SPNs: SPNs are used for mutual authentication between domain controllers during replication. To ensure that replication can occur following a domain rename operation, the SPN values must change on the domain controllers.
Trust: Two-way, transitive trust relationships between parent and child domains provide the security infrastructure that is required for resource sharing between domains in the same forest and for delegating management of AD DS objects. To change the structure of a domain tree, you must manually create the trust relationships that enable parent-child relationships in the new structure.
In addition to these basic requirements, when the following features are in effect, they require appropriate changes in the forest in preparation for the domain rename operation:
Distributed File System (DFS): Folder redirection and roaming user profiles can be used to locate the user’s home directory and user profile, respectively, in a network location. When these features are applied using domain-based DFS paths, these paths must change to reflect the new domain names.
Certification authorities (CAs): Management of enterprise certificates through a domain rename procedure requires that CAs not be installed on domain controllers and that they be configured with appropriate Uniform Resource Locators (URLs).
Related Information
The following resources contain additional information that is relevant to this section:
“Windows 2000/2003: Multiple Forests Considerations White Paper” on the Microsoft Web site
Windows Server 2003 Domain Rename Tools (https://go.microsoft.com/fwlink/?linkid=5585) on the Microsoft Web site
“Step-by-Step Guide to Implementing Domain Rename” in Windows Server 2003 Domain Rename Tools on the Microsoft Web site