Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2010-10-09) Should You Do A Domain Rename Or Not – That’s The Question?

Posted by Jorge on 2010-10-09


A friend of mine asked me if a domain rename is something that should/could be used or not within an organization. What I answered him is more or less explained in this blogpost. Information about performing a domain rename can be found through the following links:

Instead of performing a domain rename [1], you could also create a new domain in an existing AD forest or in a new AD forest and migrate [2] everything into that new AD domain. To determine which to use ([1] or [2]), you must know the AD forest environment very, very well! With "AD forest environment" I mean: the size of the environment, the number of DCs per AD domain/site (location), the number of AD sites (locations) with DCs, the AD forest/domain structure, the version of AD, the versions of AD aware/enabled apps (e.g. Exchange, OCS, etc.), the versions of member server and member client operating systems, which client/server apps (e.g. SQL, Citrix, etc.) exist and their versions, what the remote possibilities are to connect to the DCs (including while the DCs are booting) and how dependent such a remote solution is on AD, where support personnel is available and where not, etc., etc. As you can see, doing your homework is the very first step to take before anything else! Doing this homework should help you determine how much technical and logistical pain you may experience during such an exercise.

The impact of doing a domain rename is HUGE! In a test environment I do not have any issues with doing a domain rename, but in a production environment I would never do it that easily, and probably I would never do it at all. A domain rename impacts ALL DCs in the AD forest at the same time, not just the DCs in the AD domain whose NetBIOS name and/or FQDN you want to rename. If you still think domain rename is a viable option to check out, then make sure you have a very representative test environment with all applications to see where things might go wrong. Also check with the vendor of each app/system whether it supports domain rename at all. Create a plan of your own and test, test, test, test, test, test, test, test, test, test, test, test! Also make sure to have an up-to-date and tested disaster recovery plan as a fallback plan for when the shit hits the fan!

An example: assume your AD forest has 3 AD domains and each AD domain has 100 DCs, so in total you have 300 DCs in the AD forest. At a certain point in time (check the domain rename manual from Microsoft) ALL those DCs in the AD forest will reboot AT THE SAME TIME. It would scare the crap out of me to reboot 300 DCs at the same time! A simple test before performing a domain rename is to reboot each and every DC, just to make sure it returns in normal mode without any issue.

After the domain rename, you most likely have to fix all kinds of applications in some way. Some apps/systems might not work until certain repairs have been done. It is also possible that a domain rename is not possible at all, or not supported by Microsoft. For example, if you have Exchange in your AD environment, this plays a very important role in determining whether it is even possible to perform a domain rename.
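As an added example (not part of the original post), the following PowerShell script collects the "homework" described above in one place: the DC count per domain and site (the blast radius of a forest-wide simultaneous reboot), a quick reachability check of every DC, and whether an Exchange organization container exists in the Configuration partition, which is the blocker discussed in the KB list and in the quoted answers further down. It assumes the ActiveDirectory module (RSAT) is installed and that the account can read the Configuration naming context.

```powershell
# Added example: pre-assessment inventory for a domain rename vs. migration decision.
# Assumes the ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE
Write-Host ("Forest: {0}   Forest mode: {1}" -f $forest.Name, $forest.ForestMode)
Write-Host ("Domains: {0}" -f ($forest.Domains -join ', '))

# 1. DC inventory per domain and site. A domain rename touches every DC in the
#    forest at once, so these totals are the size of what reboots together.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object Domain, Name, Site, OperatingSystem, IPv4Address
}
Write-Host ("Total DCs in forest: {0}" -f @($dcs).Count)
$dcs | Group-Object Domain, Site | Sort-Object Name |
    Format-Table @{Label='Domain, Site'; Expression={$_.Name}}, Count -AutoSize

# Old operating systems are worth knowing about before deciding anything.
$dcs | Group-Object OperatingSystem | Format-Table Name, Count -AutoSize

# 2. Reachability of every DC. This does not replace the post's advice to reboot
#    each DC one by one beforehand; it only confirms each one answers right now.
$unreachable = @($dcs | Where-Object {
    -not (Test-Connection -ComputerName $_.Name -Count 1 -Quiet)
})
if ($unreachable.Count -gt 0) {
    Write-Warning ("DCs not responding: {0}" -f ($unreachable.Name -join ', '))
} else {
    Write-Host "All DCs respond to ping."
}

# 3. Exchange organization container. If it exists, the supported-combinations
#    question for Exchange applies before a rename can even be considered.
$exchBase = "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)"
$exchOrg = Get-ADObject -SearchBase $exchBase -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msExchOrganizationContainer)' `
    -ErrorAction SilentlyContinue
if ($exchOrg) {
    Write-Warning ("Exchange organization present: {0}" -f $exchOrg.Name)
} else {
    Write-Host "No Exchange organization container found in the Configuration NC."
}
```

Run it against a test forest first; a missing CN=Microsoft Exchange container simply yields "not found" because the search error is suppressed.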

The biggest disadvantage of a domain rename is the huge impact on the environment and the impossibility of doing it in a phased manner.

The other option that can be used instead of a domain rename, which does not impact the environment that heavily, does allow a phased approach and carries much lower risks, is a domain migration.

Remember though that having multiple AD domains in a specific AD forest is far from a best practice. You might also want to think about consolidating the AD domains within that AD forest as much as possible. Many organizations do not do this (consolidation) because the benefits do not outweigh the costs involved.

The following was taken from MS-KBQ300864:

Examples of applications that are incompatible with domain rename include, but are not limited to, the following products:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange Server 2007
  • Microsoft Internet Security and Acceleration (ISA) Server 2004
  • Microsoft Live Communications Server 2005
  • Microsoft Operations Manager 2005
  • Microsoft SharePoint Portal Server 2003
  • Microsoft Systems Management Server (SMS) 2003
  • Microsoft Office Communications Server 2007

With regards to a domain rename I found the following questions, to which I or others responded:

#################

[Q]

OK, I have raised the domain functional level to Windows Server 2003 and also set the forest functional level to Windows Server 2003. Now how do I rename my domain name? Next steps, please advise.

[A1]

I hope you are kidding! You want to do a domain rename and are asking for the steps here? That means you did not do any homework, correct? IMHO that’s the most NOT RECOMMENDED action to take. Microsoft provides documents about the domain rename. You should read them, understand them, TEST it and decide if you really want to do it. Domain rename has a HUGE impact on the environment and is NOT something to take lightly.

My suggestion as next step: start reading the domain rename docs:

http://technet.microsoft.com/en-us/windowsserver/bb405948.aspx

http://technet.microsoft.com/en-us/library/cc738208.aspx

#################

[Q]

Does anyone know the Domain Rename Supported combinations of Windows and Exchange

For example:

W2K3 AD with E2K3SP1 = supported

W2K8 AD with E2K3SP1 = supported

W2K3 AD with E2K7 RTM/SP1 = NOT supported

W2K8 AD with E2K7 RTM/SP1 = NOT supported

How about:

W2K3 AD with E2K3SP2 = ???

W2K8 AD with E2K3SP2 = ???

[A1]

With regards to W2K8 please read http://technet.microsoft.com/en-us/library/cc816848.aspx. It says:

"The Windows Server 2008 domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 SP2, Exchange Server 2007, or Exchange Server 2007 SP1." So I guess the 2nd scenario is not supported. The http://msexchangeteam.com/archive/2004/08/30/222719.aspx link has info on W2K3. It says "All Exchange servers in the org must be Exchange 2003 SP1 +". So I guess the first scenario is OK. Might be worth posting a comment on the Exchange product group’s blog in case they have more recent info.

[A2]

I know about that article and what is stated there. That was the reason WHY I asked my question. I was wondering if Exchange 2003 WITH SP2 supports Domain Rename in both w2k3 and w2k8 AD. It looks like:

Domain Rename W2K3 AD with E2K3SP2 = OK

Domain Rename W2K8 AD with E2K3SP2 = NOT OK

[A3]

Windows Server 2008 Answer? –> http://technet.microsoft.com/en-us/library/cc794909.aspx

The Windows Server 2008 domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 Service Pack 2 (SP2), Exchange Server 2007, or Exchange Server 2007 Service Pack 1 (SP1).

[A4]

Same info, different article. Two sources mention this… does anyone know *WHY*:

W2K3 AD + E2K3 SP2 = OK

W2K8 AD + E2K3 SP2 = NOT OK

[A5]

I found this snippet.

As part of PrepareAD, the Exchange Server 2007 setup tool stamps the Active Directory with a number of server names in GUID and fully-qualified domain name (FQDN) formats. This is to enable Exchange Server 2007 to fulfill a much-requested feature: don’t require WINS. Unfortunately, from a Domain Rename perspective, this means that once PrepareAD has occurred, it’s too late to go back. At that time, the ONLY option for a domain rename is to remove ALL Exchange servers. That includes any Exchange 2000 Servers or Exchange Server 2003 servers which may be in the environment. The goal is to be able to remove the Organization container in Active Directory (which removing the last Exchange server in a forest will do). Having an updated schema is not an issue. Once the Organization container is gone, a domain can be renamed and Exchange re-installed. But that’s a very very dangerous option. Doing a full active directory migration to a new forest may be safer. Consider yourself informed! Until next time…

As always, if there are items you would like me to talk about, please drop me a line and let me know!

http://theessentialexchange.com/blogs/michael/archive/2008/04/04/exchange-2007-and-domain-rename.aspx

[A6]

Got word. They never tested it (W2K8 AD + E2K3 SP2). Reason for that: people almost always choose migration over rename. Third-party apps most of the time do not support rename.

#################

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————

One Response to “(2010-10-09) Should You Do A Domain Rename Or Not – That’s The Question?”

  1. […] the location by GUID when an AD domain has been renamed (more info about domain rename can be found here). To accommodate locating domain controllers by server type or by GUID (abbreviated […]
