forest rename
Andy Wolsten
2006-06-26 23:53:01 UTC
Hi,

Currently planning to rename our forest, as it was initially named
domaina.local when created, which does not fall in with our real DNS space.

It has been suggested that we leave the domain name as it is and simply
create a new domain mycompany.com, which I guess will sit at the top of the
forest alongside domaina.local. What are the implications of this? I have
not worked yet with multiple-domain scenarios. How will it look in AD Users
and Comps?

Another suggestion was to leave the domain name as domaina.local but create
a new DNS zone. What are the benefits of doing this? Is it not just more
untidy and complicated to manage? Any advice and doco on this would be great
too.
Wong Tuck Wah
2006-06-27 00:18:01 UTC
You understand the untidiness and mess in managing a domain name that is of no
use. If you create another new domain, it simply functions as another tree
root, not the forest root, if you want them to be under the same AD (unless it is
a new forest), because there can be only one forest root per AD.

Fortunately in Windows 2003 (hope you are using 2003) you can rename your forest
root domain to cater for situations like yours. Please read the link carefully
before you attempt it. Remember to perform a backup prior to this.

http://www.microsoft.com/technet/downloads/winsrvr/domainrename.mspx

All the best.
Andy Wolsten
2006-06-27 00:38:01 UTC
Thanks very much.

What would be the implications of creating a new DNS zone mycompany.com and
adding this domain suffix to each client, as well as the domaina.local suffix?

I believe the domain rename tool is lots of work and preparation?
Kevin D. Goodknecht Sr. [MVP]
2006-06-27 03:10:38 UTC
Post by Andy Wolsten
Thanks very much.
What would be the implications of creating a new DNS zone
mycompany.com and adding this domain suffix to each client, as well
as the domaina.local suffix?
The most notable implication is that it will make your local DNS server
authoritative over the domain, so it will no longer forward any name under
this zone's name. You'll have to create records for each name in the public
zone, like www, ftp and mail. The clients can register in this zone just as
they do in the .local zone through the Connection DNS suffix, which can be
assigned by DHCP.
Post by Andy Wolsten
I believe the domain rename tool is lots of work and preparation?
Not to mention what a domain rename can do to your digestive tract. Domain
renames should not be taken lightly and, depending on your infrastructure, can
blow away the better part of a full weekend. I wouldn't do a domain rename
just to change the TLD from local to something else, unless the .local TLD
is causing other issues. If your domain were a single-label DNS name then
performing the rename becomes more of a necessity.

All this said, if for instance you are wanting to change the domain TLD in
order to change the UPN logon name ***@domain.local to ***@domain.com,
there is an easy way to do this without having to perform a domain rename.
Win2k3 added the ability to change the UPN suffix on multiple objects
simultaneously by selecting multiple objects and choosing Properties for the
objects.
HOW TO Add UPN Suffixes to a Forest:
http://support.microsoft.com/kb/243629/EN-US/
--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
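The UPN-suffix route Kevin describes, scripted rather than clicked through, as an added example that is not from this thread: it registers mycompany.com as a forest UPN suffix (what KB 243629 does in Domains and Trusts) and rewrites every enabled user's UPN from @domaina.local to @mycompany.com. It assumes Windows PowerShell with the RSAT ActiveDirectory module, Enterprise Admins rights, and the thread's example names; the function name Convert-UpnSuffix is mine.

```powershell
Import-Module ActiveDirectory

function Convert-UpnSuffix {
    # Supports -WhatIf so the change can be rehearsed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$OldSuffix = 'domaina.local',   # example names from the thread
        [string]$NewSuffix = 'mycompany.com'
    )

    # 1. Register the new UPN suffix at forest level (idempotent).
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $NewSuffix) {
        if ($PSCmdlet.ShouldProcess($forest.Name, "add UPN suffix $NewSuffix")) {
            Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $NewSuffix}
        }
    }

    # 2. Rewrite the suffix on every enabled user still carrying the old one.
    #    A new UPN that already exists is reported and skipped, because a
    #    duplicate UPN would make logon for both accounts ambiguous.
    $users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix' -and Enabled -eq 'True'" `
                        -Properties UserPrincipalName
    $changed = 0
    foreach ($u in $users) {
        $prefix = $u.UserPrincipalName.Split('@')[0]
        $newUpn = "$prefix@$NewSuffix"
        if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
            Write-Warning "Skipping $($u.SamAccountName): $newUpn is already in use"
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "set UPN to $newUpn")) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
            $changed++
        }
    }
    # Only the logon name changes: e-mail addresses, the DNS name of the
    # domain and the domain NetBIOS name are untouched, which is the point.
    return $changed
}

# Rehearse first, then run for real.
Convert-UpnSuffix -WhatIf
# Convert-UpnSuffix
```

Users must log on with the new name afterwards; their sAMAccountName (DOMAINA\user) keeps working unchanged.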
Andy Wolsten
2006-06-27 07:33:02 UTC
Thanks Kevin, for the informative reply. The rename is very much for
aesthetic reasons; however, in the future it may become more of an issue since we
are incorporating an increasing number of web applications.

Our company so far is fairly small (2 DCs, 1 Exchange), so the rename would
seem a great idea at the moment before we grow to a complicated level. I
would very much like to at least attempt a test of this before the impending
headache some time in the future.

Do you know of any step-by-step guides on a) how to run through the process
of the rename, b) technical considerations before the rename and c) some things to
test before we run the rename? One of my main concerns would be how to
properly recover from a failed attempt.
Jorge Silva
2006-06-27 10:18:42 UTC
Hi

Before considering a domain rename you should be aware of the consequences
of that action.

Domain rename can be a complicated process depending on your network/forest
environment.

A domain rename will affect every domain controller in your forest and is a
thorough multistep process that requires a detailed understanding of the
operation. Before considering a domain rename, check some documentation
and some of the most important topics:

Support WebCast: Microsoft Windows Server 2003: Implementing an Active
Directory Domain Rename Operation
http://support.microsoft.com/default.aspx?scid=kb;EN-US;819145

Windows Server 2003 Active Directory Domain Rename Tools and guides
http://www.microsoft.com/technet/downloads/winsrvr/domainrename.mspx

How Domain Rename Works
http://technet2.microsoft.com/WindowsServer/en/Library/4d0c3b6e-e6f5-4ab3-9d81-106ae3a715491033.mspx?mfr=true

----------------------------------------------------------------------

Check:

- Set up a lab and test all procedures before going to domain rename on the
production environment. Test a recovery process in case something goes
wrong.
- Perform a full system state backup of all domain controllers in the
forest.
- Document your entire forest.
- You may have to delete and recreate existing trusts.

----------------------------------------------------------------------

- The following conditions are required to be in effect before you can begin
a domain rename procedure:

* Active Directory forest functional level must be set to Windows Server 2003.
* The domain rename procedure requires Enterprise Admins privileges to
perform the various steps in the procedure.
* DFS root servers: in order to be able to rename a domain with domain-based
DFS roots, all DFS root servers must be running Windows 2000 with Service
Pack 3 or a higher release of Windows Server.
* A computer running any edition of Windows Server 2003 that is to be used as
the control station during a domain rename operation.

----------------------------------------------------------------------

- Before undertaking a domain rename operation, it is imperative that you
fully understand the following conditions and effects that are inherent in
the process and that you are willing and able to fully accommodate them:

* The forest is out of service for a short period of time. Forest service is
interrupted during the time it takes for each domain controller to perform
the directory database updates that are necessary for the domain rename and
to then reboot.
* All domain controllers must either complete the domain rename operation
successfully or be eliminated from the forest.
* Each member computer that is joined to a renamed domain must be rebooted
twice after all domain controllers are updated. Computers running Windows NT
4.0 must be unjoined and then rejoined to the renamed domain instead of
being rebooted.
* If you want DNS host names of domain controllers to match a new domain
name, you must perform domain controller rename procedures after the domain
rename operation is complete. The DNS host names of domain controllers are
not changed automatically by the domain rename operation to reflect the new
domain name. In other words, the primary DNS suffix of a domain controller
will not match the new domain DNS name after the domain has been renamed.
* Having the host name of a domain controller decoupled from its domain name
has no impact on forest service. However, domain controller rename requires
a separate, multistep procedure after the domain rename operation is
complete.
* The DNS suffix of host names for member computers in a domain that is being
renamed might not match the new DNS name of the domain for a period of time.
By default, the DNS suffix portion of member computer names is updated
automatically when the domain to which the computers are joined changes (as
happens when you rename a domain). In general, the period of time during
which the DNS name of the domain does not match the DNS suffix of member
computer names is proportional to the number of computers in the domain. In
some cases, you might want to configure the computers to keep the computer
names from being updated automatically.
* If you want DNS host names of domain controllers to match the new domain
name, you must perform domain controller rename procedures following domain
rename. The DNS host names of the domain controllers are not changed
automatically by the domain rename operation to reflect the new domain name.

----------------------------------------------------------------------

- Although a Windows Server 2003 forest has forest restructuring capability,
certain types of structural changes are not supported.

- In a Windows Server 2003 forest, you cannot:

* Change which domain is the forest root domain. Changing the DNS or the
NetBIOS name of the forest root domain, or both, is supported.
* Drop domains from the forest or add domains to the forest. The number of
domains in the forest before and after the rename/restructure operation must
remain the same.
* Rename a domain with the same name that another domain gave up in a single
forest restructure operation.

----------------------------------------------------------------------

- And if you have Exchange Server in your forest?

* Exchange 2003 SP1: if your Active Directory forest contains only Exchange
2003 SP1 servers, you can run the domain rename operation, but you must also
use the Exchange Domain Rename Fix-up Tool to update Exchange attributes.
* Domain rename does not rename e-mail domains.
* Domain rename doesn't change any e-mail domain in Exchange and doesn't change
any recipient policy. You must change your recipient policy after domain
rename.
* Domain rename does not rename the Exchange Organization.
* You cannot rename the Exchange Organization with the domain rename tool.
* Domain rename does not merge Exchange Organizations.
* It is not possible with domain rename to merge two Exchange organizations
into a single Exchange organization.
* The account you use must also have Full Exchange Administrator permissions.
* Exchange 2003 is required.
* The domain rename tools are supported in Exchange 2003; all Exchange
servers in the organization must be running Exchange 2003.
* The domain rename operation is not supported in an Active Directory forest
that contains Exchange 2000 or Exchange 5.5 servers.
* Exchange must not be installed on domain controllers. If a domain
controller is running Exchange, move the Exchange data off of the domain
controller and uninstall Exchange.

Exchange Links:

TechNet Support WebCast: Renaming domains when Microsoft Exchange Server
2003 is in the Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;838623

Downloads for Exchange Server 2003
http://www.microsoft.com/technet/prodtechnol/exchange/downloads/2003/default.mspx

Supplemental steps for using the Exchange Server Domain Rename Fixup tool
together with the Windows Server 2003 domain rename tools
http://support.microsoft.com/?id=842116

Domain Rename - Rename a Windows 2003 Forest with Exchange 2003 installed
http://www.msexchange.org/tutorials/Domain-Rename.html

Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup)
http://www.microsoft.com/downloads/details.aspx?FamilyId=24B47D4A-C4B9-4031-B491-29839148A28C&displaylang=en

Exchange System Attendant does not start after you rename a Windows Server
2003 domain
http://support.microsoft.com/?id=822590

----------------------------------------------------------------------

- And CAs, what's up?

- Management of enterprise certificates can continue during a domain rename
procedure when the following requirements are in effect before domain
rename:

* The CAs are not installed on domain controllers.
* As a best practice, all the CAs should include both Lightweight Directory
Access Protocol (LDAP) and Hypertext Transfer Protocol (HTTP) Uniform
Resource Locators (URLs) in their Authority Information Access (AIA) and
certificate revocation list (CRL) distribution point extensions.

Note:
If any certificate that is issued by a CA has only one of these URL types,
the certificate may or may not work. Depending on the complexity of your
domain configuration, the steps described in the "Step-by-Step Guide to
Implementing Domain Rename" (in Windows Server 2003 Domain Rename Tools)
might not be sufficient for proper management of CAs after the domain rename
operation. Anyone who undertakes domain rename in an environment that uses
certificates must have considerable expertise in managing Microsoft CAs.

- If one or more of the following conditions exist at the time of domain
rename, CA management is not supported:

* The CA is configured to have only LDAP URLs for its CRL distribution point
or AIA. Because the old LDAP extensions are invalid after the domain rename
operation, all the certificates that are issued by the CA are no longer
valid. As a workaround, you have to renew the existing CA hierarchy and all
issued End Entity certificates.
* An interdomain trust relationship is based on cross-certification with name
constraints. After the domain rename operation, the name constraints might
not be valid. As a workaround, you have to reissue cross-certificates with
appropriate name constraints.
* An e-mail name in the style of Request for Comments (RFC) 822, "Standard
for the Format of ARPA Internet Text Messages," is used in the Active
Directory user account. If the CA (or the certificate template) is
configured to include RFC 822-type e-mail names and this e-mail name style
is used in the certificates that are issued, these certificates will contain
an incorrect e-mail name after a domain rename operation. You should change
any such Active Directory user accounts before any certificates are issued.
--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
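A read-only pre-flight report for the conditions in Jorge's checklist (forest functional level, Enterprise Admins rights, trusts to document, and no Exchange or CA on a domain controller), as an added example that is not part of the thread. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module and rights to query services on each DC; the function name Test-DomainRenameReadiness is mine, and it changes nothing, so it can be run in the lab first.

```powershell
Import-Module ActiveDirectory

function Test-DomainRenameReadiness {
    $forest   = Get-ADForest
    $findings = New-Object System.Collections.Generic.List[string]

    # Condition: forest functional level must already be Windows Server 2003.
    if ("$($forest.ForestMode)" -in 'Windows2000Forest', 'Windows2003InterimForest') {
        $findings.Add("Forest functional level is $($forest.ForestMode); raise it to Windows Server 2003 first")
    }

    # Condition: the procedure needs Enterprise Admins (checked via the current token).
    $eaSid = (Get-ADGroup -Identity 'Enterprise Admins' -Server $forest.RootDomain).SID
    $token = [Security.Principal.WindowsIdentity]::GetCurrent()
    if ($token.Groups -notcontains $eaSid) {
        $findings.Add("$($token.Name) is not an Enterprise Admin in this logon session")
    }

    # Documentation: every trust may have to be deleted and recreated afterwards.
    $trusts = foreach ($d in $forest.Domains) {
        Get-ADTrust -Filter * -Server $d | Select-Object Name, Direction, TrustType
    }
    if ($trusts) {
        $findings.Add("$(@($trusts).Count) trust(s) found; plan to delete and recreate them")
    }

    # Condition: neither Exchange nor a CA may live on a domain controller.
    # MSExchangeSA = Exchange System Attendant, CertSvc = Certificate Services.
    $dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
    foreach ($dc in $dcs) {
        $svc = Get-Service -ComputerName $dc.HostName -Name MSExchangeSA, CertSvc `
                           -ErrorAction SilentlyContinue
        foreach ($s in $svc) {
            $findings.Add("$($dc.HostName) runs $($s.DisplayName); move it off the DC before renaming")
        }
    }

    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = "$($forest.ForestMode)"
        DomainCount       = $forest.Domains.Count   # must be identical before and after
        Trusts            = $trusts
        DomainControllers = $dcs | Select-Object HostName, Domain, OperatingSystem
        Findings          = $findings
        Ready             = ($findings.Count -eq 0)
    }
}

$report = Test-DomainRenameReadiness
$report | Format-List
$report.Findings
```

The DomainControllers list doubles as the inventory of machines that must each complete the rename or be removed from the forest.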