You can use the domain rename process to change the names of your domains, and you can also use it to change the structure of the domain trees in your forest. This process involves updating the Domain Name System (DNS) and trust infrastructures as well as Group Policy and service principal names (SPNs).
Because of these updates, a domain rename operation affects every domain controller in the forest. Domain rename is a multistep process that results in updates to the directory and in other side effects. This section provides details about the domain rename process and its interactions with Active Directory Domain Services (AD DS), DNS, Group Policy, and security.
Domain Rename Processes and Interactions
Domain rename is implemented in a monitored, step-by-step process that ensures that every domain controller in the forest completes its changes one step at a time — that is, the next step in the process cannot occur until the current step is complete at every domain controller in the forest.
The Domain Rename Tool (Rendom)
Rendom.exe is the command-line utility for renaming domains. Rendom is included on the Windows Server 2003 operating system CD. However, an updated version of Rendom is available for download in Windows Server 2003 Domain Rename Tools on the Microsoft Web site. This version of Rendom makes domain rename possible in forests that have Exchange Server 2003 with SP1 deployed.
Rendom.exe is built into domain controllers that run Windows Server 2008 R2 and Windows Server 2008. It is also available in Remote Server Administration Tools (RSAT).
The Domain Rename State File
When you issue the first command to begin the domain rename process, Rendom generates an XML-structured text file, called a state file, which contains a list of all the domain controllers in the forest. As domain controllers progress through the various steps in the procedure, Rendom updates the state file to track the state of each domain controller relative to the completion of the domain rename process.
As you perform each step in the domain rename operation, Rendom automatically updates the state file. By monitoring each domain controller's state of completion in the state file, you get the information that you need to issue the next Rendom command in the sequence.
Domain Controller States
Rendom records four states of completion for each domain controller in the state file:
- Initial: Each domain controller that is reachable during the domain rename procedure starts out from the Initial state.
- Prepared: When the domain rename instructions that are written by Rendom have been verified by a domain controller independently, it advances to the Prepared state.
- Final: From the Prepared state, a domain controller advances to one of two Final states. The domain rename process stops when every domain controller in the forest has reached either of the following states:
  - Done: This state signifies that the domain rename is complete at that domain controller.
  - Error: This state implies that some irrecoverable error has occurred, and further progress on the domain rename is deemed to be impossible at that domain controller.
The steps in the domain rename procedure that attempt to take a domain controller from the Initial state to the Prepared state and from the Prepared state to a Final state can be executed only after every domain controller in the forest has reached the required state. A step can be executed multiple times for any domain controllers that cannot be reached in an initial attempt. Each such additional execution of the same step attempts to contact only those domain controllers that have not achieved the required state.
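As an added illustration of the gating rule above (not Microsoft's code and not part of Rendom), this PowerShell function reads a state file and reports whether every domain controller has reached the state that the next step requires. The element names and host names in the sample are assumptions constructed for the example.

```powershell
# Constructed sample state file. Element names (DcList, DC, Name, State) are
# assumptions for this example; compare with the file Rendom wrote in your forest.
$sampleStateFile = @'
<?xml version="1.0"?>
<DcList>
  <DC><Name>dc1.corp.example</Name><State>Prepared</State></DC>
  <DC><Name>dc2.corp.example</Name><State>Prepared</State></DC>
  <DC><Name>dc3.branch.corp.example</Name><State>Initial</State></DC>
</DcList>
'@

function Test-RenameStepReady {
    param(
        [Parameter(Mandatory = $true)] [string] $StateXml,
        # State that every domain controller must show before the next step.
        [Parameter(Mandatory = $true)] [ValidateSet('Prepared', 'Done')] [string] $RequiredState
    )
    $doc = [xml]$StateXml
    $dcs = @($doc.SelectNodes('/DcList/DC'))
    if ($dcs.Count -eq 0) { throw 'State file lists no domain controllers.' }

    # Flatten each DC entry; a missing element is reported, not skipped.
    $rows = foreach ($dc in $dcs) {
        $nameNode  = $dc.SelectSingleNode('Name')
        $stateNode = $dc.SelectSingleNode('State')
        [pscustomobject]@{
            Name  = if ($null -ne $nameNode)  { $nameNode.InnerText.Trim() }  else { '<unnamed>' }
            State = if ($null -ne $stateNode) { $stateNode.InnerText.Trim() } else { '<missing>' }
        }
    }

    # Error is terminal: repeating the step will not move that DC forward.
    $errored = @($rows | Where-Object { $_.State -eq 'Error' })
    # Any other DC not yet at the required state is what a repeat of the step retries.
    $lagging = @($rows | Where-Object { $_.State -ne 'Error' -and $_.State -ne $RequiredState })

    [pscustomobject]@{
        RequiredState = $RequiredState
        Ready         = ($errored.Count -eq 0 -and $lagging.Count -eq 0)
        Lagging       = $lagging
        Errored       = $errored
    }
}

# For a real run, pass (Get-Content -Raw <path to the state file>) instead.
$result = Test-RenameStepReady -StateXml $sampleStateFile -RequiredState 'Prepared'
"Ready for next step: $($result.Ready)"
$result.Lagging | Format-Table Name, State -AutoSize
```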
Requirements for Domain Rename
Before a domain rename operation begins, the following requirements must be met:
- The forest functional level must be Windows Server 2003 or higher.
- If the position of domains will change, trust relationships must be created to provide trust between any domain that will be renamed (and therefore repositioned) and the domain that is to be its parent in the new structure.
- DNS zones must exist for the new domains.
- Domain-based Distributed File System (DFS) folder redirection paths must be redirected to a server-based path.
- Domain-based roaming user profiles must be relocated to a server-based share or stand-alone DFS path.
- Computers in the to-be-renamed domains must be configured to change their host names to reflect the new domain names.
- Certification authority (CA) requirements must be met.
Preparing Domain Controllers for Domain Rename
When you run the rendom /upload command, certain changes occur on the domain naming operations master in preparation for the actual execution of domain rename. On the domain naming master, the XML-encoded script that contains the domain rename instructions is written to the single-valued, octet-string attribute msDS-UpdateScript on the Partitions container object (cn=partitions,cn=configuration,dc=ForestRootDomain) in the configuration directory partition. The Partitions container can be updated only on the domain controller that is the domain naming master for the forest; therefore, the msDS-UpdateScript attribute is necessarily changed on the domain controller that holds the domain naming operations master role (also known as the flexible single master operations (FSMO) role). From this source domain controller, the script that is stored in the msDS-UpdateScript attribute replicates to all domain controllers in the forest through normal replication of the configuration directory partition.
Executing Domain Rename Instructions
In the final step of the domain rename process, the directory database at each domain controller in the forest is updated individually to implement the new forest structure. This process does not rely on AD DS replication. Rather, the action component of the script in msDS-UpdateScript performs the required modifications to the directory database locally on each domain controller as a single update transaction. The action component of the script is the actual update of the domain name. The rendom /execute command performs this final update step.
The actions that are performed at this step make the actual domain name changes effective at each domain controller. This step causes a brief interruption in service. Before this point in the process, forest service is not disrupted.