Rename a Windows 2008 Domain Controller
Before jumping into this post, the following posts, Implementing Windows Server Core 2008 R2 Domain Controllers and Manage Active Directory Replication, provide information on monitoring replication across a domain, which is necessary when renaming a Domain Controller. Renaming a Domain Controller is not as straightforward as renaming a member server, and it is important to monitor the progress of each step before proceeding to the next. Progress can be monitored using several tools: Repadmin.exe, DNS record registrations (either the DNS MMC or Dnscmd.exe), and Service Principal Name (SPN) registration and domain replication of the SPN (Adsiedit.msc or ldp.exe).
Note: Domain Controllers configured as a Certificate Authority (CA) cannot be renamed.
A Domain Controller rename is performed using the netdom command. Netdom ships with Windows Server 2008 as part of the base OS install; for earlier versions of Windows Server it is available as a download from Microsoft.
The rename consists of three steps.
Step 1
Update the Domain Controller's SPN in Active Directory and register the appropriate DNS SRV records for the Domain Controller. After running this command it is important to ensure that the new SPN has replicated to all Domain Controllers in the AD domain and that the DNS resource records have propagated to all authoritative DNS servers for the domain.
Example:
C:\>netdom computername serverdc1.lab.local /add: serverdc21.lab.local
Successfully added serverdc21.lab.local as an alternate name for the computer.
The command completed successfully.
Once run, wait at least one replication cycle before proceeding further. Use Repadmin to ensure the change has replicated domain-wide, and check DNS to ensure the new resource records have been registered and have replicated to all authoritative DNS servers.
Use Adsiedit to ensure the SPN has been registered: navigate to the Domain node, then OU=Domain Controllers, and open the properties of the Domain Controller being renamed. In the properties, look at the msDS-AdditionalDnsHostName attribute; the new Domain Controller name should be listed there.

Step 2
Once replication across the domain and DNS has been verified, the new name whose SPN was registered in step 1 can be made the primary name. If the following command is run before replication has fully completed, domain members may be unable to locate the Domain Controller using either the new or the old name. In short, be sure before continuing!
Example:
C:\>netdom computername serverdc1.lab.local /makeprimary: serverdc21.lab.local
Successfully made serverdc21.lab.local the primary name for the computer.
The computer must be rebooted for this name change to take effect. Until then this computer may not be able to authenticate users and other computers, and may not be authenticated by other computers in the forest.
The specified new name was removed from the list of alternate computer names. The primary computer name will be set to the specified new name after the reboot.
The command completed successfully.
The computer object attribute msDS-AdditionalDnsHostName will now hold the original Domain Controller name, in the above example serverdc1.lab.local.
Reboot the Domain Controller.
Step 3
Following the reboot, run:
Example:
C:\>netdom computername serverdc21.lab.local /remove: serverdc1.lab.local
Successfully removed serverdc1.lab.local as an alternate name for the computer.
The command completed successfully.
It is a good idea to trigger domain replication using Repadmin.
Active Directory Users and Computers and Active Directory Sites and Services will now display the new Domain Controller name. The msDS-AdditionalDnsHostName attribute will no longer have a value set.
Run dcdiag on the renamed server and one or two other Domain Controllers (in the same site and in an adjoining site) to ensure there are no problems.
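The three steps above are easy to rush, and the post's main warning is that each one must have replicated everywhere before the next is run. The following PowerShell script is an added example, not part of the original post: it wraps each netdom step and then queries every Domain Controller directly for the msDS-AdditionalDnsHostName attribute (rather than trusting whichever DC answers), checks that DNS knows the new name, and refuses to report success until all DCs agree. It assumes Windows Server 2008 R2 with the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) installed, an elevated session as a Domain Admin on the DC being renamed, and uses the post's example names serverdc1.lab.local and serverdc21.lab.local as defaults. The phase names (Add, MakePrimary, Remove) and the -VerifyOnly switch are this script's own invention.

```powershell
<#
  Added example (not from the original post). Drives the three netdom steps and
  verifies convergence of msDS-AdditionalDnsHostName across all DCs before you
  move on. Assumes the ActiveDirectory module, elevated Domain Admin session,
  Windows Server 2008 R2. Default names are the post's examples.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Add', 'MakePrimary', 'Remove')]
    [string]$Phase,
    [switch]$VerifyOnly,                       # skip netdom, only run the checks
    [string]$OldName = 'serverdc1.lab.local',
    [string]$NewName = 'serverdc21.lab.local'
)

Import-Module ActiveDirectory

# Every DC in the domain. Each is queried with -Server so we see its own copy of
# the object, which is what "has it replicated everywhere" actually means.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

function Get-AdditionalNamesFromDc {
    # msDS-AdditionalDnsHostName values for the DC being renamed, as held by $Dc.
    # The object is found by dNSHostName because sAMAccountName changes at step 2.
    param([string]$Dc)
    try {
        $c = Get-ADComputer -Server $Dc -Properties msDS-AdditionalDnsHostName `
                -LDAPFilter "(|(dNSHostName=$OldName)(dNSHostName=$NewName))"
        return @($c.'msDS-AdditionalDnsHostName')
    } catch {
        Write-Warning "Could not query $Dc : $_"
        return $null
    }
}

function Test-Converged {
    # True only when every reachable DC agrees the name is present (or absent).
    param([string]$ExpectedName, [bool]$ShouldBePresent)
    $ok = $true
    foreach ($dc in $dcs) {
        $vals = Get-AdditionalNamesFromDc -Dc $dc
        if ($null -eq $vals) { $ok = $false; continue }
        $present = [bool]($vals | Where-Object { $_ -ieq $ExpectedName })
        $state = if ($present) { 'present' } else { 'absent' }
        Write-Host ('{0,-30} {1,-25} {2}' -f $dc, $ExpectedName, $state)
        if ($present -ne $ShouldBePresent) { $ok = $false }
    }
    return $ok
}

function Test-DnsRegistered {
    # Basic DNS check: the name resolves and appears among the domain's LDAP SRV
    # targets. nslookup is used because Resolve-DnsName does not exist on 2008 R2.
    param([string]$Name)
    $domain = $Name.Substring($Name.IndexOf('.') + 1)
    try { $null = [System.Net.Dns]::GetHostAddresses($Name) } catch { return $false }
    $srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>$null
    return [bool]($srv | Select-String -SimpleMatch $Name)
}

switch ($Phase) {
    'Add' {
        if (-not $VerifyOnly) { netdom computername $OldName "/add:$NewName" }
        repadmin /syncall /AdeP | Out-Null          # push, then verify it landed
        $ok = (Test-Converged -ExpectedName $NewName -ShouldBePresent $true) -and
              (Test-DnsRegistered -Name $NewName)
        if (-not $ok) { throw 'Not converged yet: wait a replication cycle and re-run with -VerifyOnly.' }
        Write-Host 'Step 1 verified on all DCs and in DNS; safe to run -Phase MakePrimary.'
    }
    'MakePrimary' {
        if (-not $VerifyOnly) { netdom computername $OldName "/makeprimary:$NewName" }
        Write-Host 'Reboot the Domain Controller now, then run -Phase Remove.'
    }
    'Remove' {
        if (-not $VerifyOnly) { netdom computername $NewName "/remove:$OldName" }
        repadmin /syncall /AdeP | Out-Null
        if (-not (Test-Converged -ExpectedName $OldName -ShouldBePresent $false)) {
            throw 'Old name still present on some DCs: wait a replication cycle and re-run with -VerifyOnly.'
        }
        dcdiag "/s:$NewName" /q                     # quiet: prints only failures
    }
}
```

Run it as `.\Rename-Dc.ps1 -Phase Add`, and if it throws, wait and repeat with `-Phase Add -VerifyOnly` until every DC shows the new name as present and the DNS check passes; only then run `-Phase MakePrimary`, reboot, and finish with `-Phase Remove`. The script deliberately never chains the phases together, because the wait between them is the whole point of the post.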