Varonis debuts trailblazing features for securing Salesforce. Learn More

Introducing Athena AI our new generative AI layer for the Varonis Data Security Platform.

Learn more

Risks of Renaming Your Domain in Active Directory

3 min read
Last updated June 30, 2022

As a sysadmin, there might be moments where you’ll find the need to change, merge, or rename your domain. Hopefully you name your domain well the first time, but there are still many reasons why you might need to rename a domain, for instance: an organizational restructuring, merger, buyout or expansion. Keep in mind that a rename is not designed to accommodate forest mergers or the movement of domains between forests.

With long checklists, constraints and precautions, renaming a domain is not a simple undertaking, and the time required to complete a domain rename is proportional to the deployed AD forest – in terms of domain count, domain controllers and computers. There are also no step-by-step instructions for domain renames (that I could find), therefore the key to renaming a domain successfully is to do all the necessary prep work and to understand what areas might be affected.

When renaming your domain, here are, in my opinion, two major considerations:

  1. The risk of locking out users if steps in the process are missed
  2. Applications that are incompatible with the domain rename

Get the Free PowerShell and Active Directory Essentials Video Course

Users Will Not Be Able to Log In

There are a couple of steps at the end of the domain rename process, if not planned and executed properly, that will impact your users greatly – i.e., they will not be able to log in. Here’s what you’ll need to review (probably multiple times):

During the Domain Rename: Local vs Remote

When you are performing the domain rename operation, connect as many workstations via wired LAN. Any remote computers that connect to the new domain through a remote connection such as a VPN will need to unjoin the old domain and rejoin the new domain.

Reboot Workstations Twice

Once the domain rename is complete, each user’s computer that is joined to the renamed domain must be rebooted twice AFTER all domain controllers are back up. Rebooting twice ensures that each user’s computer learns the new domain name and also propagates to all applications running on the user’s computer. Each computer must be restarted by logging into the computer and using the Shutdown/Restart option. Do not restart the computer by turning the computer power off and then turning it back on.

Remove the Old Domain

Once the domain members are updated, perform the rendom /clean command which removes the old domain names from Active Directory. If you run rendom /clean command and there are members that have not been rebooted twice you will have to rejoin them to the domain.

Also, if you execute rendom /clean before all the machines in the domain get rebooted twice, they won’t be able to access the domain because random / clean removes the old domain name from Active Directory, including “removing all values of ms-DS-DnsRootAlias from the domain name operations master.1

Applications Incompatible with Domain Renaming

With Exchange 2003 and 2008, the Active Directory DNS name can change, however, there are a number of Exchange applications that are incompatible with domain renaming, including:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange Server 2007
  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2013

There are also non-Exchange applications that may be impacted, but Exchange is emphasized because email is often the most utilized form of communication and would be impacted most if you were to perform a domain rename.  Also, renaming the NetBIOS domain name is not supported in any version of the Exchange Server. Lastly, keep in mind that non-Microsoft applications may also not support a domain rename.

If you perform an AD rename with an unsupported version of Exchange, you will need to create a new AD forest, install Exchange into the new forest, and migrate all the objects. However, this process is very time intensive and many not be realistic to undertake.

Workaround: When Exchange is Incompatible with a Domain Rename

You might find yourself in a situation where your Exchange application is incompatible with a domain rename but you’re tasked with creating a new external domain name for emailing purposes. Here’s what you’ll need to do:

  1. Register your new domain name
  2. Create a redirect so that emails sent to the old email addresses will be automatically forwarded to the new email address

When you follow this procedure, everyone will know you by your new name because of your awesome new email address, your AD domain won’t need to be renamed, and users won’t be impacted.


What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
Azure Managed Identities: Definition, Types, Benefits + Demonstration
Use this guide to learn about Azure managed identities: What they are, how many types there are, and what benefits they offer, plus how they work.
Group Policy Objects (GPOs): How They Work & Configuration Steps
Group Policy Objects (GPOs) let system admins control and implement cybersecurity measures from a single location. Learn about GPOs and how they work here.
12 Group Policy Best Practices: Settings and Tips for Admins
Group Policy configures settings, behavior, and privileges for user and computers. In this article, you’ll learn best practices when working with Group Policy.
Securing Azure Blob Storage: Set-Up Guide
Security is vital in today’s cloud-first environment. Cloud services are often enabled to solve an issue quickly, but no one goes back to verify if security best practices have been…