Risks of Renaming Your Domain in Active Directory

Michael Buckbee
3 min read
Last updated June 30, 2022

As a sysadmin, there might be moments where you’ll find the need to change, merge, or rename your domain. Hopefully you name your domain well the first time, but there are still many reasons why you might need to rename a domain, for instance: an organizational restructuring, merger, buyout or expansion. Keep in mind that a rename is not designed to accommodate forest mergers or the movement of domains between forests.

With long checklists, constraints and precautions, renaming a domain is not a simple undertaking, and the time required to complete a domain rename is proportional to the deployed AD forest – in terms of domain count, domain controllers and computers. There are also no step-by-step instructions for domain renames (that I could find), therefore the key to renaming a domain successfully is to do all the necessary prep work and to understand what areas might be affected.

When renaming your domain, here are, in my opinion, two major considerations:

  1. The risk of locking out users if steps in the process are missed
  2. Applications that are incompatible with the domain rename


Users Will Not Be Able to Log In

There are a couple of steps at the end of the domain rename process, if not planned and executed properly, that will impact your users greatly – i.e., they will not be able to log in. Here’s what you’ll need to review (probably multiple times):

During the Domain Rename: Local vs Remote

When you are performing the domain rename operation, connect as many workstations as possible via wired LAN. Any remote computers that connect to the new domain through a remote connection such as a VPN will need to unjoin the old domain and rejoin the new domain.

Reboot Workstations Twice

Once the domain rename is complete, each user’s computer that is joined to the renamed domain must be rebooted twice AFTER all domain controllers are back up. Rebooting twice ensures that each user’s computer learns the new domain name and also propagates to all applications running on the user’s computer. Each computer must be restarted by logging into the computer and using the Shutdown/Restart option. Do not restart the computer by turning the computer power off and then turning it back on.

Remove the Old Domain

Once the domain members are updated, run the rendom /clean command, which removes the old domain names from Active Directory. If you run rendom /clean while there are members that have not yet been rebooted twice, you will have to rejoin them to the domain.

Also, if you execute rendom /clean before all the machines in the domain have been rebooted twice, they won’t be able to access the domain, because rendom /clean removes the old domain name from Active Directory, including “removing all values of ms-DS-DnsRootAlias from the domain name operations master.”1
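The reboot-twice rule and the rendom /clean warning above are the two places where a missed machine turns into a locked-out user, so it is worth gating the clean-up step on evidence rather than on a checklist. The PowerShell script below is an added example, not code from the original post or from Microsoft: it counts System event ID 6005 (written once per boot when the event log service starts) on every enabled computer account since the time the last domain controller came back up, and refuses to give the go-ahead for rendom /clean until every machine shows at least two boots. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read the System event log remotely on each computer, and that the $DcsBackOnline timestamp you pass in is the moment your DCs were confirmed back up after the rename.

```powershell
# Added example (not from the original post): readiness check to run BEFORE "rendom /clean".
# Assumptions: ActiveDirectory RSAT module present; remote event-log access (RPC/WinRM) to
# each computer; $DcsBackOnline = time the last domain controller came back up after the rename.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [datetime] $DcsBackOnline,   # e.g. (Get-Date '2022-06-30 14:00')
    [int]    $RequiredReboots = 2,                      # the post's rule: two restarts per machine
    [string] $ReportPath      = '.\rename-readiness.csv'
)

Import-Module ActiveDirectory

# Every enabled computer account in the renamed domain, servers and workstations alike.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, LastLogonDate

$results = foreach ($c in $computers) {
    $name = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }

    # Event ID 6005 ("The Event log service was started") appears once per boot, so the
    # number of 6005 events after the cutoff is the number of restarts since the DCs returned.
    try {
        $boots  = Get-WinEvent -ComputerName $name -ErrorAction Stop -FilterHashtable @{
            LogName   = 'System'
            Id        = 6005
            StartTime = $DcsBackOnline
        }
        $count  = @($boots).Count
        $status = if ($count -ge $RequiredReboots) { 'Ready' } else { 'NeedsReboot' }
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # Reachable, but no boot recorded since the cutoff: it has not restarted at all.
            $count  = 0
            $status = 'NeedsReboot'
        }
        else {
            # Offline laptops and VPN-only clients land here; these are exactly the machines
            # the post says will have to unjoin and rejoin, so they must not be assumed ready.
            $count  = $null
            $status = 'Unreachable'
        }
    }

    [pscustomobject]@{
        Computer     = $name
        OS           = $c.OperatingSystem
        LastLogon    = $c.LastLogonDate
        BootsSinceDC = $count
        Status       = $status
    }
}

# Keep the evidence: a per-machine CSV plus a one-line summary per status.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

$notReady = @($results | Where-Object Status -ne 'Ready')
if ($notReady.Count -gt 0) {
    Write-Warning ("{0} computer(s) are not ready; do NOT run 'rendom /clean' yet. Details: {1}" -f $notReady.Count, $ReportPath)
    exit 1
}
Write-Host ("All {0} computers have rebooted {1}+ times since {2}; safe to proceed with rendom /clean." -f $results.Count, $RequiredReboots, $DcsBackOnline)
```

Run it from an admin workstation as `.\Check-RenameReadiness.ps1 -DcsBackOnline (Get-Date '2022-06-30 14:00')` (the file name is assumed). A non-zero exit code is the signal to keep waiting; the CSV lists which machines still need a restart and which could not be reached at all, so the unreachable set becomes the list of computers to unjoin and rejoin rather than a surprise after the clean-up.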

Applications Incompatible with Domain Renaming

With Exchange 2003 and 2008, the Active Directory DNS name can change; however, there are a number of Exchange versions that are incompatible with domain renaming, including:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange Server 2007
  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2013

There are also non-Exchange applications that may be impacted, but Exchange is emphasized because email is often the most utilized form of communication and would be impacted most if you were to perform a domain rename. Also, renaming the NetBIOS domain name is not supported in any version of Exchange Server. Lastly, keep in mind that non-Microsoft applications may also not support a domain rename.

If you perform an AD rename with an unsupported version of Exchange, you will need to create a new AD forest, install Exchange into the new forest, and migrate all the objects. However, this process is very time intensive and may not be realistic to undertake.

Workaround: When Exchange is Incompatible with a Domain Rename

You might find yourself in a situation where your Exchange application is incompatible with a domain rename but you’re tasked with creating a new external domain name for emailing purposes. Here’s what you’ll need to do:

  1. Register your new domain name
  2. Create a redirect so that emails sent to the old email addresses will be automatically forwarded to the new email address

When you follow this procedure, everyone will know you by your new name because of your awesome new email address, your AD domain won’t need to be renamed, and users won’t be impacted.


1 http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx
