Inside Out Security Blog   /  

Risks of Renaming Your Domain in Active Directory

As a sysadmin, there might be moments where you’ll find the need to change, merge, or rename your domain. Hopefully you name your domain well the first time, but there are still many reasons why you might need to rename a domain, for instance: an organizational restructuring, merger, buyout or expansion. Keep in mind that a rename is not designed to accommodate forest mergers or the movement of domains between forests.

With long checklists, constraints and precautions, renaming a domain is not a simple undertaking, and the time required to complete a domain rename is proportional to the deployed AD forest – in terms of domain count, domain controllers and computers. There are also no step-by-step instructions for domain renames (that I could find), therefore the key to renaming a domain successfully is to do all the necessary prep work and to understand what areas might be affected.

When renaming your domain, here are, in my opinion, two major considerations:

  1. The risk of locking out users if steps in the process are missed
  2. Applications that are incompatible with the domain rename

Get the Free PowerShell and Active Directory Essentials Video Course

Users Will Not Be Able to Log In

There are a couple of steps at the end of the domain rename process, if not planned and executed properly, that will impact your users greatly – i.e., they will not be able to log in. Here’s what you’ll need to review (probably multiple times):

During the Domain Rename: Local vs Remote

When you are performing the domain rename operation, connect as many workstations via wired LAN. Any remote computers that connect to the new domain through a remote connection such as a VPN will need to unjoin the old domain and rejoin the new domain.

Reboot Workstations Twice

Once the domain rename is complete, each user’s computer that is joined to the renamed domain must be rebooted twice AFTER all domain controllers are back up. Rebooting twice ensures that each user’s computer learns the new domain name and also propagates to all applications running on the user’s computer. Each computer must be restarted by logging into the computer and using the Shutdown/Restart option. Do not restart the computer by turning the computer power off and then turning it back on.

Remove the Old Domain

Once the domain members are updated, perform the rendom /clean command which removes the old domain names from Active Directory. If you run rendom /clean command and there are members that have not been rebooted twice you will have to rejoin them to the domain.

Also, if you execute rendom /clean before all the machines in the domain get rebooted twice, they won’t be able to access the domain because random / clean removes the old domain name from Active Directory, including “removing all values of ms-DS-DnsRootAlias from the domain name operations master.1

Applications Incompatible with Domain Renaming

With Exchange 2003 and 2008, the Active Directory DNS name can change, however, there are a number of Exchange applications that are incompatible with domain renaming, including:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange Server 2007
  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2013

There are also non-Exchange applications that may be impacted, but Exchange is emphasized because email is often the most utilized form of communication and would be impacted most if you were to perform a domain rename.  Also, renaming the NetBIOS domain name is not supported in any version of the Exchange Server. Lastly, keep in mind that non-Microsoft applications may also not support a domain rename.

If you perform an AD rename with an unsupported version of Exchange, you will need to create a new AD forest, install Exchange into the new forest, and migrate all the objects. However, this process is very time intensive and many not be realistic to undertake.

Workaround: When Exchange is Incompatible with a Domain Rename

You might find yourself in a situation where your Exchange application is incompatible with a domain rename but you’re tasked with creating a new external domain name for emailing purposes. Here’s what you’ll need to do:

  1. Register your new domain name
  2. Create a redirect so that emails sent to the old email addresses will be automatically forwarded to the new email address

When you follow this procedure, everyone will know you by your new name because of your awesome new email address, your AD domain won’t need to be renamed, and users won’t be impacted.


We're Varonis.

We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.

How it works