Domain Rename in Server 2003

Discussion in 'Networks' started by MLP, Jul 17, 2009.

  1. MLP

    MLP Kilobyte Poster

    Hi

    Next week at work, I need to carry out a domain rename on a Server 2003 domain. It's a fairly simple setup, in that we will have one domain controller, and a member server, which will be used as the control station, and will be promoted afterwards to DC, and have DHCP and WDS installed. The reason the domain is so simple is that we are migrating from one domain to another, and have set up and tested migrating user accounts, and all our clients will be re-imaged soon after anyway.

    I've carried out the procedure in a test lab a few times, and created a document detailing the required steps. However, I'm feeling a little apprehensive about this, I don't know why, as the testing has gone well. I'm just wondering if anyone has done this before, and if so, whether there are any 'gotchas' waiting to trip us up.

    Many thanks


    Maria
     
    Certifications: HND Computing
  2. Sparky

    Sparky Zettabyte Poster Moderator

    So you're migrating to a new domain and not actually renaming your current domain?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. MLP

    MLP Kilobyte Poster

    Sorry, I've explained that quite badly. Basically, we have our existing domain, which was installed a while back, before my time, by an outside company, who shall remain nameless. This domain is a Server 2003 domain, but includes some of this company's 'tools', which are meant to help us manage the clients. This company also provided us with a support contract, for a hefty fee.

    However, we have to update our server hardware, and at the same time, we are going to do away with this company's helpful tools and support contract (which has been worse than useless), rather than pay these people loads to come in and just install a DC, install their stuff, and demote the existing DC.

    For various reasons, we have settled upon the ADMT approach. To achieve this, we have installed a DC on one of our nice shiny new servers, set up our OUs, group policies, file structure etc. We have also set up and carried out a successful migration of some user accounts for users who have left, including password export, and tested it.

    The problem comes with the domain rename. We need the new domain to have the same name as the old one. At present, in order to create the necessary trust relationship that we need, we have called the new domain domainnamenew.com.

    The plan is to carry out the rest of the user migration next week, when our users are not in, then unplug the old domain, and then rename our new domain to what it should be.

    I know this is a long-winded process, and adding one of the new servers as a DC, seizing the FSMO roles, and demoting the old domain controller would be simpler, but the existing domain is a bit of a mess, with replication errors, dodgy scripts, and lost roles.

    Hope this clears it up a bit

    Maria
     
    Certifications: HND Computing
  4. Sparky

    Sparky Zettabyte Poster Moderator

    Ok, now I get ya

    How bad is the current domain? Are all the FSMO roles on it?

    Also how many client PCs\Laptops do you have? Also does the new domain *have* to be the same name?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  5. MLP

    MLP Kilobyte Poster

    The current domain is pretty bad. The domain naming master and also the schema master roles have gone. Also, this software that the third party installed gets in everywhere, and can be pretty tough to uninstall, from what I've heard.

    Unfortunately, we have to retain the domain name, I'm not entirely sure why, as we don't yet host any internet facing servers. Well, we do, but not as part of this domain. I think the domain name was assigned to us by our local education authority, who can be quite finicky about these things.

    As for clients, we have about 700 - 800, including about 200 Macs. We need to reimage them all anyway, as the third party software includes a bulky client component, which we need to remove manually, and we tend to reimage systems at this time of year anyway, as they take a bit of a battering through the year. We've got about 6 weeks with no users about to do this, so I'm not too concerned.

    Maria
     
    Certifications: HND Computing
  6. Sparky

    Sparky Zettabyte Poster Moderator

    Ok, I would suggest building your new domain with the name you need and then migrate file shares etc. onto the new domain. What are you using for email by the way?

    If you are reimaging all your PCs then you don't have to worry about migrating them. For the AD accounts perhaps just export to .csv and then import them into the new domain?

    I wouldn't change the name of the domain for the sake of a migration here. I know MS says you can do it but I would seriously think long and hard before doing that. If you have a nice new domain do you really want to mess with it?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  7. MLP

    MLP Kilobyte Poster

    OK, email - not an issue. I know that Exchange, and MX records in general, complicate domain rename, but our current mail solution is a web based option, provided externally. We may be adding our own mail system later, possibly Exchange, possibly Kerio mail server, but at present we don't have that problem.

    If we were to carry out the domain rename, is there anything that you know of that we should keep an eye out for? We've already established what rendom commands we need to run, in the correct order, and when to run the gpfixup command. Also, we know that we need to change the shortcuts on the start menu for Default Domain Policy and Default Domain Controllers Policy to point to the new domain name, and that we need to repoint gpmc.msc to look for the new domain name. I'm just wondering if there is anything else that could trip us up, now or later down the line. Have you ever carried out a domain rename?

    I'll bear in mind your suggestion that we create the domain with the correct name first off, then use csvde to migrate users, and then migrate files and shares. We have had the new domain up and running for a while now though, and it's been happy. Ultimately the decision is not mine to make.

    On a side note, we found ADMT to be not as difficult as we first thought, at least for user accounts anyway. Groups weren't really an issue, as we are restructuring them anyway. The benefit of migrating passwords for us is huge, as having 1500 users, and only three support staff, redistributing passwords becomes problematic. Setting all passwords the same would have been an issue as well, as being kids, they'd soon work out each other's passwords and log in as other people, to not get caught out by our internet tracking software.

    Thanks for your help


    Maria
     
    Certifications: HND Computing
  8. Sparky

    Sparky Zettabyte Poster Moderator

    The last time I tried a domain rename the DNS zone still had entries for the old domain name. Actually the zone was still olddomain.local when it should have been newdomain.local. I thought this was a risk so I just ran a system state restore and migrated another way.

    It does sound like you have researched this well so you might be good to go, but you don't want to have a situation 6 weeks later when you discover something doesn't work because of the domain rename.

    Can you not just leave the new domain with its new domain name? If you have a domain called company.local just now why not just go for company.internal as the new domain name? It will look exactly the same as the old domain when users log on and the domain suffix should not be an issue for future network changes.

    Edit:
    I looked at a domain name change a while back..
    http://www.certforums.co.uk/forums/thread17302.html
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  9. MLP

    MLP Kilobyte Poster

    Thanks for the help. I'll put this forward to my manager on Monday.

    I'm now thinking, ASR backup before the domain rename, then give it a try. If it all goes belly up, we can roll back. Having a simple domain at this point should go in our favour, and at least we have some time to test and get things right.

    If all things go well, I'll let you know.

    Many thanks for your help.


    Maria
     
    Certifications: HND Computing
  10. Sparky

    Sparky Zettabyte Poster Moderator

    No problem, hope everything goes well with the migration.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  11. nugget

    nugget Junior toady

    Have you thought about setting the new domain up as Sparky suggested but just on an isolated network, then after all the set up you can just unplug the old one?
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  12. MLP

    MLP Kilobyte Poster

    Hi

    Just to update you, we performed the domain rename today, and it's all looking good. We thought we had hit a problem when we ran the rendom /prepare command, having received an error 5. However, this was my fault, as I had inadvertently logged on to the control station as the local admin, rather than logged on to the domain. Once we got round that, all went well.

    We found we had to edit the SOA records for the domain controller - just the responsible person field, but this was no big deal. Other than that, DNS is happy. It helps that at this point we only had the DC, the control station - as a member server, and our test client, so there wasn't loads of DNS records to check.

    We migrated all users and passwords yesterday, along with their files, and set their new groups appropriately. The fact that we were able to migrate passwords was the decision maker for us, as only having a three person team, and about 1500 users, even if we were to script password resets, we would still need to distribute them, and at a hectic time of year, this would be near to impossible.

    We're going to leave the servers overnight, and check the logs tomorrow, as well as join some machines to the new network, and if this is fine, we'll crack on with the rest of the network.

    We were lucky in that we had very little to lose at this point. No users in, new hardware to migrate to, and backup plans if it all fell apart. If I had to do this with a 'live' network, with users coming back in the morning, to log on to already installed clients, I don't know if I'd have dared to go ahead.

    Thanks for your help. If it's of use to anyone, I can tidy up the notes I made and make them available, assuming everything goes OK tomorrow.

    Right, DHCP, DNS, DCPromo and WDS to set up on the second server tomorrow, as well as binding our Mac server to the new domain (luckily not my area), so I'm off to relax for a while.

    Nugget: we really wanted to have a trust relationship between the old domain and the new, so we could use ADMT and the Password Export Server service to move our user objects across.

    Maria
     
    Certifications: HND Computing
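A pre-flight check for the control station, written as an added example (not from the thread or Maria's notes) around the three things flagged in this thread: the error 5 from a local admin logon, the missing FSMO roles on the old domain, and the DNS zone/SOA records that needed editing afterwards. The domain name and DC name are placeholders, not the site's real values.

```batch
@echo off
REM rename-preflight.cmd - run on the control station before rendom /upload.
REM Added example, not from the thread or Maria's notes; the names below are
REM placeholders, not this site's real domain or DC.
setlocal
set OLDDNS=domainnamenew.com
set DC=dc01.domainnamenew.com

REM 1. The error 5 (access denied) from rendom /prepare in the thread came from a
REM    local admin logon. A local logon shows USERDOMAIN equal to COMPUTERNAME.
if /I "%USERDOMAIN%"=="%COMPUTERNAME%" (
    echo FAIL: logged on locally as %USERDOMAIN%\%USERNAME%; use a domain admin account
    exit /b 1
)
echo OK: running as %USERDOMAIN%\%USERNAME%

REM 2. rendom needs all five FSMO roles on reachable DCs; the old domain in the
REM    thread had lost its Schema and Domain Naming masters, so check explicitly.
netdom query fsmo || (echo FAIL: could not query FSMO roles & exit /b 1)

REM 3. The zone's SOA record (responsible-person field) needed hand-editing after
REM    the rename in the thread, so record the zone list and SOA now for comparison.
dnscmd %DC% /enumzones
dnscmd %DC% /enumrecords %OLDDNS% @ /type SOA > soa-before-rename.txt
if errorlevel 1 (echo FAIL: could not read the SOA of %OLDDNS% on %DC% & exit /b 1)
type soa-before-rename.txt

REM 4. Generate Domainlist.xml, which is then edited to carry the new name and
REM    reviewed with rendom /showforest before anything is uploaded.
rendom /list || (echo FAIL: rendom /list failed & exit /b 1)
echo Preflight passed. Edit Domainlist.xml, then review it with rendom /showforest.
endlocal
```

After the rename, re-run the same dnscmd query against the new zone name and compare it with soa-before-rename.txt to catch stale entries of the kind Sparky described.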
  13. Sparky

    Sparky Zettabyte Poster Moderator

    Good job there. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  14. Boycie

    Boycie Senior Beer Tester

    Well done, Maria! Notes, would be great, thanks.

    Simon
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  15. MLP

    MLP Kilobyte Poster

    Not a problem, I just need to give them a bit of a tidy up, and de-personalise them a bit. I'll attach them in a bit.
     
    Certifications: HND Computing
  16. Boycie

    Boycie Senior Beer Tester

    Great, thanks.
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  17. Sparky

    Sparky Zettabyte Poster Moderator

    Cool, just as a point of interest it would have been good to know how the PCs\laptops would react after a domain name change. In this case you said you are reimaging the PCs so it's not an issue.

    One for the next lab I think
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  18. MLP

    MLP Kilobyte Poster

    OK, notes attached. I'll apologise in advance for any bad spelling, grammar and dull writing style.

    Enjoy

    Maria
     
    Certifications: HND Computing
  19. Bluerinse

    Bluerinse Exabyte Poster

    Great stuff Maria, thanks for posting your notes 8)
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
