2

I'm working with a site that needs an internal DNS domain rename. It currently has a DNS name of domain.abc.com and NT name of ABC. I'm trying to get to a DNS name of abctrading.com and NT name of ABCTRADING. Split DNS would be used.

The site originally ran from a single Windows 2000 domain controller hosting AD, file, print, DHCP and DNS services. There was no Exchange system in the environment. The 50 client PCs are all Windows XP with a handful of users using roaming profiles. All users are in a single OU and there are no group policy/GPOs.

I'm a Linux engineer, but have been trying to guide another group of consultants to reach a more suitable setup. With the help of this group, we were able to move the single Windows 2000 system to a set of Windows 2008 R2 servers separated into domain controller and file/print systems (virtualized). We are also trying to add an Exchange 2010 system to this mix. The Windows 2000 server was demoted and is no longer in the picture.

This is the tricky part, as client wants the domain renamed and the consultants aren't quite sure how to get through it without another 32-40 hours of testing/implementation. They say that there's considerable risk to do the rename without a completely isolated test environment. However, this rename has to be done before installing Exchange. So we're stuck at this point.

I'd like to know what's involved in renaming the domain at this point. We're on Windows Server 2008. The AD is healthy now. Coming from a Linux background, it seems as though there should be a reasonable path to this. Also, since the original domain appears to be a child/subdomain, would that be a problem here?

I'd appreciate any guidance.

ewwhite
  • (Now that I've calmed down...) I'd urge you to STRONGLY consider not using the same domain name for your public DNS presence and your Active Directory domain. Split DNS provides no advantages and only creates work. Worse, there are some situations (see http://serverfault.com/questions/241649/active-directory-dns-change-entry-only-on-one-site for an example) where your split DNS and the default behavior of AD DNS will cause actual "impossible" situations. There is no loss of functionality by having your AD domain name and public DNS using different names. – Evan Anderson Mar 01 '11 at 14:59
  • Suppose I went to `abctrading.local` and eliminated the split dns portion. The rest of the question remains valid. Is a domain name change still reasonable at that point? Is 32-40 billable hours still a reasonable number? – ewwhite Mar 01 '11 at 16:36

4 Answers

3

In my opinion 32 - 40 billable hours to perform the testing necessary for a domain rename in such a small infrastructure is insanely high.

The configuration you describe could be tested in an afternoon with a couple of physical "scratch" client computers, a virtual domain controller, and a virtual member server on an isolated LAN.

I'd start by obtaining a test domain controller by installing a VM connected to the LAN, joining it to the domain, and promoting it to a domain controller. I'd install a DNS server, mark it as a Global Catalog server, and set it to refer to itself for DNS. Once all AD replication completed I'd take a snapshot of the VM, and then demote it back to being a member server before removing it from the domain. This leaves the production AD domain in a state consistent with how it started.

I'd detach the VM host from the LAN (or otherwise isolate it), reboot the domain controller VM from the snapshot taken when it was still a DC and seize the FSMO roles to it. This gives you a DC "under glass" to work from. I'd join a couple of "scratch" client computers to the domain hosted by the DC in the isolated network, and bring up a test file server VM as a member server. Once I verified that the "domain under glass" functioned properly I'd proceed with taking snapshots (to give me a fall-back position to re-start testing) and start the domain rename testing.

Domain rename without an Exchange 2003 infrastructure to worry about isn't something you should be too scared of. It's reasonably well documented (others provide links in their answers that are reasonable) and is "supported" by Microsoft. As you've already noted, doing it before you deploy Exchange is important because this is your last chance to rename the domain.

Evan Anderson
  • Thank you. We are going with this approach, modified slightly to take a clean snapshot of the sole domain controller. The consultants are still citing two days to replicate and test, but it seems to be the best way to accomplish the domain rename. – ewwhite Mar 02 '11 at 15:20
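As an added example that is not code from any answer in this thread: the steps Evan describes for the DC "under glass" (seize the FSMO roles, confirm health) followed by the documented rendom sequence for the rename itself, written as PowerShell for a Windows Server 2008 R2 DC. It assumes the ActiveDirectory module plus rendom.exe and gpfixup.exe (AD DS tools) are installed, uses the names from the question, and is run stage by stage because rendom /execute reboots the DC.

```powershell
# Added example, not code from any answer here. Assumes: Windows Server 2008 R2
# DC in the isolated lab, ActiveDirectory module plus rendom.exe / gpfixup.exe
# (AD DS tools) installed, and the old/new names from the question.
$OldDns = 'domain.abc.com'; $NewDns = 'abctrading.com'
$OldNb  = 'ABC';            $NewNb  = 'ABCTRADING'
$LabDc  = $env:COMPUTERNAME # the DC "under glass"

Import-Module ActiveDirectory

# Stage 1 - the isolated DC must own all five FSMO roles, because the production
# holders are unreachable. -Force seizes rather than transfers; acceptable only
# because this VM is isolated and will be discarded after testing.
$roles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $LabDc -OperationMasterRole $roles -Force -Confirm:$false
netdom query fsmo                       # all five should now list $LabDc

# Stage 2 - rendom refuses to proceed on an unhealthy forest; output must be clean.
dcdiag /test:fsmocheck /test:replications
repadmin /showrepl

# Stage 3 - describe the forest, then rewrite every partition carrying the old
# name: the domain itself and the DomainDnsZones / ForestDnsZones application
# partitions, which must be renamed consistently with it.
rendom /list                            # writes .\Domainlist.xml
$pattern = [regex]::Escape($OldDns) + '$'
[xml]$forest = Get-Content .\Domainlist.xml
foreach ($d in $forest.Forest.Domain) {
    if ($d.DNSname -match $pattern) { $d.DNSname     = $d.DNSname -replace $pattern, $NewDns }
    if ($d.NetBiosName -eq $OldNb)  { $d.NetBiosName = $NewNb }
}
$forest.Save((Resolve-Path .\Domainlist.xml).Path)
rendom /showforest                      # review the new names before committing

# Stage 4 - upload the rename script, verify every DC accepts it, execute.
# rendom /execute reboots every DC, so stage 5 is run after they come back.
rendom /upload
rendom /prepare
rendom /execute

# Stage 5 (after reboot) - fix GPO links and paths that embed the old name,
# then clear the rename state. Member computers reboot twice to pick up the
# new domain name.
gpfixup "/olddns:$OldDns" "/newdns:$NewDns" "/oldnb:$OldNb" "/newnb:$NewNb"
rendom /clean
rendom /end
```

Run it first against the snapshot-backed lab DC and scratch clients; only once every stage is clean there does the same sequence get run against production.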
2

Can't emphasize enough that you should listen to your consultants. It's hard coming from the *nix world to understand just how... ahem "non-deterministic"... Microsoft products are.

Add that to the absolutely vital nature of your domain services, especially authentication/authorization and the risk analysis is clear on this one: let them take the time to test it if you're going to do a domain rename.

Mary
  • I don't want to get into an OS flame war, but I strongly disagree w/ your statement re: Microsoft products acting in a "non-deterministic" manner. Any product that isn't fully understood is going to appear to act non-deterministically, proprietary or otherwise. – Evan Anderson Mar 01 '11 at 21:27
1

You should be able to find the information and guidance you need here:

http://technet.microsoft.com/en-us/library/cc794907(WS.10).aspx

joeqwerty
  • I'm being told by the Windows consultants that there's considerable risk to doing this and that an isolated test environment is necessary to prevent destroying Active Directory. – ewwhite Mar 01 '11 at 14:33
  • There is a certain amount of risk involved and the consultants are being prudently cautious. The information at the link is what you need to know in order to undertake the domain rename and it's up to you to determine how much risk you're willing to expose yourself to and how best to go about achieving the objective. I wouldn't fault the consultants for wanting to proceed carefully. – joeqwerty Mar 01 '11 at 14:44
0

It sounds like you have got everything in place to rename the domain. I think that each client of the domain will have to reboot twice to pick up the new domain name.

Also be careful when running DCs in a virtual environment, they are supported but there are certain things you need to consider. Please see the following sites.

http://support.microsoft.com/kb/888794

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

TheMoo