1

I have a domain, washington.example.com, on Windows Server 2012 R2. For integrations with Office 365, my organization decided to rename the domain from washington.example.com to example.com. My organization has several domain controllers that are connected over one global VPN.
I tried renaming my domain on virtual machines. On the domain controller that holds the FSMO roles, I created the zone "example.com" and did a manual replication between the domain controllers. Next, on the domain controller that holds the FSMO roles, I ran rendom /list as an Enterprise Admin, then edited Domainlist.xml, where I changed the domain name. Then I ran several commands to apply my changes: rendom /upload, rendom /prepare, rendom /execute. The last command rebooted all domain controllers. I also fixed the GPOs via gpfixup /olddns:washington.example.com /newdns:example.com.
Finally, I ran rendom /clean and rendom /end. I also renamed the computers via netdom computername vm-dc.washington.example.com /add:vm-dc.example.com and netdom computername washington.example.com /makeprimary:vm-dc.example.com. Of course, I did the netdom steps for each virtual machine with a domain controller.
Everything works. After rebooting, the computers in the isolated network are in the new domain. But I read on the Microsoft site that this procedure can cause some trouble if you have a Certificate Authority. On my domain controller that holds the FSMO roles, I have this Certificate Authority. In the Certificate Authority console I see new certificates for the other domain controllers with the expected names, for example srv-dc.washington.example.com in the past and now a new certificate for srv-dc.example.com. But when I look at the details, I see that the Issuer is

CN = washington-VM-DC-CA
DC = washington
DC = example
DC = com

So, on this topic, I have two questions. First, is it correct to rename a domain with a working Certificate Authority? And second, how do I update this Certificate Authority according to the new domain name?

Piduna
    `For integrations with office 365, my organization, decided to rename domain name from washington.example.com to example.com` - What integrations? This is not what is typically done. Are you trying to sync your on-premises users to Office 365/Azure AD? – joeqwerty Feb 05 '19 at 20:21
  • 2
    I repeat my warning from another forum: Your domain name already conforms to best practice. The positives are unknown. Your stated reason is invalid. No technical reason to move forward with this change has been provided in at least two forums. You jeopardize your environment on a whim. – Semicolon Feb 05 '19 at 22:11
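As an added example (not part of the question or of either answer), the following PowerShell audits the local machine certificate stores for certificates whose Issuer DN still carries the DC= components of the old domain name, which is exactly what the asker saw in the CA console. The two domain names come from the question; the function names and the stores searched are assumptions. Run on each domain controller and on the CA host, it yields an inventory of certificates chained to the old CA name, which is useful for tracking re-enrollment later.

```powershell
# Added example, not the asker's code. Domain names are from the question;
# everything else is an assumption.
$OldDomain = 'washington.example.com'   # pre-rename name (from the question)
$NewDomain = 'example.com'              # post-rename name (from the question)

function ConvertTo-DcSuffix {
    # "washington.example.com" -> "DC=washington,DC=example,DC=com"
    param([Parameter(Mandatory)][string]$DnsName)
    ($DnsName.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

function Normalize-Dn {
    # Collapse "CN = x, DC = y" and "CN=x, DC=y" into "CN=x,DC=y" so DNs from
    # the console and from .NET compare equally. -like is case-insensitive.
    param([Parameter(Mandatory)][string]$Dn)
    ($Dn -replace '\s*=\s*', '=') -replace '\s*,\s*', ','
}

function Get-OldIssuerCertificates {
    # Returns every certificate in the given stores whose Issuer DN contains
    # the old domain's DC= path and not the new one.
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA')
    )
    $oldSuffix = ConvertTo-DcSuffix $OldDomain
    $newSuffix = ConvertTo-DcSuffix $NewDomain

    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path | ForEach-Object {
            $issuer = Normalize-Dn $_.Issuer
            # Old DC= path present, and the issuer DN does not END with the new path
            # (the old path contains the new one as a suffix, so check both).
            if ($issuer -like "*$oldSuffix*" -and $issuer -notlike "*,$newSuffix") {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                    IsCaCert   = ($_.Subject -eq $_.Issuer)   # self-signed root copy
                }
            }
        }
    }
}

Get-OldIssuerCertificates |
    Sort-Object NotAfter |
    Format-Table Store, Subject, Issuer, NotAfter, IsCaCert -AutoSize
```

Because the old DN path `DC=washington,DC=example,DC=com` ends with the new path `DC=example,DC=com`, a naive substring match on the new path would also match old-CA certificates; the function therefore requires the old path to be present and the DN to not end on the new path alone. Export the objects with `Export-Csv` if you want a per-host record to compare against after re-enrollment.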

2 Answers

4

You can't rename an ADCS Certification Authority. The best you can do is to deploy a separate CA, move clients to this new CA and then decommission the old CA.

When deploying the new CA, do not choose the default DN suffix, because it is autogenerated from AD information. Use a custom DN suffix that is tied to your company, not to AD.

After deploying the new CA, remove all certificate templates from the old CA and add them to the new CA, so new clients will work with the new CA only. In order to force clients to reenroll certificates, open the certtmpl.msc console, select the required template, right-click and select Reenroll all certificate holders. Repeat this action for all other templates you need to reenroll.

Note that this will work only if autoenrollment is enabled in GPO.

Crypt32
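As an added example (not the answerer's code), here is the deployment and template move the answer describes, done in PowerShell with the ADCSDeployment and ADCSAdministration modules that ship with the role. The CA common name, the O=/C= suffix, the old CA host name and the template list are placeholders to replace with your own values; the script assumes it runs on the new CA host as an Enterprise Admin with WinRM access to the old CA.

```powershell
# Added example, not the answerer's code. All names below are placeholders.
$NewCaCommonName = 'Example-Corp-Issuing-CA'        # placeholder
$NewCaDnSuffix   = 'O=Example Corp,C=US'            # company-tied, NOT DC=... from AD
$OldCaHost       = 'OLD-CA-HOST'                    # placeholder: host of the existing CA
$TemplatesToMove = @('Machine', 'WebServer', 'User') # placeholder template names

# 1. Install the role and stand up the new enterprise CA.
#    The custom -CADistinguishedNameSuffix is the key point: the default would be
#    built from the AD domain path (DC=...), which is what the old CA carries.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $NewCaCommonName `
    -CADistinguishedNameSuffix $NewCaDnSuffix `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 2. Unpublish the templates from the old CA so it stops issuing against them.
#    Remove-CATemplate acts on the local CA, hence the remote session.
Invoke-Command -ComputerName $OldCaHost -ScriptBlock {
    foreach ($t in $using:TemplatesToMove) {
        if (Get-CATemplate | Where-Object Name -eq $t) {
            Remove-CATemplate -Name $t -Force
        }
    }
}

# 3. Publish the same templates on the new CA (local).
foreach ($t in $TemplatesToMove) {
    if (-not (Get-CATemplate | Where-Object Name -eq $t)) {
        Add-CATemplate -Name $t -Force
    }
}

# 4. Verify: the new CA's own certificate must show the company suffix, not DC=...,
#    and the template list must match what was moved.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$NewCaCommonName*" -and $_.Subject -eq $_.Issuer }
"New CA subject: $($caCert.Subject)"
Get-CATemplate | Format-Table Name, Oid -AutoSize
```

The "Reenroll all certificate holders" step from the answer is a template-version bump done in certtmpl.msc and is not covered by these cmdlets; with autoenrollment enabled in Group Policy, clients then pick up certificates from the only CA that still publishes the template.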
4

For integrations with office 365, my organization, decided to rename domain name from washington.example.com to example.com.

If you're doing this in order to sync your on-premises AD users to Office 365/Azure AD then you're doing it wrong.

Your on-premises AD domain FQDN shouldn't be the same as your routable domain name in Office 365. You need to add and verify your routable domain name in Office 365 and then add a matching UPN suffix in your on-premises AD. Then assign this UPN suffix to your on-premises AD user accounts. When you then sync your on-premises AD user accounts to Office 365/Azure AD, the on-premises UPN will become the Office 365/Azure AD UPN, and that is what your users will use to sign in to Office 365/Azure AD.

joeqwerty
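As an added example (not the answerer's code), this PowerShell performs the UPN-suffix procedure from the answer against the asker's unrenamed domain: it registers the routable suffix at the forest level, rewrites user UPNs to use it, and reports any account still on the AD DNS suffix. The domain names are from the thread; the OU path is a placeholder, the RSAT ActiveDirectory module is assumed, and the script defaults to a dry run so it changes nothing until `$DryRun` is set to `$false`.

```powershell
# Added example, not the answerer's code. Domain names are from the thread;
# the OU and the dry-run switch are assumptions.
Import-Module ActiveDirectory

$RoutableSuffix = 'example.com'                                  # verified in Office 365
$SearchBase     = 'OU=Users,DC=washington,DC=example,DC=com'     # placeholder OU in the AD domain
$DryRun         = $true                                          # set $false to apply

# 1. Register the routable suffix on the forest (idempotent).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $RoutableSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $RoutableSuffix } -WhatIf:$DryRun
}

# 2. Assign the suffix to each user: sAMAccountName@example.com.
#    The AD DNS name stays washington.example.com; only the sign-in name changes.
function Set-RoutableUpn {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$Suffix,
        [bool]$WhatIf = $true
    )
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName
    foreach ($u in $users) {
        $newUpn = '{0}@{1}' -f $u.SamAccountName, $Suffix
        if ($u.UserPrincipalName -ne $newUpn) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:$WhatIf
        }
    }
}

Set-RoutableUpn -SearchBase $SearchBase -Suffix $RoutableSuffix -WhatIf $DryRun

# 3. Verify: list accounts whose UPN is not yet on the routable suffix.
#    Azure AD Connect syncs whatever UPN is here, so this list should be empty
#    before the first sync of these users.
Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$RoutableSuffix" } |
    Select-Object SamAccountName, UserPrincipalName |
    Format-Table -AutoSize
```

Using `SamAccountName` as the UPN prefix is a convention, not a requirement; if your Office 365 sign-in names should follow the mail alias instead, build `$newUpn` from the `mail` attribute's local part.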