Monday, 26 September 2011

Rename Windows Server 2008 Domain Controllers

The command

In order to rename a DC you will need the NETDOM command. In Windows Server 2008, this is part of the operating system, and not a separate download as in previous versions. By using the NETDOM command, you ensure that there is little or no disturbance for the domain and client operations.

Renaming a domain controller requires that you first provide a FQDN as a new computer name for the domain controller. All of the computer accounts for the domain controller must contain the updated SPN attribute and all the authoritative DNS servers for the domain name must contain the host (A) resource record for the new computer name. Both the old and new computer names are maintained until you remove the old computer name. This ensures that there will be no interruption in the ability of clients to locate or authenticate to the renamed domain controller, except when the domain controller is restarted.

Important: To rename a domain controller using the NETDOM command, the domain functional level must be set to at least Windows Server 2003.

The bad news: As usual, you will need to reboot the renamed DC.

The good news: You don't have to sit near the DC you're renaming. You can do it from any computer that has the NETDOM command, provided you have the appropriate user credentials.

You must be a member of the Domain Admins group.

To rename a DC from KUKU-SERVER to DC-SERVER in the PETRI.LOCAL domain, follow these steps:

1. Open Command Prompt and type: NETDOM computername KUKU-SERVER.PETRI.LOCAL /add:DC-SERVER.PETRI.LOCAL

This command will update the service principal name (SPN) attributes in Active Directory for this computer account, and register DNS resource records for the new computer name. The SPN value of the computer account must be replicated to all DCs for the domain, and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred prior to removing the old computer name, then some clients may be unable to locate this computer using either the new or the old name. Therefore, it's very important to wait until Active Directory replication has completed a full replication cycle. You can check that by using tools such as REPADMIN and REPLMON.

You can verify that the new name was indeed added to the computer object by viewing it through ADSIEDIT.MSC (which, for Windows Server 2008, is installed by default). Navigate to the computer object, right-click it and select Properties.

Scroll down in the list of available attributes until you reach the attribute called msDS-AdditionalDnsHostName.

2. Ensure the computer account updates and DNS registrations are completed, then type: NETDOM computername KUKU-SERVER.PETRI.LOCAL /makeprimary:DC-SERVER.PETRI.LOCAL

Again, you can inspect the change with ADSIEDIT.MSC. Scroll down in the list of available attributes for the computer object (notice how the server now appears with the new name) until you reach the attribute called msDS-AdditionalDnsHostName.

Notice that the old name should appear in the attribute's properties.

3. Restart the computer.

4. From the command prompt, type: NETDOM computername DC-SERVER.PETRI.LOCAL /remove:KUKU-SERVER.PETRI.LOCAL

5. Make sure that the changes have successfully been replicated to all the DCs.
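The checks the post asks for between step 1 and step 2 (and again before step 4), as an added PowerShell script that is not part of the original post: it confirms the alternate name and HOST SPN are on the computer account, that every DC's DNS answers for the new name, and prints the REPADMIN replication summary. It assumes the RSAT ActiveDirectory module, Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later) and repadmin.exe on the machine it runs from, Domain Admin credentials, and that the DCs host the AD-integrated DNS zone.

```powershell
# Added verification script, not from the original post. Assumes the
# ActiveDirectory module, Resolve-DnsName and repadmin.exe are available,
# Domain Admin credentials, and that each DC also hosts the domain's DNS zone.
param(
    [string]$ComputerName = 'KUKU-SERVER',          # current account name
    [string]$NewFqdn      = 'DC-SERVER.PETRI.LOCAL' # name given to /add
)
Import-Module ActiveDirectory

function Show([string]$label, [bool]$passed) {
    $state = if ($passed) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $state, $label)
    return $passed
}

$ok = $true
$dc = Get-ADComputer -Identity $ComputerName `
        -Properties 'msDS-AdditionalDnsHostName', servicePrincipalName

# Check 1: NETDOM /add must have written the alternate name to the account
# (this is the attribute the post inspects in ADSIEDIT.MSC).
$altOk = @($dc.'msDS-AdditionalDnsHostName') -contains $NewFqdn
$ok = (Show "msDS-AdditionalDnsHostName lists $NewFqdn" $altOk) -and $ok

# Check 2: the HOST SPN for the new name must exist; without it Kerberos
# authentication against the new name fails after the rename.
$spnOk = @($dc.servicePrincipalName | Where-Object { $_ -ieq "HOST/$NewFqdn" }).Count -gt 0
$ok = (Show "HOST/$NewFqdn SPN registered" $spnOk) -and $ok

# Check 3: every DC's DNS must return an A record for the new name, i.e.
# the registration has reached all authoritative servers.
foreach ($d in Get-ADDomainController -Filter *) {
    $ans = Resolve-DnsName -Name $NewFqdn -Type A -Server $d.HostName `
              -ErrorAction SilentlyContinue
    $hit = @($ans | Where-Object { $_.Type -eq 'A' }).Count -gt 0
    $ok = (Show "A record for $NewFqdn served by $($d.HostName)" $hit) -and $ok
}

# Check 4: replication state. Any failures or large deltas mean the SPN and
# name changes may not have reached every DC yet.
repadmin /replsummary | Write-Host

if (-not $ok) {
    Write-Warning 'At least one check failed: do not run /makeprimary or /remove yet.'
    exit 1
}
Write-Host 'All checks passed; safe to continue with the next NETDOM step.'
```

Run it with the old name before /makeprimary, then again with -ComputerName DC-SERVER before /remove.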

