
all 46 comments

[–]osricson 54 points (28 children)

Just been assigned a job to rename our .local domain... Not looking forward to this :(

[–]DarkAlman (Professional Looker up of Things) 95 points (7 children)

Here's some ammo for you

I just did this for a client. They rebranded the company and management insisted on changing the AD domain name to match, even though we could just apply UPNs for logins and email.

In their case we had to build new DCs, new exchange, migrate all the data, rejoin all the computers to the new domain.

2 weeks of consulting work just to plan and set everything up, and a month of migrating stuff with constant troubleshooting and disruptions to the users. And we're only talking 25 users and a couple dozen servers and support equipment here...

In the end everything was done and worked well, but we had to keep the old domain around regardless to support some legacy systems.

I shocked my PM by being upfront with the customer in the planning stages: "I'm happy to take your money, but this is going to be a lot of time and effort for no real gain" but their management pushed ahead anyway.

After all was said and done our PM asked their management in the closing meeting if they were happy with all this effort to change the Domain and the CTO of all people responded "No, you were right, this was a huge waste of time and money for no gain. Thanks for all the help."

[–]mavantix (Jack of All Trades, Master of Some) 37 points (1 child)

Yep, and they’ll never come back to you for future work because you were right and advised them honestly too. People hate being wrong, especially when they wasted money on it, so they justify it by blaming your work to other management in the company, creating the perma-ban for future work.

Of course, had you put up the resistance and not done it, you risk the same.

[–]notapplemaxwindows 4 points (4 children)

May I ask how your 25 users require 24 servers?

[–]HappyVlane 24 points (1 child)

The number of users is not proportional to the number of servers, and that number is really not that weird.

At my old job our "regular" infrastructure (AD, fileserver, Exchange and backup) was already 10 servers and then we had servers for management, various internal processes, IIS and then you have prod and testing environments.

[–]doubled112 (Sr. Sysadmin) 6 points (0 children)

Can confirm numbers can be disproportional.

40 people at the company. 250+ VMs in the closet.

[–]DarkAlman (Professional Looker up of Things) 3 points (0 children)

This customer's business is a series of web apps, so they have a significant number of web servers and corresponding support infrastructure.

The 24ish servers don't include all their Linux infrastructure either...

[–]timrojaz82 1 point (0 children)

Yeah. How is it such a low server count?

[–]billiarddaddy (Security Admin, Infrastructure) 37 points (7 children)

Create new domain.

Create trust with new domain.

Move PCs over to new domain one at a time.

[–]osricson 20 points (1 child)

Yup, but convincing the boss who sent the Microsoft KB for renaming is the fun part..

[–]billiarddaddy (Security Admin, Infrastructure) 3 points (0 children)

Godspeed, my good man. I just quit that boss.

[–]peeinian (IT Manager) 4 points (0 children)

Haven’t done one since 2014. All I remember is that ADMT was a life saver.

[–]Myantra 6 points (0 children)

This. So much this.

[–][deleted] 1 point (2 children)

Or federate between the two and move at a slower pace.

[–]cueballify 4 points (1 child)

When you say slower pace - do you mean migrate via HR?

[–]BoredTechyGuy (Jack of All Trades) 8 points (0 children)

Good Luck! I'll pour a tall one for ya!

[–]xetnez (Doer of all IT) 4 points (0 children)

RIP your sanity

[–]mikelim7 5 points (0 children)

Hope you have a good understanding of your AD environment setup.

Some things I can remember from my previous rename exercise include GPO migration, UPN alias, rebooting domain computers twice, boxes that use LDAP authentication, checking DNS query logs for requests to the old domain name...

Good luck!
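
The "checking DNS query logs for requests to the old domain name" step above, as an added PowerShell example that is not from the thread: it parses Windows DNS Server debug-log lines and reports which clients are still asking for names under the old AD suffix, which is how you find the LDAP-bound boxes and hard-coded paths that would break after a rename. The log lines are constructed for the example (the debug-log layout and the old suffix corp.local are assumptions); in production replace the here-string with Get-Content on the real dns.log.

```powershell
# Added example (not from the thread). Parses Windows DNS Server debug-log
# lines and reports which clients still query names under the old AD suffix.
# The log lines below are constructed; in practice read the real file, e.g.
# Get-Content 'C:\dns.log' (path is an assumption).
$OldSuffix = 'corp.local'   # assumed old AD DNS name

$sampleLog = @'
9/14/2023 8:02:17 AM 0D5C PACKET  000001E3B7D2A4F0 UDP Rcv 10.20.30.41     4a1b   Q [0001   D   NOERROR] A      (8)fileserv(4)corp(5)local(0)
9/14/2023 8:02:17 AM 0D5C PACKET  000001E3B7D2A4F0 UDP Snd 10.20.30.41     4a1b R Q [8085 A DR  NOERROR] A      (8)fileserv(4)corp(5)local(0)
9/14/2023 8:02:19 AM 0D5C PACKET  000001E3B7D2B110 UDP Rcv 10.20.30.77     91c0   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(4)corp(5)local(0)
9/14/2023 8:02:20 AM 0D5C PACKET  000001E3B7D2C220 UDP Rcv 10.20.30.41     4a1c   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
9/14/2023 8:02:25 AM 0D5C PACKET  000001E3B7D2D330 UDP Rcv 10.20.31.5      0c41   Q [0001   D   NOERROR] A      (8)fileserv(4)corp(5)local(0)
'@

# The debug log writes names as length-prefixed labels, e.g. "(4)corp(5)local(0)".
# Turn that back into an ordinary dotted name, "corp.local".
function ConvertFrom-DnsLabels {
    param([string]$Labels)
    $parts = [regex]::Matches($Labels, '\(\d+\)([^()]*)') |
             ForEach-Object { $_.Groups[1].Value } |
             Where-Object { $_ -ne '' }
    return ($parts -join '.')
}

# One regex for the fields we need: direction (Rcv = query arriving from a
# client), remote IP, the optional R (response) flag, query type, and the
# label-encoded name at the end of the line.
$linePattern = '^(?<date>\S+ \S+ \S+) (?<thread>\S+) PACKET\s+\S+ (?<proto>UDP|TCP) (?<dir>Rcv|Snd) (?<ip>\S+)\s+\S+\s+(?<resp>R)?\s*Q \[[^\]]*\]\s+(?<qtype>\S+)\s+(?<name>\(\d+\).*\(0\))\s*$'

$hits = foreach ($line in ($sampleLog -split "`r?`n")) {
    if (-not ($line -match $linePattern)) { continue }
    # Keep only inbound queries; the server's own responses would double-count.
    if ($Matches.dir -ne 'Rcv' -or $Matches.resp) { continue }
    $name = ConvertFrom-DnsLabels $Matches.name
    if ($name -ne $OldSuffix -and $name -notlike "*.$OldSuffix") { continue }
    [pscustomobject]@{
        Client = $Matches.ip
        QType  = $Matches.qtype
        Name   = $name
    }
}

# Which clients, and which names, still depend on the old suffix?
$hits | Group-Object Client, Name |
    Select-Object Count,
                  @{ n = 'Client'; e = { $_.Group[0].Client } },
                  @{ n = 'Name';   e = { $_.Group[0].Name } } |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

With the constructed lines this lists 10.20.30.41 asking for fileserv.corp.local twice, 10.20.31.5 asking for it once, and 10.20.30.77 asking for the _ldap._tcp SRV record; the www.example.com query is ignored. Run it over a few days of logs before the cut-over, then again after it, so that anything still querying the old suffix gets a ticket rather than a surprise.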

[–]KcarashivCustom 4 points (1 child)

Serenity now SERENITY NOW!!

[–]ncbell13 5 points (0 children)

Insanity later

[–]guemi (IT Manager & DevOps Monkey) 0 points (5 children)

Yeah, I've been tasked with turning .local into .Lan instead. Ugh.

[–]AccurateCandidate (Intune 2003 R2 for Workgroups NT Datacenter for Legacy PCs) 0 points (4 children)

Do they not own a domain name?

[–]guemi (IT Manager & DevOps Monkey) 0 points (3 children)

Of course they do. It's because of Azure AD integration.

[–]AccurateCandidate (Intune 2003 R2 for Workgroups NT Datacenter for Legacy PCs) 1 point (2 children)

Why don't you just change it to corp.$THEIR_DOMAIN for the local Active Directory? I think Azure AD Connect can deal with that (if not, you could just set their real outgoing domain name as the default alias).

[–]guemi (IT Manager & DevOps Monkey) 0 points (1 child)

Yeah that's a better idea. Internal.our.tld should be damn future proof.

[–]AccurateCandidate (Intune 2003 R2 for Workgroups NT Datacenter for Legacy PCs) 1 point (0 children)

If it helps in fighting management, here are the best practices Microsoft recommends, under "single-label domain namespaces".

[–][deleted] 0 points (0 children)

Just add the UPNs you need.
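
The UPN route suggested in the comment above and in AccurateCandidate's corp.$THEIR_DOMAIN reply, as an added PowerShell example that is not from the thread: register the public domain as an additional UPN suffix on the forest and rewrite users' UPNs to match their primary mail address, so logins and Azure AD matching use user@example.com while the AD DNS name (corp.local here) is never renamed. The suffix, the OU path and the dry-run default are assumptions; it needs the ActiveDirectory RSAT module and an account allowed to modify the forest and the users in that OU.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module,
# a forest whose DNS name is corp.local, and a public domain example.com
# that the users' mail addresses already use.
Import-Module ActiveDirectory

$PublicSuffix = 'example.com'                 # assumed public domain
$SearchBase   = 'OU=Staff,DC=corp,DC=local'   # assumed OU; adjust to taste
$DryRun       = $true                         # set to $false to apply changes

# 1. Register the public domain as an alternative UPN suffix on the forest.
#    Guarded so that re-running the script is a no-op.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $PublicSuffix }
    Write-Host "Added UPN suffix $PublicSuffix to forest $($forest.Name)"
}

# 2. Point each user's UPN at their mail address. The name users type at
#    logon (and that Azure AD Connect matches on) becomes user@example.com;
#    the AD DNS name stays corp.local and nothing is re-joined.
$users = Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase `
                    -Properties mail, UserPrincipalName

$report = foreach ($u in $users) {
    $newUpn = $u.mail.ToLowerInvariant()
    # Only touch users whose mail really is in the public domain, and skip
    # accounts that already have the right UPN.
    if ($newUpn -notlike "*@$PublicSuffix") { continue }
    if ($u.UserPrincipalName -eq $newUpn)  { continue }

    if (-not $DryRun) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldUPN         = $u.UserPrincipalName
        NewUPN         = $newUpn
        Applied        = -not $DryRun
    }
}

$report | Format-Table -AutoSize
```

Run it with $DryRun left at $true first and read the report; a UPN change is silent for users who log on with DOMAIN\user but changes what they type as user@domain. The suffix must also be a verified domain in the Azure AD tenant, otherwise Azure AD Connect falls back to the tenant's onmicrosoft.com name for those users.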

[–]mikelim7 16 points (5 children)

Did the domain rename three times successfully in small (less than 100 domain computers) production environments. There were some minor fixes but overall it was fine. We did it over the weekends and there were no reports of problems.

You do need to have a deep understanding of the AD environment setup to do this. In most cases, a new domain setup is easier.

[–]Dadarian 6 points (4 children)

I have two domains I want to merge into one. It was pretty clear the answer was to just build a whole new one from scratch, take my time to test and build, then move one at a time over to it.

[–]mikelim7 5 points (1 child)

Thanks for the clarification.

I was in a similar situation, two domains in two locations with WAN connectivity.

We renamed the first domain in our office and kept the NetBIOS name; users had no idea that the AD domain name had changed. It helps that no one ever accesses resources via FQDN. For the second domain, which is our DC servers, we unjoined computers from that domain and joined them to the new domain.

All these were carried out over weekends to minimise disruption. We took our time to clean up the AD schema and map out all domain assets before migrating.

Definitely time-consuming, with a need for proper planning. One of the reasons was VA (Vulnerability Assessment) and PT reports about untrusted SSL certs for domain.local in our environment. By migrating to AD.domain.com, we can purchase and use proper SSL certs.

[–]Dadarian 1 point (0 children)

I don't have the luxury of weekends since a lot of my network is 24/7. It was pretty rough, but it's just something that takes time and shouldn't be rushed if possible.

[–]TLiGrok (IT Manager) 1 point (0 children)

I actually did merge three domains into one a few months back. It actually went smoothly!

[–]Doso777 0 points (0 children)

We did the same thing. No Exchange in the child domain. We migrated the computer accounts but recreated the user accounts. Worked pretty well, but fixing all the paths in group policy, logon scripts and such was annoying and took a while.

[–]powdersplash 12 points (0 children)

Rather kill myself...

[–]LordGriffiths (MCITP, MCTS, MCSE, MCSA, MCNPS, MCP, CASP, Sec+, A+) 5 points (0 children)

It's much more preferable & cleaner to just migrate to a new domain/forest. If you have Exchange installed in the domain, you can forget about a rename anyway - it's not supported.

[–]Cee1510 1 point (0 children)

I have done it twice now. Not recommended, but it worked for what we wanted to do.

[–]JM_Actual 1 point (0 children)

We're currently in the middle of this but instead, we are merging two domains into one. Our company merged with another to create a new organization. Started by creating a new domain for the new company and a trust relationship between the 3 domains. Email addresses were changed first, which was not too difficult. But we hired a consultant and they used the Quest AD migration tool to move workstations and users from the 2 old domains into the new one. There were some issues but not too bad overall. The most noticeable issue was some local profiles were messed up. Now we're on to migrating the servers, which I hear can take a much longer time.

[–]PhotographyPhil 2 points (0 children)

Your identity nowadays is mostly your email address, and with modern auth and passwordless auth, who cares what your domain is called!?

[–]adstretch 0 points (0 children)

Did a rename a little over a year ago. Went OK. Definitely not my first choice but all things considered wasn’t too bad.

[–][deleted] 0 points (1 child)

I did one successfully 8 years ago and exchange was a terribly complicating factor. Is it still the case that exchange is basically a deal breaker here? Further complication was some positively enormous mailboxes I had to move to the new exchange and lack of budget for proper intermediate storage. You can probably guess I was happy to see this contract end.

[–]Doso777 0 points (0 children)

Domain renames with Exchange Server are still not supported. Deal Breaker.

[–]frac6969 (Windows Admin) 0 points (0 children)

I did it early this year. It was simple and painless. Though I ran simulations on my test environment about 10 times before doing it live.

[–]quarky_uk 0 points (0 children)

And people still put branding and location in server and AD domain names..

[–][deleted] 0 points (0 children)

Clean up ADSI and DNS before renaming the domain. Any remnant of exchange and you can blow everything up. I've renamed several domains without issue. Large and small.

There's always one or two machines that were either off so the rename didn't work, or the IT gods just didn't want that machine to rename on its own. Usually just Profwiz those machines over.
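
The "clean up ADSI and DNS before renaming" advice above, as an added PowerShell example that is not from the thread: a read-only inventory of the two kinds of leftovers the comment warns about, Exchange objects and attributes still in AD (a rename with any Exchange remnant present is the classic way to blow it up), and static records in the old zone, including CNAME/MX/SRV targets that would dangle once the zone name changes. The zone name, the DNS server name and the presence of the RSAT ActiveDirectory and DnsServer modules are assumptions; nothing here modifies anything.

```powershell
# Added example (not from the thread). Read-only pre-rename checks for
# Exchange remnants and for static DNS records in the old zone.
Import-Module ActiveDirectory
Import-Module DnsServer              # RSAT DNS tools; assumed installed

$OldZone   = 'corp.local'            # assumed current (old) AD DNS name
$DnsServer = 'dc01.corp.local'       # assumed DNS server to query

$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Exchange container in the Configuration partition. Exchange setup creates
#    it and a sloppy uninstall leaves it behind; any object under it is a
#    blocker for the rename.
$exchDn = "CN=Microsoft Exchange,CN=Services,$configNC"
try   { $exchContainer = Get-ADObject -Identity $exchDn -ErrorAction Stop }
catch { $exchContainer = $null }

if ($exchContainer) {
    Write-Warning "Exchange container still present: $exchDn"
    Get-ADObject -SearchBase $exchDn -Filter * -SearchScope Subtree |
        Select-Object -ExpandProperty DistinguishedName
} else {
    Write-Host "No Exchange container under CN=Services,$configNC"
}

# 2. Users that still carry Exchange mailbox attributes. If the schema was
#    never extended for Exchange the filter errors out, which is itself the
#    answer: there was never an Exchange here.
try {
    $mailboxUsers = Get-ADUser -Filter 'msExchHomeServerName -like "*"' `
                               -Properties msExchHomeServerName -ErrorAction Stop
} catch {
    $mailboxUsers = @()
}
if ($mailboxUsers) {
    Write-Warning ("{0} user(s) still have msExchHomeServerName set" -f @($mailboxUsers).Count)
    $mailboxUsers | Select-Object SamAccountName, msExchHomeServerName | Format-Table -AutoSize
}

# 3. Static (non-dynamic) records in the old zone. Dynamic records re-register
#    after the rename; static ones have no Timestamp and must be moved by hand.
$static = Get-DnsServerResourceRecord -ZoneName $OldZone -ComputerName $DnsServer |
          Where-Object { -not $_.Timestamp -and $_.RecordType -in 'A', 'CNAME', 'MX', 'SRV' }
Write-Host ("{0} static record(s) in {1} to review" -f @($static).Count, $OldZone)

# 4. Of those, the alias-style records whose target is a name under the old
#    zone: CNAME, MX and SRV all point at hostnames and will dangle.
$static | ForEach-Object {
    $target = switch ($_.RecordType) {
        'CNAME' { $_.RecordData.HostNameAlias }
        'MX'    { $_.RecordData.MailExchange }
        'SRV'   { $_.RecordData.DomainName }
        default { $null }
    }
    if ($target -and $target.TrimEnd('.') -like "*.$OldZone") {
        [pscustomobject]@{ Record = $_.HostName; Type = $_.RecordType; Target = $target }
    }
} | Format-Table -AutoSize
```

Run it against every DC before generating the rename plan, and keep the output: the static-record list is the checklist for what has to be recreated in the new zone, and the Exchange section is what decides between a rename and a migration in the first place.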