Change Active Directory Domain name from dot local to dot com

Posted on 08/04/2024, updated 16/09/2025, by Christian

In this article, we will learn how to change an Active Directory domain name from dot local to dot com (.local to .com). Global DNS does not recognise .local domains, they lack global uniqueness, and they are not suitable for services that require access beyond the local network. While this is generally not a problem for internal domains, it can pose challenges when connecting services to the external world. Please see how to Create a Windows Server VM on HyperV, and how to Install HyperV and Configure vSwitch on Windows Server with PowerShell.

Be careful about performing these steps outright in a production environment, as they can lead to disruption and data loss if not executed correctly. Take a backup first and proceed with caution. In my case, I have a new lab with a fresh DC, and I will be retiring this environment afterwards. Please see how to set up a Domain Controller as recommended by Microsoft.

As you can see below, we wish to change the domain so that it becomes a subdomain of an existing domain for my Active Directory (AD) implementation. Unfortunately, we cannot simply rename the computer to a new name, because we have a certificate authority (AD CS) installed on this server.

Please see Batch rename multiple files on Windows, What are the effect of renaming an MBAM-Protected Computer, and Change the name of your macOS user account and home folder.

Why should you change the Active Directory Domain name from .local to .com

Changing the Active Directory domain name from “.local” to “.com” is recommended to enhance compatibility and align with best practices when setting up a new AD environment. Please see how to install and configure Active Directory Domain Services on Windows Server 2022.

The transition to a “.com” domain provides several advantages, including improved integration with internet-facing services, simplified SSL certificate management, and better support for external collaboration tools.

Additionally, using a “.com” domain aligns with industry standards, reducing the likelihood of encountering issues related to naming conventions and ensuring a more seamless experience across various applications and services.

The .local top-level domain (TLD) is not intended for global use in the Domain Name System (DNS). Instead, it is utilized by multicast DNS (mDNS) to facilitate the resolution of hostnames to IP addresses within small networks, eliminating the necessity for a dedicated DNS server.

Specifically, mDNS operates on the local network link and uses the .local TLD for this purpose. When an mDNS client needs to resolve a hostname ending in .local, it sends queries to the mDNS IPv4 link-local multicast address 224.0.0.251 or its IPv6 equivalent ff02::fb. You will find this article very useful: “Why using .local as your domain name extension is a BAD idea“.

Consideration before renaming Active Directory (AD)

Renaming an Active Directory (AD) domain is a complex process that requires careful planning and execution. Before deciding to rename an AD domain, consider the following factors:

  • Renaming the AD domain can have a significant impact on services and applications that rely on AD. Ensure that all systems and services are compatible with the new domain name.
  • Some applications and services may have hard-coded references to the current domain name. Verify the compatibility of all applications and update configurations accordingly.
  • If your AD domain has trust relationships with other domains, forests, or external systems, consider how the domain rename will affect these trusts. Plan to update trust configurations as needed.
  • Inform users about the upcoming domain rename to minimize disruptions.
  • The DNS records associated with the old domain name need to be updated. Ensure that DNS changes are propagated throughout the network.
  • Document the entire domain rename process in a test environment first before proceeding to production. This includes the steps taken, and any issues encountered.
  • Plan for a maintenance window during which you can perform the domain rename with minimal impact on users and services. Communicate this downtime to stakeholders.

Rename Active Directory Domain Name

Renaming an Active Directory (AD) domain is a complex and potentially risky operation. This involves updating domain controllers, DNS records, certificates, Group Policies, service principal names (SPNs), and more as we will see very shortly.

Note: While this renaming process is technically possible, it’s generally considered best practice to avoid renaming AD domains whenever possible due to the potential for disruption and data loss if not executed correctly. Therefore, evaluate the potential impact of renaming the domain name on your environment.

That being said, if you still need to rename an Active Directory domain, you should follow a detailed plan and consider engaging with Microsoft support or a qualified consultant with experience in domain renaming.

Backup Your Active Directory

I would recommend backing up your AD environment before making any changes to your domain controllers. I would recommend using Veeam Backup and Replication for AD protection. This ensures that you can recover in case of unexpected issues during the rename process.

Note: Before you begin the domain rename operation, ensure that the certificate revocation lists (CRLs) and the CA certificates will not expire soon. If you find that they are close to expiration, complete the following tasks as described in the Microsoft guide before the domain rename operation. For me, I am fine and have met this prerequisite.

Update DNS Configuration

We shall therefore modify the DNS setup to use a different TLD. This approach aligns with standard practice and avoids potential issues with future TLDs or conflicts with mDNS and other services.

Note: Before proceeding with these steps, ensure all forest and domain activities are stopped. Such activities include adding a new DC, changing the forest configuration, and so on.

We will have to update the DNS records to reflect the new domain name. This means every DNS record associated with the domain name is updated, including SRV records, A records, and any other relevant records. To do this, launch the DNS Manager.

Create a New Forward Lookup Zone

To do this, right-click on Forward Lookup Zones, or select it and then choose New Zone in the right pane.

Click Next on the New Zone Wizard.


Select “Primary zone”, since this is going to be the first DC server. Click Next after selecting it.

Note: This is an isolated environment and is independent of the other environment I have linked above.

I am fine with the option below. This option will replicate to all DNS servers running in this domain. Click Next to proceed.

The next window asks for the zone name. I have decided to use the prefix shown below.

Select “Allow only secure dynamic updates”.

Complete the forward zone creation.

As you can see below, we have created our new zone.

Install Active Directory Domain Rename Tool

Note: It is recommended to install and run the Active Directory Domain Rename Tool on a member server rather than directly on a domain controller. This helps to minimize potential disruptions to Active Directory operations and avoids unnecessary risks associated with running administrative tools directly on DCs.

While the tool does not have to be installed on a DC, as mentioned above, it is beneficial to install it on a computer that is close to the domain controllers in terms of network connectivity. This helps ensure efficient communication and reduces the likelihood of network-related issues during the domain rename process.

Note: Remote Server Administration Tools for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) are installed by default on Windows Server. But let me show you the process in case you need to install them.

Because of this, I will login to a member server with my domain credentials.

Launch Add Roles and Features.

Click Next on the “Before you begin” page of the wizard.

Select Role-based or feature-based installation.

If you have multiple servers in the server pool, select the server on which you want to install RSAT.

Skip the Server Roles page. On the Features page, ensure that Remote Server Administration Tools is selected, and under it ensure you select the AD DS and AD LDS Tools.

Since these requirements are met, I will stop here. Else, you should ensure they are installed.

Run Active Directory Domain Rename Tool

Microsoft provides the Active Directory Domain Rename Tool (rendom.exe) for renaming domains. First, we will create a report that explains the current forest setup. To do that type the below and press enter.

rendom /list

Note: If you do not run this command prompt as an administrator, you will run into an issue and the error “could not create file domainlist.xml: Access is denied :5” will be displayed.

Open the Domainlist.xml file. In my case, I will be using Notepad++.

Below is the Domainlist.xml file created.

You will need to edit the file to match with the new domain name. Make sure you save the file after edits.

Note: The NetBIOS name must not exceed 15 characters if you wish to modify it. Otherwise, you will get the error “A device attached to the system is not functioning. : 31”.

Next, run the command below from the same folder path. It uploads the rename instructions in Domainlist.xml to Active Directory.

rendom /upload
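The Domainlist.xml edit can be scripted instead of done by hand. The following PowerShell is an added example (not from the original post or from the rendom tool): it backs up the file, rewrites every DNSname that ends in the old suffix (including the DomainDnsZones/ForestDnsZones partitions), optionally rewrites the NetBIOS name, and refuses to proceed when that name is longer than 15 characters, which is the error 31 case noted above. It assumes the Forest/Domain/DNSname/NetBiosName element names that rendom /list produces and the old and new names used in this post.

```powershell
# Added example: scripted edit of the rendom /list output (Domainlist.xml).
# Assumes the element names Forest/Domain/DNSname/NetBiosName as written by
# rendom /list, and the old/new names from this post. Run from the folder
# that contains Domainlist.xml, in the same elevated prompt used for rendom.
param(
    [string]$Path       = ".\Domainlist.xml",
    [string]$OldSuffix  = "techdirectarchive.local",
    [string]$NewSuffix  = "techda02.techdirectarchive.com",
    [string]$NewNetBios = ""   # leave empty to keep the current NetBIOS name
)

# NetBIOS names are limited to 15 characters; rendom fails with error 31 otherwise.
if ($NewNetBios -and $NewNetBios.Length -gt 15) {
    throw "NetBIOS name '$NewNetBios' is $($NewNetBios.Length) characters; the limit is 15."
}

# Keep an untouched copy so the edit can be reverted before rendom /upload.
$backup = "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $Path -Destination $backup

[xml]$doc = Get-Content -Path $Path -Raw
$changed = 0
foreach ($domain in $doc.Forest.Domain) {
    $dns = $domain.DNSname
    # Match the domain itself and its application partitions
    # (DomainDnsZones.<old>, ForestDnsZones.<old>); leave anything else alone.
    if ($dns -and ($dns -eq $OldSuffix -or $dns.EndsWith(".$OldSuffix"))) {
        $new = $dns.Substring(0, $dns.Length - $OldSuffix.Length) + $NewSuffix
        Write-Host "DNSname: $dns -> $new"
        $domain.DNSname = $new
        $changed++
        # Only the real domain entry carries a NetBIOS name; partitions leave it empty.
        if ($NewNetBios -and $domain.NetBiosName) {
            Write-Host "NetBiosName: $($domain.NetBiosName) -> $NewNetBios"
            $domain.NetBiosName = $NewNetBios
        }
    }
}

if ($changed -eq 0) {
    throw "No DNSname ending in '$OldSuffix' found in $Path; nothing written."
}
$doc.Save((Resolve-Path $Path).Path)
Write-Host "Updated $changed entries; backup saved as $backup. Review the file, then run: rendom /upload"
```

Review the rewritten file before running rendom /upload; the .bak copy lets you restore the original if a DNSname was rewritten that should not have been.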

To check domain readiness before the rename, run rendom /prepare.


Once it passes with no errors, run rendom /execute to proceed with the rename. It will reboot all domain controllers automatically.

Note: While we wait for the command to complete, you can already take a look at the DC and see that some of the renaming has happened.

As you can see below, the command has now completed successfully.

Restarts Servers and Computers

Next, all workstations and servers will need to reboot to apply the changes. Usernames and passwords will not change, but the domain name will, as shown above.

Let us quickly verify a member server. The image below is from before the AD rename.

As you can see, the member server has been correctly updated.


Rename Domain Controllers

As you can see above, the rename process could not rename the domain controllers. This has to be done manually.

To do this, run the command below to add the new name as an alternate computer name:

netdom computername techdirectarchive.techdirectarchive.local /add:techda02.techdirectarchive.com

To make “techda02.techdirectarchive.com” the primary name for this server, run the command below:

netdom computername techdirectarchive.techdirectarchive.local /makeprimary:techda02.techdirectarchive.com

Active Directory Rename Cleanup

Once you are confident that the rename process was successful and all systems are functioning as expected, perform cleanup tasks such as removing the old domain name from DNS records and updating any external references to the domain name.

First, launch the DNS Manager and remove the old DNS server entry shown below.

Please confirm Server deletion by hitting the Yes button.

Group Policy: The specified Domain Controller could not be contacted. This affects the following console

To fix this Group Policy Management console error, we need to point the Group Policy links at the new domain.

Use the command below to have gpfixup repair the Group Policy links for the new DNS name:

gpfixup /olddns:techdirectarchive.local /newdns:techda02.techdirectarchive.com

Since I did not change the NetBIOS name, there is no need to fix it up. If you did change it, run the command below as well:

gpfixup /oldnb:OLDNETBIOSNAME /newnb:ENTERNEWNETBIOSNAMEHERE

Execute the rendom /clean command to remove the rename metadata.

Run rendom /end to finish the rename process and unfreeze forest activity on the DCs.

Monitoring Post Rename process

Verify that all domain services, applications, trusts, and client computers are functioning correctly with the new domain name. We have performed some client tests above. In order to replicate this in production environment, perform a thorough testing in your test environment before implementing changes in production.

In order to start working with our Group Policy Management again, we need to add the new forest. To do this, click on Action and select Add Forest.

Here you go! You should continue monitoring other services to ensure all errors associated with the rename process are eliminated.
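The checks described in this section can be run as a script rather than by eyeballing consoles. The following PowerShell is an added example (not from the original post): it confirms the domain reports the new DNS root, that every DC is registered in the _msdcs SRV records under the new name and no longer carries the old suffix in its host name, that no computer account still has an SPN with the old suffix, and that the old zone no longer resolves after cleanup. It assumes the RSAT ActiveDirectory module and the DnsClient module are available and uses the names from this post.

```powershell
# Added example (not from the original post): post-rename health checks.
# Assumes the RSAT ActiveDirectory and DnsClient modules are installed and
# the old/new DNS names used in this post. Run from a domain-joined admin session.
param(
    [string]$NewDnsName = "techda02.techdirectarchive.com",
    [string]$OldDnsName = "techdirectarchive.local"
)
Import-Module ActiveDirectory

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Ok; Detail = $Detail })
}

# 1. The domain must report the new DNS root; otherwise rendom /execute did not complete.
$domain = Get-ADDomain
Add-Check "Domain DNS root" ($domain.DNSRoot -eq $NewDnsName) $domain.DNSRoot

# 2. Every DC must be locatable through the _msdcs SRV records of the new zone,
#    and its host name must already use the new suffix (the manual netdom step above).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$NewDnsName" -Type SRV -ErrorAction SilentlyContinue
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $found = $srv | Where-Object { $_.NameTarget -ieq $dc.HostName }
    Add-Check "SRV record for $($dc.HostName)" ([bool]$found) "host name: $($dc.HostName)"
    Add-Check "DC host name uses new suffix" ($dc.HostName -like "*.$NewDnsName") $dc.HostName
}

# 3. SPNs: a computer account that still advertises the old suffix will break
#    Kerberos for clients that now look it up under the new name.
$stale = Get-ADComputer -Filter * -Properties servicePrincipalName |
    Where-Object { $_.servicePrincipalName -match [regex]::Escape($OldDnsName) }
Add-Check "No SPNs with old suffix" (@($stale).Count -eq 0) ((@($stale).Name) -join ", ")

# 4. After DNS cleanup the old zone should no longer resolve at all.
$old = Resolve-DnsName -Name $OldDnsName -ErrorAction SilentlyContinue
Add-Check "Old zone removed" (-not $old) $(if ($old) { "still resolves" } else { "does not resolve" })

$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or pipeline flag an incomplete rename.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it from a member server first, then from each DC; a failing SPN or SRV check points at exactly the host that still needs the netdom or DNS fix-up from the earlier sections.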

Conclusion on Change Active Directory Domain name from dot local to dot com

If your domain has trusts with other domains or forests, update them as needed. Also, consider external dependencies such as firewalls, DNS, DHCP, etc. Update certificates and service principal names (SPNs) to match the new domain name.

Lastly, check with third-party applications that rely on Active Directory and ensure they support a domain rename. By the way, let us see if this name change is reflected in Active Directory Users and Computers.

FAQs

Why is having duplicate SIDs in AD a problem?

Having duplicate Security Identifiers (SIDs) in an Active Directory (AD) environment can lead to significant issues because SIDs are meant to be unique identifiers for security accounts, such as users, groups, or computers. Here’s why it’s problematic:

Access Control Confusion: Permissions and access rights in AD are tied to SIDs. If two accounts share the same SID, the system cannot distinguish between them, potentially granting or denying access incorrectly.

Authentication Issues: Duplicate SIDs can cause authentication failures or conflicts, as the system may not know which account to authenticate.

Policy Misapplication: Group policies and other configurations rely on unique SIDs. Duplicate SIDs can result in policies being applied to the wrong accounts or not applied at all.

Security Risks: Duplicate SIDs can create vulnerabilities, as malicious actors might exploit the confusion to gain unauthorized access. To avoid these issues, tools like Sysprep are used when cloning systems to ensure each machine gets a unique SID. If duplicates are detected, administrators can use tools like Ntdsutil to identify and resolve them.

I hope you found this article useful on “how to change Active Directory Domain name from dot local to dot com (.local to .com.).” Please feel free to leave a comment below.
