If you try to rename an Active Directory domain controller the way you rename domain member computers/servers (by using the
sysdm.cpl console or the
Rename-Computer PowerShell cmdlet)), a warning will appear:
Domain controllers cannot be moved from one domain to another, they must first be demoted. Renaming this domain controller may cause it to become temporarily unavailable to users and computers. For information on renaming domain controllers, including alternate renaming methods, see Renaming a Domain Controller (http://go.microsoft.com/fwlink/?LinkID=177447). To continue renaming this domain controller, click OK.
This doesn’t mean that it is not possible to change the name of the domain controller. In this article, we will show you how to correctly rename an Active Directory domain controller running Windows Server 2019 from dc2 to hq-dc02.
Preparation for Active Directory Domain Controller Renaming
You can rename the domain controller if:
- Your forest uses at least the Windows Server 2003 domain functional level;
- There is at least one additional healthy DC in the domain;
- The DC must not have the Certification Authority role installed;
- Your account is added to the Domain Admins security group.
Check to see if the Flexible Single-Master Operation (FSMO) roles are running on the domain controller that you want to rename:
netdom query fsmo
If your DC is on this list, use the Move-ADDirectoryServerOperationMasterRole PowerShell cmdlet to move its FSMO roles to another domain controller (for example, to hq-dc01).
Move-ADDirectoryServerOperationMasterRole -Identity hq-dc01 -OperationMasterRole SchemaMaster, RIDMaster
We also recommend that you back up your domain controller before changing the name (you can back up the DC using the built-in Windows Server Backup role).
How to Rename an AD Domain Controller using Netdom?
Open the elevated command prompt on the domain controller and add an alternate name to your DC:
netdom computername dc2.contoso.com /add:hq-dc02.contoso.com
Open the Active Directory Users and Computers console (run the
dsa.msc command), expand the Domain Controllers container find the domain controller account, and open its properties. Go to the Attribute Editor tab and check that the new DC name appears in the msDS-AdditionalDnsHostName attribute.
The netdom command must also register an A record for the new domain controller name in DNS. If the A record does not appear, run the command:
Your computer will re-register itself on DNS.
Before proceeding to the next step, wait for the new records to be replicated throughout the domain.
The next step is to make the new DC name the primary DC name:
netdom computername dc2.contoso.com /makeprimary:hq-dc02.contoso.com
Successfully made hq-dc02.contoso.com the primary name for the computer. The computer must be rebooted for this name change to take effect. Until then this computer may not be able to authenticate users and other computers, and may not be authenticated by other computers in the forest. The specified new name was removed from the list of alternate computer names. The primary computer name will be set to the specified new name after the reboot.
The command completed successfully.
Reboot the domain controller.
In the Attribute Editor, check that the domain controller now has a primary name of hq-dc02 and that dc2 has become a secondary.
Open the DNS Manager console, select the domain you want, and expand the _msdcs branch. Check that the domain controller’s SRV records have been updated in all _msdscs subsections. If there is an NS entry for the old DC name, rename it.
Now you can remove the old name with the command:
netdom computername hq-dc02.contoso.com /remove: dc2.contoso.com
Make sure that there is only one name left for the server:
netdom computername hq-dc02.contoso.com /enumerate
dnscmd hq-dc02.contoso.com /recorddelete contoso.com dc2 A /f
Also manually remove the old DC name in the msDS-AdditionalDnsHostName attribute of the domain controller with the ADUC snap-in.
After changing the domain controller name, you need to update the domain controller name in the Distributed File System (DFS) or File Replication Service (FRS) Replication member object. If you don’t do this, your DC won’t be able to replicate the SYSVOL directory.
Switch to the ADUC console and go to System -> DFSR-GlobalSettings -> Domain System Volume -> Topology (if this section is not displayed, enable the Advanced Features option in the View menu). Find the msDFSR-Member object with the old name and rename it.
ADSIEdit.msc snap-in, snap-in, expand the new domain controller object in OU=Domain Controller. Check that the DFSR-LocalSettings object now has the new DC name in its msDFSR-MemberReference attribute.
Check the value of the SysvolReady attribute on the domain controller in the
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key. Change its value to 1 and wait for AD replication to complete.
Check the domain controller logs and run the
dcdiag command to check that ADDS is working correctly.
Renaming a domain controller in this way leaves an SPN in the DC account. This SPN is not automatically removed. You will get an error if you try to use this SPN in a domain:
The operation failed because SPN value provided for addition/modification is not unique forest-wide.
To remove an old SPN entry, execute:
setspn -l dc2.contoso.com
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NV Hostname