Domain Rename: Can't Logon to Control Station after rendom /execute

    Question

  • I am attempting a relatively simple domain rename in a Windows 2003 Server R2 forest that has two PDCs and a bunch of Windows XP SP2 client workstations. An isolated configuration with no zones and no Exchange (and, in fact, no network connection outside of itself, no public Internet, etc). In order to use the rendom procedure, I built and configured a third Windows 2003 Server R2 (named CONTROL) and made it a member of the domain for the sole purpose of being able to run rendom.

    The object of this exercise is to first change domain names, then change the computer names of the PDCs. The existing PDCs are cs01.domain1.local and cs02.domain1.local. The objective of domain rename is to change domain1 to domain2.

    The rendom script has only 3 XML <Domain></Domain> entries, one for each of the PDCs (PartitionType:Application), and one for the ForestRoot. The PDC entries have no NetBiosName or DcName values, so the only change there is to DNSname values. The ForestRoot entry has values for both DNSname and NetBiosName, both of which I changed from domain1 to domain2.

    Following the Step-by-Step instructions, everything worked (apparently) flawlessly through the rendom /execute step (Step 8). After /execute, rendom reported

    Waiting for DCs to reply

    Waiting for DCs to reply

    The script was executed successfully on cs02.domain1.local

    The script was executed successfully on cs01.domain1.local

    2 servers contacted, 0 servers returned Errors

    Everything looked good to me, so I rebooted the Control Station twice. OK, fine. Now, as I understand it, the next step is to log on again to the Control Station and do rendom /end. The only problem is that I can't log onto the Control Station (as a member of the domain) because the logon dialog displayed to me on the Control Station still presents the option to log on under the original domain name (domain1) only, which doesn't work because when I try this, the result is:

    "Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found."

    The only other logon option presented on the Control Station is "Log on to: CONTROL (this computer)".

    So it looks to me like my control station Windows 2003 Server R2 computer (member of the domain) didn't "get the message" about the domain name change, despite the fact that it was set (as by default) to change its name suffix when the domain name changes.

    So what about logging onto each of the two PDCs? That works perfectly, and when I display Computer Name under System Properties, I see the old computer names (of course) and the new domain name, as follows:

    Full computer name: cs01.domain1.local

    Domain: domain2.local

    All perfect, except that rendom lives on CONTROL (the third Windows 2003 Server R2 system that was created and made a member of the domain for the purpose of running rendom and managing the rename process). So I assume that I need to be able to log onto CONTROL as a member of the domain in order to complete the domain rename procedure (rendom/end and eventually rendom/clean).

    So I'm stuck. Am I? Is there anything I can do now to discover why CONTROL didn't become a member of the new domain, and correct it so I can proceed with rendom/end?

    Judging by the absence of any notes or descriptions about this condition in this or any other forum on the net, I assume that I'm the first?? Seems unlikely, but...?

    Monday, April 09, 2012 5:59 PM

Answers


  • Hi,

    > a) if I screwed up by not adequately preparing my DNS (by manually creating records reflecting my
    > new/future domain name) prior to starting rendom, and

    Not sure whether missing this step causes this issue.

    > b) should I undertake netdom (Step 10) before rendom/end (Step 9), and if so why.

    No

    From page 62/64 of the article “Step-by-Step Guide to Implementing Domain Rename”, we know that not only the control station computer should be restarted twice, but all client computers and all member servers should be restarted twice to ensure they learn of the domain name change.

    And when the member computers are rebooted at this step, their DNS host names will also change after the reboot due to the fact that their Primary DNS Suffix changes as a result of the name change of the domain of which they are members.

    According to this information, I think the DNS host name was not changed on your control station, nor the DNS suffix, because the domain membership was not changed. You can log on to that control station with the local administrator account and check it.

    So now the issue is: the member computer did not learn of the new name (Domain Name System (DNS) name or NetBIOS name) of the renamed domain.

    I’m trying a test to reproduce the issue and to find the reason, and need more time to figure it out.


    Lawrence

    TechNet Community Support

    • Marked as answer by VideoCowboy Monday, April 16, 2012 4:51 PM
    Friday, April 13, 2012 9:29 AM
    Moderator

All replies

  • Hi,

    Did you change DNS suffix manually?

    When you run "rendom /execute", the domain name changes but not the DNS suffix on the DCs. This has to be done manually on each domain controller.
    Check below steps:
    Add the new DNS suffix: (abc.local is old and xyz.local is new)

    · netdom computername dc01.abc.local /add:dc01.xyz.local

    Change the primary DNS suffix:

    · netdom computername dc01.abc.local /makeprimary:dc01.xyz.local

    Reboot the DC.

    Remove the old DNS suffix:

    · netdom computername dc01.xyz.local /remove:dc01.abc.local
    Reboot the CONTROL station twice and let us know the result.

    How Domain Rename works: http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, April 10, 2012 2:40 AM
  • Hi,

    According to your posting, you don’t change Domain Computer (DC) name after your rename that domain.

    DC names are not changed automatically by the domain rename operation. In other words, the primary DNS suffix of a domain controller will not match the new domain DNS name after the domain has been renamed.

    If you want DNS host names of domain controllers to match a new domain name, you must perform domain controller rename procedures after the domain rename operation is complete.

    To rename a domain controller

    1. Open Command Prompt.
    2. Type: netdom computername CurrentComputerName /add:NewComputerName

      This command will update the service principal name (SPN) attributes in Active Directory for this computer account and register DNS resource records for the new computer name. The SPN value of the computer account must be replicated to all domain controllers for the domain and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred prior to removing the old computer name, then some clients may be unable to locate this computer using the new or old name.
    3. Ensure the computer account updates and DNS registrations are completed, then type:

      netdom computername CurrentComputerName /makeprimary:NewComputerName
    4. Restart the computer.
    5. From the command prompt, type:

      netdom computername NewComputerName /remove:OldComputerName

    For more information please refer to following MS articles:

    How Domain Rename Works
    http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx
    Rename a domain controller
    http://technet.microsoft.com/en-us/library/cc782761%28v=ws.10%29.aspx

    Lawrence

    TechNet Community Support


    Tuesday, April 10, 2012 2:56 AM
    Moderator
  • Hi and Thanks to Abhijit and Lawrence for these responses. Let me explain a little more my objective in this question.

    I am trying to learn to do Domain Rename in a way that I will be able to repeat it, so it will help me a GREAT DEAL to understand the proper steps in order. What I am trying to do with the domain rename here is to follow "Microsoft Step-by-Step Guide to Implementing Domain Rename" for Microsoft Windows Server 2003, and, in particular to move from Step 8 to Step 9 in that procedure.

    Step 8 is "Execute Domain Rename Script" (i.e., rendom /execute)

    Step 9 is "Unfreeze the Forest Configuration"

    Step 9 says: "In this step, after restarting the control station twice, you will use the Rendom tool from a command prompt." The detailed instructions for this step say to reboot the control station twice to ensure that all services running on it learn of the new name of the domain of which the control station is a member. And then do "rendom /end".

    So the problem (as I understand it, which is admittedly imperfect) is that after restarting the control station twice, I am unable to log on again to the control station in order to a) verify that the control station has learned of the new name, and b) run rendom/end.

    I understand that the computername of the two PDCs has not changed, and it is my impression that changing the computernames of the PDCs (or of the control station) is not a prerequisite to doing Step 9. Please help me to understand if this is incorrect. It is my impression that changing the computernames of the PDCs is an optional step that comes later, and that until I do rendom/end, the forest configuration is frozen. Fixing DFS and GPOs also comes later (follows) doing rendom/end and unfreezing the forest configuration (as I understand it).

    So another way to state the problem as it appears to me here is, "Following closely the instructions in 'Step-by-Step', how do I proceed from Step 8 to Step 9 if I cannot log onto the control station after doing a successful rendom/execute and rebooting the control station twice?"

    My bottom line need here is to demonstrate that I can reliably do a domain rename (and that I understand the correct and necessary order of steps to do so) based on this relatively simple forest configuration (one domain, two PDCs, and a bunch of clients, no zones, no Exchange and nothing in the network other than my domain controllers and clients). This is a "practice run" for doing this same operation in a live (production) configuration. I have set up the configuration for the specific purpose of proving that I can do this operation. I have full system backups of both PDCs, the control station, and at least one client in my demonstration setting, so I can (if necessary) roll everything back to square one and start the domain rename operation over from the beginning. But there is a saying attributed to Albert Einstein to the effect that "The definition of insanity is doing the same thing over and over again and expecting different results."

    So is using netdom to change computer names something that is really necessary between Step 8 and Step 9, and if so, is the Microsoft Step-by-Step document in error for having omitted this?

    Many, many thanks to any hints or suggestions here...


    Chris

    Tuesday, April 10, 2012 5:37 PM
  • Hi,

    The above "netdom" steps are required to run after the "rendom /execute" command and the DC reboot, and before running "rendom /end". Lawrence has already provided you an explanation about these steps, or read this: http://technet.microsoft.com/en-us/library/cc738341(v=ws.10).aspx


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, April 11, 2012 1:44 AM
  • Hi,

    I read that MS article “Step-by-Step Guide to Implementing Domain Rename” and notice a preliminary step “Preparing DNS Zones”, I think maybe you lost that step.

    An Active Directory server is located by DC Locator mechanism, DC Locator uses SRV resource records in DNS to locate domain controllers. Your current DNS infrastructure already provides necessary support for your Active Directory domain using its current name, but no information for renamed domain. You may add it manually.

    And I think you may double check the preliminary steps to make sure you did not miss any steps.


    Lawrence

    TechNet Community Support

    Wednesday, April 11, 2012 12:06 PM
    Moderator
  • Since you are testing domain rename it is OK; however, I would not recommend renaming a domain unless and until there is a strong business requirement. Instead you can create a new forest and migrate users/computers etc. using ADMT. This also needs testing.

    ADMT Guide: Migrating and Restructuring Active Directory Domains
    http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx

    MIGRATING STUFF WITH ADMTV3
    http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx

    However for domain rename you can refer to the below link, which I used and tested and in which all required steps are mentioned.
    http://sandeshdubey.wordpress.com/2011/10/12/domain-rename-for-windows-20032008/

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, April 11, 2012 3:48 PM
  • First of all, many thanks to Lawrence and Abhijit and Sandesh for your replies. I have been trying in recent hours to digest them and double check your suggestions against my configuration and what I have done so far. What I have NOT done so far is take any further action until I understand what and why and what I may have missed.

    Lawrence may be onto something wrt "Configuring Member Computers for Host Name Changes" in preparation for running rendom. I had not, actually, missed that step, but I will admit to having been confused by it. I had checked the DNS configuration on my two PDCs, and although I didn't completely understand what I found, I had verified that I had CNAME records for each of my DCs under msdcs.domain1.local, and I had lots of SRV records in the DNS tree, including under gc (which I assumed meant global catalog), and under pdc\tcp (which I took to be a pointer to a PDC). I didn't know how to verify that they were correct, but they seemed reasonable and had been automatically created by magic when the domain was created, so I assumed they were correct. Something I may have missed completely (if true) is manually creating a new DNS infrastructure with new records reflecting the NEW (future) domain and server names alongside (I assume) the OLD (existing) records in DNS before undertaking rendom operations. I didn't do this, so if I was supposed to do it, I didn't understand that.

    I'm still confused about zones and whether or not I have one or need one since I have no subdomains or parent domain, just two DCs that mirror each other (via DFS) and share responsibility for a bunch of clients. And, as mentioned before, no access to the public Internet and no Exchange or other email functionality. A pretty (logically) simple configuration. But for the complexity of the applications and the GPOs and the trusts and whatnot that I know nothing about I wouldn't know how to recreate from scratch, I might be tempted to just blow the whole thing away and create a new domain instead of trying to rename the one that exists already. Fortunately, I don't have that option, so I can't be tempted. I have been tasked with renaming the domain, renaming the PDCs, changing all the IP addresses of every system (including all clients) in the network, and making sure that everything happens smoothly and so quickly that no one in the production environment even (hardly) notices that anything happened (beyond having to reboot their client workstations ... twice). This is, as you may have guessed, a critical environment that doesn't tolerate downtime.

    So moving right along, I notice that at the present time, having just completed rendom/execute from my Control Station in my "practice" domain, the DNS configuration on my DCs looks no different than it did before rendom/execute. And maybe this is normal. I didn't know whether rendom was going to automatically make name changes in DNS or not. As mentioned before, I didn't know (and still don't know) if I was supposed to manually make these changes in DNS (which would mean, I suppose, walking through the DNS tree on one or the other or both DCs and making either ADDITIONAL record definitions or changing the ones that now exist). I would love it if someone could give me some direction about this. Or whether rendom is going to make changes in DNS automatically once (and if) I get to the point of doing rendom/end.

    AND, I now assume, based on comments from Lawrence and Abhijit, that I need to do "netdom" as described under Step 10 of the Step-by-Step instructions. The reason I haven't yet crossed that bridge is that I'm still trying to get from Step 8 (rendom/execute) to Step 9 (double reboot followed by rendom/end). So I'm faced with something of a disconnect here. I haven't yet done Step 9, so how or why should I do Step 10 before Step 9? There may be a good reason, but if so, I don't yet understand it. And I REALLY, REALLY want to understand this process so I don't screw it up when I'm under the gun and the whole world is watching.

    So the place I think I'm at just now is I don't understand

    a) if I screwed up by not adequately preparing my DNS (by manually creating records reflecting my new/future domain name) prior to starting rendom, and

    b) should I undertake netdom (Step 10) before rendom/end (Step 9), and if so why.

    THANK YOU for your patience while I try to get this down. And thanks to Sandesh for the suggestion about ADMT. One reason I have not pursued this is it is my understanding that ADMT is a Windows Server 2008 tool, while my target is Windows Server 2003 R2. And domain rename is, I think, anyway more appropriate for what I have been tasked with doing.

    Chris

    Wednesday, April 11, 2012 9:25 PM

  • Lawrence,

    If I missed doing anything in preparation for rendom, I can (and will be happy to) restore both DCs and the Control Station from backup to the state they were in before rendom, and repeat everything from the beginning. It seems to me likely that either there is something unique about my configuration or I missed something in preparation. I know that I did NOT manually change or add new DNS entries (via Administrative Tools -> DNS) to duplicate or add entries reflecting the new domain name alongside those with the original/old DNS name. If I was supposed to do this, it wasn't clear to me at the start (based on my reading of the Step-by-Step instructions).

    Chris

    Friday, April 13, 2012 10:38 AM
  • Before you proceed you do have to read the official documentation and requirements from Microsoft: http://technet.microsoft.com/nb-no/windowsserver/bb405948(en-us).aspx

    I would recommend, instead of restoring the DC from backup as you are testing, creating a fresh DC and then proceeding with testing. You need to follow the step-by-step process. I used the below links for testing.
    http://sandeshdubey.wordpress.com/2011/10/12/domain-rename-for-windows-20032008/
    http://adfordummiez.com/?p=39

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, April 13, 2012 11:05 AM
  • Sandesh,

    Thank you for your suggestion and reference to information on your blog. One of the prerequisites cited on your blog, of course, is "A DNS zone for the new domain must be in place", and this is a requirement I still do not completely understand because I don't know exactly what a "zone" looks like in DNS. As far as I know, my configuration either has no zones or has only one zone because it has no subdomains and no parent domain. There is only a single domain with two PDCs that share and mirror responsibility for the domain. What I would love to see is a specific example (e.g., a screen shot or example listing of DNS entries) that illustrates what a "properly prepared" DNS display should look like.

    Does "A DNS zone for the new domain must be in place" mean that I should use Administrative Tools -> DNS to manually create dozens of new entries in DNS reflecting the new domain name alongside (in addition to) the existing entries reflecting the old (existing) domain name? If so, I assume this would mean entries under Forward Lookup Zones such as duplicate branches under _msdcs.old_domain_name.local such as:

    xxxxxx    Alias (CNAME)     host1.old_domain_name.local

    xxxxx     Alias (CNAME)     host2.old_domain_name.local

    xxxxx     Alias (CNAME)     host1.new_domain_name.local

    xxxxx     Alias (CNAME)     host2.new_domain_name.local

    ...and similar duplications under domains, gc, pdc etc. branches of the DNS tree

    I haven't seen anywhere specific examples of what "A DNS zone for the new domain must be in place" means in terms of what it would look like in a DNS tree. This ignorance on my part (together with my lack of understanding about whether I had a zone in the first place) is what led me to skip this step in the first place. Thanks for your help and suggestion.

    Chris

    Friday, April 13, 2012 11:33 AM
  • You can delete the old dns CName record and run ipconfig /flushdns and ipconfig /registerdns and dcdiag /fix or delete the record and reboot the server.

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, April 13, 2012 11:42 AM
  • Sandesh,

    Thanks for your suggestions. It may be helpful here to understand that the exercise I am currently engaged in is a "learning" or "practice" domain rename operation on a domain that mirrors my production domain. The objective of this exercise is to learn and prove that I understand the "proper" way to accomplish domain rename from start to finish. I am not so interested in "fixing" or "recovering from" any problems that I have now as I am interested in knowing how to avoid having them in the first place.

    Chris

    Friday, April 13, 2012 11:54 AM
  • Last time I faced the same issue in the lab with domain rename (but the DC was restored multiple times from backup by my colleague), the CNAME GUID was old and I found a replication issue between the DCs; I did the above-mentioned step and the issue was resolved.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, April 13, 2012 12:04 PM
  • > Does "A DNS zone for the new domain must be in place" mean that I should use Administrative Tools -> DNS to manually create dozens of new entries in DNS reflecting the new domain name alongside (in addition to) the existing entries reflecting the old (existing) domain name?

    Hi,

    I am not able to find GUI steps for you; however, as a prerequisite, for the DNS zone step you just need to set up a DNS zone as below:
    Create a new DNS zone and you are done.

    · Open the DNS management console (dnsmgmt.msc)
    · Right click “Forward Lookup Zones” > “Add new forward lookup zone”
    · Call it “xyz.local” (without quotes)
    · If you have a trusting domain, create the same zone as a secondary zone in the trusting domain


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, April 14, 2012 4:44 AM
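As an added readiness check (this is not code from the thread, from Microsoft's Step-by-Step guide, or from any of the posters), the following PowerShell script ties together the two prerequisites the replies above discuss: the DNS zone for the new domain name that the DC locator depends on, and the netdom name state on each DC from Lawrence's and Abhijit's rename steps. It assumes PowerShell 2.0 on the control station with the Windows Server 2003 Support Tools (netdom.exe, nltest.exe) on PATH, uses the thread's domain and DC names as defaults, and assumes netdom and nltest return a nonzero exit code on failure.

```powershell
# Post-"rendom /execute" readiness check (added example; not from the thread or MS guide).
# Assumed: PowerShell 2.0, Support Tools (netdom, nltest) on PATH; names below are the thread's.
param(
    [string]$OldDomain = "domain1.local",
    [string]$NewDomain = "domain2.local",
    [string[]]$DcHosts  = @("cs01", "cs02")
)

$allOk = $true
function Report([bool]$pass, [string]$msg) {
    if ($pass) { Write-Host "OK   $msg" } else { Write-Host "FAIL $msg"; $script:allOk = $false }
}

# 1. Zone for the new name: the DC locator queries this SRV record to find a DC under the
#    new domain name. Netlogon registers it with each DC's *current* host name, so match on
#    the short host name only (the DC may still be cs01.domain1.local before Step 10).
$srv = "_ldap._tcp.dc._msdcs.$NewDomain"
$srvText = & nslookup -type=SRV $srv 2>&1 | Out-String
foreach ($dc in $DcHosts) {
    Report ($srvText -match "svr hostname\s*=\s*$dc\.") "$srv lists a DC named $dc"
}

# 2. DC locator end to end: can this member computer find a DC for the new name right now?
#    A failure here is the symptom from the original post (logon says no DC is available).
& nltest "/dsgetdc:$NewDomain" /force | Out-Null
Report ($LASTEXITCODE -eq 0) "nltest /dsgetdc:$NewDomain succeeded (exit code $LASTEXITCODE)"

# 3. This computer's own primary DNS suffix: after the two reboots it should be the new name.
$tcpip  = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
$suffix = $tcpip.Domain
Report ($suffix -eq $NewDomain) "primary DNS suffix is '$suffix' (expected $NewDomain)"

# 4. Per-DC names: show which primary/alternate names netdom has for each DC, and have netdom
#    confirm a DNS A record and SPN exist for every name before any /remove step is run.
foreach ($dc in $DcHosts) {
    $names = & netdom computername "$dc.$OldDomain" /enumerate 2>&1 | Out-String
    Report ($LASTEXITCODE -eq 0) "netdom enumerate for $dc.$OldDomain`n$names"
    & netdom computername "$dc.$OldDomain" /verify 2>&1 | Out-Null
    Report ($LASTEXITCODE -eq 0) "netdom /verify for $dc.$OldDomain (A record + SPN per name)"
}

if ($allOk) { "All checks passed." } else { "One or more checks failed; see the FAIL lines above." }
```

Run it from the control station after rendom /execute and the two reboots; it only reports and changes nothing, so it is safe to rerun after each correction.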
  • After too much gnashing of teeth, I have restored my domain and the third Windows Server 2003 R2 computer that I am using as Control Station to their state prior to undertaking Domain Rename. I am starting over from the beginning, taking care to not miss preparing my DNS by manually creating records reflecting the new (future) name of my domain-to-be (as Lawrence has advised). So I am marking this case as resolved and moving on with many thanks to all who have contributed to this solution.

    Chris

    Monday, April 16, 2012 4:57 PM