
The Lazy Admin

Domain Rename Part 3 - Exchange 2003

In the final part of this three-part series, James takes us through the steps required to complete the Exchange Server 2003 portion of the domain rename.

Once your domain controllers are back up, let's work on Exchange to make it work with the renamed domain. You will need the XDR-FIXUP tool (see the link at the end of this article). Running XDR-fixup.exe is an additional step required when you perform a domain rename in a forest that contains Exchange Server 2003: it modifies the Exchange attributes in Active Directory so that they reflect the new domain name. XDR-fixup.exe does not replace the Windows Server 2003 domain rename tools, nor does it extend their functionality.

Note: You must run XDR-fixup.exe every time that you run rendom /execute.

Before you run it, be clear about what the domain rename tools and XDR-fixup do not do:

The domain rename tools do not rename e-mail domains. They do not change the e-mail domains that are specified in Exchange recipient policies and e-mail addresses. Change your e-mail domains after the domain rename procedure. For information about how to modify e-mail domains, see the Microsoft Knowledge Base articles listed at the end of this article.

The domain rename tools do not rename the Exchange organization. You cannot rename the Exchange organization with the domain rename tools.

The domain rename tools do not merge Exchange organizations. You cannot use the domain rename tools to merge two Exchange organizations that are in different Active Directory forests into a single Exchange organization.

At this step, we need to type this command in on the control station:

XDR-fixup /s:DOMAINLIST-SAVE.XML /e:DOMAINLIST.XML /trace:TRACEFILE /changes:CHANGESCRIPT.LDF /restore:RESTORESCRIPT.LDF

Changescript.ldf contains the changes that are required to update the Exchange configuration after the domain is renamed. Restorescript.ldf contains the changes that are required to undo the Changescript.ldf changes and return to the current Exchange configuration. Please, do not make the same error I did. Being lazy, I did a copy and paste of the command above and it would error out. As you can only run this command once, it will not work! TYPE IN THE COMMAND! I noticed that the domainlist and domainlist-save file names are case sensitive when running xdr-fixup.

 

The CHANGESCRIPT.LDF file should not be 0 bytes. XDR-fixup should report that it fixed a certain number of objects; that is how you know the command ran successfully. After XDR-fixup has run, restart the control station computer to reset the connection between it and a domain controller and to update the domain information on that computer. Restart the control station a second time to make sure that all services have picked up the new domain information, then log on to it again. On the control station, run the following command to apply the CHANGESCRIPT.LDF changes to Active Directory (ldifde writes ldif.log and ldif.err to the current directory, so check them if the import reports errors):

ldifde -i -f CHANGESCRIPT.LDF
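Before you run that import, it is worth sanity-checking the two LDIF files XDR-fixup produced: a 0-byte change script, a change with no matching restore entry, or an entry that does something other than modify an existing object are all signs that the fix-up did not run the way you expected. The following PowerShell script is an added example and not part of the original article; it assumes both files are in the current directory and that the file names are passed as parameters.

```powershell
# Added example, not part of the original article: sanity-check the two LDIF
# files XDR-fixup produced before importing CHANGESCRIPT.LDF with ldifde.
# Assumes both files sit in the current directory (override with parameters).
param(
    [string]$ChangeScript  = ".\CHANGESCRIPT.LDF",
    [string]$RestoreScript = ".\RESTORESCRIPT.LDF"
)

function Get-LdifEntries {
    # Parse an LDIF change file into one object per entry: the DN, the
    # changetype, and the attributes the entry adds/replaces/deletes.
    # Continuation lines (leading space) are folded onto the previous line
    # as RFC 2849 requires; "-" separators and "#" comments are ignored.
    param([Parameter(Mandatory = $true)][string]$Path)

    $folded = New-Object System.Collections.Generic.List[string]
    foreach ($line in (Get-Content -Path $Path)) {
        if ($line.StartsWith(' ') -and $folded.Count -gt 0) {
            $folded[$folded.Count - 1] += $line.Substring(1)
        } else {
            $folded.Add($line)
        }
    }

    $entries = New-Object System.Collections.ArrayList
    $current = $null
    foreach ($line in $folded) {
        if ($line -match '^\s*$') {                       # blank line ends an entry
            if ($current) { [void]$entries.Add($current); $current = $null }
        } elseif ($line -match '^dn:(:?)\s*(.+)$') {     # "dn::" means base64-encoded DN
            $dn = $Matches[2].Trim()
            if ($Matches[1]) { $dn = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($dn)) }
            $current = [pscustomobject]@{ DN = $dn; ChangeType = ''; Attributes = @() }
        } elseif ($current -and $line -match '^changetype:\s*(\S+)') {
            $current.ChangeType = $Matches[1].ToLower()
        } elseif ($current -and $line -match '^(add|replace|delete):\s*(\S+)') {
            $current.Attributes += $Matches[2]
        }
    }
    if ($current) { [void]$entries.Add($current) }
    return $entries.ToArray()
}

# The article's first check: neither file may be missing or empty.
foreach ($file in $ChangeScript, $RestoreScript) {
    if (-not (Test-Path -Path $file)) { throw "$file is missing: XDR-fixup did not complete" }
    if ((Get-Item -Path $file).Length -eq 0) { throw "$file is 0 bytes: XDR-fixup fixed no objects" }
}

$changes  = @(Get-LdifEntries -Path $ChangeScript)
$restores = @(Get-LdifEntries -Path $RestoreScript)
"{0}: {1} object(s) to modify"  -f $ChangeScript,  $changes.Count
"{0}: {1} object(s) to restore" -f $RestoreScript, $restores.Count

# Which attributes does the change script rewrite? Eyeball this before
# importing: they should be Exchange configuration attributes, nothing else.
$changes | ForEach-Object { $_.Attributes } | Group-Object |
    Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# Every object the change script touches should have an undo entry, or the
# restore script cannot take you back if the import goes wrong.
$restoreDns = $restores | ForEach-Object { $_.DN }
foreach ($entry in ($changes | Where-Object { $restoreDns -notcontains $_.DN })) {
    Write-Warning "No restore entry for $($entry.DN)"
}

# A fix-up script is expected to modify existing objects; anything that adds
# or deletes whole objects deserves a look before you import it.
foreach ($entry in ($changes | Where-Object { $_.ChangeType -ne 'modify' })) {
    Write-Warning "$($entry.DN) has changetype '$($entry.ChangeType)', not modify"
}
```

Run it from the same directory you ran XDR-fixup in, and treat any warning as a reason to look at the LDIF by hand (or the trace file) before you import it: ldifde has no dry-run mode, and the restore script is the only way back.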

Now restart your Exchange server(s) twice. Do not be alarmed if you log on after the first reboot and see all kinds of errors; reboot again and they will go away.

Once your Exchange server is up, log back on to your domain controllers and change the primary DNS suffix of each DC to reflect your new domain name. Unlike member servers and clients, domain controllers do not have their DNS suffix updated automatically.

Once you have done that, open Exchange System Manager and go to your Recipient Update Services. You are just going to reselect your domain controller: if you look, it is still pointing at the old DNS suffix.

The forest configuration was frozen with respect to certain types of changes when the rename started: adding or removing domains, domain controllers and trusts was not allowed within the forest. In this step, you use Rendom to unfreeze the forest (rendom /end) so that those changes can once again be made.

At this point, there are a few things that need doing, depending on how your network is set up. First, update Group Policy to reflect the new domain name. Run the following command from a command prompt:

gpfixup /olddns:OldDomainDnsName /newdns:NewDomainDNSName /oldnb:OldDomainNetBIOSName /newnb:NewDomainNetBIOSName /dc:DcDnsName  

Note: This command must be typed on 1 line.

Force replication once this is done. You also need to update your domain controller certificates, so that any certificate-based authentication mechanism (for example, replication and smart card logon via Kerberos) continues to work. If template-based autoenrollment was configured before the domain rename, increment the version number of the Domain Controller Authentication and Directory Email Replication certificate templates to force re-enrollment. Otherwise, use Group Policy to enable machine-based autoenrollment. The domain controllers will re-enroll and supersede the existing V1 Domain Controller certificate.

To enable certificate enrollment using either autoenrollment or the Certificates MMC snap-in in the new domain, a small change has to be made in Active Directory to the Enrollment Services container in the configuration directory partition (cn=Enrollment Services,cn=Public Key Services,cn=Services,cn=Configuration,dc=ForestRootDomain). The CA object in this container has a dNSHostName attribute that still contains the old DNS name of the CA machine. You can use ADSIEdit to change the value of this attribute; the object is at LDAP://CN=YOURCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=YourSubDomain,DC=YourDomain,DC=com (the DC= components being those of your renamed forest root). Next, don't forget to update the DNS name of the CA machine in the registry:

  1. On the CA machine, open Registry Editor and locate the CAServerName value under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\YourCAName.
  2. Change the value of CAServerName to the new DNS host name of the CA machine, then restart Certificate Services so that it reads the new value.

Do all of these steps on every CA in your forest. You might also want to increment the version number of other templates (particularly those used for authentication) to trigger autoenrollment for users and their machines.

At this point, restart all your member clients twice, by logging on and restarting; they will automatically pick up the new domain. Once you have done this and completed any other steps that your certificate infrastructure requires, type rendom /clean. The rendom /clean command connects to the domain naming master and removes the msDS-DnsRootAlias and msDS-UpdateScript attribute values from Active Directory. That should do it! I just BARELY touched the surface of a domain rename. This is not a walk-in-the-park process, as there are many things to consider in a domain rename.
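The items the rename does not fix for you (the domain controllers' DNS suffix, the CA object under Enrollment Services, the CAServerName registry value, and the rendom scaffolding that /clean removes) are easy to miss, so it pays to check them in one pass once you are done. The PowerShell script below is an added example and not part of the original article: it reads the configuration partition and the default naming context through ADSI, checks the CertSvc registry key if it is present on the machine it runs on, and reports anything still pointing at the old name. The two domain names are placeholders you replace with your own; run it on the control station (and once on each CA for the registry check) with an account that can read those objects.

```powershell
# Added example, not part of the original article: after rendom /clean, verify
# the items this article says the rename does not fix for you. Run on the
# control station (and on each CA for the registry check) as an account that
# can read the configuration partition. The domain names are placeholders.
param(
    [string]$OldDnsName = "old.corp.example",   # placeholder: pre-rename DNS name
    [string]$NewDnsName = "new.corp.example"    # placeholder: renamed DNS name
)
$ErrorActionPreference = 'Stop'
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext
$problems = @()

function Get-Prop($result, [string]$Name) {
    # First value of an attribute from a search result, or '' if unset
    # (search-result property names are lower-case).
    $values = $result.Properties[$Name.ToLower()]
    if ($values.Count -gt 0) { return [string]$values[0] } else { return '' }
}
function Test-NewSuffix([string]$HostName) {
    # True when a host name already ends in the renamed domain.
    return $HostName.EndsWith(".$NewDnsName", [StringComparison]::OrdinalIgnoreCase)
}

# 1. Domain controllers: the rename leaves their primary DNS suffix alone, so
#    each DC's registered dNSHostName should end in the new name by now.
#    userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT) marks DC accounts.
$dcSearch = [ADSISearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
$dcSearch.SearchRoot = [ADSI]"LDAP://$domainNc"
[void]$dcSearch.PropertiesToLoad.AddRange([string[]]@('name', 'dNSHostName'))
foreach ($dc in $dcSearch.FindAll()) {
    $fqdn = Get-Prop $dc 'dNSHostName'
    if (-not (Test-NewSuffix $fqdn)) {
        $problems += "DC $(Get-Prop $dc 'name') still registers '$fqdn': change its primary DNS suffix"
    }
}

# 2. The CA objects under Enrollment Services must carry the CA's new FQDN,
#    or autoenrollment and the Certificates snap-in cannot reach the CA.
$caSearch = [ADSISearcher]"(objectClass=pKIEnrollmentService)"
$caSearch.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
[void]$caSearch.PropertiesToLoad.AddRange([string[]]@('cn', 'dNSHostName'))
foreach ($ca in $caSearch.FindAll()) {
    $caHost = Get-Prop $ca 'dNSHostName'
    if (-not (Test-NewSuffix $caHost)) {
        $problems += "CA '$(Get-Prop $ca 'cn')' dNSHostName is '$caHost': fix it with ADSIEdit"
    }
}

# 3. On the CA machine itself, CAServerName must no longer name the old domain.
#    (Skipped silently on machines that are not a CA.)
$regBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path -Path $regBase) {
    foreach ($caKey in Get-ChildItem -Path $regBase) {
        $server = (Get-ItemProperty -Path $caKey.PSPath).CAServerName
        if ($server -and $server -like "*.$OldDnsName") {
            $problems += "CAServerName for '$($caKey.PSChildName)' is '$server': update it and restart Certificate Services"
        }
    }
}

# 4. rendom /clean removes the rename scaffolding: msDS-UpdateScript on the
#    Partitions container and msDS-DnsRootAlias on each crossRef beneath it.
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"
if ($partitions.Properties['msDS-UpdateScript'].Count -gt 0) {
    $problems += "msDS-UpdateScript is still set on CN=Partitions: run rendom /clean"
}
$crossRefSearch = [ADSISearcher]"(objectClass=crossRef)"
$crossRefSearch.SearchRoot  = $partitions
$crossRefSearch.SearchScope = 'OneLevel'
[void]$crossRefSearch.PropertiesToLoad.AddRange([string[]]@('nCName', 'msDS-DnsRootAlias'))
foreach ($cr in $crossRefSearch.FindAll()) {
    if ($cr.Properties.Contains('msds-dnsrootalias')) {
        $problems += "msDS-DnsRootAlias still set on crossRef for $(Get-Prop $cr 'nCName'): run rendom /clean"
    }
}

if ($problems.Count -eq 0) {
    'Post-rename checks passed.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

A non-zero exit with warnings is the useful outcome here: each warning names the object and the fix the article describes for it. Run the script again after replication has converged, since the DC and CA checks read whatever the directory your control station is bound to currently holds.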





Published Friday, June 09, 2006 6:05 AM by rodney.buike
