
See http://technet.microsoft.com/en-us/library/cc794869(WS.10).aspx

----- Preparing for the Domain Rename Operation -----

To complete this task, perform the following procedures:

1 - Adjust Forest Functional Level

To set the forest functional level to Windows Server 2003 or Windows Server 2008

1.Open the Active Directory Domains and Trusts snap-in: click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

2.In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

3.In Select an available forest functional level, do one of the following:

To raise the forest functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.

To raise the forest functional level to Windows Server 2008, click Windows Server 2008, and then click Raise.

2 - Create Necessary Shortcut Trust Relationships

See http://technet.microsoft.com/en-us/library/cc794918(WS.10).aspx

3 - Prepare DNS Zones

Create a DNS zone "newdomain" and a zone "_msdcs.newdomain", both allowing secure and nonsecure dynamic updates.

See http://technet.microsoft.com/en-us/library/cc794811(WS.10).aspx

4 - Redirect Special Folders to a Standalone DFSN

See http://technet.microsoft.com/en-us/library/cc816818(WS.10).aspx

5 - Relocate Roaming User Profiles to a Standalone DFSN

See http://technet.microsoft.com/en-us/library/cc794753(WS.10).aspx

6 - Configure Member Computers for Host Name Changes

This is normally automatic; verify it in the network configuration on the DNS tab (advanced TCP/IP IPv4 settings). It can also be set with a GPO.

See http://technet.microsoft.com/en-us/library/cc816608(WS.10).aspx

7 - Prepare Certification Authorities

See http://technet.microsoft.com/en-us/library/cc816587(WS.10).aspx

8 - Exchange-Specific Steps: Prepare a Domain that Contains Exchange

See http://technet.microsoft.com/en-us/library/cc794909(WS.10).aspx

----- Performing the Domain Rename Operation -----

1 - Set Up the Control Station

Important 

Do not use a domain controller to act as the control station for the domain rename operation.

 - To set up the control station on a Windows Server 2003 member server

1.On a local disk drive of the selected control station computer, create a working directory for the domain rename tools, for example, C:\domren

Note  Each time that you use the tools in this procedure, run them from this directory.

2.Insert the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition operating system CD into the CDROM drive and copy the files from the valueadd directory into your working directory as follows:

copy D:\valueadd\msft\mgmt\domren\*.* C:\domren

In particular, verify that the two tools Rendom.exe and Gpfixup.exe have been copied into the working directory on the control station.

3.Install the Support Tools from the Support\Tools folder on the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition operating system CD. (To install Support Tools, run Suptools.msi in the Support\Tools directory.) In particular, verify that the tools Rendom.exe, Repadmin.exe, Dfsutil.exe, and Gpfixup.exe are installed on the control station.

 - To set up the control station on a Windows Server 2008 member server

1.On a local disk drive of the selected control station computer, create a working directory for the domain rename tools, for example, C:\domren.

Note  Each time that you use the tools in this procedure, run them from this directory.

2.To obtain the necessary tools for the domain rename operation, install the Remote Server Administration Tools Pack (IT IS A FEATURE; IT ALSO INSTALLS THE IIS ROLE – REQUIRES A RESTART). For more information, see Installing or Removing the Remote Server Administration Tools Pack (http://go.microsoft.com/fwlink/?LinkId=124111).

Verify that the tools Rendom.exe, Repadmin.exe, Dfsutil.exe, and Gpfixup.exe are installed on the control station in the C:\Windows\System32 directory.

3.Copy the Rendom.exe, Repadmin.exe, Dfsutil.exe, and Gpfixup.exe tools from the C:\Windows\System32 directory into your working directory as follows:

robocopy C:\Windows\System32 C:\domren rendom.exe repadmin.exe dfsutil.exe gpfixup.exe

See http://technet.microsoft.com/en-us/library/cc816869(WS.10).aspx

2 - Freeze the Forest Configuration

Creation of objects in AD must be suspended on all DCs.

See http://technet.microsoft.com/en-us/library/cc816725(WS.10).aspx

3 - Back Up All Domain Controllers

4 - Generate the Current Forest Description

To generate the current forest description file

1.On the control station, click Start, click Run, type cmd, and then click OK.

2.At the command prompt, type the following command to change to the working directory, and then press ENTER:

Cd C:\domren

3.To generate the XML-encoded forest description file, at the command prompt, type the following command, and then press ENTER:

rendom /list

4.Save a copy of the current forest description file (Domainlist.xml) that was generated in step 3 as Domainlist-save.xml for future reference by using the following copy command:

copy domainlist.xml domainlist-save.xml

5 - Specify the New Forest Description

To edit the Domainlist.xml file

1.Use a simple text editor, such as Notepad.exe, to open the current forest description file Domainlist.xml that you created in Generate the Current Forest Description.

2.Edit the forest description file, replacing the current DNS or NetBIOS names of the domains and application directory partitions to be renamed with the planned new DNS or NetBIOS names.

Note 

It is not necessary to change the NetBIOS name of a domain when its DNS name changes.

See http://technet.microsoft.com/en-us/library/cc816795(WS.10).aspx
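
A check to run between editing Domainlist.xml and running rendom /upload, as an added example that is not part of the original procedure or of the Rendom tool: it compares the edited file with Domainlist-save.xml entry by entry and lists what was renamed, what still carries the old DNS name, and any entry whose Guid no longer matches. The XML element names and the sample data are assumptions constructed for illustration.

```powershell
# Added example. Constructed sample data; the element names <Forest>, <Domain>,
# <Guid>, <DNSname> and <NetBiosName> are assumed, not taken from the page.
$savedXml = @'
<?xml version="1.0"?>
<Forest>
  <Domain>
    <Guid>11111111-1111-1111-1111-111111111111</Guid>
    <DNSname>cohovineyard.com</DNSname>
    <NetBiosName>COHOVINEYARD</NetBiosName>
  </Domain>
  <Domain>
    <Guid>22222222-2222-2222-2222-222222222222</Guid>
    <DNSname>DomainDnsZones.cohovineyard.com</DNSname>
    <NetBiosName></NetBiosName>
  </Domain>
</Forest>
'@
# Simulated edit: the domain is renamed, the application partition is overlooked.
$editedXml = $savedXml.Replace('>cohovineyard.com<', '>cohowinery.com<')
$editedXml = $editedXml.Replace('>COHOVINEYARD<', '>COHOWINERY<')

function Read-ForestDescription {
    param([Parameter(Mandatory=$true)][string]$XmlText)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)
    $byGuid = @{}
    foreach ($d in $doc.SelectNodes('//Domain')) {
        # Key each entry by Guid: the Guid must survive the edit unchanged.
        $byGuid[('' + $d.Guid).Trim()] = New-Object PSObject -Property @{
            Dns     = ('' + $d.DNSname).Trim()
            NetBios = ('' + $d.NetBiosName).Trim()
        }
    }
    return $byGuid
}

function Compare-ForestDescription {
    param(
        [Parameter(Mandatory=$true)][string]$SavedXml,
        [Parameter(Mandatory=$true)][string]$EditedXml,
        [Parameter(Mandatory=$true)][string]$OldDnsSuffix
    )
    $before = Read-ForestDescription $SavedXml
    $after  = Read-ForestDescription $EditedXml
    $report = @()
    foreach ($guid in $before.Keys) {
        $old = $before[$guid]
        if (-not $after.ContainsKey($guid)) {
            $report += "PROBLEM  $($old.Dns): entry missing or Guid altered ($guid)"
            continue
        }
        $new = $after[$guid]
        if ($new.Dns -ne $old.Dns) {
            $report += "RENAME   DNS $($old.Dns) -> $($new.Dns)"
        } elseif ($old.Dns -eq $OldDnsSuffix -or $old.Dns -like "*.$OldDnsSuffix") {
            # Unchanged entry that still sits under the name being retired.
            $report += "REVIEW   $($old.Dns): still under the old DNS name"
        }
        if ($new.NetBios -ne $old.NetBios) {
            $report += "RENAME   NetBIOS $($old.NetBios) -> $($new.NetBios)"
        }
    }
    foreach ($guid in $after.Keys) {
        if (-not $before.ContainsKey($guid)) {
            $report += "PROBLEM  $($after[$guid].Dns): entry added or Guid altered ($guid)"
        }
    }
    return $report
}

# Real use: pass [System.IO.File]::ReadAllText() of C:\domren\Domainlist-save.xml
# and C:\domren\Domainlist.xml instead of the constructed strings.
Compare-ForestDescription -SavedXml $savedXml -EditedXml $editedXml -OldDnsSuffix 'cohovineyard.com'
```

A REVIEW line is not necessarily an error; it marks an entry to confirm as intentionally left under the old name before the instructions are uploaded.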

6 - Generate Domain Rename Instructions

To generate the domain rename instructions and upload them to the domain naming master

1.On the control station, click Start, click Run, type cmd, and then click OK.

2.At the command prompt, type the following to change to the working directory, and then press ENTER:

cd C:\domren

3.From within the working directory, type the following command, and then press ENTER:

rendom /upload

4.Verify that the state file Dclist.xml is created in the working directory and that it contains an entry for every domain controller in your forest.

See http://technet.microsoft.com/en-us/library/cc794851(WS.10).aspx

7 - Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness

To force synchronization of changes made on the domain naming master to all domain controllers in the forest

1.On the control station, click Start, click Run, type cmd, and then click OK.

2.At the command prompt, type the following command, and then press ENTER:

repadmin /syncall /d /e /P /q "DomainNamingMaster"

Note 

DomainNamingMaster is the name of the DC that holds the domain naming master role. The repadmin command-line options are case sensitive.

 

Note 

If read-only domain controllers (RODCs) are included in your domain, run this command one more time to ensure that the RODC new servicePrincipalName attribute is replicated to all the domain controllers in the forest. 

See http://technet.microsoft.com/en-us/library/cc816721(WS.10).aspx

8 - Verify Readiness of Domain Controllers

Important 

All domain controllers must be in the Prepared state before domain rename instructions can be run.

To verify the readiness of domain controllers in the forest

1.On the control station, click Start, click Run, type cmd, and then click OK.

2.At the command prompt, type the following command to change to the working directory, and then press ENTER:

cd C:\domren

3.From within the working directory, type the following command, and then press ENTER:

rendom /prepare

4.After the command finishes, examine the state file Dclist.xml to determine whether all domain controllers achieved the Prepared state. If not, repeat step 2 in this procedure until all domain controllers achieve the Prepared state.

Note 

Each time that it runs, the Rendom tool consults the Dclist.xml state file, and it does not connect to and verify the domain controllers that are already in the Prepared state. Therefore, no redundant operations are performed when you run this command repeatedly.

See http://technet.microsoft.com/en-us/library/cc816639(WS.10).aspx

9 - Run Domain Rename Instructions

The rendom command must be repeated until all domain controllers have either successfully executed the domain rename or you have established that one or more domain controllers are unreachable and will be removed from the forest.

Important 

This step will cause a temporary disruption in service while the domain controllers are running the domain rename instructions and restarting after they run the instructions successfully. The Active Directory Domain Services (AD DS) service in the forest has not been disrupted up to this point in the domain rename operation.

 Important 

All domain controllers in the forest must be in the Prepared state, as indicated by the state field (<State>Prepared</State>) in the state file Dclist.xml. This state is checked for and enforced by rendom at this step.

To run the domain rename instructions on all domain controllers

1.On the control station, click Start, click Run, type cmd, and then click OK.

2.At the command prompt, type the following command to change to the working directory, and then press ENTER:

cd C:\domren

3.From within the working directory, type the following command, and then press ENTER:

rendom /execute

THE COMMAND RESTARTS THE DCs – AT THE NEXT LOGON THE DOMAIN NAME MUST BE THE NEW ONE, SO SWITCH USER AND LOG ON AS ADMINISTRATOR OF THE NEW DOMAIN

4.When the command has finished running, examine the state file Dclist.xml to determine whether all domain controllers have reached either the Done state or the Error state.

5.If the Dclist.xml file shows any domain controllers as remaining in the Prepared state, repeat step 2 in this procedure as many times as necessary until the stopping criterion is met.

Important 

The stopping criterion for the domain rename operation is that every domain controller in the forest has reached one of the two final states of Done or Error in the Dclist.xml state file.

 Note 

Each time that you run it, the rendom /execute command consults the Dclist.xml state file and skips connecting to the domain controllers that are already in the Done or Error state. Therefore, no redundant operations are performed if you repeatedly attempt this command.
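
An added example (not from the original page or from the Rendom tool) that reads the Dclist.xml state file and evaluates the two gates described above: every domain controller in the Prepared state before the first rendom /execute, and the stopping criterion of every domain controller in the Done or Error state. Only the State and Retry fields come from the page; the other element names and the sample entries are assumed.

```powershell
# Added example. Constructed sample in the shape of Dclist.xml. The page names
# only the <State> and <Retry> fields; <DcList>, <DC> and <Name> are assumed.
$sampleDclist = @'
<?xml version="1.0"?>
<DcList>
  <DC><Name>dc1.cohovineyard.com</Name><State>Done</State><Retry></Retry></DC>
  <DC><Name>dc2.cohovineyard.com</Name><State>Prepared</State><Retry></Retry></DC>
  <DC><Name>dc3.sales.cohovineyard.com</Name><State>Error</State><Retry></Retry></DC>
</DcList>
'@

function Get-ChildText($node, $child) {
    # Text of a child element, or '' when the element is absent.
    $n = $node.SelectSingleNode($child)
    if ($n -eq $null) { return '' }
    return $n.InnerText.Trim()
}

function Get-DcRenameState {
    param([Parameter(Mandatory=$true)][string]$XmlText)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)
    # Every element that has a <State> child is treated as one DC entry.
    foreach ($entry in $doc.SelectNodes('//*[State]')) {
        New-Object PSObject -Property @{
            Name  = Get-ChildText $entry 'Name'
            State = Get-ChildText $entry 'State'
            Retry = Get-ChildText $entry 'Retry'
        }
    }
}

function Test-RenameGate {
    param(
        [object[]]$Entries = @(),
        [Parameter(Mandatory=$true)]
        [ValidateSet('BeforeFirstExecute', 'StoppingCriterion')][string]$Gate
    )
    if ($Gate -eq 'BeforeFirstExecute') { $allowed = @('Prepared') }
    else                                { $allowed = @('Done', 'Error') }
    $blocking = @($Entries | Where-Object { $allowed -notcontains $_.State })
    New-Object PSObject -Property @{
        Gate     = $Gate
        # An empty list never passes: it means the file was not parsed as expected.
        Passed   = ($Entries.Count -gt 0) -and ($blocking.Count -eq 0)
        Blocking = @($blocking | ForEach-Object { '{0} ({1})' -f $_.Name, $_.State })
        # DCs that need a retry or AD DS removal once the run is declared complete.
        InError  = @($Entries | Where-Object { $_.State -eq 'Error' } |
                     ForEach-Object { $_.Name })
    }
}

# Real use: Get-DcRenameState -XmlText ([System.IO.File]::ReadAllText('C:\domren\Dclist.xml'))
$entries = @(Get-DcRenameState -XmlText $sampleDclist)
$entries | Select-Object Name, State, Retry | Format-Table -AutoSize
Test-RenameGate -Entries $entries -Gate BeforeFirstExecute | Format-List Gate, Passed, Blocking
Test-RenameGate -Entries $entries -Gate StoppingCriterion  | Format-List Gate, Passed, Blocking, InError
```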

If you determine that an error that has caused a domain controller to reach the Error state in the Dclist.xml file is actually a recoverable error and you think that progress can be made on that domain controller by trying to run the domain rename instructions again, you can force the rendom /execute command to run again by issuing the RPC to that domain controller (instead of skipping it) as described in the following procedure.

To force rendom /execute to reissue the RPC to a domain controller in the Error state

1.On the control station, navigate to the working directory C:\domren, and using a simple text editor, such as Notepad.exe, open the Dclist.xml file.

2.In the Dclist.xml file, locate the <Retry></Retry> field in the domain controller entry for the domain controller that you think should be reissued the RPC, and then edit the Dclist.xml file so that the field reads <Retry>yes</Retry> for that entry.

3.On the control station, click Start, click Run, type cmd, and then click OK.

4.At the command prompt, type the following command to change to the working directory, and then press ENTER:

cd C:\domren

5.From within the working directory, type the following command, and then press ENTER:

rendom /execute

Running the rendom /execute command reissues the execute-specific RPC to that domain controller.

When all the domain controllers are in either the Done or Error state (there should be no domain controller in the Prepared state), declaring the execution of the domain rename instructions to be complete is at your discretion. You can continue to retry execution attempts on domain controllers that are in the Error state if you think that they will eventually succeed. However, when you declare that the execution of the domain rename instructions is complete, and you will not retry the rendom /execute command, you must remove AD DS from all domain controllers that are still in the Error state. For detailed step-by-step instructions to remove the AD DS server role, see the Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (http://go.microsoft.com/fwlink/?LinkID=86716).

Note 

The Domain Name System (DNS) host names of the domain controllers in the renamed domains do not change automatically as a result of the domain rename operation. In other words, the DNS suffix in the fully qualified DNS host name of a domain controller in the renamed domain will continue to reflect the old domain name. You can use a special domain controller rename procedure, which you run as a separate post-domain-rename task, to change the DNS host name of a domain controller so that it conforms to the DNS name of the domain to which it is joined. For information about renaming domain controllers, see Renaming a Domain Controller.

10 - Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers

See http://technet.microsoft.com/en-us/library/cc794842(WS.10).aspx

11 - Unfreeze the Forest Configuration

Important 

All the procedures in Run Domain Rename Instructions, including the automatic domain controller restart, must have been completed on all domain controllers in the renamed domains.

To unfreeze the forest configuration

1.Restart the control station computer twice to ensure that all services that are running on it learn of the new name (Domain Name System (DNS) name or NetBIOS name) of the domain of which the control station is a member. Do not restart the control station by turning its power off and then back on. AT LOGON THE DOMAIN NAME MUST BE THE NEW ONE, SO SWITCH USER AND LOG ON AS ADMINISTRATOR OF THE NEW DOMAIN

2.On the control station, click Start, click Run, type cmd, and then click OK.

3.At the command prompt, type the following command to change to the working directory, and then press ENTER:

cd C:\domren

4.From within the working directory, type the following command, and then press ENTER:

rendom /end

The rendom /end command connects to the domain controller that holds the domain naming operations master role and removes the attribute msDS-UpdateScript on the Partitions container.

See http://technet.microsoft.com/en-us/library/cc816691(WS.10).aspx

12 - Re-establish External Trusts

See http://technet.microsoft.com/en-us/library/cc816756(WS.10).aspx

13 - Fix Group Policy Objects and Links

Important 

The GPO/link fix-up procedure does not fix any interdomain GPO links that might exist in your forest. Any existing interdomain GPO links must be either removed or reconfigured so that they can work properly. In addition, this fix-up procedure does not repair network paths for Software Distribution Points (present in AD DS) that are external to the domain. As a best practice, do not use GPO links that cross domain boundaries. 

Before you repair GPOs, ensure that the following conditions are satisfied:

All procedures that are described in Run Domain Rename Instructions, that include the automatic domain controller restart, must have been completed on all domain controllers in the renamed domains.

The domain controller with the primary domain controller (PDC) emulator operations master role in a renamed domain must have successfully completed the domain rename operation, and it must have reached the final "Done" state as described in Run Domain Rename Instructions.

The control station computer must have been restarted twice, as described in Unfreeze the Forest Configuration.

All member servers in the domain that host Software Distribution Points (network locations from which users deploy managed software in your environment) must have been restarted twice, as described in Run Domain Rename Instructions. This prerequisite step is extremely important and necessary for the Software Installation and Maintenance data fix-up to work correctly.

To fix up GPOs and GPO references

1.On the control station, click Start, click Run, type cmd, and then click OK.

2.At the command prompt, type the following command to change to the working directory, and then press ENTER:

cd C:\domren

3.From within the working directory, type the following command, and then press ENTER. The entire command must be typed on a single line, although it is shown on multiple lines for clarity.

gpfixup /olddns:OldDomainDnsName

        /newdns:NewDomainDNSName

        /oldnb:OldDomainNetBIOSName

        /newnb:NewDomainNetBIOSName

        /dc:DcDnsName >gpfixup.log 2>&1

Example:

gpfixup /olddns:cohovineyard.com /newdns:cohowinery.com

        /oldnb:cohovineyard /newnb:cohowinery

        /dc:dc1.cohovineyard.com >gpfixup1.log 2>&1

repadmin /syncall /d /e /P /q dc1.cohovineyard.com "dc=cohowinery,dc=com"

gpfixup /olddns:sales.cohovineyard.com /newdns:sales.cohowinery.com

        /dc:dc3.sales.cohovineyard.com >gpfixup2.log 2>&1

Note 

The command-line parameters /oldnb and /newnb are required only if the NetBIOS name of the domain changed. Otherwise, you can omit these parameters from the command line for Gpfixup.

 The output of the command—both status or error output—is saved to the file Gpfixup.log, which you can display periodically to monitor the progress of the command.

4.To force replication of the Group Policy fix-up changes that are made at the domain controller that is named in DcDNSName in step 3 of this procedure to the rest of the domain controllers in the renamed domain, type the following command, and then press ENTER:

repadmin /syncall /d /e /P /q DcDnsName "NewDomainDN"

WATCH THE QUOTATION MARKS IN THE LAST STRING

Where:

DcDnsName is the Domain Name System (DNS) host name of the domain controller that was targeted by the gpfixup command. WITH THE OLD DOMAIN NAME!!!

NewDomainDN is the distinguished name that corresponds to the new DNS name of the renamed domain.

Example: "dc=sales,dc=cohowinery,dc=com"

5.Repeat steps 2 and 3 in this procedure for every renamed domain. You can enter the commands in sequence for each renamed domain.

Example:

gpfixup /olddns:cohovineyard.com /newdns:cohowinery.com /oldnb:cohovineyard /newnb:cohowinery /dc:dc1.cohovineyard.com >gpfixup1.log 2>&1

repadmin /syncall /d /e /P /q dc1.cohovineyard.com "dc=cohowinery,dc=com"

gpfixup /olddns:sales.cohovineyard.com /newdns:sales.cohowinery.com /dc:dc3.sales.cohovineyard.com >gpfixup2.log 2>&1

repadmin /syncall /d /e /P /q dc3.sales.cohovineyard.com "dc=sales,dc=cohowinery,dc=com"

Important 

Run the gpfixup command only once for each renamed domain. Do not run it for renamed application directory partitions.

 Note 

The DNS host names for the domain controllers in the renamed domains that are used in these command invocations still reflect the old DNS name for the domain. As mentioned earlier, the DNS host name of a domain controller in a renamed domain does not change automatically as a result of the domain name change.

 

Parameter and description 

gpfixup

 Fixes domain name dependencies in Group Policy objects and Group Policy links after a domain rename operation.

 /olddns:OldDomainDnsName

 Specifies the old DNS name of the renamed domain.

 /newdns:NewDomainDNSName

 Specifies the new DNS name of the renamed domain.

 /oldnb:OldDomainNetBIOSName

 Specifies the old NETBIOS name of the renamed domain.

 /newnb:NewDomainNetBIOSName

 Specifies the new NETBIOS name of the renamed domain.

 /dc:DcDnsName >gpfixup.log 2>&1

 Contains status or error output of the command.

 ----- Completing the Domain Rename Operation -----

See http://technet.microsoft.com/en-us/library/cc794825(WS.10).aspx

- Verify Certificate Security

- Perform Miscellaneous Tasks

- Back Up Domain Controllers

- Restart Member Computers

Restart twice all member workstations, member servers, and standalone servers (excluding domain controllers) that are running Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008 in the renamed domains in your forest. When you restart these computers twice, this ensures that each member computer learns of the domain name changes and propagates the changes to all applications and services that are running on the member computer.

Note 

Each computer must be restarted by logging into the computer and by using the Shutdown/Restart administrative option. Computers must not be restarted by turning off the computer’s power and then turning it back on.

 Note 

Member computers on a wired local area network (LAN) can simply be restarted twice. Member computers on a wireless LAN should be connected to a wired network while you perform the two required restarts. If that is not possible, eject the wireless network card and then reinsert it after logon before each restart.

 Unjoin and then join any remote computers that connect to the renamed domain through a remote connection, such as dial-up and virtual private network (VPN).

If there are any remote computers that are members of a renamed domain that connect to the domain through remote connection mechanisms such as dial-up lines or VPNs, you will have to unjoin each member computer from the old domain name and then rejoin it to the new domain name.

- Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector

- Perform Attribute Cleanup

To perform attribute cleanup after a domain rename

1.On the control station, click Start, click Run, type cmd, and then click OK.

2.At the command prompt, type the following command to change to the working directory, and then press ENTER:

cd C:\domren

3.From within the working directory, type the following command, and then press ENTER:

rendom /clean

The rendom /clean command removes the values for the msDS-DnsRootAlias and msDS-UpdateScript attributes from AD DS by connecting to the domain controller that has the domain naming operations master role.

After the steps in this procedure are complete, the new forest is ready for another domain rename (or forest restructuring) operation, if necessary.

 

----- Rename Domain Controllers -----

Permissions

You must be a member of the Domain Admins group.

To rename a DC from OLDdc01 to NEWdc01 in the dnsname.local domain, follow these steps:

  1. Open Command Prompt and type:

NETDOM computername OLDdc01.dnsname.local /add:NEWdc01.dnsname.local

This command will update the service principal name (SPN) attributes in Active Directory for this computer account, and register DNS resource records for the new computer name. The SPN value of the computer account must be replicated to all DCs for the domain, and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred prior to removing the old computer name, then some clients may be unable to locate this computer using the new or old name. Therefore, it is very important to wait until Active Directory replication finishes a replication cycle. You can check that by using tools such as REPADMIN and REPLMON.

  2. Verify that the new name was indeed added to the computer object by viewing it through ADSIEDIT.MSC (which, for Windows Server 2008, is installed by default). Navigate to the computer object, right-click it, and select Properties.

Scroll down in the list of available attributes until you reach the attribute called msDS-AdditionalDnsHostName.

  3. Ensure the computer account updates and DNS registrations are completed, then type:

NETDOM computername OLDdc01.dnsname.local /makeprimary:NEWdc01.dnsname.local

Again, you can inspect the change with ADSIEDIT.MSC. Scroll down in the list of available attributes for the computer object (notice how the server now appears with the new name) until you reach the attribute called msDS-AdditionalDnsHostName.

Notice that the old name should appear in the attribute's properties.

  4. Restart the computer.

  5. From the command prompt, type:

NETDOM computername NEWdc01.dnsname.local /remove:OLDdc01.dnsname.local

  6. Make sure that the changes have successfully been replicated to all the DCs.
Luca