Friday, April 11, 2008

Windows Domain Rename - WOW

A customer wanted to do a domain migration. Easy enough with the ADMT from Microsoft. Create a new domain, move some users around, make sure they have seamless access to resources on member servers...blah blah blah...

That takes a while and can be very cumbersome. But this is my PREFERRED method of doing it. The domain rename functionality freaks me out thoroughly.

And then this customer came along. They have no workstations and all users connect via Citrix. The email system is Lotus Domino, and here is the best part of that: they only use POP3 for it. It's not like they are small...they are over 500 users. So after poking around, they looked good for a domain rename, and it would have the least impact on the users. They only had around 30 servers, so it's something that could be accomplished quickly.

So last night, after prepping thoroughly, I went after it. Following the docs from Microsoft was the best way to do it, and there is plenty of documentation on their site for it.

Oh, and one hold-your-breath moment with the DCs taking over 5 minutes to come up all the way. DNS took FOREVER to start, and therefore when trying to log on, the new domain name did not exist. I didn't see that in the handy dandy documentation, but take heed: it does take a few minutes after the rendom /execute command and the reboot of the DCs for it to come to life all the way.
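Rather than guessing when the renamed DCs are really usable, you can poll for the two things a logon needs: the DC locator SRV record under the new DNS name and a DC answering on LDAP. The script below is an added example, not from the original post or from Microsoft's rendom documentation; the domain name, DC address and timeout are placeholder assumptions, and it sticks to nslookup and .NET classes so it runs on 2008-era PowerShell without the ActiveDirectory module.

```powershell
# Added example: wait for a renamed domain to become logon-ready after
# "rendom /execute" and the DC reboot. Names and addresses are assumptions.
param(
    [string]$NewDomain = "new.domainname",   # assumption: new DNS domain name
    [string]$DnsServer = "10.0.0.10",        # assumption: IP of one renamed DC (it is also the DNS server)
    [int]$TimeoutMinutes = 15
)

function Test-DcLocatorRecord {
    param([string]$Domain, [string]$Server)
    # nslookup is the SRV-capable resolver available on every Windows build of this era,
    # so parse its text output. A published record prints at least one "svr hostname" line.
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $Server 2>&1 | Out-String
    return ($out -match 'svr hostname')
}

function Test-LdapPort {
    param([string]$Server, [int]$Port = 389, [int]$TimeoutMs = 3000)
    # A DNS record alone proves nothing if the directory service is still starting;
    # confirm a DC actually accepts an LDAP connection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
$srv = $false; $ldap = $false
do {
    $srv  = Test-DcLocatorRecord -Domain $NewDomain -Server $DnsServer
    $ldap = Test-LdapPort -Server $DnsServer
    Write-Host ("{0:T}  SRV record: {1}  LDAP/389: {2}" -f (Get-Date), $srv, $ldap)
    if ($srv -and $ldap) { break }
    Start-Sleep -Seconds 15
} while ((Get-Date) -lt $deadline)

if ($srv -and $ldap) {
    Write-Host "$NewDomain is publishing DC locator records and answering LDAP; safe to try a logon."
} else {
    Write-Warning "$NewDomain not ready after $TimeoutMinutes minutes; check the DNS Server and NTDS services on $DnsServer."
    exit 1
}
```

Run it from a member server (or a second session on the DC) right after the reboot. Note that the check is deliberately against a specific DC's IP rather than the domain name, because before the SRV record exists there is nothing for the domain name to resolve to.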

They did have quite a few SQL Servers which were my biggest problem. It has to do with Windows Auth being used on the SQL Server.

I had to make sure that I deleted the user and recreated that same user with the new domain name. Some jobs were orphaned and were therefore moved to be owned by the sa account. I don't foresee that to be a large problem, but you DBAs would know more on the actual problems and caveats of that.
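One thing worth knowing before reaching for drop-and-recreate: a domain rename does not change account SIDs, and SQL Server stores Windows logins by SID, with the DOMAIN\name only as a label. SQL Server's ALTER LOGIN ... WITH NAME is allowed for Windows logins precisely when the new name resolves to the same SID, so the logins (and the SQL Agent jobs they own, which are tracked by owner SID) can be renamed in place. The script below is an added example, not the author's procedure; the instance and NetBIOS names are placeholder assumptions, and it uses System.Data.SqlClient so it needs no SQL-specific snap-in.

```powershell
# Added example: find Windows logins still labelled with the old NetBIOS domain
# name and rename them in place. Instance and domain names are assumptions.
param(
    [string]$Instance   = "SQL01",     # assumption: SQL Server instance
    [string]$OldNetbios = "OLDDOM",    # assumption: pre-rename NetBIOS name
    [string]$NewNetbios = "NEWDOM",    # assumption: post-rename NetBIOS name
    [switch]$Apply                     # without -Apply the script only prints the statements
)

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI;")
$conn.Open()

# type U = Windows user login, G = Windows group login. SQL logins (type S) are untouched.
$cmd = $conn.CreateCommand()
$cmd.CommandText = @"
SELECT name, type_desc
FROM sys.server_principals
WHERE type IN ('U', 'G') AND name LIKE @prefix
"@
$cmd.Parameters.AddWithValue("@prefix", "$OldNetbios\%") | Out-Null

$logins = @()
$reader = $cmd.ExecuteReader()
while ($reader.Read()) {
    $logins += New-Object PSObject -Property @{ Name = $reader["name"]; Type = $reader["type_desc"] }
}
$reader.Close()

foreach ($login in $logins) {
    $oldName = $login.Name
    $newName = $NewNetbios + $oldName.Substring($OldNetbios.Length)
    # Bracket-quote both names: they contain a backslash.
    $sql = "ALTER LOGIN [$oldName] WITH NAME = [$newName];"
    if ($Apply) {
        $alter = $conn.CreateCommand()
        $alter.CommandText = $sql
        try {
            $alter.ExecuteNonQuery() | Out-Null
            Write-Host "renamed $($login.Type) $oldName -> $newName"
        } catch {
            # Fails if the new name does not resolve to the login's stored SID,
            # e.g. the account was deleted and recreated rather than renamed.
            Write-Warning "$oldName : $($_.Exception.Message)"
        }
    } else {
        Write-Host $sql
    }
}

$conn.Close()
```

Run it once without -Apply per instance to review the generated statements, then with -Apply. Because the SID never changes, job ownership in msdb and database user mappings keep working, which avoids the orphaned jobs that come from dropping the login.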

Citrix was the most time consuming part of the ordeal. There is a nice link that applies to the version they were running (Metaframe XP). Nice and very helpful.

So after it was all said and done, the UPNs were not automagically updated for the users. Quick VBS script to fix that? I think not. Thanks to Joe and his handy AdFind and AdMod utilities, a quick single line took care of it all:

adfind -b dc=new,dc=domainname -f "objectcategory=user" userPrincipalName sAMAccountname -adcsv | admod userPrincipalName::{{sAMAccountName}}@new.domainname -unsafe

How to do this is in his documentation, but it is not explicit enough. Joe's a good man in protecting the innocent on this one, given the damage that can be brought forth with admod itself.
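For anyone who would rather not have a third-party tool rewrite 500 accounts in one shot, the same fix can be done with the .NET DirectorySearcher/DirectoryEntry classes, which are available on 2008-era PowerShell without the ActiveDirectory module. The script below is an added example, not the author's one-liner or anything from the AdFind/AdMod documentation; the search base and UPN suffixes are placeholder assumptions. It differs from the adfind | admod command in two ways: it only touches accounts whose UPN still ends in the old suffix, and it swaps the suffix rather than rebuilding the UPN from sAMAccountName, so accounts whose UPN prefix never matched their logon name keep that prefix.

```powershell
# Added example: rewrite userPrincipalName suffixes after a domain rename.
# Search base and suffixes are assumptions; run with -WhatIf first.
param(
    [string]$SearchBase = "LDAP://DC=new,DC=domainname",   # assumption: DN of the renamed domain
    [string]$OldSuffix  = "old.domainname",                # assumption: UPN suffix before the rename
    [string]$NewSuffix  = "new.domainname",                # assumption: UPN suffix after the rename
    [switch]$WhatIf
)

$root = [ADSI]$SearchBase
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
# objectCategory=person on its own also matches contacts, which have no sAMAccountName,
# so pin the filter to user objects and to UPNs that still carry the old suffix.
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=*@$OldSuffix))"
$searcher.PageSize = 1000          # paged results: a 500-user domain exceeds the default 1000-row cap comfortably elsewhere, so always page
$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "userPrincipalName", "distinguishedName"))

$suffixPattern = "@" + [regex]::Escape($OldSuffix) + "$"
$updated = 0
$skipped = 0

foreach ($result in $searcher.FindAll()) {
    $dn  = $result.Properties["distinguishedname"][0]
    $old = $result.Properties["userprincipalname"][0]
    $new = $old -replace $suffixPattern, "@$NewSuffix"

    if ($new -eq $old) { $skipped++; continue }   # defensive: filter already excludes these

    if ($WhatIf) {
        Write-Host "WOULD SET $dn : $old -> $new"
        continue
    }

    $entry = $result.GetDirectoryEntry()
    $entry.Put("userPrincipalName", $new)
    $entry.SetInfo()
    $updated++
}

Write-Host "UPNs updated: $updated, skipped: $skipped"
```

Pair it with a quick before-and-after count of `(userPrincipalName=*@old.domainname)` so the change can be verified and, if needed, reversed by running the script with the suffixes swapped. Whatever tool you use, the UPN rewrite also matters for anything that authenticates by UPN rather than DOMAIN\user, so check those applications before declaring the rename finished.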

So there you have it. A domain rename with over 500 users, 30 servers and a TON of Citrix apps in exactly 4 hours.