This article is for you if…
- You want to rename your domain controller but haven’t yet
- You renamed your domain controller wrong and now you see DCDIAG errors and references to the old name (ack!)
- You manually updated the File Replication Service entries in Active Directory
- You are worried your metadata is not correct
- You followed the bad Dell article “Windows Server – How to Rename a Domain Controller | Dell US”
- You have a Windows 2016 server (these steps are also applicable to 2012 R2)
This article assumes you have at least one other functional DC in your domain!!! If this is the only domain controller for your domain, STOP. Reference the NETDOM steps (and make backups) before proceeding!!
About renaming Server 2016 DCs
There is one correct way to rename a 2016 domain controller. Simply demote it, rename it, then re-promote it using the Manage Server dialogue. Step-by-step instructions are in the section: Step-by-step – demote and rename my 2016 DC.
If you rename your DC by renaming the computer in the normal way (using the System > Rename this PC dialogue), you did not do it right and your metadata is scrambled. Never fear, you should be able to fix it by demoting and re-promoting your server.
But I’m afraid to demote my server. How long does it take?
For small and medium-sized businesses (fewer than 10k users), each demotion or promotion action takes only an hour or two. Total downtime is about 3-4 hours. Normally the reboot cycle is the longest part if you have a physical server with a long boot-up process, or if you have pending Windows Updates. If your organization is huge, you should have some historic data on how long it takes to create the Active Directory database and replicate data.
What about DNS and DHCP?
During the process, assuming you have a second domain controller, you may impact the following client services:
- DNS Server – your forward lookup zone will be removed and re-created during the process. Any clients that have your DC listed in their network properties for Primary or Secondary DNS Server will be affected. If your secondary DNS server is good, they should switch to use it without impact.
- DHCP Server – this is a common role for DCs. Demotion and promotion will not harm your DHCP configurations or server, but the ability to get new DHCP leases will be down while you reboot.
- Other programs running on the server such as active directory sync or SSO.
What about master roles like Global Catalog, PDC, Schema Master?
During the demotion process, the master roles will be moved over. You can also manually move them to other DCs before you start demotion.
Check this article for how to manually move the roles
How can I clean up the old name in Active Directory if I used the wrong procedure to rename my server?
In my experience, the best solution is to simply demote your domain controller, reboot it a few times, and re-promote it. This seems to clean up the fragments of wrong-name in Active Directory quite well. The steps to demote and promote are right below.
What about metadata cleanup? Or using netdom?
In general, performing metadata cleanup or netdom will not help if you already renamed your server. You can try the steps in this article if you want, but it is unlikely the tools will find your old server name. Do not run them against your new server name!
Step by step – demote and rename my 2016 DC
The simplest method (and best!) is to use Local Server Manager Roles & Features to demote the domain controller.
These steps can be used to FIX a server that was incorrectly renamed while it was a domain controller. They also are the correct way to rename a domain controller the first time.
Reminder – only perform these steps if you have ANOTHER WORKING DOMAIN CONTROLLER IN THE DOMAIN!! If this is your only DC, scroll down to the section about using NETDOM.
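The reminder above, and the Primary DNS check in the second step below, can be verified from PowerShell before you start. This is an added example, not part of the original article; it assumes the ActiveDirectory module is available on the target DC and that you run it there as a domain administrator.

```powershell
# Added example: pre-flight checks on the target DC before demotion.
Import-Module ActiveDirectory

$target = $env:COMPUTERNAME
$allDcs = @(Get-ADDomainController -Filter *)

# 1. At least one OTHER domain controller must exist in the domain.
$otherDcs = @($allDcs | Where-Object { $_.Name -ne $target })
if ($otherDcs.Count -eq 0) {
    throw 'No other domain controller found. Stop: do not demote the only DC.'
}
"Other DCs: $($otherDcs.HostName -join ', ')"

# 2. Each adapter's primary DNS server should be one of those other DCs,
#    otherwise logging back in after demotion may fail.
$otherIps = @($otherDcs.IPv4Address)
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $primary = $_.ServerAddresses[0]
        $state = if ($otherIps -contains $primary) { 'OK' } else { 'FIX: not another DC' }
        '{0}: primary DNS {1} [{2}]' -f $_.InterfaceAlias, $primary, $state
    }

# 3. Operations master roles still held by this server. A normal (non-forced)
#    demotion moves them; listing them first shows what will move.
$roles = ($allDcs | Where-Object { $_.Name -eq $target }).OperationMasterRoles
if ($roles) {
    "Roles held by ${target}: $($roles -join ', ')"
} else {
    "$target holds no operations master roles."
}
```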
- Log on to the target DC (the one you want to rename) with a domain administrator account
- Make sure you have a **different** working domain controller listed in network settings > Primary DNS for your target DC. If not, you may have trouble logging back in after demotion.
- Open Server Manager (may open automatically, or go to Start > Server Manager)
- Select Manage and then Remove Roles and Features
- The wizard starts… Select your target server (the one you want to rename) and click Next…
- Un-check Active Directory Domain Services and click Next
- You will be asked if you want to remove other AD DS-related roles and features. Un-check Remove management Tools (if applicable) since you will be promoting the domain controller immediately. The list of removed roles will clear. Click Remove Features.
- You will get a validation error that says “The Active Directory domain controller needs to be demoted before the AD DS role can be removed.” Click the link Demote this domain controller.
- The AD Domain Services Configuration Wizard will start…
- Credentials: If you are using a domain admin, you should be fine on credentials. Otherwise, click Change here and add your credentials. Make sure that Force the removal of this domain controller is un-checked. Make sure Last domain controller in the domain is un-checked. Click Next…
- Warnings: List of roles will display. If your server just has Domain Name System (DNS) Server and Global Catalog, you are fine. All domain controllers have these… they don’t need to be migrated. If you have other roles, as long as you left “force the removal…” unchecked, the roles should migrate over automatically. Check this article for manually moving the roles if in doubt.
- Removal options: Make sure Remove this DNS zone is un-checked. Make sure Remove application partitions is unchecked. It is OK to leave DNS delegation checked. Check this discussion board for more explanation.
- New Administrator Password: This creates your local administrator account again with the password you set.
- Confirmation: Review options and click Demote if everything looks fine.
- The computer will reboot
- After reboot completes, you can check a few places to verify the domain controller is no longer listed:
  - AD Sites and Services: Expand your site, you should see a list of current domain controllers here.
  - AD Users & Computers: Right-click the root and Connect to Domain Controller… the current domain controllers are shown here.
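The two console checks above can also be scripted against another DC, which is useful when hunting for leftovers of an old name after a wrong rename. This is an added example, not part of the original article; `BADNAME01` is the article's example name and `DC02.domain.local` is a placeholder for one of your other working DCs.

```powershell
# Added example: look for leftover domain-controller references to a name.
Import-Module ActiveDirectory

$name  = 'BADNAME01'           # name that should no longer be a DC (example value)
$askDc = 'DC02.domain.local'   # placeholder: another working DC to query

$domain   = Get-ADDomain -Server $askDc
$configNC = (Get-ADRootDSE -Server $askDc).configurationNamingContext

$findings = @(
    # Same list that "Connect to Domain Controller..." shows
    Get-ADDomainController -Filter * -Server $askDc |
        Where-Object { $_.Name -eq $name } |
        ForEach-Object { "DC list: $($_.HostName)" }

    # Server objects shown in AD Sites and Services. One that still has an
    # NTDS Settings child is still registered as a domain controller.
    Get-ADObject -Server $askDc -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$name))" |
        ForEach-Object {
            $ntds = Get-ADObject -Server $askDc -SearchBase $_.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
            "Sites and Services: $($_.DistinguishedName) (NTDS Settings present: $([bool]$ntds))"
        }

    # Computer account still sitting in the Domain Controllers OU
    Get-ADComputer -Server $askDc -SearchBase $domain.DomainControllersContainer -LDAPFilter "(cn=$name)" |
        ForEach-Object { "Domain Controllers OU: $($_.DistinguishedName)" }

    # DC locator SRV records registered in DNS
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -Server $askDc -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -like "$name.*" } |
        ForEach-Object { "DNS SRV: $($_.NameTarget)" }
)

if ($findings.Count -gt 0) {
    $findings
} else {
    "No DC references to $name found via $askDc."
}
```

DNS records and replication can lag, so an entry seen right after the reboot may disappear on a later run.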
Here are some useful articles on these topics:
- Microsoft: Server 2016, How to demote a DC using Server Manager or Powershell
- Technet: Server 2012 R2 Manually removing a domain controller from AD that was not demoted properly
- Microsoft Server 2008 R2: Manually seizing operations master roles
Now to rename the (previously) 2016 domain controller!
Once your server is no longer a domain controller, you can rename it like any other Windows server.
If you are performing these steps to fix a DC that you renamed without demoting first, you can skip renaming it again. Just go straight to the next section. Though I would encourage renaming it something completely different if you can do so easily, just to make sure there are no metadata issues.
- Open Server Manager and select the Local Server tab
- Click the Computer Name
- Click Change to rename the computer…
- Enter the new computer name. Do not modify the domain… Click OK and OK.
- Reboot as prompted.
- Make sure replication completes and your other domain controllers know that the computer name has changed before proceeding.
How to promote your renamed DC
- Open Server Manager on your target server (Start > Server Manager)
- You hopefully still have the AD DS role installed since you didn’t remove it during the demotion process, right? If so, you should see an alert in Server Manager in the top-right corner. Click it and you will be prompted to promote this server to a domain controller. If so, skip to step 12 (“Active Directory Domain Services Configuration Wizard displays…”).
- If you uninstalled the AD DS role or rebuilt your server, use Server Manager > Add Roles and Features Wizard.
- Select Role-based or feature-based installation and click Next
- Select this server and click Next.
- Select Server roles displays: Check Active Directory Domain Services and click Next.
- If prompted to install dependencies (such as management tools), say Yes, click Add Features and continue…
- Skip the features page and click Next
- Active Directory Domain Services information page displays. Click Next.
- Confirmation displays. Allow the server to restart automatically if needed. Click Install. Click Close.
- Give it 20 minutes or so. When you check Server Manager, you will see an alert in the top-right corner. When you click it, you will see Additional steps are required to make this machine a domain controller. Follow this link and select Promote this server to a domain controller.
- Active Directory Domain Services Configuration Wizard displays…
- Select Add a new domain controller to an existing domain. Verify the correct domain is listed and a domain admin is listed for the credentials and click Next.
- Domain controller options displays. Check Domain Name System (DNS) server and Global Catalog (GC). (these are appropriate for almost all small and medium businesses). Enter a directory services restore mode password and make a note of it. Click Next.
- DNS options displays: You may get a warning that the delegation for this DNS server cannot be created… that is very normal. If you don’t get a warning, check Update DNS delegation and click Next.
- Additional options displays. You should be able to leave Install from media unchecked. Replication from: pick your best domain controller (or the one with the best network connection). You may want to run dcdiag and repadmin /showrepl (from an admin command prompt on the other DCs) to verify everything is happy before picking your best DC. Next…
- Paths: Normally the default is fine unless your organization mandates using multiple disks on servers… (Make sure you have enough room on the paths listed: 100GB+ free) Next…
- Preparation options: May or may not display… click Next…
- Review your selections, make sure they look correct, and click Next.
- Prerequisites check: Warnings are normal, especially regarding domain functional level, delegation for DNS, and security. Errors are not normal. Click Install if everything looks OK.
- The server will reboot.
- After reboot, give the server some time to replicate active directory and DNS (30 minutes to an hour).
- You may want to reboot again for good measure.
Microsoft article reference
Testing your newly promoted 2016 domain controller
From an admin command prompt, or admin PowerShell, run dcdiag
- It is normal to see DCDIAG errors about the system log events because errors do occur during first replication. You can review the system log by right-clicking Start > Event Viewer > Applications and Services Logs, and browsing through the several directory service log sets.
From an admin command prompt, or admin PowerShell, run repadmin /showrepl
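Both tools produce a lot of output, so it helps to reduce it to the failed tests and the failing replication links. This is an added example, not part of the original article; it assumes an elevated PowerShell session on the renamed DC, and it treats SystemLog as the only expected failure, following the article's note about first-replication errors.

```powershell
# Added example: summarise dcdiag and repadmin results for the renamed DC.
$dc = $env:COMPUTERNAME   # run on the renamed DC, or put another DC's name here

# dcdiag marks each failure with "<server> failed test <TestName>"
$failed = @(dcdiag "/s:$dc" |
    Select-String -Pattern 'failed test (\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique)

# SystemLog failures are common right after promotion and may be false positives
$expected   = @('SystemLog')
$unexpected = @($failed | Where-Object { $expected -notcontains $_ })

"dcdiag failed tests: $(if ($failed) { $failed -join ', ' } else { 'none' })"
if ($unexpected) { "Investigate: $($unexpected -join ', ')" }

# repadmin /showrepl as CSV: one row per inbound replication link, all DCs
$links = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
$bad   = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })

if ($bad.Count -eq 0) {
    "Replication: no failing links in $($links.Count) rows."
} else {
    $bad | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Status' -AutoSize
}
```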
Configure a test workstation to use the renamed DC for DNS and authentication
- Modify the network settings on your workstation so that the Primary DNS server is your newly renamed DC. Remove the secondary DNS server.
- Test your ability to resolve internal and external DNS (ping google.com … ping other servername.fqdn)
- Reboot your workstation and try to log on to it with a non-cached domain account. This means a user account that has never logged on to that workstation before.
- When done testing, remember to set the workstation’s network back to normal.
Common errors in DCDIAG for Server 2016
The most common dcdiag errors are historic SystemLog errors and warnings. These may be false positives.
You can review the system log by right-clicking Start > Event Viewer > Applications and Services Logs, and browsing through the several directory service log sets.
If you believe you have resolved the errors, or they are from the recent promotion process (this is normal), you can select the log and click Clear Log. You will be prompted to Save and Clear – this is good to do. Pick a location and save the logs to file. They will clear after saving. Then give it some time (or reboot), and do another dcdiag.
Common warning: DNS synchronization
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
It is normal to see one of these per reboot. If you see many, there is a problem.
Common warning: File Replication Service is deprecated
Starting test: FrsEvent There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
File Replication Service (FRS) is deprecated. To continue replicating the SYSVOL folder, you should migrate to DFS Replication by using the DFSRMIG command.
If you continue to use FRS for SYSVOL replication in this domain, you might not be able to add domain controllers running a future version of Windows Server.
How to rename a domain controller using NETDOM
This is not the ideal way to rename a Windows Server 2016 DC. You are using a tool from the Windows Server 2003 era (though it has been updated and tested with each release). I would only use this method if this is the only domain controller in your domain / forest.
Can you use netdom to fix a messed up rename? Not really. If you renamed the server using the SYSTEM dialogue, netdom will simply not see the old name. It should only be used if you haven’t renamed the server yet.
What about operations master roles? If this is the only DC in your forest/domain, there is nowhere to migrate them. Just rename it as-is.
To rename a DC using netdom commands, perform the following steps:
- Open an administrative command prompt on the target DC (right-click the Start button, select Command Prompt (Admin) or PowerShell (Admin)).
- NOTE: For all computer name variables, you can use the FQDN as well. This would look like BADNAME01.domain.local or GOODNAME01.domain.local. I would skip the FQDN unless you have multiple domains in your forest, or your netdom is having trouble resolving the names without it.
- Check current names listed for this server:
  - netdom computername <CurrentComputerName> /enumerate
  - Example: netdom computername BADNAME01 /enumerate
- Add the new name:
  - netdom computername <CurrentComputerName> /add:<NewComputerName>
  - Example: netdom computername BADNAME01 /add:GOODNAME01
- Make the new name the primary one:
  - netdom computername <CurrentComputerName> /makeprimary:<NewComputerName>
  - Example: netdom computername BADNAME01 /makeprimary:GOODNAME01
- Restart the server.
- When the server restarts, open an administrative command prompt.
- Make sure the server has the new name (check system properties, Active Directory, DNS records, etc.)
- Remove the old name using netdom:
  - netdom computername <NewCurrentComputerName> /remove:<OldComputerName>
  - Example: netdom computername GOODNAME01 /remove:BADNAME01
- Give it about an hour and reboot… make sure to test functionality. Recommended tests can be found in this article here: Testing your newly promoted 2016 domain controller
- Technet: Server 2003 – how to use netdom to rename a domain controller
- Spiceworks: Server 2012 R2 and 2016 – how to use netdom to rename a domain controller
Testing your newly