Active Directory – How to Change FQDN of Domain Controller

active-directorydomain-controller

Is there a way to change the fqdn of my Active Directory domain controller and other hosts in the domain?

Currently, my domain controller is called dc1.domain.com, and I'd like it to be dc1.site1.domain.com. Similarly, I have an web server called webserver1.domain.com, and I'd like it to be webserver1.site2.domain.com

I know I can just add a cname in the dns, but is there any way to make the actual FQDN modified to include the site?

Thanks

Best Answer

You can only change the FQDN of a domain controller by performing a domain rename operation. That is the only option.

You can only change the FQDN of member servers by changing either 1) renaming the domain, or 2) changing the domain to which the sever belongs.

I recommend against hard-coding a location into the domain name.

If you do proceed with a domain rename (assuming you can - which you cannot do if Exchange is installed), I would recommend using a subdomain of a publicly registered domain (in your case ad.domain.com)

Failing these, you are left with resulting to DNS trickery, which you have already discovered - and (without further manipulation and unnecessary complication) will break any Kerberos-based authentication.

Related Solutions

Will the DNS Forward Lookup Zone recreate itself if I delete it

I already have DNS scavenging turned on, but it never seems to clean up any of the references to DC2, the domain controller and DNS server that failed some time ago.

You need to enable scavenging both at the server level and at the Domain level. Check properties of both to enable scavenging or delete the specific records yourself.

Can I just delete the entire Forward Lookup Zone? Does it recreate itself?

This is what you definitely do NOT want to do. Once you have your new DC up with DNS installed, make sure your Domain is AD Integrated and set it for replication to all domain or forest DNS servers. I prefer all forest but that's just me. When you decommission the old DC and remove everything make sure to re-point all of your clients and servers to the new DNS server IP address. I would suggest running them in parallel for a period of time to get all the clients and servers updated to using the new IP while the old one is still also available.

You are absolutely spot on in rebuilding the current DC as a second DC. You ALWAYS want to have 2 DCs and 2 DNS servers for an AD infrastructure. I personally insist on having at least one be a physical DC versus having both virtualized.

I am worried that in step 3 of my plan, I will end up replicating bad DNS records to my new domain controller. What is the best way to clean up my existing DNS before replicating it to my new server? It seems like it would be best just to have a clean Forward Lookup Zone, but I don't really understand how that zone works.

When in doubt, keep it. If things are working as expected and you don't want to break them, let sleeping dogs lie. If there are records you know are bad, get rid of them, but only records that you know what they do and only if you know for a fact that they are superfluous.

Way to view the members of an Active Directory group if you aren’t a domain admin and can’t log into to a domain controller

Absolutely. From a computer that's a member of the domain, open a command-prompt and run a:

NET GROUP "group name" /DOMAIN

Unless your administrators have changed the stock permissions on the group object you will be able to view the membership that way.

You can use AD Users and Computers even if you're not an administrator, but this, at least, can be done w/o installing anything.

Best Answer

Related Solutions

Will the DNS Forward Lookup Zone recreate itself if I delete it

Way to view the members of an Active Directory group if you aren’t a domain admin and can’t log into to a domain controller

Related Topic