active-directory – How to Plan an Active Directory Domain Rename

active-directory, best practices, domain-name

It's looking more and more like I'll have to rename my Active Directory domain.

There is a well-known process for making this change, including some very good answers on Server Fault already (like this one). I understand you may think I want to ask a duplicated question, but this includes the squishy topic of Not Triggering a Revolution.

I inherited an internal Active Directory domain from the dawn of Active Directory. We'll call it ACRO.TLD with the NetBIOS name ACRO (short for "acronym").

This was great when everybody used a grandpa box behind the firewall. But this practice is now deprecated and could cause trouble down the line. There are a lot more mobile devices and it would probably be Very Bad if the domain leaked out into the Internet at large.

I need to

  1. sell the change to managers
  2. minimize disruption to users, especially the ones who like convenience (see requirement 1). (Changing the NetBIOS domain name from ACRO would be a deal breaker).

There are bound to be decisions made in planning and presenting the change that increase the chance of success (i.e. users don't show up at my door with pitchforks and torches). This is clearly a subjective question and the best answers would come from people who had been through the change already.

Selling it to management probably consists of explaining the why behind the Very Bad Things, combined with "the change shouldn't be so bad".

So now the question is how to make the change not be so bad, in other words, minimize the disruption to users. I hate to sound open ended but I may be tripping over something basic.

We own domains that I'll call COMPANYNAME.COM and COMPANYNAME.NET. Our external web presence and email addresses (email is hosted externally, there is no Exchange) use COMPANYNAME.COM; we have COMPANYNAME.NET as a buffer against domain squatting.

So I think that my best alternatives are

ACRO.COMPANYNAME.COM (subdomain)
COMPANYNAME.NET

I prefer ACRO.COMPANYNAME.COM, because users are used to ACRO and COMPANYNAME.COM and we're just bringing the two together. No need to change the NetBIOS domain name, and of course the Windows 10 login screen by default uses the domain a computer is joined to.

Because of the existing practice I've already laid out, users are already trained to use separate user names and passwords for Windows login and email (probably a Good Thing with hosted email).

Some of the cons are

  • ACRO.COMPANYNAME.COM is already a hostname registered in Internet DNS.
  • there may be some confusion when both accounts contain companyname.
  • a pain point of potentially tripling what people have to type in to enter login credentials.

But are these real barriers to going ahead with ACRO.COMPANYNAME.COM? Am I missing something?

Best Answer

If your organization changes and you need an entirely new directory structure, sure take the opportunity to pick a best practice DNS name. But you have not identified a problem, either technical or user experience, worth doing a rename project.
Adding a UPN of COMPANYNAME.COM or perhaps COMPANYNAME and doing a UserPrincipalName conversion, is supposed to be easy. Describe this to users as logging in with (what looks like) their email address. Although, you trained them to separate email credentials from AD DS, so this may be confusing.
ACRO.TLD in an internal network security zone is fine, you can keep that. Register the name, just in case clients bypass internal DNS. Challenges come if users expect something else, or expect this to be the public presence (web server).

ACRO.COMPANYNAME.COM is already a hostname registered in Internet DNS.

I suggest avoiding the public presence names, even if you can design around the conflicts and confusion. Perhaps something like ACRO.COMPANYNAME.NET.
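A worked version of the UPN-suffix approach the answer describes, as an added example (not from the original post or its author). It assumes the RSAT ActiveDirectory module, Enterprise Admins rights for the forest-level change, and placeholder values for the suffix and pilot OU.

```powershell
# Added example: register COMPANYNAME.COM as an alternative UPN suffix and
# convert a pilot OU of users, previewing and checking for collisions first.
# Assumptions: ActiveDirectory module present; Enterprise Admins for Set-ADForest;
# $NewSuffix and $PilotOU are placeholders for this example.
Import-Module ActiveDirectory

$NewSuffix = 'companyname.com'          # placeholder: the public mail domain
$PilotOU   = 'OU=Pilot,DC=acro,DC=tld'  # placeholder: start small, not the whole domain

# 1. Add the suffix at the forest level (one-time). The domain's DNS name stays ACRO.TLD;
#    only the logon name users type changes, which is the point of the answer.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $NewSuffix}
}

# 2. Build the plan without writing anything: old UPN beside the proposed new one.
$users = Get-ADUser -Filter * -SearchBase $PilotOU
$plan = foreach ($u in $users) {
    [PSCustomObject]@{
        SamAccountName = $u.SamAccountName
        OldUPN         = $u.UserPrincipalName
        NewUPN         = "$($u.SamAccountName)@$NewSuffix"
    }
}
$plan | Format-Table -AutoSize

# 3. A UPN must be unique across the forest; refuse to proceed on any collision.
$dupes = foreach ($p in $plan) {
    $other = Get-ADUser -Filter "UserPrincipalName -eq '$($p.NewUPN)'" |
             Where-Object { $_.SamAccountName -ne $p.SamAccountName }
    if ($other) { $p }
}
if ($dupes) { throw "UPN collision for: $($dupes.SamAccountName -join ', ')" }

# 4. Apply to the pilot OU. Drop -WhatIf only after the preview above is reviewed.
foreach ($p in $plan) {
    Set-ADUser -Identity $p.SamAccountName -UserPrincipalName $p.NewUPN -WhatIf
}
```

Users keep signing in with ACRO\username throughout; the new UPN is an additional logon form, so a pilot group can be reverted with a second run that sets the old UPN back.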
