
I have a domain, washington.example.com, on Windows Server 2012 R2. For integrations with Office 365, my organization decided to rename the domain from washington.example.com to example.com. My organization has several domain controllers that are connected over one global VPN.
I tried the domain rename on virtual machines first. On the domain controller that holds the FSMO roles, I created the zone "example.com" and did a manual replication between domain controllers. Next, on the domain controller that holds the FSMO roles, I ran rendom /list as Enterprise Admin, then edited Domainlist.xml, where I changed the name of the domain. Next, I ran several commands to implement my changes: rendom /upload, rendom /prepare, rendom /execute. The last command rebooted all domain controllers. I also fixed GPO via gpfixup /olddns:washington.example.com /newdns:example.com.
Finally I ran rendom /clean and rendom /end. I also renamed the computer via netdom computername vm-dc.washington.example.com /add:vm-dc.example.com and netdom computername washington.example.com /makeprimary:vm-dc.example.com. Of course, I did netdom for each virtual machine with a domain controller.
Everything works. Computers in the isolated network come up in the new domain after rebooting. But I read on the Microsoft site that this procedure can cause some trouble if you have a Certificate Authority. On my domain controller that holds the FSMO roles, I have this Certificate Authority. In the Certificate Authority console I see new certificates for the other domain controllers with normal names; for example, in the past srv-dc.washington.example.com, and now I see a new certificate srv-dc.example.com. But when I look at the details, I see that the Issuer is

CN = washington-VM-DC-CA, DC = washington, DC = example, DC = com

So, according to this topic, I have two questions. First, is it correct to rename a domain with a working Certificate Authority? And second, how do I update this Certificate Authority according to the new domain name?

  • For integrations with Office 365, my organization decided to rename the domain from washington.example.com to example.com - What integrations? This is not what is typically done. Are you trying to sync your on-premises users to Office 365/Azure AD? Commented Feb 5, 2019 at 20:21
  • I repeat my warning from another forum: Your domain name already conforms to best practice. The positives are unknown. Your stated reason is invalid. No technical reason to move forward with this change has been provided in at least two forums. You jeopardize your environment on a whim. Commented Feb 5, 2019 at 22:11

2 Answers


You can't rename an ADCS Certification Authority. The best you can do is to deploy a separate CA, move clients to the new CA and then decommission the old CA.

When deploying the new CA, do not choose the default DN suffix, because it is autogenerated from AD information. Use a custom DN suffix which is tied to your company, not to AD.

After deploying the new CA, remove all certificate templates from the old CA and add them to the new CA, so new clients will work with the new CA only. To force clients to reenroll certificates, open the certtmpl.msc console, select the required template, right-click and select Reenroll All Certificate Holders. Repeat this action for all other templates you need to reenroll.

Note that this will work only if autoenrollment is enabled in GPO.

  • Hello. Should I deploy the separate CA on my domain controller that has FSMO? And should I do this step after renaming the domain? Commented Feb 5, 2019 at 20:41
  • The CA should be installed on a domain member. You should not combine CA and DC roles. Commented Feb 5, 2019 at 20:42
  • Should I install this CA after renaming the domain, or before? Commented Feb 5, 2019 at 20:46
  • You should install the new CA after finishing the domain rename. Commented Feb 5, 2019 at 20:47
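The replacement-CA procedure from the answer above, as an added PowerShell example that is not part of the original answer: it installs the new enterprise CA on a member server with a company-tied DN suffix instead of the AD-derived default, and then audits a machine's store for certificates still issued under the old AD-derived issuer DN so you can confirm re-enrollment before decommissioning the old CA. The CA name, the suffix "O=Example Corp,C=US" and the old issuer DN are placeholders taken from the question, not real values.

```powershell
# Added example (not the answer author's code). Run on a domain-joined member
# server, NOT on a domain controller, after the domain rename has finished.
# Placeholders: CA common name, DN suffix, and the old issuer DN from the question.

# 1. Install the replacement enterprise CA. The key point from the answer:
#    -CADistinguishedNameSuffix is set explicitly so the CA's DN is tied to the
#    organisation (O=..., C=...) rather than to the AD namespace (DC=...), which
#    would be autogenerated from the current domain and break on any rename.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName "Example-Issuing-CA" `
    -CADistinguishedNameSuffix "O=Example Corp,C=US" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 2. Audit: list certificates in a machine store whose issuer still carries the
#    old AD-derived suffix (e.g. CN=washington-VM-DC-CA, DC=washington, DC=example,
#    DC=com in the question). .NET formats the issuer with ", " separators, so the
#    regex allows optional whitespace after each comma.
function Get-OldCaCertificates {
    param(
        [string]$OldIssuerPattern = 'DC=washington,\s*DC=example,\s*DC=com',
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -match $OldIssuerPattern } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# 3. After moving the templates to the new CA and choosing "Reenroll All
#    Certificate Holders" in certtmpl.msc, trigger autoenrollment (requires the
#    autoenrollment GPO the answer mentions) and re-run the audit. The old CA is
#    safe to decommission only once this list is empty on every machine.
certutil -pulse
Get-OldCaCertificates | Format-Table -AutoSize
```

Step 2 can be wrapped in Invoke-Command against a list of servers to audit the whole estate from one place.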

For integrations with Office 365, my organization decided to rename the domain from washington.example.com to example.com.

If you're doing this in order to sync your on-premises AD users to Office 365/Azure AD, then you're doing it wrong.

Your on-premises AD domain FQDN shouldn't be the same as your routable domain name in Office 365. You need to add and verify your routable domain name in Office 365 and then add a matching UPN suffix in your on-premises AD. Then assign this UPN suffix to your on-premises AD user accounts. When you then sync your on-premises AD user accounts to Office 365/Azure AD, the on-premises UPN becomes the Office 365/Azure AD UPN, and that is what your users will use to sign in to Office 365/Azure AD.
