In Windows NT, a domain is uniquely identified by both a
NetBIOS name and a Security Identifier (SID). Most Access Control Lists
(ACLs) and other security features of Windows NT identify the domain by a SID;
therefore, it is possible to change the name of the domain with little
disruption to network services.
The following procedure describes
how to safely rename a Windows NT domain. This will work for a single domain,
or for an accounts domain or resource domain in a network using the master
Please read this article in its entirety before
attempting to rename your domain. Some BackOffice products are adversely
affected by renaming a domain; these products are detailed later in this
Microsoft cannot guarantee that any third-party software
that is installed will function after changing the domain name. You should work
with third-party application vendors to ensure you understand how their product
will react to a domain name change.
Microsoft strongly recommends
that you thoroughly test, outside of a production environment, the effects of
renaming your domain, before you actually change the domain name on your
production computers. This article does not attempt to address every issue that
might arise as a consequence of renaming your domain.
procedure at your own risk.
- Do not install any primary domain controller (PDC) or
backup domain controller (BDC) during this procedure, under either the old or
new domain name.
- Do not promote any BDC to PDC during this procedure.
- This procedure should only be undertaken during a time when
ALL network services related to this domain can be disrupted. All clients
should log off and remain logged off until the rename is complete and all
computers involved have been restarted.
- Perform a full backup on all computers involved immediately
before beginning this process.
- Create separate, updated Emergency Repair Disks for each
computer involved immediately before and after the update.
- Have a copy of the Windows NT Server compact disc, the
latest service pack, and Windows NT boot disks (appropriate to your version of
Windows NT) available during the procedure.
- The NETDOM utility in the Windows NT Server Resource Kit,
Supplement 2, can be used to change the domain name remotely on some computers,
so that you do not have to visit each computer involved.
To change a domain name, follow these steps:
1. Document and then break all trust relationships between the
domain whose name you will be changing and all other domains. Be sure to remove
the trust entry on both sides of the trust (in User Manager for Domains for
both domains in the trust).
2. Stop all BackOffice services such as Microsoft Exchange
Server, SQL Server, and Internet Information Server. Set startup to manual on
all these services.
3. Change the domain name on the PDC.
4. Restart the PDC. This will cause the <1Bh> entry for
the new domain to appear in the WINS server.
5. If you are using WINS for NetBIOS over TCP/IP name
resolution, force replication from the PDC's primary WINS server to all other
WINS servers to propagate the <1Bh> entry for the new domain. Name
resolution to the PDC is necessary for each BDC to successfully change to the
new domain name. If you are using TCP/IP without using WINS, create an LMHOSTS
file with a <1Bh> entry for the new domain and put it on each
6. On each BDC, change the domain name and restart. The
restart is necessary for the BDC to correctly register its <1Ch> entry
For additional information about what to do if the BDC
refuses the domain name change, please see the following article in the
Microsoft Knowledge Base:
Unable to Change Domain Name of Windows NT BDC
7. Force replication from all WINS servers to propagate the
8. Re-establish the trust relationships. Using Server Manager,
synchronize both domains involved in each trust.
9. In the Services tool in Control Panel, re-enter the service
account for each of the BackOffice services that were stopped in step 2. Pick
the account by using the Startup button rather than typing in the account name.
Set the services back to Automatic startup, if appropriate. Restart the
services in the correct order.
10. Make any necessary service-specific changes, as detailed
elsewhere in this article.
11. Change the domain name on each member server or
workstation. For downlevel clients such as Windows 95 or Windows for
Workgroups, change the workgroup name to the new domain name.
12. Synchronize the entire domain.
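For the LMHOSTS case in the WINS step above, the <1Bh> suffix only takes effect if it is the 16th byte of the name, so the domain name has to be space-padded to 15 characters inside the quotes. The following sketch is an added example, not part of the original article: it builds the entries and flags lines where the padding is wrong. The quoted "\0x1b" syntax and the #PRE and #DOM keywords are standard LMHOSTS conventions that the article does not spell out, and NEWDOM, PDC01 and 10.0.0.5 are constructed placeholder values.

```python
import ipaddress
import re

NETBIOS_NAME_LEN = 15  # the 16th byte of a NetBIOS name is the type suffix
QUOTED_1B = re.compile(r'"([^"]*)\\0x1[bB]"')


def lmhosts_domain_entries(domain, pdc_name, pdc_ip):
    """Build the LMHOSTS lines that point a BDC at the renamed domain's PDC."""
    ipaddress.IPv4Address(pdc_ip)  # raises ValueError on a malformed address
    domain, pdc_name = domain.upper(), pdc_name.upper()
    for label, name in (("domain", domain), ("PDC", pdc_name)):
        if not 1 <= len(name) <= NETBIOS_NAME_LEN:
            raise ValueError(f"{label} name must be 1-15 characters: {name!r}")
    padded = domain.ljust(NETBIOS_NAME_LEN)  # suffix must land on byte 16
    return [
        f"{pdc_ip}\t{pdc_name}\t#PRE #DOM:{domain}",
        f'{pdc_ip}\t"{padded}\\0x1b"\t#PRE',
    ]


def misaligned_1b_lines(lmhosts_text):
    """Return line numbers whose quoted <1Bh> name is not padded to 15 chars."""
    bad = []
    for number, line in enumerate(lmhosts_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        match = QUOTED_1B.search(line)
        if match and len(match.group(1)) != NETBIOS_NAME_LEN:
            bad.append(number)
    return bad


if __name__ == "__main__":
    # Constructed sample values: NewDom, pdc01 and 10.0.0.5 are placeholders.
    entries = lmhosts_domain_entries("NewDom", "pdc01", "10.0.0.5")
    broken = '10.0.0.5\t"NEWDOM\\0x1b"\t#PRE'  # unpadded: suffix on byte 7
    print("\n".join(entries))
    print("misaligned lines:", misaligned_1b_lines("\n".join(entries + [broken])))
```

Run the checker over an existing LMHOSTS file before distributing it to the BDCs.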
If you encounter errors on any of the BDCs after the name change
is completed, the most likely causes will be either name resolution or accounts
database synchronization problems. The first thing you should do to
troubleshoot is to open Server Manager on the computer that has problems and
synchronize it with the PDC. For name resolution issues, make sure that WINS
has replicated or that your LMHOSTS files are correct.
encounter some errors in batch files and so on, with the old domain name
embedded. For this reason, you should check all such files. They are likely to
be found in the NETLOGON share on your domain controllers, referenced by the
Scheduler service where it is installed, and in any other scripting or
automation tools that you use.
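One way to carry out that check, as an added example that is not part of the original article: scan a copy of the NETLOGON share (or any script directory) for lines that still name the old domain. The old name is matched as a whole token and without regard to case, so that a different domain whose name merely starts with the same letters is not reported. The domain name OLDDOM, the server FILESRV01 and the two script files are constructed samples, and the list of file suffixes is an assumption to adjust.

```python
import re
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".bat", ".cmd"}  # assumption: extend for your own tooling


def old_domain_pattern(old_domain):
    """Match the old NetBIOS name as a whole token, ignoring case."""
    edge = r"[A-Za-z0-9_-]"
    return re.compile(rf"(?<!{edge}){re.escape(old_domain)}(?!{edge})", re.IGNORECASE)


def find_old_domain_refs(root, old_domain, suffixes=SCRIPT_SUFFIXES):
    """Return (file name, line number, line) for each line naming old_domain."""
    pattern = old_domain_pattern(old_domain)
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        text = path.read_text(encoding="cp437", errors="replace")
        for number, line in enumerate(text.splitlines(), start=1):
            if pattern.search(line):
                hits.append((path.name, number, line.strip()))
    return hits


def demo():
    """Scan two constructed scripts standing in for a NETLOGON share copy."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "logon.bat").write_text(
            "@echo off\n"
            "net use H: \\\\FILESRV01\\home\n"
            "net time /domain:OLDDOM /set /yes\n"
            "rem OLDDOMAIN2 is a different domain and must not match\n"
        )
        Path(root, "backup.cmd").write_text(
            "net use X: \\\\FILESRV01\\data /user:olddom\\backup\n"
        )
        return find_old_domain_refs(root, "OLDDOM")


if __name__ == "__main__":
    for name, number, line in demo():
        print(f"{name}:{number}: {line}")
```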
You can find out more information
about specific error events by searching the Microsoft Knowledge Base for
"event id XXXX" where XXXX is the event id number of the error event. The
Microsoft Knowledge Base is available on the World Wide Web at:
If you encounter any problems after the domain name change, they
are likely related to the name change, especially if you see any of the
Typically, these are name resolution
issues that are specific to one computer. Check for the
COMPUTERNAME<00h>, COMPUTERNAME<03h>, and COMPUTERNAME<20h>
entries in WINS, and replicate if necessary.
controller for this domain could not be found.
Unable to contact the domain controller for this domain.
Typically, these are name resolution issues specific to the domain.
Look for the DOMAIN<1Bh> and DOMAIN<1Ch> entries in WINS, and
replicate if necessary.
The trust relationship failed.
Typically, this is either a trust relationship with another domain
that was not re-established, or an invalid machine account. Reestablish the
trust, or delete and re-create the machine account for the computer and remove
and re-add the computer to the domain.
Possible Side Effects of a Domain Name Change
- Service accounts are stored textually, not as SIDs, in the
Service Control Manager database. Therefore, any services, on any computer,
that use domain user accounts as their service account will have to be manually
adjusted. The Sc.exe utility from the Windows NT Server Resource Kit may be
useful for making this change on remote computers.
- If you are using integrated security in SQL Server, you
will need to reset the "Default Domain" field in SQL Security Manager.
Additionally, if the users are not part of the "Default Domain" you may need to
remove and re-add users and groups from the renamed domain or local groups
containing groups from the renamed domain.
- Microsoft Exchange Server service accounts will need to be
reassociated with the new domain name, as described earlier. Additionally, in
the Exchange Administrator program, select Tools, select Options, click the
Permissions tab, and then change the default Windows NT domain name to the
new domain name.
- Security settings on all Exchange Server public folders
will be lost. Before renaming the domain, use the command line utility
Pfadmin.exe to export the public folder security settings to a text file to
make reconstruction of the permissions easier. This utility can be downloaded
as part of the Microsoft Exchange Server Resource Kit from the following Web
- If Systems Management Server primary or secondary sites
exist in the domain that is being renamed, Systems Management Server will have
to be uninstalled and then reinstalled with the new domain name. You will not
be able to restore the existing Systems Management Server database after
reinstallation; you will have to start with a clean database.
- If the domain being renamed is part of a Systems
Management Server site but has no primary or secondary sites located in it
(only logon servers and clients), the domain should be removed from the site
prior to the name change and added back into the site after the change. Please
refer to the Systems Management Server Installation and Configuration Manual,
Chapter 3, "Adding Domains, Servers, and Clients."
- If you are running Internet Information Server, you may
need to change the account specified in virtual paths.