We are migrating away from an old Windows 2003 domain controller, and moving to a Windows 2012 R2 domain controller. However, there are a few issues I need to clear up due to the configuration of the original domain controller.
We would like to remove the .local suffix on our domain, and use a real domain that we own instead, since this is no longer best practice (and is actually bad practice IIRC). However, the question I have is this:
Would it be better to
- rename the domain first, then migrate,
- migrate, then rename the domain, or
- rebuild the (new) domain from scratch and then import/recreate the users?
We have Office 365 with synced login credentials, so the users cannot be simply recreated on the new domain without re-associating all of the Office 365 accounts again (not out of the question though).
There is a lot to consider in that question. Depending on how large you are and what applications are tied to your domain are going to directly correlate to the difficulty in pulling a rename off.
I would consider if you need to rename at all or just add the new domain and update the UPNs of your users. Users have unique IDs that tie to O365 identities and you can update the UPNs without any loss of data. The only impact is they have to use the new UPN. If you have legacy applications you can actually keep the pre-2000 logon so that doesn't change, to further minimize disruption.
If you need to go whole hog - you need to inventory the entire environment. I would create a new forest/domain and then build a trust with the old server and migrate users and servers. I'm not a big fan of renaming domains or even computers, it can lead to issues you don't see right away but only weeks or months down the road that you can't recover from. If you have applications - you need to evaluate if you can just update server names and service accounts or if you need to rebuild and import data. Bear in mind how those keep track of user data as well. Things like SharePoint need to have explicit commands run to update users. You will need to re-join workstations to the domain - but with the trust configured it gives you some time to do so and minimize disruptions.
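The "add a new UPN suffix and update the users' UPNs" approach from the answer above, as an added PowerShell example (not code from the original thread). It assumes the ActiveDirectory RSAT module, a placeholder old suffix `corp.local`, a placeholder new suffix `example.com`, and a placeholder search base `OU=Staff,DC=corp,DC=local`; it runs as a dry run by default, leaves the pre-Windows 2000 logon name (sAMAccountName) untouched, and writes a CSV so the change can be reviewed or reversed.

```powershell
# Added example, not from the original thread. Registers a routable UPN suffix
# at the forest level and moves users off the old .local suffix, one by one.
# Assumptions (placeholders, adjust for your environment):
#   old suffix  : corp.local
#   new suffix  : example.com
#   search base : OU=Staff,DC=corp,DC=local
# Needs the ActiveDirectory module and Enterprise Admin rights for Set-ADForest.

Import-Module ActiveDirectory

$OldSuffix  = 'corp.local'
$NewSuffix  = 'example.com'
$SearchBase = 'OU=Staff,DC=corp,DC=local'
$DryRun     = $true   # set to $false only after the dry-run report looks right

# 1. Register the new suffix in the forest (skipped if it is already there).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix } -WhatIf:$DryRun
}

# 2. Find users in the current domain still carrying the old suffix.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -SearchBase $SearchBase -Properties UserPrincipalName

# 3. Change each UPN, keeping the left-hand part and sAMAccountName as they are.
$report = foreach ($u in $users) {
    $prefix = ($u.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$NewSuffix"

    # Guard: refuse to create a duplicate UPN, which would break sign-in for both accounts.
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'"
    if ($clash -and $clash.DistinguishedName -ne $u.DistinguishedName) {
        [pscustomobject]@{ Sam = $u.SamAccountName; OldUpn = $u.UserPrincipalName
                           NewUpn = $newUpn; Status = 'SKIPPED: UPN already in use' }
        continue
    }

    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:$DryRun
    [pscustomobject]@{ Sam = $u.SamAccountName; OldUpn = $u.UserPrincipalName
                       NewUpn = $newUpn; Status = $(if ($DryRun) { 'DRY-RUN' } else { 'CHANGED' }) }
}

# 4. Show the result and keep a record of old -> new mappings for rollback.
$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\upn-change-$(Get-Date -Format 'yyyyMMdd-HHmm').csv" -NoTypeInformation
```

Two checks worth doing before flipping `$DryRun` to `$false` in an Office 365 setup like the one in the question: the new suffix must already be a verified domain in the Office 365 tenant, otherwise Azure AD substitutes the tenant's `onmicrosoft.com` suffix for synced users, and after the change you should confirm on the Azure AD Connect server that the next delta sync (`Start-ADSyncSyncCycle -PolicyType Delta`) actually carried the new UPN to the cloud accounts, since users will be prompted to re-authenticate in Outlook and OneDrive with the new sign-in name. Note that `Get-ADUser` without `-Server` only searches the current domain; in a multi-domain forest the duplicate-UPN guard should query a global catalog instead.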