It's looking more and more like I'll have to rename my Active Directory domain.
There is a well-known process for making this change, including some very good answers on Server Fault already (like this one). I understand you may think I want to ask a duplicated question, but this includes the squishy topic of Not Triggering a Revolution.
I inherited an internal Active Directory domain from the dawn of Active Directory. We'll call it ACRO.TLD with the NetBIOS name ACRO (short for "acronym").
This was great when everybody used a grandpa box behind the firewall. But this practice is now deprecated and could cause trouble down the line. There are a lot more mobile devices and it would probably be Very Bad if the domain leaked out into the Internet at large.
I need to
- sell the change to managers
- minimize disruption to users, especially the ones who like convenience (see requirement 1). (Changing the NetBIOS domain name from ACRO would be a deal breaker).
There are bound to be decisions made in planning and presenting the change that increase the chance of success (i.e. users don't show up at my door with pitchforks and torches). This is clearly a subjective question and the best answers would come from people who had been through the change already.
Selling it to management probably consists of explaining the why behind the Very Bad Things, combined with "the change shouldn't be so bad".
So now the question is how to make the change not be so bad, in other words, minimize the disruption to users. I hate to sound open-ended, but I may be tripping over something basic.
We own domains that I'll call COMPANYNAME.COM and COMPANYNAME.NET. Our external web presence and email addresses (email is hosted externally, there is no Exchange) use COMPANYNAME.COM; we have COMPANYNAME.NET as a buffer against domain squatting.
So I think that my best alternatives are
- ACRO.COMPANYNAME.COM (subdomain)
- COMPANYNAME.NET
I prefer ACRO.COMPANYNAME.COM, because users are used to ACRO and COMPANYNAME.COM and we're just bringing the two together. No need to change the NetBIOS domain name, and of course the Windows 10 login screen by default uses the domain a computer is joined to.
Because of the existing practice I've already laid out, users are already trained to use separate user names and passwords for Windows login and email (probably a Good Thing with hosted email).
Some of the cons are
- ACRO.COMPANYNAME.COM is already a hostname registered in Internet DNS.
- there may be some confusion when both accounts contain companyname.
- a pain point of potentially tripling what people have to type in to enter login credentials.
But are these real barriers to going ahead with ACRO.COMPANYNAME.COM? Am I missing something?