Domain name change

[yellowhousejake]

Yes, I have read prior posts about this topic. I have also read the Wiki (entries I could find. I won't say I have read them all).

For reasons specified by outside agencies our City will be moving to a .gov domain name this year. I have been planning the move alongside internal changes to our Zimbra setup of disconnecting auth from our AD and changing the left side of our email from first initial and last name to first name period last name. We use Sophos email gateway for incoming and outgoing traffic so I do not have AV or AS running on our server. I do not need to make any changes to those configurations.

I think I have a good plan and I am just wondering if anyone recently doing this task has run into any issues that I should be planning to deal with, or that I have not thought of. I plan to script the vast majority of the changes as I have done complete migrations from one Zimbra to another using mostly Zimbra CLI and bash with great success.

These are the simplified set of steps I am planning to implement.

- New dns both public and private are already configured.
- Get a list of all accounts from Zimbra for scripting account changes.
- Get a list of all dist lists from Zimbra for scripting list changes.
- Stop mail at the firewall.
- Rename the domain.
#zmprov -l rd mydomain.org mydomain.gov

- Set the server hostname.
#/opt/zimbra/libexec/zmsetservername -n mydomain.gov

- Check the global config to ensure all entries have been changed. Make changes if needed.
#zmlocalconfig | grep mydomain.org
#zmprov gacf | grep mydomain.org
#zmprov gs `zmhostname` | grep mydomain.org

- Update logger host mapping.
#zmloggerhostmap (note the old domain mapping)
#zmloggerhostmap -a mydomain.gov mydomain.gov
#zmloggerhostmap -d mydomain.org mydomain.org

- Ensure Domain Keys are regenerated.
#/opt/zimbra/libexec/zmdkimkeyutil -r -d mydomain.org
#/opt/zimbra/libexec/zmdkimkeyutil -a -d mydomain.gov

- Rename accounts - THIS WILL BE SCRIPTED TO RUN THROUGH EACH ACCOUNT FROM A LIST.
#zmprov ra dgoodrich@mydomain.gov dave.goodrich@mydomain.gov

- Add alias for old domain name - THIS WILL BE SCRIPTED TO RUN THROUGH EACH ACCOUNT FROM A LIST.
#zmprov aaa dave.goodrich@mydomain.gov dgoodrich@mydomain.org

- Drop AD form authentication and begin using only the internal Zimbra LDAP. Everyone should have set their new password in Zimbra by this date.
#zmprov md mydomain.org zimbraAuthMech zimbra

- Update to disallow passwords from disallowed list.
#zmlocalconfig -e zimbra_block_common_passwords_enabled=TRUE

- Restart Zimbra services.
#zmmailboxdctl restart

- Login to admin panel and check everything, absolutely everything.

- Open the firewall.

I have some questions that I cannot find answers for. The answers may come when I spin up a clone of the Zimbra server to test my scripts. Maybe not.

1) Will zmprov -rd repopulate a dynamic distribution list with new account email addresses?
2) Will zmprov -rd repopulate a static distribution list with the new email addresses?
3) Will zmprov -rd change the right side (domain) of email addresses in user specified forwarding addresses?
4) The Wiki gives a warning about calendar resources in version 8.6 but I find no reference for versions above that. Is this still an issue with 10.1.X?

Thanks,

DAve

[Klug]

Is there any reason you cannot keep the old domain name (and FQDN) for the Zimbra server?
And add a CNAME to it with its new FQDN/domain.

Renaming the Zimbra server is... Touchy.
I tried once a long time ago and it didn't work very well.
I don't know if it's better in 2025.

So keeping the old Zimbra server name and just renaming the domain/accounts (this works very well) would be much easier and sure IMHO.
You can add a SSL certificate for the new domain.

[yellowhousejake]

Not really, other than it is neater to me. There is no reason to ever connect to the server by the old domain name. We are leaving the rest of the internal DNS with the old FQDN simply because the amount of equipment requiring change (several hundred devices) is a bit overwhelming for the size of our staff.

I suppose it could wait until next year when I retire and the server is migrated to a Zimbra hosting service.

It would be less work for me this year to not change it ;^)

DAve

[BradC]

Code: Select all

zmcontrol start
/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr createcrt -new -subjectAltNames zm.new.host.com -days 3650
/opt/zimbra/bin/zmcertmgr deploycrt self
/opt/zimbra/bin/zmcertmgr deployca
zmcontrol restart
/opt/zimbra/libexec/zmsetservername -n zm.new.host.com
zmcontrol start
zmloggerhostmap -d zm.old.host.com zm.old.host.com 
zmloggerhostmap -d zm.old.host.com

I have a script I use while testing. Clone prod to staging then run this script.
Once it's up and running I deploy new certs, but this gets it over the hump.

I've found zmsetservername works very well if absolutely everything else is configured correctly. If it isn't, it leaves a half-arsed converted broken system.

[yellowhousejake]

I can try both, changing the domain names and using an alias. I have to think about how I manage the alias as I will be changing the user's email addresses at the same time.

Thanks,

DAve

[yellowhousejake]

Somewhat as a place to keep a backup of what I do and possibly as a future reference for others, this is where I am at.

The decision to fully move the domain has been made. So I created a clone of our production server and moved it to another VM host to test the changes I will be doing. Every reference I found about changing the domain name failed. I do not know what zmsetservername is supposed to do but it wrecks my install every time. I ended up making the changes manually, which was quite easy and went very fast. Below are the steps I took to change the IP and hostname on the test server.

Zimbra 10.1.8 GA Network Edition
Ubuntu 20.04.6 LTS
VMWare VSphere 8.0.3

Clone current running Zimbra VM

Start up clone with no network connection
-- zimbra not started cannot assign requested address

change hostname
-- hostnamectl set-hostname newdomain.org –static

change ip
-- vi /etc/netplan/00-installer-config.yaml
reboot

su - zimbra
zmcontrol status
-- Fails ldap not running cache out of date

/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr createcrt -new -subjectAltNames newdomain.org -days 365
/opt/zimbra/bin/zmcertmgr deploycrt self
/opt/zimbra/bin/zmcertmgr deployca
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
zmcontrol restart
-- ldap fails to start temp fail name resolution

enable network connection
reboot
-- zmcontrol works, but services are not running ldap cannot assign address

Checked ldap configuration
zmlocalconfig | grep -i ldap_master_url
-- ldap_master_url = ldap://olddomain.org:389
zmlocalconfig | grep -i ldap_url
-- ldap_url = ldap://olddomain.org:389

Reset ldap configuration
zmlocalconfig -e ldap_bind_url=ldap://newdomain.org:389
zmlocalconfig -e ldap_url=ldap://newdomain.org:389

zmcontrol restart
-- all services restarted!!! Admin console is up and working. Logs look fine.

Now to move on to testing zmprov -rd.

Check to see what is changed and what is not.

If some accounts, resources, dist lists, aliases are not handled by zmprov -rd, write scripts to walk through those accounts and make the changes needed.

[L. Mark Stone]

FWIW, I have found that zmprov rd <current name> <new name> has reliably renamed all email-related objects (user and resource accounts, aliases, DLs, etc.).

Always good to run zmprov fc -a all after making changes like that too.

Hope that helps,
Mark

[yellowhousejake]

Well, creating a clone for testing has failed again. I do not think you can reliably make that work. Previously, when moving a full version in Zimbra, I have always built a new server and migrated to an full number version and new OS.

With several instances of zmprov rd working fine for others I think that is where I will go. Rename the domain and then migrate to a new server.

Thank you everyone.

DAve