Google and Primary Domain Changes

Whether it is because you’re shortening the domain name users sign in with or you’re consolidating multiple Admin consoles into one, the question of when to do a primary domain change, and why you might not want to do one, is a popular support topic this time of year.

What does a primary domain do within Google?

There are three types of domains within the Google Admin console: the primary domain, additional domains, and domain aliases. The primary domain is the reference point that Google uses for customizable shortcuts, naked domain redirection, resource and secondary calendar IDs (although Google announced this is changing for newly created calendars starting June 3rd), and classic Google Sites in various ways. It also appears in the “Managed by” field on managed Chrome devices. For resource calendars whose ID includes the primary domain, changing the primary domain changes the calendar IDs as well. Secondary calendars previously used the user’s primary domain in the calendar ID, but these IDs are never changed. This means that old secondary calendars will be permanently deleted if the domain they are tied to is removed from the Admin console.

One thing you’ll notice that is not associated with the primary domain is the user’s primary email address. You can create users on an additional domain without giving them an email address on the primary domain. Note that this is true for additional domains, but not domain aliases. When you perform a primary domain change, you’re telling Google that you want to promote one of your additional domains to be the primary. Users’ email addresses are not updated or changed to the new primary domain, and it doesn’t require a primary domain change to rename users to another managed domain.

Why perform a user rename instead of a primary domain change?

As previously mentioned, performing a primary domain change does not change how users sign in. It does change the resources and settings that are associated with the organization, and it’s not always possible to locate every resource on the web that points to the primary domain. Additionally, and currently most importantly, in order to perform a primary domain change, 100% of Chrome devices have to be deprovisioned, the licenses have to be removed, and after the domain change has been completed, all Chromebooks have to be re-enrolled in the new domain. This requirement is something that Google has been working to simplify, and it has even had a Beta program to test a new method where every Chromebook doesn’t need to be touched twice. But until it has been completely vetted, this is one of the current requirements for performing a primary domain change, and it is one of the major factors preventing schools from doing it. Amplified IT has been notified that the beta is still open, and for those with support contracts with Amplified IT, we can work with schools to bypass the Chromebook deprovision/re-enroll step of a primary domain change.

What could break by renaming my users?

First, let’s start with what won’t break. Nothing built by Google will break. Users will retain access to all their Google Drive files, Google Classroom activities and data, Google Mail, and Google Chat/Hangouts messages – all will be in place as though nothing happened. This is due to Google using a unique ID to identify your users instead of using their email address. Google makes this ID available for developers as well and encourages them to use this field rather than an email address. For third parties that use this identifier, everything will continue to work as well. Any app-specific data about your users will remain accessible.

Also, anything where you type in the email address and enter a password (services like Netflix or Facebook) will continue to work with the old email address.

Single Sign-On or SAML applications within your Google Workspace domain may need to be updated to reference the new primary email address. The same goes for any Marketplace Apps which have been purchased. We recommend that you reach out to the vendors of any third-party tools and ensure that licenses will be updated and that admin accounts (which are typically handled by internal ACLs pointing to an email address) are updated as well. If the tool references the user’s email address or sign-in credentials rather than the user ID, application data will not be accessible when you use a “Sign-in with Google” button.
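To make the difference concrete, the following added example (not from Google or from any vendor’s code) models a hypothetical third-party app that keys accounts either on the stable user ID, which Google’s OpenID Connect ID tokens carry as the sub claim, or on the email address, and then checks an email-based admin ACL against a rename map. The AccountStore class, the domains, and the ID value are all constructed for illustration, and token verification is assumed to have already happened.

```python
# Added illustration; all names, domains and IDs below are constructed.

# Claims as an app sees them after verifying a Google ID token. `sub` is the
# stable account ID; `email` is what a user rename changes.
BEFORE = {"sub": "110000000000000000001", "email": "jdoe@old-district.example"}
AFTER = {"sub": "110000000000000000001", "email": "jdoe@district.example"}


class AccountStore:
    """Hypothetical third-party app that keys accounts on one claim."""

    def __init__(self, key_claim):
        self.key_claim = key_claim
        self.accounts = {}

    def sign_in(self, claims):
        key = claims[self.key_claim]
        is_new = key not in self.accounts
        account = self.accounts.setdefault(key, {"data": []})
        account["email"] = claims["email"]  # contact address, refreshed each login
        return account, is_new


def data_survives_rename(key_claim):
    """Sign in, store data, rename the user, sign in again."""
    store = AccountStore(key_claim)
    account, _ = store.sign_in(BEFORE)
    account["data"].append("gradebook-export")
    account, is_new = store.sign_in(AFTER)
    return (not is_new) and account["data"] == ["gradebook-export"]


def stale_acl_entries(acl_emails, renames):
    """Map each ACL entry that still names a pre-rename address to its new one."""
    lowered = {old.lower(): new for old, new in renames.items()}
    return {e: lowered[e.lower()] for e in acl_emails if e.lower() in lowered}


if __name__ == "__main__":
    print("keyed on sub:  ", data_survives_rename("sub"))
    print("keyed on email:", data_survives_rename("email"))
    acl = ["JDoe@old-district.example", "vendor@partner.example"]
    print(stale_acl_entries(acl, {BEFORE["email"]: AFTER["email"]}))
```

The email-keyed store silently creates a fresh, empty account after the rename, which is the “data not accessible” symptom described above; the ACL check gives you the list of admin entries to hand to the vendor.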

So, when is a primary domain change necessary?

Strictly speaking, unless you no longer have access to your current primary domain, or you’re planning to completely abandon it, it’s not. The places where the primary domain is referenced within the standard user’s day-to-day are very limited, and changing it for aesthetic purposes can result in an abundance of work, not to mention opportunities to break something inadvertently. And lastly, changing the primary domain within Google doesn’t change your usernames – that has its own challenges, needs to be done separately, and doesn’t require a primary domain change. The vast majority of the time, this is what is ultimately wanted when we’re being asked to do a primary domain change anyway.

You can connect with us to talk in more detail about your school’s domain and how to best manage changes.

  • Stephen Gale
    Technical Support Analyst

  • About the Author:

    Stephen lives in Utah and enjoys the puzzle of investigating users’ problems and finding potential solutions. A recovering/reformed gamer, Stephen throws himself into his passion for staying on top of all things Chrome OS and Chromebook related. Prior to joining Amplified IT, Stephen served as a network admin in a therapeutic boarding school and an IT director, where he implemented Google Workspace for Education. Stephen has studied computer science and security at Weber State University and Western Governors University. A self-anointed honor, Stephen likes Chromebooks more than almost anyone else in the world.