Solved

Demoting Domain Controller that is a FSMO role holder & secondary CA

Posted on 2009-03-30
12
1,071 Views
Last Modified: 2012-05-06
My Situation :
1. Previous admins installed several domain controllers with 12GB system partitions.
2. DC in question has 700MB left on the system partition. It is the proverbial ticking time bomb.
3. DC is also a FSMO role holder :  RID master, PDC emulator, Domain Naming Master.
4. DC is a secondary Certificate Authority for the domain.
5, Active Directory related directories (sysvol, NTDS,dit, etc.) are, of course, on the system partition.

From what I've researched, demoting / promoting the DC and choosing a secondary partition for the ADS data is the best method to resolve my problem.

My questions :
1. Is the demote / promote method  the best way to resolve this issue? Most of the other methods (e.g. manually move ADS data, expand system partition) seemed ill-advised?
2. Should I manually move the FSMO roles prior to demotion, or allow ADS to automatically re-provision the FSMO roles?
3. What the heck do I do about the CA?
4. Should the whole operation go sideways, what is my exposure? Forest level restore from sys-state backup?
5. Anything else I should know?

0
Comment
Question by:ChristopherTN
  • 5
  • 3
  • 2
  • +1
12 Comments
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 40 total points
ID: 24021347

Resizing the System partition on a server is something which isn't trivial, but do-able. If there is free space on the server, or space could be salvaged from another partition, I would rather go down the route of resizing partitions rather than demoting the server and starting afresh.

Both GParted (Free - http://gparted.sourceforge.net/) and Partition Manager Server Edition (pay for - http://www.paragon-software.com/) will enable you to move space around between partitions and resolve this issue.

Only if you really cannot salvage space from other drives on the machine would I demote it, blow it away and start afresh. You have a lot more work to do - particularly with the roles the box is running - if you go down that route.

-Matt
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24021374
How big is your AD database?
That can be moved to another drive (if the server has room to expand)
http://support.microsoft.com/kb/257420
How To Move the Ntds.dit File or Log Files
Not sure how big your AD is so I'm not sure if that will give you enough room if you move it.
Thanks
Mike
0
 

Author Comment

by:ChristopherTN
ID: 24021447
Thought about doing resize -

1. Partition in question is a on a basic disk.
2. Gparted will allow me to make more space available on the partition. I can't, however, use diskpart at the OS level to extend the partition as it resides on a basic disk.
3. I can convert the disk to dynamic, but the OS 'remembers' that the partition started out as a basic disk and won't allow extension.

Am I correct in the above, or am I missing something with respect to G-Parted?
0
 

Author Comment

by:ChristopherTN
ID: 24021465
NTDS.dit is small - only 150MB. Sysvol is really the problem - ~4.0GB.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 40 total points
ID: 24021521
You can manually relocate the SYSVOL tree to another location on the server to save you 4GB of space: http://support.microsoft.com/kb/842162.

What exactly is being stored in SYSVOL though? I've rarely seen it grow that large.

You are correct in your thinking with regards to extending a volume which previously resided on a Basic Disk. It simply cannot be done through Windows - particularly in the case of the System volume.

-Matt
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 24021571
Wow a 4 GB sysvol with only a 150MB ntds.   What all is in that folder?
You can move sysvol but a demotion and repromotion would be easier
I would manually move the FSMO's first.
I'll have to research the secondary CA issue..don't want to blow smoke on that one.
 
Thanks
Mike
0
 

Author Comment

by:ChristopherTN
ID: 24021623
Our domain appears to have an absurd number of GPOs - enough to consume ~3GB of space. Working on cleaning those up, but that process is part political, part technical.

0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 30 total points
ID: 24028997
To save some typing, here's some advice on the CA, let me know if you have further questions:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24271040.html
0
 

Accepted Solution

by:
ChristopherTN earned 0 total points
ID: 24368469
Sorry haven't updated in a while. Basically, I'm moving the FSMO roles, one-by-one, to new DCs. So far, so good. PDC move required a few additional steps but nothing major.  Paranormastic's advice on CAs is helpful. In the end, the CA was the issue that I needed the most assistance with - my knowledge in that area is limited.

Accepting Paranormastics solution.

Thanks All!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24368623
Christopher,

I feel points should have been 'split' here as multiple Experts answered the various questions you asked. Would you agree?
0
 

Author Comment

by:ChristopherTN
ID: 24444179
Re-opened to award multiple points.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now