Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1088
  • Last Modified:

Demoting Domain Controller that is a FSMO role holder & secondary CA

My Situation :
1. Previous admins installed several domain controllers with 12GB system partitions.
2. DC in question has 700MB left on the system partition. It is the proverbial ticking time bomb.
3. DC is also a FSMO role holder :  RID master, PDC emulator, Domain Naming Master.
4. DC is a secondary Certificate Authority for the domain.
5, Active Directory related directories (sysvol, NTDS,dit, etc.) are, of course, on the system partition.

From what I've researched, demoting / promoting the DC and choosing a secondary partition for the ADS data is the best method to resolve my problem.

My questions :
1. Is the demote / promote method  the best way to resolve this issue? Most of the other methods (e.g. manually move ADS data, expand system partition) seemed ill-advised?
2. Should I manually move the FSMO roles prior to demotion, or allow ADS to automatically re-provision the FSMO roles?
3. What the heck do I do about the CA?
4. Should the whole operation go sideways, what is my exposure? Forest level restore from sys-state backup?
5. Anything else I should know?

0
ChristopherTN
Asked:
ChristopherTN
  • 5
  • 3
  • 2
  • +1
4 Solutions
 
tigermattCommented:

Resizing the System partition on a server is something which isn't trivial, but do-able. If there is free space on the server, or space could be salvaged from another partition, I would rather go down the route of resizing partitions rather than demoting the server and starting afresh.

Both GParted (Free - http://gparted.sourceforge.net/) and Partition Manager Server Edition (pay for - http://www.paragon-software.com/) will enable you to move space around between partitions and resolve this issue.

Only if you really cannot salvage space from other drives on the machine would I demote it, blow it away and start afresh. You have a lot more work to do - particularly with the roles the box is running - if you go down that route.

-Matt
0
 
Mike KlineCommented:
How big is your AD database?
That can be moved to another drive (if the server has room to expand)
http://support.microsoft.com/kb/257420
How To Move the Ntds.dit File or Log Files
Not sure how big your AD is so I'm not sure if that will give you enough room if you move it.
Thanks
Mike
0
 
ChristopherTNAuthor Commented:
Thought about doing resize -

1. Partition in question is a on a basic disk.
2. Gparted will allow me to make more space available on the partition. I can't, however, use diskpart at the OS level to extend the partition as it resides on a basic disk.
3. I can convert the disk to dynamic, but the OS 'remembers' that the partition started out as a basic disk and won't allow extension.

Am I correct in the above, or am I missing something with respect to G-Parted?
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
ChristopherTNAuthor Commented:
NTDS.dit is small - only 150MB. Sysvol is really the problem - ~4.0GB.
0
 
tigermattCommented:
You can manually relocate the SYSVOL tree to another location on the server to save you 4GB of space: http://support.microsoft.com/kb/842162.

What exactly is being stored in SYSVOL though? I've rarely seen it grow that large.

You are correct in your thinking with regards to extending a volume which previously resided on a Basic Disk. It simply cannot be done through Windows - particularly in the case of the System volume.

-Matt
0
 
Mike KlineCommented:
Wow a 4 GB sysvol with only a 150MB ntds.   What all is in that folder?
You can move sysvol but a demotion and repromotion would be easier
I would manually move the FSMO's first.
I'll have to research the secondary CA issue..don't want to blow smoke on that one.
 
Thanks
Mike
0
 
ChristopherTNAuthor Commented:
Our domain appears to have an absurd number of GPOs - enough to consume ~3GB of space. Working on cleaning those up, but that process is part political, part technical.

0
 
ParanormasticCryptographic EngineerCommented:
To save some typing, here's some advice on the CA, let me know if you have further questions:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24271040.html
0
 
ChristopherTNAuthor Commented:
Sorry haven't updated in a while. Basically, I'm moving the FSMO roles, one-by-one, to new DCs. So far, so good. PDC move required a few additional steps but nothing major.  Paranormastic's advice on CAs is helpful. In the end, the CA was the issue that I needed the most assistance with - my knowledge in that area is limited.

Accepting Paranormastics solution.

Thanks All!
0
 
tigermattCommented:
Christopher,

I feel points should have been 'split' here as multiple Experts answered the various questions you asked. Would you agree?
0
 
ChristopherTNAuthor Commented:
Re-opened to award multiple points.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 5
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now