Solved

Demoting Domain Controller that is a FSMO role holder & secondary CA

Posted on 2009-03-30
12
1,082 Views
Last Modified: 2012-05-06
My Situation :
1. Previous admins installed several domain controllers with 12GB system partitions.
2. DC in question has 700MB left on the system partition. It is the proverbial ticking time bomb.
3. DC is also a FSMO role holder :  RID master, PDC emulator, Domain Naming Master.
4. DC is a secondary Certificate Authority for the domain.
5, Active Directory related directories (sysvol, NTDS,dit, etc.) are, of course, on the system partition.

From what I've researched, demoting / promoting the DC and choosing a secondary partition for the ADS data is the best method to resolve my problem.

My questions :
1. Is the demote / promote method  the best way to resolve this issue? Most of the other methods (e.g. manually move ADS data, expand system partition) seemed ill-advised?
2. Should I manually move the FSMO roles prior to demotion, or allow ADS to automatically re-provision the FSMO roles?
3. What the heck do I do about the CA?
4. Should the whole operation go sideways, what is my exposure? Forest level restore from sys-state backup?
5. Anything else I should know?

0
Comment
Question by:ChristopherTN
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
  • +1
12 Comments
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 40 total points
ID: 24021347

Resizing the System partition on a server is something which isn't trivial, but do-able. If there is free space on the server, or space could be salvaged from another partition, I would rather go down the route of resizing partitions rather than demoting the server and starting afresh.

Both GParted (Free - http://gparted.sourceforge.net/) and Partition Manager Server Edition (pay for - http://www.paragon-software.com/) will enable you to move space around between partitions and resolve this issue.

Only if you really cannot salvage space from other drives on the machine would I demote it, blow it away and start afresh. You have a lot more work to do - particularly with the roles the box is running - if you go down that route.

-Matt
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24021374
How big is your AD database?
That can be moved to another drive (if the server has room to expand)
http://support.microsoft.com/kb/257420
How To Move the Ntds.dit File or Log Files
Not sure how big your AD is so I'm not sure if that will give you enough room if you move it.
Thanks
Mike
0
 

Author Comment

by:ChristopherTN
ID: 24021447
Thought about doing resize -

1. Partition in question is a on a basic disk.
2. Gparted will allow me to make more space available on the partition. I can't, however, use diskpart at the OS level to extend the partition as it resides on a basic disk.
3. I can convert the disk to dynamic, but the OS 'remembers' that the partition started out as a basic disk and won't allow extension.

Am I correct in the above, or am I missing something with respect to G-Parted?
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 

Author Comment

by:ChristopherTN
ID: 24021465
NTDS.dit is small - only 150MB. Sysvol is really the problem - ~4.0GB.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 40 total points
ID: 24021521
You can manually relocate the SYSVOL tree to another location on the server to save you 4GB of space: http://support.microsoft.com/kb/842162.

What exactly is being stored in SYSVOL though? I've rarely seen it grow that large.

You are correct in your thinking with regards to extending a volume which previously resided on a Basic Disk. It simply cannot be done through Windows - particularly in the case of the System volume.

-Matt
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24021571
Wow a 4 GB sysvol with only a 150MB ntds.   What all is in that folder?
You can move sysvol but a demotion and repromotion would be easier
I would manually move the FSMO's first.
I'll have to research the secondary CA issue..don't want to blow smoke on that one.
 
Thanks
Mike
0
 

Author Comment

by:ChristopherTN
ID: 24021623
Our domain appears to have an absurd number of GPOs - enough to consume ~3GB of space. Working on cleaning those up, but that process is part political, part technical.

0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 30 total points
ID: 24028997
To save some typing, here's some advice on the CA, let me know if you have further questions:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24271040.html
0
 

Accepted Solution

by:
ChristopherTN earned 0 total points
ID: 24368469
Sorry haven't updated in a while. Basically, I'm moving the FSMO roles, one-by-one, to new DCs. So far, so good. PDC move required a few additional steps but nothing major.  Paranormastic's advice on CAs is helpful. In the end, the CA was the issue that I needed the most assistance with - my knowledge in that area is limited.

Accepting Paranormastics solution.

Thanks All!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24368623
Christopher,

I feel points should have been 'split' here as multiple Experts answered the various questions you asked. Would you agree?
0
 

Author Comment

by:ChristopherTN
ID: 24444179
Re-opened to award multiple points.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question