Improve company productivity with a Business Account.Sign Up

x
?
Solved

Demoting Domain Controller that is a FSMO role holder & secondary CA

Posted on 2009-03-30
12
Medium Priority
?
1,097 Views
Last Modified: 2012-05-06
My Situation :
1. Previous admins installed several domain controllers with 12GB system partitions.
2. DC in question has 700MB left on the system partition. It is the proverbial ticking time bomb.
3. DC is also a FSMO role holder :  RID master, PDC emulator, Domain Naming Master.
4. DC is a secondary Certificate Authority for the domain.
5, Active Directory related directories (sysvol, NTDS,dit, etc.) are, of course, on the system partition.

From what I've researched, demoting / promoting the DC and choosing a secondary partition for the ADS data is the best method to resolve my problem.

My questions :
1. Is the demote / promote method  the best way to resolve this issue? Most of the other methods (e.g. manually move ADS data, expand system partition) seemed ill-advised?
2. Should I manually move the FSMO roles prior to demotion, or allow ADS to automatically re-provision the FSMO roles?
3. What the heck do I do about the CA?
4. Should the whole operation go sideways, what is my exposure? Forest level restore from sys-state backup?
5. Anything else I should know?

0
Comment
Question by:ChristopherTN
  • 5
  • 3
  • 2
  • +1
11 Comments
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 160 total points
ID: 24021347

Resizing the System partition on a server is something which isn't trivial, but do-able. If there is free space on the server, or space could be salvaged from another partition, I would rather go down the route of resizing partitions rather than demoting the server and starting afresh.

Both GParted (Free - http://gparted.sourceforge.net/) and Partition Manager Server Edition (pay for - http://www.paragon-software.com/) will enable you to move space around between partitions and resolve this issue.

Only if you really cannot salvage space from other drives on the machine would I demote it, blow it away and start afresh. You have a lot more work to do - particularly with the roles the box is running - if you go down that route.

-Matt
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24021374
How big is your AD database?
That can be moved to another drive (if the server has room to expand)
http://support.microsoft.com/kb/257420
How To Move the Ntds.dit File or Log Files
Not sure how big your AD is so I'm not sure if that will give you enough room if you move it.
Thanks
Mike
0
 

Author Comment

by:ChristopherTN
ID: 24021447
Thought about doing resize -

1. Partition in question is a on a basic disk.
2. Gparted will allow me to make more space available on the partition. I can't, however, use diskpart at the OS level to extend the partition as it resides on a basic disk.
3. I can convert the disk to dynamic, but the OS 'remembers' that the partition started out as a basic disk and won't allow extension.

Am I correct in the above, or am I missing something with respect to G-Parted?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 

Author Comment

by:ChristopherTN
ID: 24021465
NTDS.dit is small - only 150MB. Sysvol is really the problem - ~4.0GB.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 160 total points
ID: 24021521
You can manually relocate the SYSVOL tree to another location on the server to save you 4GB of space: http://support.microsoft.com/kb/842162.

What exactly is being stored in SYSVOL though? I've rarely seen it grow that large.

You are correct in your thinking with regards to extending a volume which previously resided on a Basic Disk. It simply cannot be done through Windows - particularly in the case of the System volume.

-Matt
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24021571
Wow a 4 GB sysvol with only a 150MB ntds.   What all is in that folder?
You can move sysvol but a demotion and repromotion would be easier
I would manually move the FSMO's first.
I'll have to research the secondary CA issue..don't want to blow smoke on that one.
 
Thanks
Mike
0
 

Author Comment

by:ChristopherTN
ID: 24021623
Our domain appears to have an absurd number of GPOs - enough to consume ~3GB of space. Working on cleaning those up, but that process is part political, part technical.

0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 120 total points
ID: 24028997
To save some typing, here's some advice on the CA, let me know if you have further questions:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24271040.html
0
 

Accepted Solution

by:
ChristopherTN earned 0 total points
ID: 24368469
Sorry haven't updated in a while. Basically, I'm moving the FSMO roles, one-by-one, to new DCs. So far, so good. PDC move required a few additional steps but nothing major.  Paranormastic's advice on CAs is helpful. In the end, the CA was the issue that I needed the most assistance with - my knowledge in that area is limited.

Accepting Paranormastics solution.

Thanks All!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24368623
Christopher,

I feel points should have been 'split' here as multiple Experts answered the various questions you asked. Would you agree?
0
 

Author Comment

by:ChristopherTN
ID: 24444179
Re-opened to award multiple points.
0

Featured Post

Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
I’m willing to make a bet that your organization stores sensitive data in your Windows File Servers; files and folders that you really don’t want making it into the wrong hands.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

585 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question