Removing AD from a server 2003 with CA role?


We have an old AD server that is having a hard time keeping up with sync and everything, and it is causing LDAP request latency for our Exchange 2007 environment. We bought new hardware and we are slowly adding newer servers and decommissioning the older ones. We ran into a little issue when we tried to put our hands on the AD server that holds the Certificate Authority role.

I know it can be transferred, but I would like to keep that option for later. A fast and more secure way to eliminate the latency issue would be to turn that AD server into a dedicated standalone CA server. My question is: can we, as a first step, remove the Global Catalog from that AD server without impacting the CA role? And secondly, can we simply dcpromo down the AD server without impacting the CA role? To what extent can we push that idea, and what needs to be considered? It is running on a Wk3Ent R2 server.

Any input?

Best regards
mcsween (Sr. Network Administrator) commented:
To demote a Domain Controller hosting a Certificate Authority, you need to perform the following steps:
1. Back up the CA.
2. Uninstall the CA.
3. Demote the DC.
4. Install the CA from the backup.
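The four steps above, as an added example that is not from the thread: a PowerShell wrapper around certutil.exe and reg.exe, the tools that ship with Windows Server 2003, covering what has to survive the CA uninstall and be put back after the demotion. The backup path and the assumption that it runs on the CA itself as a local Administrator are mine. Two caveats a practitioner wants here: the reinstall in step 4 must use the same CA name and the exported key from the backup (on Server 2003 that is the Certificate Services component in Add/Remove Windows Components, choosing to use an existing certificate and key), and it must keep the same CA type. An enterprise CA needs domain membership but not a domain controller, so demoting does not force a switch to standalone, while switching to standalone does lose the AD-based templates and autoenrollment.

```powershell
# Added example (not from the original thread). Assumptions: run on the CA
# itself in PowerShell as a local Administrator; D:\CABackup is a local path
# with room for the CA database; certutil.exe and reg.exe are the stock tools.
$BackupDir  = 'D:\CABackup'
$CertSvcKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Backup-LegacyCA {
    param([string]$Dir = $BackupDir)
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }

    # Record what the reinstalled CA must match exactly: CA name and config string.
    # Every issued certificate and published CRL is tied to this identity.
    certutil -getconfig   | Out-File (Join-Path $Dir 'ca-config.txt')
    certutil -cainfo name | Out-File (Join-Path $Dir 'ca-name.txt')

    # Full backup: CA certificate + private key (password-protected .p12) and the
    # database with its logs. certutil prompts for the .p12 password interactively.
    certutil -backup $Dir

    # Registry-side configuration that the database backup does NOT contain:
    # CRL/delta CRL periods, CDP/AIA URLs, policy/exit module settings, audit filter.
    $regFile = Join-Path $Dir 'certsvc-config.reg'
    if (Test-Path $regFile) { Remove-Item $regFile }   # reg export will not overwrite on 2003
    reg export $CertSvcKey $regFile

    # Templates this CA issues (meaningful on an enterprise CA; empty on a standalone CA).
    certutil -catemplates | Out-File (Join-Path $Dir 'ca-templates.txt')

    # CAPolicy.inf, if present, controls renewal and reinstall behaviour.
    $policy = Join-Path $env:SystemRoot 'CAPolicy.inf'
    if (Test-Path $policy) { Copy-Item $policy $Dir }

    Get-ChildItem $Dir -Recurse | Select-Object FullName, Length
}

function Restore-LegacyCA {
    param([string]$Dir = $BackupDir)
    # Run only after the CA component has been re-added with the SAME CA name,
    # using the .p12 from $Dir. Restores key, database and registry config over
    # the fresh install.
    net stop certsvc
    certutil -restore -f $Dir                        # prompts for the .p12 password
    reg import (Join-Path $Dir 'certsvc-config.reg')
    net start certsvc

    # Sanity checks: the CA answers, and its config string matches the pre-uninstall record.
    certutil -ping
    $before = Get-Content (Join-Path $Dir 'ca-config.txt')
    $after  = certutil -getconfig
    if (Compare-Object $before $after) {
        Write-Warning 'CA config string differs from the pre-uninstall backup'
    }
    certutil -crl                                    # publish a fresh CRL from the restored CA
}

# Step 1, before uninstalling the CA:
Backup-LegacyCA
# Steps 2 and 3 are done through Add/Remove Windows Components and dcpromo;
# then re-add Certificate Services with the existing key and run step 4:
# Restore-LegacyCA
```

Keep the backup directory off the box before running dcpromo: the demotion reboots the server and, if anything goes wrong with the local disk or the reinstall, the .p12 and database copy are the only route back to a CA that can still issue and revoke against the existing chain.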
sampar (Author) commented:
So, in the end, it is the same as migrating the CA role to another server.

What if I remove the Global Catalog only? In that scenario, the server would stop processing the logins and that would probably be enough to catch up.

windowsmt commented:
Removing the Global Catalog does not stop the login authentication process; it will only stop resource lookups. It may buy you some networking time, but it will still process authentication requests, issue KERB tickets, etc.

I would transfer all FSMOs to other servers; make sure no RID, PDC, etc. is on this computer.

Also make sure that the Infrastructure master is NOT on this system; it will not coexist with the Global Catalog and may be part of your trouble. The Schema master doesn't matter as much!

Move all roles, remove the GC, and then see if the latency is better. Force replication of the connections to test.

Another slick little thing you can do, only if you are not replicating a bunch of changes, is to change the site replication transport to SMTP (created for slow links), which will package the changes and send them in bursts instead of creating a constant stream. It is harder to set up, so I would try the previous first.
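The checks windowsmt describes (which server holds each FSMO role, which DCs are GCs, and whether the Infrastructure master sits on a GC), as an added PowerShell example that is not from the thread. It uses the System.DirectoryServices.ActiveDirectory classes that PowerShell loads by default, so it works against a Server 2003 forest without the ActiveDirectory module. The second function removes the GC role from a named DC, which is the step sampar is weighing for AD2; the server name in the usage line is an assumption. The report also prints each DC's site, which is what the separate-site option later in the thread turns on.

```powershell
# Added example (not from the original thread). Run from any domain-joined
# machine as a domain admin. Assumes a single-forest environment reachable
# from this machine; the FQDN in the usage line at the bottom is made up.

function Get-FsmoAndGcReport {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest

    # Forest-wide roles live on the Forest object, domain roles on the Domain object.
    $roles = @(
        @('Schema master',         $forest.SchemaRoleOwner.Name),
        @('Domain naming master',  $forest.NamingRoleOwner.Name),
        @('PDC emulator',          $domain.PdcRoleOwner.Name),
        @('RID master',            $domain.RidRoleOwner.Name),
        @('Infrastructure master', $domain.InfrastructureRoleOwner.Name)
    )
    foreach ($r in $roles) { '{0,-22} {1}' -f $r[0], $r[1] }

    # Every DC in the domain, its site, and whether it holds the GC partial replicas.
    $dcs = @($domain.FindAllDomainControllers())
    $gcNames = @()
    foreach ($dc in $dcs) {
        $isGc = $dc.IsGlobalCatalog()
        if ($isGc) { $gcNames += $dc.Name }
        '{0,-30} site={1,-15} GC={2}' -f $dc.Name, $dc.SiteName, $isGc
    }

    # The Infrastructure master updates cross-domain references by comparing its
    # own replica against a GC. If it is itself a GC it never sees a difference,
    # which is harmless only when every DC in the domain is also a GC.
    $im = $domain.InfrastructureRoleOwner.Name
    if ($gcNames -contains $im) {
        if ($gcNames.Count -eq $dcs.Count) {
            "Infrastructure master $im is a GC, but so is every DC: it has no phantom-update work to do."
        } else {
            Write-Warning "Infrastructure master $im is a GC while other DCs are not: move the role or remove the GC."
        }
    }
}

function Remove-GcFromServer {
    param([string]$ServerFqdn)   # FQDN of the DC to strip the GC role from
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $ServerFqdn)
    $gc  = [System.DirectoryServices.ActiveDirectory.GlobalCatalog]::GetGlobalCatalog($ctx)
    # Clears the GC flag on the server's NTDS Settings object. The partial
    # replicas are torn down by the KCC afterwards; confirm with repadmin /showrepl.
    $dc = $gc.DisableGlobalCatalog()
    return $dc.IsGlobalCatalog()  # $false once the flag is cleared
}

Get-FsmoAndGcReport
# Remove-GcFromServer -ServerFqdn 'AD2.corp.example'   # assumption: example FQDN
```

Run the report first and keep its output: after moving roles or clearing the GC flag, a second run shows whether the change has replicated, and the GC list is the evidence you want before touching the Infrastructure master.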

sampar (Author) commented:
All the master roles are already on another server. To give you an idea of our setup:

100,000 Exchange mailboxes / users
8 AD servers:

AD1: older hardware, used to have the master roles, REMOVED
AD2: older hardware, Certificate Authority role, sync performance issue, ldap request latency, TO BE REMOVED (or partially removed, offloading what we can)
AD3: old hardware, doing ok on performance
AD4: old hardware, doing ok on performance
AD5: new hardware
AD6: new hardware, received all master roles from AD1
AD7: new hardware, recently added
AD8: new hardware, to be added

***Note: All the servers have the global catalog checked***
mcsween (Sr. Network Administrator) commented:
It looks like you have the right idea with removing AD from this server.
Justin Owens (ITIL Problem Manager) commented:
You asked:
"My question is, can we, as a first step, remove the Global Catalog from that AD server without impacting the CA role?"
No, you will experience a small amount of downtime regardless of whether you transfer to a different server or you remove the DC role and use the same server.
"And secondly, can we simply dcpromo down the AD server without impacting the CA role?"
No, you will impact the CA if you don't follow the proper steps. It can be done, but it is not a one-step process.
"To what extent can we push that idea and what needs to be considered?"
I am not entirely sure what you are asking here. For the most part, if you remove the GC role from your server then it will reduce, but not eliminate, traffic to it (as windowsmt explained very well). If you don't want users authenticating against it, you could put it in its own VLAN/subnet and link that to a Site in AD. The CA would still work, but users would only authenticate against it if they logged into that server directly. I would not have it hosting FSMO roles if I went with this option, which means you would need at least two other DCs in the main site.
sampar (Author) commented:
DrUltima, Mcsween and windowsmt,

Thank you for your input. To summarize, we have a few alternatives; tell me if I am wrong:

1- Removing the Global Catalog from AD2 (holding the CA). This will reduce the traffic but not eliminate it. If the performance issue is not too critical, it could fix the replication and LDAP performance issue, at least in the short term. This would bring a smaller downtime than completely decommissioning the AD and reimporting the CA, but still, it will cause downtime (to be confirmed).

2- Decommissioning AD completely from the server "AD2". This brings a larger downtime (the time to dcpromo down, uninstall the CA, reinstall it, and import the backed-up CA DB and key) but would definitely be the best long-term solution.

3- Considering removing the GC role on AD6 (which also has the Infrastructure master role) and the other master roles, which could have an impact in general on other servers like AD2 (to be confirmed).

Justin Owens (ITIL Problem Manager) commented:
Yes and no... You have the option of another Site, too. Additionally, I would remove the GC from your Infrastructure Master regardless of your other choices. Other than that, both alternative 1 and 2 are viable options.