Trouble removing 2008 Server from being a Domain Controller

The question starts with the issues I was having with WSUS to show you how I arrived at my real question. I can save the WSUS question for another post; I just wanted to give some background info in case it's relevant.

The other week I realized I could no longer open the WSUS console on one of our 2008 servers (Antelope).

Error: "MMC has detected an error in a snap-in and will unload it."
When I chose "Unload the snap-in and continue running" I received the message box:
"End Snap-in. The snap-in is not responding."
I'd choose "End Now" and receive an "Unhandled Exception in Managed Code Snap-in."

I tried a few things, including removing the WSUS file, but couldn't get it to work. I ended up uninstalling/reinstalling WSUS. However, once WSUS was installed again, it no longer showed up under the Admin Tools menu; I had to access it via Server Manager. Every time Server Manager was closed, all the Classifications I had chosen no longer showed up under the Updates section. The default Updates showed up: All Updates, Critical Updates, Security Updates and WSUS Updates, and all the other classifications are still checked in the Products and Classifications window, but I need to uncheck them, hit apply, check and apply again. I also noticed that the few Windows 7 boxes we have show up as an OS of Windows 6.1. I finally decided to see if I could correct these things and ran into some more problems...

This server became a Domain Controller and AD was installed during the brief time WSUS was uninstalled, so I figured uninstalling AD would be a good place to start.  The PDC was a 2003 server (Maze).  I believe this caused the IUSR accounts to be removed and it’s the reason I get this error in the event log:

Self-update is not working.

I tried using the script here: but it gives me the error:

There was an error attempting to retrieve the localhost RootDSE object.
Perhaps this machine is not a Domain Controller on the network?
ErrorCode: -2147016646

From I’ve gathered this info: LDAP_SERVER_DOWN This error code occurs when the addressed server is unreachable during a BIND authentication in the directory. This can occur due to underlying network problems. A firewall may block the used LDAP port, or the LDAP service isn't active on the destination host.

I pulled up ldp.exe and was able to connect and bind to the server by using its own name, Antelope, but not when using the term "localhost." I assumed MS wanted me to change "localhost" to the name of my server, so I did. The script got further this time; I forget the exact wording of the message I got, but it seemed as if it was working. After a while I checked and the IUSR accounts were still missing. I ended up promoting another 2008 server (Dividedsky) to the PDC role to hopefully avoid future problems.

I also tried restarting the IIS Admin Service, once Dividedsky was the PDC, but still no IUSR accounts.

So anyway, I wanted to remove Antelope as a DC and remove AD.  I start by using dcpromo.exe to remove Antelope from DC status but get an error after the “Delete the Domain” window:

Failed to examine the Active Directory forest. The error was: The operation cannot continue because LDAP connect/bind operation failed: 58 (the specified server cannot perform the requested operation.).

Google was little help with this error, except for what I found here: (under ‘Splain This heading). So, I disabled the local admin account, but no dice, still got the same error.

Looking at the dcpromoui.log doesn’t give me much help, but hopefully someone sees something of use. I've attached it.

I think another big piece to this puzzle may be the fact that the Intersite Messaging service fails to start at startup, or when I try to do it manually.  When tried manually I get a pop-up that says “Failed to start Intersite Messaging The service changed to an unexpected state.”  In the system event viewer: The Intersite Messaging service terminated with the following error: The specified server cannot perform the requested operation.  No errors about this in the application event viewer (I saw someone online w/ this problem who had an error in here too).

Anyone have any ideas as to why I’m having trouble removing Antelope as a DC?
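
As an added diagnostic example (not part of the original post, and not Microsoft's code), the following PowerShell function does what the failing script's RootDSE retrieval and the manual ldp.exe test were doing: connect, bind, and read RootDSE against each target name, so the "localhost" versus host-name difference shows up in a single run. The server names are the ones from the thread; the port, the Negotiate auth type and the timeout are assumptions.

```powershell
# Added example, not code from the original post or from Microsoft.
# Probes LDAP connect + bind + RootDSE read against several target names,
# which is what the failing script and the manual ldp.exe test were doing.
# Assumes .NET System.DirectoryServices.Protocols is available (it is on 2008).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 389            # assumption: plain LDAP, not 636 (LDAPS) or 3268 (GC)
    )
    $ns   = "System.DirectoryServices.Protocols"
    $id   = New-Object -TypeName "$ns.LdapDirectoryIdentifier" -ArgumentList $Server, $Port
    $conn = New-Object -TypeName "$ns.LdapConnection" -ArgumentList $id
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Timeout  = [TimeSpan]::FromSeconds(10)
    try {
        # Bind() throws LdapException (LDAP_SERVER_DOWN and friends) when the
        # connect or the bind fails; that is the -2147016646 case from the post.
        $conn.Bind()

        # Read RootDSE (empty base DN, base scope) to confirm a DC is actually
        # answering on that name, not merely something listening on the port.
        $req = New-Object -TypeName "$ns.SearchRequest"
        $req.DistinguishedName = ""
        $req.Filter = "(objectClass=*)"
        $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
        [void]$req.Attributes.Add("defaultNamingContext")
        [void]$req.Attributes.Add("dnsHostName")
        $resp  = $conn.SendRequest($req)
        $entry = $resp.Entries[0]

        New-Object PSObject -Property @{
            Target    = "${Server}:${Port}"
            Bound     = $true
            DnsHost   = [string]$entry.Attributes["dnsHostName"][0]
            DefaultNC = [string]$entry.Attributes["defaultNamingContext"][0]
            Error     = $null
        }
    } catch {
        New-Object PSObject -Property @{
            Target    = "${Server}:${Port}"
            Bound     = $false
            DnsHost   = $null
            DefaultNC = $null
            Error     = $_.Exception.Message
        }
    } finally {
        $conn.Dispose()
    }
}

# Targets from the thread: the DC's own name, "localhost", and the surviving PDC.
"Antelope", "localhost", "Dividedsky" |
    ForEach-Object { Test-LdapBind -Server $_ } |
    Select-Object Target, Bound, DnsHost, DefaultNC, Error |
    Format-Table -AutoSize
```

If the host name binds and returns a DefaultNC but "localhost" does not, the LDAP service itself is up and the difference lies in how the loopback name resolves or is authenticated on that box, which is the situation the post describes; a script that hard-codes "localhost" will report LDAP_SERVER_DOWN even though the DC is reachable under its own name.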


Darius Ghassem commented:
Do you have an existing domain controller running without you making any changes to it before this mess? Run dcdiag on the new server and the server with problems.

Just to let you know, what you could have done was just create the local user accounts in AD first and then add them to IIS, which would have fixed your problem.
clarkincit (Author) commented:
Sorry for the delay...
Yes, Esther was an existing DC without any changes. I'm attaching both dcdiag results. I'm also including Dividedsky's results because there are plenty of errors that may be of use?

Thanks for the info about creating the accounts.
Darius Ghassem commented:
What server is what?
clarkincit (Author) commented:
Sorry about that...

Antelope is the server that I can't remove as a DC.
Esther is our 2003 R2 SP2 email server.  It seems to be working fine and nothing was changed.
Dividedsky is now the current PDC.
Darius Ghassem commented:
If you just want to remove the DC you can run dcpromo /forceremoval. Then run metadata cleanup. Once you have force removed, though, the best practice is a clean install.
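
As an added example of the path this answer describes (it is not Darius's text or Microsoft's code), the PowerShell script below is meant to run on the surviving DC after dcpromo /forceremoval has already been run on the orphaned one. It checks the survivor with dcdiag first, then feeds the metadata cleanup commands to ntdsutil, then verifies the orphan is no longer listed as a DC. The server names come from the thread; the domain DN and the site name are placeholders and assumptions that must be filled in for the real forest.

```powershell
# Added example, not code from the answer or from Microsoft.
# Run this on the surviving DC (Dividedsky) AFTER 'dcpromo /forceremoval'
# has been run on the orphaned DC (Antelope). Forced removal only touches the
# local box, so the LDAP bind failure that blocks a normal dcpromo does not
# stop it; the leftover replication metadata is what this script removes.
$OrphanDc    = "ANTELOPE"
$SurvivingDc = "DIVIDEDSKY"
$DomainDn    = "DC=example,DC=local"       # PLACEHOLDER: your forest root DN
$SiteName    = "Default-First-Site-Name"   # ASSUMPTION: confirm in AD Sites and Services

# 1. Refuse to touch metadata if the surviving DC itself fails dcdiag.
#    dcdiag prints '... <SERVER> failed test <Name>' for each failing test.
$failedTests = & dcdiag.exe /s:$SurvivingDc |
    Select-String -Pattern 'failed test (\w+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique
if ($failedTests) {
    throw "dcdiag on $SurvivingDc fails: $($failedTests -join ', '). Fix these before metadata cleanup."
}

# 2. Metadata cleanup. On 2008, ntdsutil accepts 'remove selected server <DN>'
#    directly; it deletes the orphan's NTDS Settings object and replication
#    metadata and pops up a confirmation dialog before doing so. Commands are
#    fed through stdin, one per line. Quote the DN if your site name has spaces.
$serverDn = "CN=$OrphanDc,CN=Servers,CN=$SiteName,CN=Sites,CN=Configuration,$DomainDn"
Write-Host "Removing metadata for $serverDn"
@(
    "metadata cleanup",
    "remove selected server $serverDn",
    "quit",
    "quit"
) | & ntdsutil.exe

# 3. Verify: the orphan should no longer be returned as a DC anywhere in the forest.
$still = & dsquery.exe server -forest | Where-Object { $_ -match "CN=$OrphanDc," }
if ($still) {
    Write-Warning "$OrphanDc still appears as a DC; check the ntdsutil output and AD Sites and Services."
} else {
    Write-Host "$OrphanDc no longer listed. Remaining manual cleanup: its DNS SRV/A records and its computer account, if still present."
}
```

The dcdiag gate in step 1 is the reason the answer asks for dcdiag output first: removing metadata from a DC that is itself not replicating or advertising correctly spreads the inconsistency rather than fixing it. Step 3 only confirms the server object is gone; the DNS records and the computer account in the Domain Controllers OU still need to be checked by hand, and the orphaned box itself should be rebuilt rather than re-promoted, as the answer says.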

clarkincit (Author) commented:
Thanks, I was unaware of the forceremoval command.