  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1861

Trouble removing 2008 Server from being a Domain Controller

The question starts with the issues I was having with WSUS to show you how I arrived at my real question.  I can save the WSUS question for another post, just wanted to give some background info in case it's relevant.

The other week I realized I could no longer open the WSUS console on one of our 2008 servers (Antelope).

Error: MMC has detected an error in a snap-in and will unload it.
When I chose to “Unload the snap-in and continue running” I received the message box:
End Snap-in.  The snap-in is not responding.
I’d choose “End Now” and receive an “Unhandled Exception in Managed Code Snap-in."

I tried a few things, including removing the WSUS file, but couldn’t get it to work.  I ended up uninstalling/reinstalling ASP.net and WSUS.  However, once WSUS was installed again, it no longer showed up under the Admin Tools menu… I had to access it via Server Manager.  Every time server manager was closed, all the Classifications I had chosen no longer showed up under the Updates section.  The default Updates showed up: All Updates, Critical Updates, Security Updates and WSUS Updates, and all the other classifications are still checked in the Products and Classifications window, but I need to uncheck them, hit apply, check and apply again.  I also noticed that the few Windows 7 boxes we have show up as an OS of Windows 6.1.  I finally decided to see if I could correct these things and ran into some more problems…

This server became a Domain Controller and AD was installed during the brief time WSUS was uninstalled, so I figured uninstalling AD would be a good place to start.  The PDC was a 2003 server (Maze).  I believe this caused the IUSR accounts to be removed and it’s the reason I get this error in the event log:

Self-update is not working.

I tried using the script here:  http://support.microsoft.com/?kbid=946139 but it gives me the error:

There was an error attempting to retrieve the localhost RootDSE object.
Perhaps this machine is not a Domain Controller on the network?
ErrorCode: -2147016646

From http://www.selfadsi.org/errorcodes.htm I’ve gathered this info: LDAP_SERVER_DOWN This error code occurs when the addressed server is unreachable during a BIND authentication in the directory. This can occur due to underlying network problems. A firewall may block the used LDAP port, or the LDAP service isn't active on the destination host.

I pulled up ldp.exe and was able to connect (and bind) to the server by using its own name, Antelope, but not when using the term “localhost.”  I assumed MS wanted me to change “localhost” to the name of my server, so I did.  The script got further this time, I forget the exact wording of the message I got, but it seemed as if it was working.  After a while I checked and the IUSR accounts were still missing.  I ended up promoting another 2008 server (Dividedsky) to the PDC role to hopefully avoid future problems.

I also tried restarting the IIS Admin Service, once Dividedsky was the PDC, but still no IUSR accounts.

So anyway, I wanted to remove Antelope as a DC and remove AD.  I start by using dcpromo.exe to remove Antelope from DC status but get an error after the “Delete the Domain” window:

Failed to examine the Active Directory forest. The error was: The operation cannot continue because LDAP connect/bind operation failed: 58 (the specified server cannot perform the requested operation.).

Google was little help with this error, except for what I found here:

http://www.wildbluesky.com/ (under ‘Splain This heading). So, I disabled the local admin account, but no dice, still got the same error.

Looking at the dcpromoui.log doesn’t give me much help, but hopefully someone sees something of use. I've attached it.

I think another big piece to this puzzle may be the fact that the Intersite Messaging service fails to start at startup, or when I try to do it manually.  When tried manually I get a pop-up that says “Failed to start Intersite Messaging The service changed to an unexpected state.”  In the system event viewer: The Intersite Messaging service terminated with the following error: The specified server cannot perform the requested operation.  No errors about this in the application event viewer (I saw someone online w/ this problem who had an error in here too).

Anyone have any ideas as to why I’m having trouble removing Antelope as a DC?


dcpromoui.log.docx
Repadmin.docx
Asked:
clarkincit
1 Solution
 
Darius Ghassem Commented:
Do you have an existing domain controller running without you making any changes to it before this mess? Run dcdiag on new server and the server with problems.

Just to let you know what you could have done was just create the Local user accounts in AD first then add them to IIS which would have fixed your problem.
 
clarkincit (Author) Commented:
Sorry for the delay...
Yes, Esther was an existing DC w/ out any changes.  I'm attaching both dcdiag results.  I'm also including Dividedsky's results because there are plenty of errors that may be of use?

Thanks for the info about creating the accounts.
Antelope-dcdiag.txt
Esther-dcdiag.txt
Dividedsky-dcdiag.txt
 
Darius Ghassem Commented:
What server is what?
 
clarkincit (Author) Commented:
Sorry about that...

Antelope is the server that I can't remove as a DC.
Esther is our 2003 R2 SP2 email server.  It seems to be working fine and nothing was changed.
Dividedsky is now the current PDC.
 
Darius Ghassem Commented:
If you just want to remove the DC you can run dcpromo /forceremoval. Run metadata cleanup. Once you have force removed though the best practice is a clean install.
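Added example (not part of the thread and not either poster's own commands): one way to run and verify the metadata cleanup mentioned in the answer above, from an elevated prompt on a remaining healthy DC after `dcpromo /forceremoval` has finished on the removed server. The site name, forest root DN and DNS domain below are placeholders, not values from the thread.

```batch
@echo off
rem Added example: metadata cleanup and verification after a forced DC removal.
rem Run on a healthy DC (Dividedsky in this thread), not on the removed server.
rem ASSUMPTIONS: SITE, ROOT_DN and DNS_DOMAIN are placeholders; replace them.
setlocal
set "OLD_DC=ANTELOPE"
set "SITE=Default-First-Site-Name"
set "ROOT_DN=DC=example,DC=local"
set "DNS_DOMAIN=example.local"
set "SERVER_DN=CN=%OLD_DC%,CN=Servers,CN=%SITE%,CN=Sites,CN=Configuration,%ROOT_DN%"

rem 1. Stop if any FSMO role is still recorded against the removed DC.
rem    findstr returns errorlevel 0 when the name is found.
netdom query fsmo | findstr /i "%OLD_DC%"
if not errorlevel 1 (
    echo %OLD_DC% is still listed as a FSMO role holder. Move the role first.
    exit /b 1
)

rem 2. Remove the removed DC's directory metadata from the configuration partition.
rem    ntdsutil asks for confirmation before it deletes anything.
ntdsutil "metadata cleanup" "remove selected server %SERVER_DN%" quit quit

rem 3. Verify. Any DN printed by dsquery is a leftover server object to
rem    review in Active Directory Sites and Services.
dsquery server -name %OLD_DC%

rem    The removed DC should no longer appear in the DC list.
nltest /dclist:%DNS_DOMAIN%

rem    SRV records still pointing at the removed DC need manual cleanup in DNS.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DNS_DOMAIN%

rem    Replication and overall health on the remaining DCs (/q prints errors only).
repadmin /replsummary
dcdiag /q
endlocal
```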
 
clarkincit (Author) Commented:
Thanks, I was unaware of the forceremoval command.