Cannot remove Active Directory Certificate Services role during migration from SBS to Server Essentials

During a migration from SBS 2008 SP2 to 2012 R2 Essentials, each time I use the Server Manager Remove Roles Wizard to remove the Active Directory Certificate Services role, I get an MMC crash during "Initializing removal".

This is the text from the crash dialog:

Description:
  Stopped working

Problem signature:
  Problem Event Name:      CLR20r3
  Problem Signature 01:      mmc.exe
  Problem Signature 02:      6.0.6002.18005
  Problem Signature 03:      49e02760
  Problem Signature 04:      mscorlib
  Problem Signature 05:      2.0.0.0
  Problem Signature 06:      53a11b76
  Problem Signature 07:      4223
  Problem Signature 08:      a9
  Problem Signature 09:      System.BadImageFormatException
  OS Version:      6.0.6002.2.2.0.305.9
  Locale ID:      2057

A little more information - this is in the ServerManager.log:
2404: 2015-11-03 11:18:52.466 [ExceptionHandler] Error (Id=0) An unexpected exception was found:
System.BadImageFormatException: Could not load file or assembly 'Microsoft.CertificateServices.Setup.Interop, Version=6.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The module was expected to contain an assembly manifest.
File name: 'Microsoft.CertificateServices.Setup.Interop, Version=6.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'
   at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.PerformActionBeforeUninstall(Object clientContext, XDocument host, XDocument guest, String guestIdentity)
   at Microsoft.Windows.ServerManager.Common.Provider.PreUninstall(XDocument host, XDocument guest, String guestIdentity, Object clientContext)
   at Microsoft.Windows.ServerManager.Common.Provider.FlushSyncPreUninstalls(List`1 guestsToSync, Dictionary`2 syncResultMap)
   at Microsoft.Windows.ServerManager.Common.Provider.FlushSync(SyncProgressHandler progressCallback)
   at Microsoft.Windows.ServerManager.Common.Provider.FinalFlush(SyncProgressHandler progressCallback)
   at Microsoft.SystemDefinitionModel.Transformation.Imperative.SyncEngine.Sync(String rootIdentity, String[] eventClassIdentities)
   at Microsoft.Windows.ServerManager.Utilities.ImperativeTransformationEngine.Sync(ClientContext clientContext, ClassValue rootInstance, SyncProgressEventHandler progressHandler, String[] progressItems)
   at Microsoft.Windows.ServerManager.ModelResult.CommitUpdates(ProgressUpdateCallback progressUpdateDelegate, String[] eventClassIdentities)

Open in new window


Any ideas on how to get around this one? With ADCS still on the old server I can't demote it.

Thanks in advance.
RacksuiteAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

FOXActive Directory/Exchange EngineerCommented:
Try ripping it out with a powershell command.
Open powershell as an administrator
type in this command
import-module servermanager
type in the command that you need from the link below
https://technet.microsoft.com/en-us/library/hh848390(v=wps.630).aspx
RacksuiteAuthor Commented:
Foxluv thanks for the suggestion, but it's the SBS 2008 SP2 server that won't let me remove Certificate Services.

The link you gave lists PowerShell commands on 2012 R2 / Win 8.1.

Just in case it might work anyway, I tried import-module servermanager but the module file was not found.

Any other thoughts..?
RacksuiteAuthor Commented:
I may have solved this myself (probably tempting fate writing that as it's still going through now... but it has got further than ever before).

Doing an sfc /scannow reported that corrupt files were found and could not be repaired. Reading the c:\Windows\Logs\CBS\CBS.log file revealed three corrupt files (irritatingly it lists them again and again so at first it looks worse than it actually is).

One of them was Microsoft.CertificateServices.Setup.Interop.dll .

The full file location for this DLL was not given in the CBS.log (thanks guys...) but it was specified as AMD64 and nonSxS so I was able to deduce the file location as
C:\Windows\assembly\GAC_64\Microsoft.CertificateServices.Setup.Interop\6.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.Setup.Interop.dll

Using an SBS 2008 SP2 DVD (very grateful that was lying around) and a copy of the ever-useful 7-Zip, I opened the INSTALL.WIM archive from the SOURCES folder, then navigated through to the equivalent location in the archive and extracted a pristine copy of the DLL from the DVD.

Following these steps at an elevated command prompt I was then able to replace the file.
1. Take ownership of the corrupt file
takeown /f {fullpath_and_filename}
2. Grant full access to Administrators group
icacls {fullpath_and_filename} /grant administrators:f
3. Copy extracted file over the corrupt file (I also took a backup copy of the corrrupt file beforehand in case this somehow made things worse, but wasn't needed)

Those steps came from a Microsoft article aimed at non-server OS systems but since this server is being decommissioned anyway, and I didn't fancy an in-place repair install, I gave them a go.

The Remove Roles wizard is now chugging away and hasn't crashed immediately as before - will update on progress later - wish me luck!

UPDATE: Can confirm this worked and ADCS has now gone from the old server and I can proceed to demote it. Only wasted a day on this, *sigh*...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

FOXActive Directory/Exchange EngineerCommented:
Nice work!! Great learning curve to say the least.
RacksuiteAuthor Commented:
Thanks! Yeah sharp learning curve, could have done with an easier ride as this is really eating my time but hey, better than being defeated!
RacksuiteAuthor Commented:
The only expert reply this question attracted was not helpful as it is not applicable to the operating system in question.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.