LDAP error 0x35(53 (Unwilling To Perform) in NTDSUTIL

    Question

  • I inherited this one.

    Server was promoted to a DC in an existing single domain/forest that had one DC.

    Client shut down old server without demoting or using metadata cleanup.

    Client renamed new server to the name of the old server.

    This broke AD/DNS/DHCP and where I got involved.

    I was able to change the name of the server back to the name it had when it was promoted.  NETDOM shows only the 1 FQDN of the server and AD/DNS/DHCP are working.

    However, the original server still shows up in AD.  It has a different SID, different SPNs, etc.

    The client still wants to rename the new server to the old name but the object exists in AD so that's not possible.

    If I run ntdsutil and metadata cleanup I am unable to remove the DC and the error is 'LDAP error 0x35(53 (Unwilling To Perform)'.

    Any idea what could be causing this now?


    -=Chris

    Wednesday, December 28, 2016 7:33 PM

All replies

  • Hello,

    There are two things I would do in your place:

    • Verify that all FSMO roles have correctly been transferred/seized by the new DC.
    • Verify that the new DC is completely operational. If it is possible, I would recommend that you try to join and promote one more DC to the domain.

    /Regards

    • Proposed as answer by AlvwanModerator Thursday, December 29, 2016 9:17 AM
    Wednesday, December 28, 2016 8:33 PM
  • Assuming that the new DC is also a GC, you can proceed as follows (please take system state backups before proceeding):

    • Seize the FSMO roles on the new DC: https://support.microsoft.com/en-gb/kb/255504
    • Do a metadata cleanup by removing the old DC computer account using dsa.msc then removing its NTDS settings and reference using dssite.msc

    Once done, run dcdiag and make sure that there are no errors.

    After that, you can rename the new DC.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK


    • Proposed as answer by AlvwanModerator Thursday, December 29, 2016 9:17 AM
    Wednesday, December 28, 2016 8:51 PM
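The two replies above both come down to the same pre-flight check before touching metadata: confirm which DC holds every FSMO role, see which server objects the configuration partition still lists as DCs (an NTDS Settings child means the directory still treats it as a live DC), and compare the two computer accounts whose names collide. The following PowerShell script is an added example written for this thread, not code from any of the posters or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, the account running it can read the configuration partition, and that the two placeholder names `OLD-DC-NAME` and `NEW-DC-NAME` are replaced with the real ones.

```powershell
# Added example (not from the thread): inventory FSMO role holders and
# domain-controller objects before attempting metadata cleanup.
# Assumes the RSAT ActiveDirectory module and read access to the configuration NC.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. FSMO role holders: after a seizure all five should name the surviving DC.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
"`n== FSMO role holders =="
$roles.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# 2. DCs the directory currently advertises as live.
$liveDCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 3. Server objects under CN=Sites in the configuration partition.
#    A server object that still has an NTDS Settings (nTDSDSA) child but no
#    matching live DC is the stale entry left behind by the unclean removal.
$configNC = $forest.PartitionsContainer -replace '^CN=Partitions,', ''
$sitesDN  = "CN=Sites,$configNC"
"`n== Server objects in $sitesDN =="
Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=server)' -Properties dNSHostName |
    ForEach-Object {
        $ntds = Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                             -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Server      = $_.Name
            DNSHostName = $_.dNSHostName
            HasNTDS     = [bool]$ntds
            IsLiveDC    = ($liveDCs -contains $_.dNSHostName)
        }
    } | Format-Table -AutoSize

# 4. Compare the two computer accounts. Different SIDs and SPN sets are exactly
#    why the old name cannot be reused while the old object still exists.
"`n== Computer accounts =="
foreach ($name in 'OLD-DC-NAME', 'NEW-DC-NAME') {   # placeholders, not real names from the thread
    try {
        $c = Get-ADComputer -Identity $name -Properties servicePrincipalName
        "{0}: SID={1}" -f $c.Name, $c.SID.Value
        $c.servicePrincipalName | ForEach-Object { "    SPN: $_" }
    } catch {
        "$name: not found in the domain"
    }
}

# 5. Health check of the surviving DC; /q prints only failures.
"`n== dcdiag (errors only) =="
& dcdiag.exe /q
```

Run it on the surviving DC before and after the cleanup: before, the table in step 3 should show the old server with `HasNTDS` true and `IsLiveDC` false; after a successful cleanup that row should be gone and step 5 should print nothing.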
  • The roles have been seized to itself.  Attempting to delete the DC from Active Directory Users and Computers yields the same error that I get by running metadata cleanup from a command line with ntdsutil.

    -=Chris

    Thursday, December 29, 2016 5:58 PM
  • Hi,

    You are getting the error "LDAP_UNWILLING_TO_PERFORM (0x35)", meaning the server does not handle directory requests. Please go through the steps given in the forum thread below.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/7320d318-ac2d-4918-bca5-24ac3b5163e4/unable-to-remove-child-domain

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 30, 2016 5:37 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 3, 2017 7:09 AM
    Moderator