0X000020F7

AD Replication Error 0X000020F7 Fix

Windows Errors, Intermediate, May 28, 2026

This error pops up when Active Directory replication tries to use a malformed distinguished name. It's almost always a stale object or a schema mismatch.

When This Error Hits

You'll see 0X000020F7 in the Directory Service event log or when running repadmin /showrepl. It usually follows a partial domain controller demotion or a failed object move between domains. The replication partner complains that the distinguished name (DN) it received doesn't match any object in the naming context — think of it like a mailing address where the street name is misspelled.

Root Cause

The culprit here is almost always an orphaned object — usually a deleted domain controller or a cross-reference container that wasn't cleaned up properly. When a DC is demoted but not fully removed from the topology, its metadata lingers in the configuration partition. Other DCs try to replicate that object's updates using the old DN, which no longer resolves. Schema version mismatches between domain controllers can also trigger this, but that's rarer.

Fix Steps

  1. Identify the bad DN. Run repadmin /showrepl * /csv > repl.csv and look for 0x20f7 in the output. The DN will appear in the error message — something like CN=NTDS Settings,CN=OLD-DC,CN=Servers....
  2. Check for lingering objects. On the source DC, execute repadmin /removelingeringobjects /advisory_mode, supplying the failing partner's name and the partition DN (e.g., DC=domain,DC=com) as the command's arguments. Advisory mode only reports; it tells you whether an object exists on the source but not on the destination without removing anything.
  3. Force-remove the offending object. If the object is an old DC, use Active Directory Sites and Services. Right-click the NTDS Settings object under the old server, choose Delete. Then right-click the server object itself and delete it. This cleans up the configuration partition reference.
  4. Run metadata cleanup manually. If AD Sites and Services won't let you delete, use ntdsutil from an elevated prompt:
    ntdsutil
    metadata cleanup
    select operation target
    connections
    connect to server 
    quit
    list domains
    select domain 0
    list sites
    select site 0
    list servers in site
    select server 
    remove selected server
    quit
    quit
  5. Force replication. After cleanup, run repadmin /syncall /AdeP on the source DC. Check if the error repeats with repadmin /showrepl.
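Step 1 above hands you a repl.csv that can run to hundreds of rows in a large forest. The following PowerShell is an added example, not code from the original article: it filters that CSV down to the partner pairs and partitions reporting this status and is the same check you rerun after step 5. It assumes the file was produced by repadmin /showrepl * /csv > repl.csv. Note that the "Last Failure Status" column holds the Win32 error code in decimal, so 0x20F7 appears there as 8439; the sample CSV at the bottom is constructed in that shape and is not output from any real domain.

```powershell
# Added example (not from the original article). Assumes repl.csv came from:
#   repadmin /showrepl * /csv > repl.csv
# repadmin writes the Win32 status in decimal; 0x20F7 == 8439 (ERROR_DS_DRA_BAD_DN).
$BadDnStatus = 0x20F7

function Find-BadDnReplicationFailures {
    param(
        [Parameter(Mandatory)][string]$CsvPath
    )
    # repadmin tags every row with a showrepl_* marker in the first column; the
    # header row carries the real column names, so Import-Csv maps them directly.
    Import-Csv -Path $CsvPath |
        Where-Object { ($_.'Last Failure Status' -as [int]) -eq $BadDnStatus } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Success Time'
}

function Test-BadDnFailuresRemain {
    # Returns $true while any partner still reports 0x20F7; use it after
    # repadmin /syncall /AdeP to confirm the cleanup actually took.
    param([Parameter(Mandatory)][string]$CsvPath)
    return [bool](Find-BadDnReplicationFailures -CsvPath $CsvPath)
}

# Constructed sample in repadmin's CSV layout (not real output): one healthy
# partition and one domain partition stuck on 8439 between DC02 -> DC01.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC01,"CN=Configuration,DC=example,DC=com",Default-First-Site-Name,DC02,RPC,0,0,2026-05-28 08:00:00,0
showrepl_INFO,Default-First-Site-Name,DC01,"DC=example,DC=com",Default-First-Site-Name,DC02,RPC,12,2026-05-28 09:15:00,2026-05-27 21:00:00,8439
'@
$samplePath = Join-Path $env:TEMP 'repl-sample.csv'
Set-Content -Path $samplePath -Value $sample

Find-BadDnReplicationFailures -CsvPath $samplePath | Format-Table -AutoSize
"Failures remain: $(Test-BadDnFailuresRemain -CsvPath $samplePath)"
```

Against the constructed sample this lists the single DC02 to DC01 row for DC=example,DC=com and prints "Failures remain: True". Point the function at your real repl.csv instead; the Source DSA and Naming Context columns tell you which partner and partition to take into steps 2 through 4.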

If It Still Fails

Sometimes the error is caused by a cross-reference object in the Partitions container. Open ADSI Edit, connect to the Configuration partition, navigate to CN=Partitions,CN=Configuration,DC=domain,DC=com. Look for references to the old domain that shouldn't be there — typically CN=OldDomain entries with the wrong dnsRoot attribute. Delete those carefully (back up first). Also check that all DCs have the same schema version by running dcdiag /test:replications /v on every domain controller. If you see version mismatch, update the schema master first.
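Before deleting anything in the Partitions container it helps to see every crossRef side by side, and to confirm the schema version each DC actually holds. The PowerShell below is an added example, not part of the original article, and is read-only: it requires the ActiveDirectory module (RSAT) and a domain-joined session, and it reads objectVersion directly from the Schema container on each DC as a complement to the dcdiag run described above. The DNS-resolution column is a heuristic I have added to make a crossRef whose dnsRoot no longer exists stand out; it is not proof that the object is stale, so it backs up the manual review, not replaces it.

```powershell
# Added example (not from the original article). Read-only audit of the two
# things the article tells you to inspect when 0x20F7 persists.
Import-Module ActiveDirectory

function Get-CrossRefInventory {
    # Lists every crossRef under CN=Partitions with the attributes that identify
    # which naming context and DNS name it claims to describe.
    $configNc   = (Get-ADRootDSE).configurationNamingContext
    $partitions = "CN=Partitions,$configNc"

    Get-ADObject -SearchBase $partitions -LDAPFilter '(objectClass=crossRef)' `
                 -Properties nCName, dnsRoot, nETBIOSName |
        ForEach-Object {
            # Heuristic (added here): a dnsRoot that no longer resolves is worth a
            # closer look, which is typical of a domain that was removed untidily.
            $resolves = $null
            if ($_.dnsRoot) {
                $resolves = [bool](Resolve-DnsName -Name $_.dnsRoot -ErrorAction SilentlyContinue)
            }
            [pscustomobject]@{
                Name            = $_.Name
                nCName          = $_.nCName
                dnsRoot         = $_.dnsRoot
                nETBIOSName     = $_.nETBIOSName
                DnsRootResolves = $resolves
            }
        }
}

function Get-SchemaVersionByDc {
    # Reads objectVersion from CN=Schema as each DC sees it and flags any DC whose
    # value differs from the schema master's, which is the mismatch the article
    # says to fix on the schema master first.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    $masterVersion = (Get-ADObject -Identity (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext `
                                   -Server $schemaMaster -Properties objectVersion).objectVersion

    foreach ($dc in $dcs) {
        try {
            $schemaNc = (Get-ADRootDSE -Server $dc).schemaNamingContext
            $version  = (Get-ADObject -Identity $schemaNc -Server $dc -Properties objectVersion).objectVersion
            $note     = if ($version -eq $masterVersion) { 'ok' } else { 'MISMATCH vs schema master' }
        } catch {
            # A DC that cannot be reached is reported rather than silently skipped.
            $version = $null
            $note    = "unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            DomainController    = $dc
            SchemaObjectVersion = $version
            SchemaMaster        = $schemaMaster
            Status              = $note
        }
    }
}

Get-CrossRefInventory  | Format-Table -AutoSize
Get-SchemaVersionByDc  | Format-Table -AutoSize
```

Run both functions from a workstation with RSAT rather than on a DC, and keep the output: the crossRef table is the "before" picture you want alongside your backup if a deletion in ADSI Edit later has to be explained or reversed.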

Pro tip: Never ignore 0X000020F7. It doesn't fix itself. The longer you wait, the more objects get stuck in the replication queue, and the bigger the cleanup headache.
