0x0000203D

Decoding error 0x0000203D in Active Directory: fix it now

Windows Errors | Intermediate | Jun 10, 2026

0x0000203D is ERROR_DS_DECODING_ERROR (decimal 8253), the Win32 code the Windows LDAP client library (Wldap32) hands back as LDAP_DECODING_ERROR when it can't decode directory data: typically an attribute value such as a security descriptor or SID whose bytes don't match the structure the decoder expects. A corrupted object is the usual trigger. A malformed LDAP filter is a different failure with its own code, ERROR_DS_FILTER_UNKNOWN (0x0000203E), so don't chase filter syntax for this one.

I've seen this error pop up in two real-world scenarios. First, when you run a PowerShell script that queries AD and hits a corrupted security descriptor on a user object. Second, when an LDAP client like an old application tries to bind and the server can't decode an attribute value—usually a malformed SID or a binary blob that got mangled during replication. The trigger that always sticks out: someone deleted a group but the ACL on a resource still points to that group's SID. Next time you query that resource, boom, 0x0000203D.

What's actually happening here?

LDAP traffic is ASN.1 BER: every request and response is a sequence of tagged, length-prefixed values that the receiver decodes into attributes. Binary-syntax attributes such as objectSid, objectGUID and nTSecurityDescriptor travel as octet strings with their own internal layout, so the client decodes them a second time, into a SID or a security descriptor. If a length field doesn't match the bytes that follow it, say a SID whose SubAuthorityCount promises more bytes than are present, or an ACE whose size runs past the end of its ACL, the decoder gives up and the call returns this error. The root cause is usually a corrupt object in the directory, often from a failed replication, a half-finished schema change, or a tool that wrote garbage into an attribute.

Fix it: step by step

Don't waste time rebuilding the whole domain. You can narrow this down in under 15 minutes.

  1. Identify the culprit object
    Open Event Viewer on a domain controller and go to Applications and Services Logs > Directory Service. Event ID 1644 is the one to use: once search-statistics logging is enabled (set the NTDS Diagnostics registry value "15 Field Engineering" to 5), it records the client address, base DN, filter and scope of LDAP searches. It logs expensive or inefficient searches, not failed decodes, so lower the "Expensive Search Results Threshold" and "Inefficient Search Results Threshold" values under the NTDS\Parameters key while you hunt, or small searches won't show up; the base DN and filter then tell you which object the client that reported 0x0000203D was reading. Event ID 2889 is unrelated: it records clients that bind without LDAP signing. I had a client last month where the error pointed to a user account in a corrupted OU.
  2. Use repadmin to check replication
    Run this on the DC that threw the error, with the DN from step 1 (the * means every DC, so you get each replica's attribute metadata side by side):
    repadmin /showobjmeta * "<object DN from step 1>"
    Compare the version, USN and originating DSA of each attribute across DCs. If one DC is missing attributes or carries different versions, replication is the issue: repadmin /showrepl shows whether that DC's inbound replication is failing, and repadmin /syncall /AdeP forces a full sync. Don't force a sync until you know which copy is the good one, or you replicate the corruption instead of fixing it.
  3. Check the object with ADSI Edit
    Open ADSI Edit (install it from RSAT if needed). Connect to the Default naming context, navigate to the object from step 1, right-click it and choose Properties. On the Attribute Editor tab look at objectSid and nTSecurityDescriptor (there is no attribute called sID; objectSid is where the SID lives). A value that renders as a meaningless hex string, or an error when you try to open it, is your corruption.
  4. Fix the security descriptor
    The quickest fix is to rewrite the descriptor. In ADSI Edit, open Properties, select nTSecurityDescriptor on the Attribute Editor tab and click Edit to open the security dialog, or use the Security tab > Advanced and enable inheritance so the object takes its permissions from the parent OU again. If the dialog can't even open the descriptor, dsacls "<object DN>" /resetDefaultDACL rewrites the DACL to the schema default from the command line. If that fails too, delete the object and recreate it. A recreated user gets a new SID, so disable the account, note the old SID (so you can find and fix ACLs that still reference it) and create a new one. Painful but it works.
  5. Repair the database as a last resort
    If multiple objects are corrupt, suspect the database itself. Take a system state backup first. Boot the DC into Directory Services Restore Mode (DSRM), or on Windows Server 2008 and later just stop the Active Directory Domain Services service, then run:
    ntdsutil
    activate instance ntds
    files
    integrity
    quit
    semantic database analysis
    go fixup
    quit
    quit
    The integrity check (esentutl /g under the hood) reports page-level corruption; semantic database analysis with go fixup repairs dangling references and reference counts. Restart AD DS (or reboot) and test.
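The manual inspection in steps 3 and 4 can be scripted. The PowerShell below is an added example, not code from the article: it fetches objectSid and nTSecurityDescriptor for one object as raw bytes and runs them through the .NET SID and security-descriptor parsers, so it reports exactly which value fails to decode (the failure mode described under "What's actually happening") and which DACL entries name a SID that no longer resolves, which is what a deleted group leaves behind. It assumes a domain-joined Windows host (System.DirectoryServices ships with Windows); the default -ObjectDN is a hypothetical placeholder, and -SelfTest runs the same checks against constructed bytes without touching the directory.

```powershell
<#
 Added example (not code from the original article). Pulls objectSid and
 nTSecurityDescriptor for one object as raw bytes and runs them through the
 .NET SID and security-descriptor parsers, so you see which value the decoder
 chokes on and which DACL entries name a SID that no longer resolves.
 Assumes a domain-joined Windows host; the default -ObjectDN is a hypothetical placeholder.
#>
param(
    [string]$ObjectDN = 'CN=Example User,OU=Sales,DC=corp,DC=example',  # hypothetical DN
    [switch]$SelfTest   # use constructed bytes instead of querying the directory
)

function Test-SidBytes {
    param([byte[]]$Bytes)
    # Binary SID layout: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6) SubAuthority(4 each)
    if ($null -eq $Bytes -or $Bytes.Length -lt 8) { return 'too short to be a SID' }
    if ($Bytes[0] -ne 1) { return "unknown SID revision $($Bytes[0])" }
    $expected = 8 + 4 * [int]$Bytes[1]
    if ($Bytes.Length -lt $expected) { return "truncated: $($Bytes.Length) bytes present, header promises $expected" }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($Bytes, 0)
        return "OK $($sid.Value)"
    } catch { return "decode failed: $($_.Exception.Message)" }
}

function Test-SecurityDescriptorBytes {
    param([byte[]]$Bytes)
    # Self-relative descriptor header: Revision(1) Sbz1(1) Control(2) + four 4-byte offsets = 20 bytes
    $report = [ordered]@{ Status = ''; OrphanedSids = @() }
    if ($null -eq $Bytes -or $Bytes.Length -lt 20) { $report.Status = 'too short to be a security descriptor'; return $report }
    try { $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0) }
    catch { $report.Status = "decode failed: $($_.Exception.Message)"; return $report }
    $aceCount = 0
    if ($null -ne $sd.DiscretionaryAcl) {
        foreach ($ace in $sd.DiscretionaryAcl) {
            $aceCount++
            if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
            # A SID that no longer translates to an account is what a deleted principal leaves behind.
            try { $null = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]) }
            catch { $report.OrphanedSids += $ace.SecurityIdentifier.Value }
        }
    }
    $report.Status = "OK owner=$($sd.Owner) DACL ACEs=$aceCount"
    return $report
}

function Get-FirstValue {
    param($Props, [string]$Name)
    # SearchResult property names are lower-case; the unary comma keeps the byte[] from being unrolled.
    if ($Props.Contains($Name) -and $Props[$Name].Count -gt 0) { return ,$Props[$Name][0] }
    return $null
}

function Get-RawAttributeBytes {
    param([string]$DistinguishedName)
    # DirectorySearcher returns these attributes as byte[]; Get-ADObject would decode them
    # (and fail) before you get a chance to look at the raw value.
    $root = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$DistinguishedName")
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($root, '(objectClass=*)',
        [string[]]@('objectSid', 'nTSecurityDescriptor'))
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    # Owner, group and DACL only; reading the SACL needs SeSecurityPrivilege and isn't needed here.
    $searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner,Group,Dacl'
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Object not found: $DistinguishedName" }
    return @{ Sid = (Get-FirstValue $result.Properties 'objectsid')
              Sd  = (Get-FirstValue $result.Properties 'ntsecuritydescriptor') }
}

if ($SelfTest) {
    # Constructed sample values, not taken from any real directory.
    $sid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-21-1000-2000-3000-1105')
    $sidBytes = [byte[]]::new($sid.BinaryLength); $sid.GetBinaryForm($sidBytes, 0)
    $sddl = 'O:BAG:BAD:(A;;GA;;;BA)(A;;GR;;;S-1-5-21-1000-2000-3000-9999)'   # second ACE names a SID nobody owns
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
    $sdBytes = [byte[]]::new($sd.BinaryLength); $sd.GetBinaryForm($sdBytes, 0)
    $intact = Test-SecurityDescriptorBytes $sdBytes
    'SID intact:    ' + (Test-SidBytes $sidBytes)
    'SID truncated: ' + (Test-SidBytes ($sidBytes[0..($sidBytes.Length - 5)]))
    'SD intact:     ' + $intact.Status + ' orphaned=' + ($intact.OrphanedSids -join ',')
    'SD truncated:  ' + (Test-SecurityDescriptorBytes ($sdBytes[0..($sdBytes.Length - 9)])).Status
} else {
    $raw = Get-RawAttributeBytes -DistinguishedName $ObjectDN
    $sdReport = Test-SecurityDescriptorBytes $raw.Sd
    'objectSid:            ' + (Test-SidBytes $raw.Sid)
    'nTSecurityDescriptor: ' + $sdReport.Status
    if ($sdReport.OrphanedSids.Count -gt 0) {
        'DACL entries whose SID no longer resolves (check whether they belong to a deleted group):'
        $sdReport.OrphanedSids | Sort-Object -Unique | ForEach-Object { "  $_" }
    }
}
```

Run it against each DC in turn (point the LDAP path at a specific server, LDAP://dc01.corp.example/<DN>, if you want to compare replicas) and the DC whose bytes fail to parse is the one holding the bad copy. An orphaned SID in the DACL is not a decoding failure by itself; it is listed so you can clean up the reference while you are in there.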

If it still fails after the fix

Sometimes the error comes from an application that's sending bad data. Capture the LDAP exchange with Wireshark and let its LDAP dissector decode it, paying attention to binary attributes like objectSid or tokenGroups. The capture only helps if the traffic is plain LDAP on port 389; LDAPS or a SASL-sealed session hides the payload, so reproduce the query from a test client with an unencrypted bind if you have to. I've seen a custom app that encoded a Unicode string as UTF-16 but the LDAP library expected UTF-8; the server couldn't decode it and returned 0x0000203D. In that case, the fix is on the app side, not the DC.

Another thing: check the event logs on all DCs. If only one DC throws the error, that DC probably holds a corrupt copy of the object; confirm it with repadmin /showobjmeta against each DC before you act. Demote it and promote it back cleanly rather than forcing replication of the corrupt object, which will haunt you later.

Bottom line: 0x0000203D is usually a single bad object. Find it, nuke it, recreate it. You're back up in an hour.
