ERROR_DS_NTDSCRIPT_PROCESS_ERROR (0X00002190) Fix
Happens when Active Directory replication fails due to a corrupt script or script execution error. Fix involves clearing the script or rebuilding the domain controller.
When This Error Shows Up
You're running repadmin /replsum or trying to promote a new domain controller via Install-ADDSDomainController, and you see ERROR_DS_NTDSCRIPT_PROCESS_ERROR (0X00002190). It usually happens during the script processing phase of initial replication — specifically when the destination DC tries to execute a script (like a logon script or startup script) that's stored in the NTDS directory partition.
The real-world trigger is often a corrupt Group Policy Object (GPO) script or a malformed script file (e.g., a PowerShell script with a BOM character or a VBS file with a truncated line). I've seen this on Server 2019 and Server 2022 boxes where someone edited a logon script with Notepad and saved it in UTF-16 instead of ANSI.
Root Cause
Active Directory uses scripts during replication to execute custom code — things like logon scripts, startup scripts, or AD-integrated DNS updates. The NTDSCRIPT process is the component that parses and runs these scripts on the destination domain controller.
What's actually happening here is that the script can't be parsed or executed due to one of these reasons:
- A script file is corrupt — missing a closing quote, wrong encoding, or binary data in a text file.
- The script references a file or path that doesn't exist on the destination DC.
- The script execution policy blocks it — e.g., PowerShell scripts with RemoteSigned but the file isn't signed.
- The script contains a syntax error that only fails when run on the target DC's OS version.
The error code 0X00002190 maps to ERROR_DS_NTDSCRIPT_PROCESS_ERROR in winerror.h. It's not a network or permissions error — it's purely a script processing failure.
How to Fix It
Step 1: Identify the failing script
Run repadmin /showrepl on the destination DC. Look for the replication failure entry that mentions NTDSCRIPT. The output will include a source DSA object GUID and sometimes a script name. If it doesn't show the script name explicitly, check the event log:
Event ID: 1925
Source: NTDS Replication
Description: The attempt to establish a replication link failed with error 0X00002190
Click the event details — the script path is often listed as %SystemRoot%\SYSVOL\...\scripts\....
Step 2: Check the script on the source DC
Log into the source domain controller (the one that last replicated successfully). Navigate to the script path from step 1. Open the script file with Notepad++ or VS Code — not Notepad. Look for:
- Invisible BOM characters (UTF-8 BOM is okay, UTF-16 BOM breaks things).
- Truncated lines — if the file ends mid-script.
- Binary characters — especially if someone copied script from a Word doc.
The most common fix: re-save the file as ANSI or UTF-8 without BOM. In VS Code, click the bottom-right encoding indicator, select "Save with Encoding" then "UTF-8".
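A PowerShell check, added here as an example and not part of the original article, that automates the inspection above across a whole scripts folder: it flags UTF-16 BOMs, NUL and other control bytes (pasted binary or a UTF-16 file without a BOM), and files that do not end in a newline, and with -Fix re-saves UTF-16 files as UTF-8 without BOM after taking a .bak copy. The function name and the share path at the bottom are assumptions; use the path from your Event ID 1925 details.

```powershell
function Test-ScriptEncoding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,   # folder to scan, e.g. the SYSVOL scripts path from the event
        [switch] $Fix                            # re-save UTF-16 files as UTF-8 without BOM (keeps a .bak copy)
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.vbs, *.bat, *.cmd | ForEach-Object {
        $file   = $_
        $bytes  = [System.IO.File]::ReadAllBytes($file.FullName)
        $issues = New-Object System.Collections.Generic.List[string]
        $utf16  = $false
        # Byte-order marks: FF FE / FE FF are UTF-16, EF BB BF is UTF-8 (the harmless one).
        if     ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { $issues.Add('UTF-16 LE BOM'); $utf16 = $true }
        elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) { $issues.Add('UTF-16 BE BOM'); $utf16 = $true }
        elseif ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) { $issues.Add('UTF-8 BOM (usually harmless)') }
        # NUL bytes in a text script mean UTF-16 saved without a BOM, or pasted binary data.
        if (-not $utf16 -and ($bytes -contains 0)) { $issues.Add('NUL bytes (UTF-16 without BOM or binary)') }
        # Control bytes other than TAB/LF/CR usually come from a binary paste or a bad copy.
        $ctrl = @($bytes | Where-Object { $_ -lt 0x20 -and $_ -notin 0, 9, 10, 13 }).Count
        if ($ctrl -gt 0) { $issues.Add("$ctrl control byte(s)") }
        # A single-byte/UTF-8 script whose last byte is not LF/CR may have been cut off mid-line.
        if (-not $utf16 -and $bytes.Length -gt 0 -and $bytes[-1] -notin 10, 13) { $issues.Add('no trailing newline (possible truncation)') }

        if ($Fix -and $utf16) {
            # StreamReader honours the BOM, so the text decodes correctly before being re-saved.
            $reader = New-Object System.IO.StreamReader($file.FullName, [System.Text.Encoding]::Default, $true)
            $text = $reader.ReadToEnd(); $reader.Close()
            Copy-Item $file.FullName "$($file.FullName).bak" -Force
            [System.IO.File]::WriteAllText($file.FullName, $text, (New-Object System.Text.UTF8Encoding($false)))
            $issues.Add('re-saved as UTF-8 without BOM')
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ File = $file.FullName; Issues = ($issues -join '; ') }
        }
    }
}

# Placeholder path (assumption): substitute the scripts folder named in your Event ID 1925 details.
Test-ScriptEncoding -Path '\\dc01.example.com\SYSVOL\example.com\scripts' | Format-Table -AutoSize
```

Run it read-only first on the source DC to see which files are flagged; add -Fix only once you have confirmed the flagged files are the logon scripts you expect.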
Step 3: Force replication of the fix
Once the script is clean on the source DC, force replication:
repadmin /syncall /AdeP
Then on the destination DC, run:
repadmin /syncall /AdeP
repadmin /showrepl /errorsonly
If the error persists, the script may still be cached in the replication queue. Stop and restart the NTDS service on the destination DC to clear the queue:
net stop ntds
net start ntds
Then run repadmin /syncall again.
Step 4: If you can't find the script — nuke the script from Group Policy
Sometimes the script reference is buried in a GPO that you can't easily edit. On the source DC, open Group Policy Management Console, find the GPO that links to the script (look in User Configuration > Windows Settings > Scripts > Logon/Logoff). Temporarily disable the script by removing the script path, then run gpupdate /force and replicate again.
After replication succeeds, you can re-enable the script with a clean copy.
If It Still Fails
If you've cleaned every script and the error won't budge, the issue might be deeper. Check these:
- SYSVOL permissions — the destination DC must have read access to the SYSVOL share. Run dcdiag /test:sysvolcheck.
- Script execution policy — on the destination DC, run Get-ExecutionPolicy -List. If it's Restricted, set it to RemoteSigned: Set-ExecutionPolicy RemoteSigned.
- Corrupt NTDS database — if nothing works, the NTDS database on the destination DC might have a corrupt script table. Run ntdsutil and use semantic database analysis to check for corruption:
ntdsutil
activate instance ntds
semantic database analysis
go
verbose on
go
If it reports script-related corruption, you'll need to demote the DC and re-promote it from scratch. Painful, but sometimes the quickest path.
Final thought: 0X00002190 is almost always a script encoding issue. Don't waste time chasing permissions or DNS — look at the script files first. I've fixed this on four separate Server 2022 deployments by simply re-saving a logon script as ANSI.