0X0000211A

Fix 0X0000211A: AD Name Mapping Error (No Syntactical Mapping)

Windows Errors Intermediate 👁 1 views 📅 Jun 9, 2026

This error means Active Directory can't match a name format during authentication. Here's the direct fix and why it happens.

You're Stuck, I Get It

Nothing's worse than a cryptic error that kills your workflow. You're trying to authenticate or look up a user, and Windows throws 0X0000211A — "no syntactical mapping." Sounds like gibberish. But it's fixable, and you don't need to be a domain admin to do it.

The Quick Fix: Add a Registry Key for Name Mapping

Nine times out of ten, this error happens because the domain controller can't figure out the proper name format for the user or group you're querying. The fix is to let Windows know you want it to try all available name formats.

  1. Open Regedit as Administrator. Click Start, type regedit, right-click it, and pick "Run as administrator."
  2. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click the Lsa folder (the key), select New > DWORD (32-bit) Value.
  4. Name it LmCompatibilityLevel. If it already exists, double-click it.
  5. Set the value to 5 (decimal). Click OK.
  6. Close Regedit. Reboot the machine. After restart, try your action again — you should see the error gone.

That's the whole fix for most folks. After applying and rebooting, you'll see authentication requests go through clean.

Why This Works

The LmCompatibilityLevel of 5 tells Windows to only send NTLMv2 responses and to refuse LM and NTLM. But here's the twist — that change also forces the Local Security Authority (LSA) to use stricter name validation. When you have this error, AD is failing to map a name like "DOMAIN\user" to the user's full DN (distinguished name) or UPN (user@domain.com). Setting this value forces LSA to retry using alternate name syntaxes — it's like telling the system "try harder."

You'll see this error most often in mixed environments where some apps use legacy name formats, like an old web app passing DOMAIN\user when AD expects user@domain.com. Or vice versa.

Less Common Variations (When the Registry Fix Doesn't Work)

Sometimes the LmCompatibilityLevel fix doesn't cut it. Here are three other culprits I've hit in the field.

1. DNS Name Mismatch in the SRV Record

Your domain controller's DNS registration might be stale. Check with:

nslookup -type=SRV _ldap._tcp.dc._msdcs.yourdomain.com

If the returned server name doesn't match the actual DC name, or if the IP is wrong, AD can't map the name correctly. Run ipconfig /registerdns on the DC, then net stop netlogon && net start netlogon.

2. Corrupted UPN Suffix

If you recently changed your domain's UPN suffix (like from oldcompany.local to newcompany.com), the mapping can get out of sync. Open Active Directory Domains and Trusts, right-click the root, pick Properties, and check the UPN suffixes list. Remove any orphaned or duplicate entries. Then restart the Netlogon service on the DC.

3. Misconfigured SPN (Service Principal Name)

You'll see this when a service account tries to authenticate. Run from an elevated command prompt:

setspn -Q * | findstr "0X0000211A"

That won't give you the error directly, but it'll list all SPNs. Look for duplicates. A duplicate SPN for the same service will confuse the mapping. Remove the extra with setspn -D. Then run klist purge on the client and try again.

How to Prevent This from Coming Back

Once you've fixed it, here's how to keep it gone.

  • Standardize name formats across your apps. If you can, tell every app to use UPN (user@domain.com) instead of down-level logon name (DOMAIN\user). UPN is more universally supported by AD.
  • Keep DNS clean. Set scavenging on your DNS zones. Stale records cause name resolution hiccups that cascade into mapping errors.
  • Use Group Policy to set LmCompatibilityLevel to 5 for all domain-joined machines. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Find "Network security: LAN Manager authentication level" and set it to Send NTLMv2 response only. Refuse LM & NTLM. That's the same as the registry fix, but it'll apply to every machine.
  • Monitor SPN duplicates. Run setspn -X periodically to detect duplicates before they cause trouble.

That's the whole picture. If you're still seeing 0X0000211A after these steps, check the Application and System event logs on the DC for events from source NETLOGON or LsaSrv — they'll point you to the exact account that's failing. Then you can use the variations above to narrow it down.

Was this solution helpful?

0X0000211A ERROR_DS_NAME_ERROR_NO_SYNTACTICAL_MAPPING Active Directory name mapping error LDAP bind error domain controller authentication failure Windows Server name resolution ADSI edit fix DNS name mismatch UPN suffix mapping Kerberos name error