
Fix 0x00002193: Disabled Cross-Ref Replica Change

Windows Errors | Intermediate | May 28, 2026

You get this when trying to modify a disabled cross-reference object in AD. The fix is to enable it first, then make your change.

When This Error Hits

You're working on Active Directory replication, maybe adding a new domain controller or adjusting the naming context topology. You pop open ADSI Edit, navigate to CN=Partitions,CN=Configuration,DC=yourdomain,DC=com, find the cross-reference object for a domain or application partition, and try to modify the msDS-ReplicaSet attribute or the dnsRoot property. Then you get this:

ERROR_DS_REPLICA_SET_CHANGE_NOT_ALLOWED_ON_DISABLED_CR
0x00002193

I've seen this on Windows Server 2016 and 2019 after an ill-advised repadmin /removelingeringobjects run that disabled a cross-reference. Also happens when someone manually marks a crossRef object as disabled to stop replication, then later tries to re-enable it.

Root Cause

The cross-reference object (crossRef) has an attribute named enabled (LDAP display name: enabled), but it's a computed construct. (msDS-EnabledFeatureBL, despite the similar name, is for something else.) Under the hood, the system checks the systemFlags attribute. Bit 7 (0x80) is the disabled flag. When that bit is set, the cross-reference is considered disabled.

The error means: you tried to change the replica set (like adding a new DC to replicate that partition) on a crossRef that's currently disabled. AD won't let you modify replica set properties on a disabled cross-reference because it assumes you're cleaning up or the partition is being decommissioned. The fix is simple: enable it first, make your change, then disable again if needed.

Why Microsoft Designed It This Way

Think about it: if you could add replicas to a disabled cross-reference, you'd end up with orphaned replication links. The disabled state is a safety lock. AD enforces that you can't build a replica topology on a crossRef that's marked as not in use. It's the same logic as not being able to mount a drive that's been dismounted — you have to remount first.

The Fix

You'll need ADSI Edit, which is part of the RSAT tools. On a domain controller or a machine with RSAT installed, run adsiedit.msc.

  1. Connect to the Configuration Naming Context — In ADSI Edit, right-click on "ADSI Edit" in the left pane and choose "Connect to". Select "Configuration" from the dropdown. Click OK.
  2. Navigate to the Partitions Container — Expand CN=Configuration,DC=yourdomain,DC=com, then CN=Partitions. This is where all cross-reference objects live. Each domain, application partition, and even the forest's own domain has one.
  3. Find the Disabled crossRef — Look for the object whose cn matches the partition you're trying to modify. For example, CN=childdomain or CN=DC=child,DC=domain,DC=com. Right-click it, choose Properties.
  4. Check the systemFlags value — In the Attribute Editor, scroll to systemFlags. Double-click it. If the value is 0x80 (128 decimal) or contains that bit, it's disabled. A normal, enabled crossRef has systemFlags = 0 (or maybe 1 with other bits).
  5. Enable the cross-reference — Change the systemFlags value by clearing bit 7. So if it's 128, set it to 0. If it's 129 (0x81), set it to 1. Click OK.
  6. Apply your replica set change — Now modify whatever you needed to change on the msDS-ReplicaSet or dnsRoot or nCName. It should work without the 0x00002193 error.
  7. Optionally re-disable the crossRef — If you need to disable it again (e.g., for a partition you're slowly decommissioning), set systemFlags back to include 0x80 after your changes replicate. But note: the change you just made will replicate out even if you disable it immediately — AD doesn't revert changes when you toggle the flag.
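
The same check-and-enable sequence (steps 2 to 5) can be scripted with the ActiveDirectory RSAT module. This is an added example, not part of the original article: it takes the article's description of the 0x80 bit at face value, and the -PartitionDN and -Server parameter names are chosen here for illustration. Run it with -WhatIf first.

```powershell
#Requires -Modules ActiveDirectory
# Added example: list crossRef objects, decode the 0x80 bit the article
# describes as the disabled flag, and clear it on one partition.
[CmdletBinding(SupportsShouldProcess)]
param(
    # nCName of the partition to enable, e.g. 'DC=child,DC=domain,DC=com' (placeholder)
    [string]$PartitionDN,
    # Must be a writable DC; the attribute cannot be edited on an RODC
    [string]$Server = (Get-ADDomainController -Discover -Writable).HostName[0]
)

$DisabledBit = 0x80   # bit 7, per the article
$configNC    = (Get-ADRootDSE -Server $Server).configurationNamingContext
$partitions  = "CN=Partitions,$configNC"

# Steps 2-4: enumerate every crossRef and show whether the bit is set
$crossRefs = Get-ADObject -Server $Server -SearchBase $partitions -SearchScope OneLevel `
        -LDAPFilter '(objectClass=crossRef)' -Properties nCName, dnsRoot, systemFlags |
    Select-Object DistinguishedName, nCName, dnsRoot,
        @{ n = 'systemFlags'; e = { [int]$_.systemFlags } },
        @{ n = 'Disabled';    e = { ([int]$_.systemFlags -band $DisabledBit) -ne 0 } }

$crossRefs | Format-Table nCName, systemFlags, Disabled -AutoSize

# Without -PartitionDN this is a read-only audit
if (-not $PartitionDN) { return }

$target = $crossRefs | Where-Object { $_.nCName -eq $PartitionDN }
if (-not $target)          { throw "No crossRef with nCName '$PartitionDN'." }
if (-not $target.Disabled) { Write-Output 'Bit 0x80 is not set; nothing to change.'; return }

# Step 5: clear only bit 7 and keep every other bit (128 -> 0, 129 -> 1)
$newFlags = $target.systemFlags -band (-bnot $DisabledBit)
$action   = "systemFlags $($target.systemFlags) -> $newFlags"

if ($PSCmdlet.ShouldProcess($target.DistinguishedName, $action)) {
    Set-ADObject -Server $Server -Identity $target.DistinguishedName `
        -Replace @{ systemFlags = $newFlags }
    # Keep the original value so step 7 can restore it exactly
    Write-Output "Changed on ${Server}: $action"
}
```

Make the replica set change from step 6 against the same DC named in the output, so replication latency does not hide the new flag value.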

What If It Still Fails?

Three things to check:

  • Replication latency: If you just enabled the crossRef on one DC but you're running the tool on another DC, the enable might not have replicated yet. Force replication with repadmin /syncall /AdeP on the DC where you made the change, or run ADSI Edit on the same DC that holds the PDC Emulator role for consistency.
  • Protected object: Some crossRef objects are system-critical and won't let you change systemFlags at all. The forest's own domain crossRef (the one for DC=forestroot) is protected and can't be disabled via ADSI Edit. If you're hitting this on the forest root domain, you're probably doing something wrong, and the error might be a symptom of a deeper issue like an invalid partition name in the crossRef.
  • Check event logs: Look in the Directory Service log on the DC for Event ID 1925 or 2042. These often point to why the crossRef got disabled in the first place — usually a lingering object conflict or an attempted domain removal that failed halfway.

One last thing: if the systemFlags attribute is greyed out or you can't modify it, you might be looking at a read-only DC (RODC). Connect to a writable DC instead.

Side note: repadmin /showrepl will sometimes show disabled cross-references as "cross-ref disabled" in its output. That's your clue before you even open ADSI Edit. Run repadmin /showrepl * /csv and look for lines where the cross-ref column says "disabled".
