0X00002072

Fix Active Directory error 0X00002072: No RDN defined in schema

Windows Errors Intermediate 👁 0 views 📅 May 28, 2026

This error means the schema class for the object you're adding lacks a mandatory RDN attribute. We'll fix it by updating the schema or changing the object class.

You're trying to create an object in Active Directory—maybe a user, group, or a custom class—and boom, error 0X00002072. Annoying, but I've seen this dozens of times. Here's the fix.

The fast fix: Add the RDN attribute to the schema class

You need to make sure the schema class you're using has a valid RDN (Relative Distinguished Name) attribute. Most built-in classes like user already have one (CN), but custom or third-party classes often don't. Here's how to check and fix it.

  1. Open ADSI Edit. Go to Administrative Tools > ADSI Edit. If you don't see it, install the AD DS Remote Server Administration Tools (RSAT) on your management machine.
  2. Connect to the Schema Naming Context. Right-click ADSI Edit and choose Connect to. Under Select a well known Naming Context, pick Schema. Click OK.
  3. Find your class. In the tree, go to CN=Schema,CN=Configuration,DC=..., then find the class that's causing the error. Let's say it's CN=MyCustomClass. Double-click it.
  4. Check the RDN-Att-Id property. In the attribute editor, scroll to RDN-Att-Id. If it's empty or missing, that's the problem. You'll see something like <not set>.
  5. Set the RDN attribute. Double-click RDN-Att-Id and set it to the OID of the attribute you want as RDN. For most objects, that's CN (Common-Name) which has OID 2.5.4.3. Click OK.
  6. Apply the change. Right-click the class object and choose Properties. Then click Apply. You should see the status update to say the change is pending.
  7. Wait for replication. Schema changes replicate automatically. On the domain controller you're creating objects on, wait a few minutes or force replication with repadmin /syncall.
  8. Try adding the object again. Create your user, group, or whatever. This time it should work—the RDN is defined now.

Why this works

Every object in Active Directory needs a Relative Distinguished Name (RDN) that makes it unique within its container. The RDN is part of the object's distinguished name—for example, CN=JohnDoe in CN=JohnDoe,CN=Users,DC=contoso,DC=com. The schema class tells AD which attribute to use for that RDN. If the class doesn't specify one, AD throws error 0X00002072 because it literally doesn't know how to name the object.

The attribute RDN-Att-Id in the schema class definition points to the attribute that holds the RDN value. When you create an object, AD reads that property to figure out what attribute to use. If it's blank, you get the error. Setting it to CN (or another attribute like OU if you're creating an organizational unit) fixes it.

Less common variations of the same issue

Sometimes the problem isn't a missing RDN-Att-Id, but a mismatch. Here are a few I've run into:

  • RDN points to a non-existent attribute. Someone set RDN-Att-Id to an OID that doesn't match any attribute in schema. Double-check the OID maps to a real attribute. Use LDP.exe or ADSI Edit to verify the attribute exists under CN=Schema.
  • You're using the wrong RDN attribute type. If the attribute is a string but you're trying to use a binary attribute, it'll fail. The RDN attribute must be a Unicode string (like CN or OU). Check the attributeSyntax on the attribute—should be 2.5.5.12 for string.
  • The class isn't a structural class. If you're creating an object from an abstract or auxiliary class, it won't have an RDN. You need to use a structural class. Check the objectClassCategory property: 0 is abstract, 1 is structural, 2 is auxiliary. Structural classes (category 1) are the ones you can instantiate.
  • You're hitting this in an LDIF import. If you're using ldifde or a script, make sure the object class you're importing has the RDN attribute populated in the LDIF file. AD ignores the RDN-Att-Id if you don't supply the attribute value.

How to prevent this from happening again

If you're designing custom schema classes, always set the RDN-Att-Id during creation. Here's a quick check before you define a new class:

Before you create a new class in Schema Management, confirm your attribute OIDs are correct and the RDN attribute you want to use exists in schema. Use Show-ADObject in PowerShell to verify: Get-ADObject -Filter {Name -eq 'MyCustomAttribute'} -SearchBase (Get-ADRootDSE).SchemaNamingContext -Properties lDAPDisplayName,attributeSyntax.

Also, don't let third-party applications modify schema without review. I've seen apps leave classes in an incomplete state—no RDN, missing mandatory attributes. Always test schema extensions in a lab first.

Finally, run regular schema audits using repadmin /schema or a simple PowerShell script that checks every class for a non-blank RDN-Att-Id. Catch these before they bite you at 2 AM during a migration.

Was this solution helpful?

0X00002072 ERROR_DS_NO_RDN_DEFINED_IN_SCHEMA Active Directory schema error RDN attribute missing AD user creation fails schema class RDN LDAP error 0x2072 add object fails Windows Server schema fix ADSI Edit schema modification