Fix ERROR_DS_CANT_RETRIEVE_INSTANCE (0X000020D7) Fast
Active Directory can't read an instance type attribute. Usually a replication or schema issue. Here's how to fix it without the fluff.
You're Staring at 0X000020D7
Yeah, that error's a pain. It usually pops up when a domain controller can't grab the instance type attribute from another DC during replication or schema update. I've seen it stall a whole AD migration. Let's fix it.
The Real Fix: Check Replication and Schema
This error almost always comes down to one of two things: a replication link that's broken or a schema update that didn't complete. Don't waste time on DNS or permissions first — rule this out.
Step 1: Fire Up dcdiag and repadmin
Open PowerShell as admin on the problematic DC. Run these in order:
dcdiag /test:replications /v
repadmin /showreplLook for ERROR_DS_CANT_RETRIEVE_INSTANCE or any reference to 0x20D7. If you see a failed replication from a specific source DC, that's your culprit. Had a client last month whose print queue died because a DC couldn't replicate — same error code.
Step 2: Force Sync or Fix the Link
If replication failed, try a forced sync from the source DC:
repadmin /syncall /AdePIf that still throws the error, the link might be stale. Remove and re-add the NTDS connection from Active Directory Sites and Services. Right-click the connection object, delete it, then right-click the source DC and choose 'Check Replication Topology' to rebuild it.
Step 3: Schema Update Stuck?
If the error appeared after applying a schema update (like for Exchange, Lync, or a Windows Server feature roll), the schema master might not have finished propagating. Check the schema master's event logs for Event ID 1925 or 1926. Run this on the schema master:
repadmin /showattr . DN:CN=Schema,CN=Configuration,DC=yourdomain,DC=com /filter:"(objectClass=attributeSchema)" /subtree /attrs:instanceTypeLook for any attribute where instanceType is missing or set to 0. That attribute is corrupt. You'll need to restore the schema master from backup or reapply the schema update. I've had to restore a VM snapshot on a domain controller once because a schema update borked mid-flight.
Why This Works
The instanceType attribute tells AD whether an object is a replica, writable, or read-only. When replication can't fetch it, AD can't decide how to treat the object — so it fails. By fixing replication links or completing the schema update, you let AD re-query the attribute correctly. Simple as that.
Less Common Variations
Sometimes the error masquerades as something else:
- During ADMT migration: I've seen
0x20D7when migrating users between forests and the target DC can't read the source schema. Fix: Verify the schema update on the target forest matches the source. - After a DC restore: If you restore a DC from backup without proper authoritative restore, the attribute can get orphaned. Fix: Use
ntdsutilto mark the schema partition as authoritative and resync. - Third-party software hooks: Had a client whose backup software modified AD schema and broke it. Uninstalling the software and re-running
adprep /forestprepfixed it.
Prevention: Stay Ahead of It
Three things keep this error from coming back:
- Monitor replication health weekly. Use
dcdiagin a scheduled task and email yourself the report. Catch broken links before they cause attribute failures. - Test schema updates in a lab first. Always spin up a test DC, apply the update, and run
dcdiagbefore touching production. - Back up the schema master regularly. If you can restore it quickly, you save days of headache. VM snapshots aren't perfect, but they're better than nothing.
You'll beat this error in under 30 minutes by focusing on replication first, then schema. Skip the DNS scavenging and permissions spelunking — that's a different rabbit hole.
Was this solution helpful?