Fix ERROR_DS_DUP_LDAP_DISPLAY_NAME (0x000020BE) Schema Update
Active Directory schema update fails because two attributes or classes share the same LDAP display name. Here's how to find and fix the duplicate.
Cause 1: Two schema objects share the same ldapDisplayName
What's actually happening here is that your schema update — either adding a new attribute or class — is trying to register an ldapDisplayName that's already taken. The error 0x000020BE fires when the schema engine validates uniqueness on that property. I've seen this most often when someone tries to import a schema extension from a vendor that conflicts with a custom attribute you already have, or when you're restoring a schema backup that includes duplicate display names.
How to find the duplicate
Open ADSI Edit (you'll need to install the AD DS Remote Server Administration Tools if you haven't already). Connect to the Schema naming context — it's typically CN=Schema,CN=Configuration,DC=yourdomain,DC=com.
- Right-click the Schema container and choose Find.
- In the Find dialog, set the Find dropdown to
attributeSchemaorclassSchema— run the search twice, once for each object type. - In the Advanced tab, search for
ldapDisplayName=YourDuplicateName.
The search returns exactly one object per type if the name's unique. If you get more than one, that's your duplicate. The second object is the one that should not exist — probably a stale or incorrectly imported attribute.
The fix
You can't directly delete an attributeSchema object if it's still being referenced by a class. First check its isDefunct attribute. If it's FALSE, set it to TRUE using ADSI Edit — this marks it defunct and allows deletion later. Then de-index it by setting searchFlags to 0. After that, you can delete the object outright if you're confident it's not used by any critical application.
// Using PowerShell to find duplicates
Get-ADObject -SearchBase "CN=Schema,CN=Configuration,DC=yourdomain,DC=com" -Filter "ldapDisplayName -eq 'YourDuplicateName'" -Properties ldapDisplayName | Select-Object Name, ldapDisplayName, ObjectClass
The reason step 3 works is that the schema engine only enforces uniqueness at object creation and modification time — it doesn't retroactively check. So once you remove the duplicate object, a schema update with that same name will succeed.
Cause 2: Schema cache is stale
Sometimes the schema update itself is fine, but the local DC's schema cache doesn't reflect the current state. This is rarer, but I've hit it when running schema updates right after a domain controller reboot or after a schema master role transfer. The error message will be the same, but you won't find any real duplicate in ADSI Edit.
How to confirm this
Run repadmin /showattr against the schema master and compare with a replica DC. If the schema master shows no duplicate but the replica throws the error, the cache is your culprit.
The fix
- Force schema cache refresh on the DC where the update failed:
net stop "Active Directory Domain Services"
net start "Active Directory Domain Services"
That's a heavy hammer — it restarts the whole AD DS service on that DC. If you can't take the downtime, run the update directly on the schema master instead.
Alternatively, trigger a cache reload via registry: set HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed to 1 (if it's not already) and run repadmin /syncall. But honestly, restarting the service is the only way I've seen reliably clear a stale cache.
Cause 3: Conflict with system-generated display names for linked attributes
This one's subtle. When you create a linked attribute pair (forward and back link), Active Directory automatically generates a display name for the back link based on the forward link's ldapDisplayName. If someone manually creates a back-link attribute with the same name as the auto-generated one, you get this error on the next schema update that tries to register something with that name.
For example, if you have a forward link named myCustomLink, AD creates a back link named myCustomLinkBL. If you later try to create an attribute with ldapDisplayName=myCustomLinkBL, it'll fail with 0x000020BE.
How to find linked attributes
In ADSI Edit, search for attributeSchema objects where linkID is set. The linkID value is odd for back links (usually 1.2.840.113556.1.2.50 or similar). Look for the forward link's name, then check if a back link exists already with the same base name plus BL suffix.
The fix
You have two choices:
- Rename your new attribute to something that doesn't conflict. Use a suffix like
Custominstead ofBL. - Remove the manually created back link if it was a mistake. Mark it defunct first, then delete.
I'd lean toward renaming — it's safer and doesn't require touching auto-generated objects that AD manages.
Quick-reference summary
| Cause | Symptom | Fix | Tools |
|---|---|---|---|
| Duplicate ldapDisplayName | ADSI Edit shows 2+ objects with same name | Delete or mark defunct the extra object | ADSI Edit, PowerShell Get-ADObject |
| Stale schema cache | No duplicate found, but error persists | Restart AD DS service | net stop/start, repadmin |
| Auto-generated back link conflict | Error after creating linked pair manually | Rename new attribute or remove rogue back link | ADSI Edit, check linkID |
The real fix is almost always Cause 1. Don't waste time rebooting DCs unless you've confirmed the duplication doesn't exist. And if you're dealing with a third-party schema extension, always check the vendor's ldapDisplayName list before importing — I've seen two different products ship attributes named extensionAttribute1.
Was this solution helpful?