Fix ERROR_DS_EXISTS_IN_MUST_HAVE (0x000020C1) in Active Directory
Can't delete a schema attribute because it's still in another class's Must-Contain list. Here's how to find and remove that reference, then retry.
What's Happening Here
You tried to delete an attribute from the Active Directory schema and got ERROR_DS_EXISTS_IN_MUST_HAVE (0x000020C1). It means that attribute is still listed as a required (mustContain) attribute for some class in the schema. For example, if you extended the schema and added a custom attribute to the user class's mustContain list, you can't delete that attribute until you yank it out of that list first.
This usually happens after a botched schema extension or when cleaning up old Exchange or Lync attributes. Don't worry, it's fixable. You'll need Domain Admin rights and schema admin membership to proceed.
The 30-Second Fix: Check Your Permissions
Before diving into the schema, make sure you're logged in with an account that's a member of the Schema Admins group. Without that, the Schema Management snap-in won't let you change anything.
- Open a command prompt as an administrator.
- Type whoami /groups | findstr /C:"Schema Admins" and press Enter. (The /C: switch makes findstr match the whole phrase; without it, findstr treats "Schema" and "Admins" as two separate search words.)
- If you see "Schema Admins" in the output, you're good. If not, get a Domain Admin to add you to that group. You'll need to log out and back in for it to take effect.
Still getting the error? Let's move to the moderate fix.
The 5-Minute Fix: Find the Offending Class
You need to identify which class still requires this attribute. We'll use LDP.exe, a tool built into Windows Server.
- Press Windows + R, type ldp.exe, and hit Enter.
- In LDP, click Connection > Connect. Type your domain controller's hostname (e.g., dc01.contoso.com) and click OK.
- Click Connection > Bind. Use your current credentials (or the schema admin account) and click OK.
- Click View > Tree. In the BaseDN dropdown, pick CN=Schema,CN=Configuration,DC=contoso,DC=com (your domain name will differ). Click OK.
- In the left pane, find your attribute. It's listed under CN=yourAttributeName. Double-click it.
- In the attribute window, look for attributeID or lDAPDisplayName so you know the exact name. Write it down.
- Now we need to search for classes that reference it. Click Browse > Search. Set BaseDN to the Schema container again. Set Filter to (objectCategory=classSchema). Set Scope to Subtree.
- Click Options. In the Attributes field, type mustContain;systemMustContain (LDP separates attribute names with semicolons). Click OK.
- Click Run. A list of classes appears. Look for any class that has your attribute's lDAPDisplayName among its mustContain or systemMustContain values.
If you see it there, that's the class you need to edit. Note the class name (like CN=myCustomClass). If you don't see any matches, you might be looking at the wrong attribute. Double-check the attribute's lDAPDisplayName.
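The same search can be run from PowerShell instead of clicking through LDP. This is an added example, not part of the original article: it uses the ActiveDirectory module from RSAT, and the function name, parameter names and the placeholder attribute name myCustomAttribute are this example's own. It goes slightly beyond the LDP steps above: it queries all four containment lists and flags which of them actually block the deletion (the two *MustContain lists), so the mayContain references discussed later in the article show up in the same run.

```powershell
# Added example (not from the original article): list every classSchema object
# that references an attribute in its mustContain / systemMustContain list,
# and also report mayContain / systemMayContain hits for completeness.
# Requires the ActiveDirectory module (RSAT). Attribute name below is a placeholder.
Import-Module ActiveDirectory

function Find-SchemaClassesReferencingAttribute {
    param(
        [Parameter(Mandatory)] [string] $LdapDisplayName,            # e.g. 'myCustomAttribute'
        [string] $Server = (Get-ADForest).SchemaMaster                 # schema edits go to the schema master anyway
    )

    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext

    # Escape LDAP filter metacharacters (RFC 4515) so an odd attribute name
    # cannot change the meaning of the filter.
    $escaped = $LdapDisplayName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $lists  = 'mustContain', 'systemMustContain', 'mayContain', 'systemMayContain'
    $terms  = ($lists | ForEach-Object { "($_=$escaped)" }) -join ''
    $filter = "(&(objectCategory=classSchema)(|$terms))"

    Get-ADObject -Server $Server -SearchBase $schemaNC -SearchScope Subtree `
                 -LDAPFilter $filter -Properties (@('lDAPDisplayName') + $lists) |
        ForEach-Object {
            $cls = $_
            foreach ($list in $lists) {
                # mustContain and friends hold lDAPDisplayNames, so a direct compare works.
                if ($cls.$list -contains $LdapDisplayName) {
                    [pscustomobject]@{
                        Class             = $cls.lDAPDisplayName
                        DistinguishedName = $cls.DistinguishedName
                        List              = $list
                        BlocksDeletion    = ($list -like '*MustContain')   # only the required lists raise 0x20C1
                    }
                }
            }
        }
}

# Usage (placeholder attribute name):
Find-SchemaClassesReferencingAttribute -LdapDisplayName 'myCustomAttribute' | Format-Table -AutoSize
```

Rows with BlocksDeletion = True are the classes you need to edit in the next section; rows with False are the mayContain references the "Still Stuck?" section mentions, which are worth cleaning up at the same time.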
The 15+ Minute Fix: Remove the Must-Contain Reference
Now we'll edit the class to remove the attribute from its mustContain list. We'll use ADSI Edit, not the Schema snap-in.
- Open ADSI Edit. If it's not installed, install it via Server Manager under Features > Remote Server Administration Tools > AD DS and AD LDS Tools.
- Right-click ADSI Edit in the left pane and choose Connect to.
- In Select a well known Naming Context, pick Configuration. Click OK.
- Navigate to CN=Configuration,DC=contoso,DC=com > CN=Schema.
- Find the class you identified earlier. Right-click it and choose Properties.
- In the Attribute Editor tab, scroll down to mustContain (or systemMustContain if the class is system-defined). Select it and click Edit.
- In the list of values, find the attribute's lDAPDisplayName (e.g., "myCustomAttribute"). Select it and click Remove.
- Click OK twice.
- Now repeat the same for the systemMustContain attribute if it's also listed there.
After removing it, you must wait for replication to finish. Or force it: open a command prompt as admin, run repadmin /syncall /AdeP. This replicates the schema changes to all domain controllers.
Once replication is done, try deleting the attribute again through the Schema snap-in or via ADSI Edit. Right-click the attribute in the Schema container and choose Delete. It should work now.
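For environments where you would rather script the removal than click through ADSI Edit, here is the same procedure in PowerShell. This is an added example, not part of the original article: the function name, parameter names and the placeholder names myCustomClass and myCustomAttribute are this example's own; the repadmin /syncall /AdeP call is the one the article gives. The script targets the schema master explicitly, because schema writes are only accepted by that domain controller, and it supports -WhatIf so you can see the intended change before applying it.

```powershell
# Added example (not from the original article): remove an attribute from a
# class's mustContain list on the schema master, force replication, re-check.
# Requires the ActiveDirectory module (RSAT) and Schema Admins membership.
Import-Module ActiveDirectory

function Remove-SchemaMustContainReference {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ClassLdapDisplayName,       # e.g. 'myCustomClass'
        [Parameter(Mandatory)] [string] $AttributeLdapDisplayName    # e.g. 'myCustomAttribute'
    )

    # Schema modifications are only accepted by the schema master FSMO role holder.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

    $class = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
                 -LDAPFilter "(&(objectCategory=classSchema)(lDAPDisplayName=$ClassLdapDisplayName))" `
                 -Properties mustContain, systemMustContain
    if (-not $class) { throw "Class '$ClassLdapDisplayName' not found under $schemaNC" }

    if ($class.systemMustContain -contains $AttributeLdapDisplayName) {
        # systemMustContain is a system-owned attribute; this script deliberately leaves it alone.
        Write-Warning "'$AttributeLdapDisplayName' is also in systemMustContain of '$ClassLdapDisplayName'; this script only edits mustContain."
    }

    if ($class.mustContain -contains $AttributeLdapDisplayName) {
        if ($PSCmdlet.ShouldProcess($class.DistinguishedName, "Remove '$AttributeLdapDisplayName' from mustContain")) {
            # Remove just this one value from the multi-valued mustContain attribute.
            Set-ADObject -Server $schemaMaster -Identity $class.DistinguishedName `
                         -Remove @{ mustContain = $AttributeLdapDisplayName }

            # Push the schema change to every DC instead of waiting for the replication interval.
            & repadmin.exe /syncall /AdeP | Out-Null
        }
    } else {
        Write-Host "'$AttributeLdapDisplayName' is not in mustContain of '$ClassLdapDisplayName'; nothing to do."
    }

    # Re-read from the schema master and report whether the reference is gone.
    $after = Get-ADObject -Server $schemaMaster -Identity $class.DistinguishedName -Properties mustContain
    [pscustomobject]@{
        Class         = $ClassLdapDisplayName
        Attribute     = $AttributeLdapDisplayName
        StillRequired = [bool]($after.mustContain -contains $AttributeLdapDisplayName)
    }
}

# Usage (placeholder names). Remove -WhatIf to actually apply the change.
Remove-SchemaMustContainReference -ClassLdapDisplayName 'myCustomClass' `
                                  -AttributeLdapDisplayName 'myCustomAttribute' -WhatIf
```

Run it once with -WhatIf to confirm the distinguished name it will modify, then again without. When StillRequired comes back False, retry the attribute deletion as described above.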
Still Stuck? One Last Check
Sometimes the attribute is referenced in mayContain or systemMayContain lists. Those won't cause this error, but the class might still block deletion. Check those lists too and remove the attribute if present.
Also, verify the attribute isn't referenced by another attributeSchema object itself — like a memberOf back link. That's a different error code (0x000020C2 usually), but it's worth checking if you still hit a wall.
If after all this it still fails, consider deactivating the attribute instead of deleting it. Set isDefunct to TRUE in the attribute's properties. That hides it from the schema but doesn't remove it. Not ideal, but it's a solid workaround if you're in a hurry.