Fix ERROR_DS_INCOMPATIBLE_VERSION (0X00002177) on Windows Server

Quick Answer

Run adprep /forestprep and adprep /domainprep on the schema master, then force replication with repadmin /syncall. If the offending DC can't be updated, demote it with dcpromo.

What's Going On

You're seeing ERROR_DS_INCOMPATIBLE_VERSION (0X00002177) when a domain controller tries to replicate. This almost always means one DC has a newer Active Directory schema version than another DC in the same forest. The newer DC can't talk to the older one because the schema version defines what objects and attributes it expects. This happens when you add a Windows Server 2019 or 2022 DC into a forest that still has Server 2008 R2 or 2012 R2 DCs without running adprep first. The LSASS process on the newer DC will crash with this error, and you'll see it in the System event log as Event ID 1925 or 1926.

I've seen this bite people who rush domain upgrades. They spin up a new DC on fresh hardware, join it to the domain, and boom — everything stops replicating. The fix is straightforward, but you need to be deliberate about which DC you touch.

Fix Steps — The Main Course

1. Identify the schema master. On any working DC, open a command prompt and run netdom query fsmo. Look for the line that says Schema master. That's the server you need to update.
2. Log into the schema master as a domain admin who's also a member of the Schema Admins group. This is critical — if you're not in Schema Admins, adprep will fail with access denied.
3. Run adprep /forestprep. Insert the Windows Server 2019 or 2022 installation media (or mount an ISO). Navigate to the \support\adprep folder and run:

   adprep /forestprep

   You'll be prompted to confirm. Type C and press Enter. Wait for it to complete — might take 2-5 minutes.
4. Then run adprep /domainprep. Still on the schema master, run:

   adprep /domainprep

   This updates the schema for your domain. It runs faster than forestprep.
5. Force replication. On the newer DC, run:

   repadmin /syncall /A /P /e

   This forces a full sync across all partition replicas. Watch for the error to clear.
6. Reboot the newer DC. Not always necessary, but it clears any lingering schema cache in LSASS.

If That Doesn't Work

Sometimes adprep runs fine but the old DC just can't handle the new schema. The culprit here is almost always a domain controller running Server 2008 or 2008 R2 without SP2. Those old OS versions don't support the schema extensions for Server 2019/2022. You have two options:

• Upgrade the old DC's OS. In-place upgrade from Server 2008 R2 to 2012 R2, then to 2019. This isn't fun, but it works.
• Demote the old DC. If it's a relic, just kill it. Run dcpromo /forceremoval on the old server to forcefully demote it. Clean up its metadata with:

  ntdsutil \n metadata cleanup \n connections \n connect to server NewDC01 \n quit \n select operation target \n list domains \n select domain 0 \n list sites \n select site 0 \n list servers for context in domain \n select server OldDC01 \n quit \n remove selected server

Skip trying to edit the Schema manually — it's a rabbit hole that breaks more than it fixes.

Prevention Tip

Before you add any new DC, run adprep /forestprep and adprep /domainprep on the schema master. Always. Even if you think the schema is already current. Check the current schema version with:

dsquery * cn=schema,cn=configuration,dc=yourdomain,dc=com -scope base -attr objectVersion

Also, keep your domain functional level at least at Server 2012 R2 before introducing Server 2019 or newer. You can check this in Active Directory Domains and Trusts under the domain properties.