Fix ERROR_DS_INVALID_SEARCH_FLAG (0X00002134) in Active Directory
This error means an attribute's searchFlags in AD schema is corrupted or set wrong. Here's the fix, plain and simple.
The Short Fix
You're staring at ERROR_DS_INVALID_SEARCH_FLAG (0X00002134) — probably after a schema update or an attribute change. Don't panic. The root cause is nearly always a bitwise mismatch on the searchFlags attribute for some object class in your AD schema. Here's how to nail it in under 10 minutes.
Step 1: Identify the Bad Attribute
Open a Command Prompt as Administrator on a domain controller. Run:
dcdiag /test:connectivity
If that passes, run a more targeted check:
repadmin /syncall /AdeP
Look for events in Event Viewer under Directory Service with ID 1084 or 1644. Those events usually name the exact attribute that's misconfigured. Had a client last month whose msExchRecipientTypeDetails attribute was the culprit — someone edited searchFlags via ADSI Edit and accidentally set bit 3 when bit 1 was already active.
Step 2: Fix searchFlags with ADSI Edit
Backup first. Export the affected attribute's schema object to a text file using ldifde:
ldifde -f backup.ldf -d "CN=Your-Attribute-Name,CN=Schema,CN=Configuration,DC=YourDomain,DC=com"
Now open ADSI Edit. Connect to the Schema partition:
- Right-click ADSI Edit → Connect to.
- Select Configuration in the dropdown, then expand to CN=Schema,CN=Configuration,...
- Find the attribute named in the event log.
- Right-click → Properties → locate searchFlags.
- Set it to the correct value. The most common valid values:
| Value | Meaning |
|---|---|
| 1 | Indexed |
| 5 | Indexed + Containerized |
| 9 | Indexed + Tuple matching |
| 0 | No indexing |
If you're unsure what it should be, check the attribute's original schemaIDGUID in a clean test environment or consult the application documentation. Don't guess — setting bit 1 (index) on an attribute that's already indexed and containerized (bit 0 and bit 2) will throw this error.
Step 3: Reload Schema Cache
After fixing the value, force a schema reload. Run on the DC:
repadmin /syncall /AdeP
Then restart the Active Directory Domain Services service or reboot the DC. You can also force a cache reload by modifying the registry key HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Schema Cache Reload — set it to 1 and restart NTDS.
Why This Works
Active Directory uses searchFlags to tell the database engine how to index an attribute. The engine is strict — it validates the bitmask against the attribute's existing index state. If you set a flag that conflicts with what's already stored in the database (like turning on index when the attribute already has a different index type), the engine throws 0X00002134 instead of silently breaking. It's a safety check. Fixing the bitmask to a valid combination restores consistency.
Less Common Variations
Sometimes the error isn't in the schema at all. I've seen it happen when:
- Third-party apps like Exchange, SharePoint, or an old backup tool modify searchFlags during installation and botch it.
- Schema restore from backup — if you restore a schema snapshot from a different build, the bit values can shift.
- Cross-forest trust issues — a poorly-written sync tool tries to replicate an attribute with mismatched flags between forests.
- Corrupted DIT file — rare but possible. Run ntdsutil → files → integrity to check.
In those cases, the fix is the same: identify the attribute, correct the searchFlags value, reload schema. If the DIT is corrupt, restore from known-good backup.
Prevention
You can avoid this entirely with a few simple rules:
- Don't edit schema attributes manually unless you absolutely know the valid bitmask combinations.
- Test schema changes in a lab — spin up a test DC with a full replica of your AD, make the change, run dcdiag /test:schemainfrastructure before touching production.
- Document every schema modification — note the original searchFlags value and what you changed it to.
- Use Group Policy to enforce consistent schema across all DCs, especially if you have multiple versions of Windows Server.
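As an added example (not code from the original article), here is a PowerShell script that puts the Step 2 fix and the "document every schema modification" rule together: it reads the attribute's current searchFlags, writes the old and new values to a log before anything changes, refuses any value outside the table in Step 2, and sends the write to the schema master. It assumes the RSAT ActiveDirectory module and Schema Admins rights; the attribute name and log path are placeholders.

```powershell
# Added example, not code from the original article. Assumes the RSAT ActiveDirectory
# module and Schema Admins membership; the attribute name and log path are placeholders.
Import-Module ActiveDirectory

# Values the article's Step 2 table lists as the common valid searchFlags settings.
$ValidSearchFlags = @(0, 1, 5, 9)

function Get-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties searchFlags
    if (-not $obj) { throw "No attributeSchema object named '$LdapDisplayName' under $schemaNC" }
    return $obj
}

function Set-SchemaSearchFlags {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [Parameter(Mandatory)][int]$NewValue,
        [string]$LogPath = "$env:USERPROFILE\searchFlags-changes.log"
    )
    if ($NewValue -notin $ValidSearchFlags) {
        throw "$NewValue is not one of the listed valid values ($($ValidSearchFlags -join ', ')); refusing to write it"
    }
    $attr = Get-SchemaAttribute -LdapDisplayName $LdapDisplayName
    $old  = [int]$attr.searchFlags

    # Record the original value before anything changes; this line is what you
    # consult when you need to roll the attribute back.
    "{0:u}`t{1}`t{2}`told={3}`tnew={4}" -f (Get-Date), $env:USERNAME, $attr.DistinguishedName, $old, $NewValue |
        Add-Content -Path $LogPath

    if ($old -eq $NewValue) {
        Write-Host "searchFlags on $LdapDisplayName is already $old; nothing to change"
        return
    }
    # Schema writes must go to the schema master, not an arbitrary DC.
    $schemaMaster = (Get-ADForest).SchemaMaster
    if ($PSCmdlet.ShouldProcess("$($attr.DistinguishedName) on $schemaMaster", "searchFlags $old -> $NewValue")) {
        Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster -Replace @{ searchFlags = $NewValue }
        Write-Host "searchFlags on $LdapDisplayName changed from $old to $NewValue; reload the schema cache next (Step 3)"
    }
}

# Placeholder usage: review with -WhatIf first, then run it again without -WhatIf.
Set-SchemaSearchFlags -LdapDisplayName 'yourAttributeName' -NewValue 1 -WhatIf
```

The log file gives you the "original searchFlags value" the Prevention section asks you to keep, and the -WhatIf pass shows the exact object and DC that would be touched before you commit.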
One last thing: if you see this error during a domain controller upgrade or migration, it's almost always a schema mismatch between old and new DCs. Sync the schema first, then proceed.