Fix ERROR_DS_MISSING_FSMO_SETTINGS (0X000020F2) in Active Directory

Network & Connectivity | Intermediate | Jun 2, 2026

A domain controller raises this error when it cannot determine which DC owns the FSMO roles. Here is why it happens and how to fix it.

When This Error Hits

You're on a Windows Server 2016 or 2019 domain controller and you try to transfer or seize a FSMO role, or a replication check such as repadmin /showrepl turns it up: ERROR_DS_MISSING_FSMO_SETTINGS, 0x000020F2 (decimal 8434). It shows up most often after a domain controller was forcefully demoted, destroyed, or restored from backup without its roles being transferred and its metadata cleaned up. The DC's copy of the AD database then holds a FSMO owner reference that no longer resolves: the fSMORoleOwner attribute on a role object (CN=Schema and CN=Partitions in the Configuration partition, the domain naming context head, CN=RID Manager$,CN=System and CN=Infrastructure in the domain, and the CN=Infrastructure objects of the DomainDnsZones and ForestDnsZones application partitions) points at the NTDS Settings object of a DC that no longer exists.

Root Cause (Plain English)

Every domain controller holds a writable copy of the NTDS database. Ownership of each flexible single master operation role is not a setting on the DC itself; it is the fSMORoleOwner attribute of one specific object in the directory, and its value is the distinguished name of the owning DC's NTDS Settings object. When that attribute is missing or corrupted, or points at an NTDS Settings object that has been deleted (the usual case when the role holder was wiped out without transferring its roles first), the directory service cannot determine who owns the role. Rather than report "role holder does not exist", it fails with 0x000020F2, whose winerror.h description is that the directory service is missing mandatory configuration information and cannot determine the ownership of floating single-master operation roles. The fix is to remove the dead DC's stale metadata and seize the roles it held onto a live DC, which rewrites those attributes with a valid owner.

The Fix: Use ntdsutil

Skip the GUI here and use the command line. The sequence below is run from a healthy domain controller (or a management host with RSAT): it first removes the defunct DC's metadata and then seizes the roles that DC held.

  1. Open Command Prompt as Administrator on a healthy domain controller: right-click Start and choose Command Prompt (Admin) or PowerShell (Admin). Do not do this on the broken or defunct DC.
  2. Launch ntdsutil: type ntdsutil and press Enter.
  3. Enter the metadata cleanup context: type metadata cleanup and press Enter.
  4. Connect to a healthy DC, not the one being removed: type connections, then connect to server <healthy DC FQDN>, press Enter, then quit to return to the metadata cleanup prompt.
  5. Select the operation target: type select operation target and press Enter.
  6. List and select the domain: type list domains, note the index, then select domain <index>.
  7. List and select the site: type list sites, then select site <index>.
  8. List and select the server: type list servers in site, then select server <index>, choosing the defunct DC whose metadata is stale (the former role holder), not the DC that displayed the error.
  9. Return to metadata cleanup: type quit once.
  10. Remove the selected server: type remove selected server and confirm the warning. This deletes the dead DC's NTDS Settings object and its related metadata. (ntdsutil also accepts remove selected server <server DN> directly, which skips the list and select steps.)
  11. Seize the roles the dead DC held: type quit to leave metadata cleanup, then roles, connections, connect to server <healthy DC FQDN>, quit, and one of seize schema master, seize naming master, seize PDC, seize RID master or seize infrastructure master per role. ntdsutil tries a transfer first and only seizes when the current holder cannot be reached. Seize only the roles the dead DC actually held, and never bring the old holder back online afterwards.
  12. Verify; no reboot is needed: run netdom query fsmo and repadmin /showrepl on the new role holder and confirm that every role resolves to a live DC and replication succeeds. If the removed server still physically exists, reinstall it before promoting it again.
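The owner check from the root-cause section and the cleanup-and-seize procedure above, as one added PowerShell example that is not part of this article. It assumes RSAT's ActiveDirectory module, an account in Enterprise Admins (plus Schema Admins for the schema role), and the placeholder names DEADDC, DC02 and Default-First-Site-Name. It uses Move-ADDirectoryServerOperationMasterRole -Force in place of ntdsutil's roles context for the seizure, and it only reports until $Apply is set to $true.

```powershell
# Added example, not from the original article. Assumes RSAT's ActiveDirectory module,
# an account in Enterprise Admins (plus Schema Admins for the schema role), and these
# placeholders: DEADDC is the DC that was wiped without giving up its roles, DC02 is the
# healthy DC that will take them, Default-First-Site-Name is the site of DEADDC's server object.
$DeadDc = 'DEADDC'
$GoodDc = 'DC02'
$Site   = 'Default-First-Site-Name'
$Apply  = $false    # $false reports only; $true runs the metadata cleanup and the seizure

Import-Module ActiveDirectory
$rootDse      = Get-ADRootDSE -Server $GoodDc
$configNC     = $rootDse.configurationNamingContext
$domainDN     = $rootDse.defaultNamingContext
$forestDN     = $rootDse.rootDomainNamingContext
$deadServerDN = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$configNC"

# The "FSMO settings" are the fSMORoleOwner attributes of these objects. Each must hold the DN
# of a live DC's NTDS Settings object. The two DNS application partitions carry their own
# infrastructure owner and are checked as well.
$roleObjects = [ordered]@{
    SchemaMaster         = "CN=Schema,$configNC"
    DomainNamingMaster   = "CN=Partitions,$configNC"
    PDCEmulator          = $domainDN
    RIDMaster            = "CN=RID Manager`$,CN=System,$domainDN"
    InfrastructureMaster = "CN=Infrastructure,$domainDN"
    DomainDnsZonesInfra  = "CN=Infrastructure,DC=DomainDnsZones,$domainDN"
    ForestDnsZonesInfra  = "CN=Infrastructure,DC=ForestDnsZones,$forestDN"
}

function Get-FsmoOwnerStatus {
    # One row per role object: the raw fSMORoleOwner value and whether it is usable.
    param([System.Collections.IDictionary]$Roles, [string]$Server, [string]$DeadDcName)
    foreach ($role in $Roles.Keys) {
        $dn    = $Roles[$role]
        $owner = $null
        try {
            $obj   = Get-ADObject -Identity $dn -Properties fSMORoleOwner -Server $Server -ErrorAction Stop
            $owner = $obj.fSMORoleOwner
        } catch { }
        if (-not $owner)                 { $status = 'missing' }        # attribute absent or object unreadable
        elseif ($owner -like '*0ADEL:*') { $status = 'deleted owner' }  # DN of a tombstoned NTDS Settings object
        elseif ($owner -like "CN=NTDS Settings,CN=$DeadDcName,*") { $status = 'dead DC' }
        else {
            try   { $null = Get-ADObject -Identity $owner -Server $Server -ErrorAction Stop; $status = 'ok' }
            catch { $status = 'unresolvable' }
        }
        [pscustomobject]@{ Role = $role; Object = $dn; Owner = $owner; Status = $status }
    }
}

$report = Get-FsmoOwnerStatus -Roles $roleObjects -Server $GoodDc -DeadDcName $DeadDc
$report | Format-Table Role, Status, Owner -AutoSize

# Seize only the five forest/domain roles whose owner is bad. The two DNS partition owners are
# reported only; they are fixed by rewriting fSMORoleOwner to a live NTDS Settings DN, not by seizure.
$toSeize = @($report | Where-Object { $_.Status -ne 'ok' -and $_.Role -notlike '*DnsZonesInfra' } |
             Select-Object -ExpandProperty Role)

$deadInMetadata = $false
try { $null = Get-ADObject -Identity $deadServerDN -Server $GoodDc -ErrorAction Stop; $deadInMetadata = $true } catch { }

if (-not $Apply) {
    "Dead server object present in metadata: $deadInMetadata ($deadServerDN)"
    "Roles that would be seized on ${GoodDc}: $(if ($toSeize) { $toSeize -join ', ' } else { 'none' })"
    return
}

if ($deadInMetadata) {
    # Same command sequence as the interactive session, connecting to the HEALTHY DC and naming
    # the dead server by DN instead of walking list/select. ntdsutil still asks for confirmation.
    & ntdsutil.exe 'metadata cleanup' 'connections' "connect to server $GoodDc" 'quit' `
                   "remove selected server $deadServerDN" 'quit' 'quit'
}

if ($toSeize) {
    # -Force turns a transfer into a seizure when the current holder cannot be contacted.
    Move-ADDirectoryServerOperationMasterRole -Identity $GoodDc -OperationMasterRole $toSeize `
                                              -Force -Confirm:$false
}

# Verify: every role must resolve to a live DC and the new holder must replicate cleanly.
netdom query fsmo
repadmin /showrepl $GoodDc
```

Run it first with $Apply left at $false and read the report: if every role is 'ok' and the dead server object is already gone, the error is not a stale owner and you should look at replication and DNS instead. Only flip $Apply once the roles listed for seizure are the ones the dead DC really held, and once you are sure that machine will never rejoin the domain as it was.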

If It Still Fails

Sometimes the database is too corrupted for ntdsutil. In that case:

  • Run dcdiag /v and check for other errors like NTDS or KCC failures. Fix those first.
  • Check NTDS database integrity. Stop the directory service first (net stop ntds), because esentutl cannot open a DIT that NTDS has locked, then run esentutl /g %SystemRoot%\NTDS\ntds.dit. If it reports corruption, repair is a last resort; restoring the DC from a known-good system state backup, or rebuilding it, is the safer path.
  • If the DC is irreparable, force-demote it: dcpromo /forceremoval on older servers, or Uninstall-ADDSDomainController -ForceRemoval from the ADDSDeployment PowerShell module on Windows Server 2012 and later. A forced removal does not clean up the DC's metadata, so run the metadata cleanup above from a live DC before promoting a replacement.

One more thing: always verify DNS before assuming FSMO issues. If the _ldap._tcp.dc._msdcs.domain SRV records (and _ldap._tcp.pdc._msdcs.domain for the PDC emulator) are missing, DCs cannot locate each other or the role holders, and the resulting failures get misdiagnosed as FSMO corruption. Run nslookup -type=srv _ldap._tcp.dc._msdcs.domain to check.
