Fix ERROR_DS_NO_SERVER_OBJECT (0X000021AE) in AD

Server & Cloud | Intermediate | May 26, 2026

This error means a domain controller's server object is missing from Active Directory. You'll fix it by checking DNS, repairing metadata, or forcing demotion.

Quick Fix (30 seconds): Check DNS for the DC's SRV record

This error usually pops up when another DC tries to replicate with a domain controller that was removed improperly, or whose server object got deleted accidentally. Before you do anything heavy, check DNS. Nine times out of ten, the server object in AD is fine but the DNS SRV record for that DC is stale or gone. Replication can’t find the DC because there’s no IP to point at.

  1. Open DNS Manager on any working DC (Run → dnsmgmt.msc).
  2. Expand your domain’s forward lookup zone, then go to _msdcs.<yourdomain> → dc → _tcp.
  3. Look for a _ldap SRV record for the DC that's failing. If it's missing, that's your problem.
  4. Right-click the zone, choose New Host (A or AAAA) and create an A record pointing to the DC’s IP. Then right-click _tcp → Other New Records → Service Location (SRV).
  5. Fill in: Service = _ldap, Protocol = _tcp, Port = 389, Host = the DC’s FQDN (e.g., dc01.contoso.com).
  6. Click OK and wait 5 minutes. Then run repadmin /showrepl from the failing DC to see if replication starts.

Expected outcome: If the SRV record was missing, replication should resume within 5 minutes. If the error persists, move to the moderate fix.
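
The SRV lookup from steps 1 to 3 can also be done from PowerShell on any domain-joined machine. This is an added example, not part of the original article: the function name Test-DcLocatorRecord is hypothetical, and contoso.com / dc01.contoso.com are the placeholder names used above. It only reads DNS.

```powershell
# Added example: read-only check of the DC locator records for one DC.
# Names passed at the bottom are placeholders; replace them with your own.
function Test-DcLocatorRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,   # AD DNS domain, e.g. contoso.com
        [Parameter(Mandatory)][string]$DcFqdn,   # DC to look for, e.g. dc01.contoso.com
        [string]$DnsServer                       # optional: ask one specific DNS server
    )
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    $common  = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $common.Server = $DnsServer }

    # The response can carry A/AAAA records in the additional section; keep SRV only.
    $srv = @(Resolve-DnsName -Name $srvName -Type SRV @common |
             Where-Object { $_.Type -eq 'SRV' })
    $match = @($srv | Where-Object { $_.NameTarget.TrimEnd('.') -ieq $DcFqdn })

    # An SRV record is useless if its target host name does not resolve.
    $addr = @(Resolve-DnsName -Name $DcFqdn -Type A @common |
              Where-Object { $_.Type -eq 'A' })

    [pscustomobject]@{
        SrvName       = $srvName
        DcFqdn        = $DcFqdn
        SrvRegistered = ($match.Count -gt 0)
        SrvPort       = ($match | Select-Object -First 1).Port
        HostAddresses = @($addr | ForEach-Object { $_.IPAddress })
        OtherDcs      = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.') } |
                          Where-Object { $_ -ine $DcFqdn })
    }
}

Test-DcLocatorRecord -Domain 'contoso.com' -DcFqdn 'dc01.contoso.com' | Format-List
```

SrvRegistered = False with other DCs listed matches the missing-record case in step 3; an empty HostAddresses means the A record is the part that is missing.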

Moderate Fix (5 minutes): Run repadmin to remove orphaned metadata

If DNS is fine, the server object for the DC probably exists in AD but is “orphaned”—the DC itself is gone, but its metadata lingers. Every time replication tries to contact that server object, it fails with 0X000021AE. The fix is to clean up that metadata using repadmin and ntdsutil.

  1. On a working DC, open Command Prompt as Administrator.
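  2. Run: repadmin /showrepl and look for the failed DC’s name. Note the DSA object GUID (the GUID of the NTDS Settings object).
  3. Run: repadmin /removelingeringobjects <failing_DC_FQDN> <source_DC_DSA_GUID> <domain_NC_DN> /advisory_mode
    The second argument is required: it is the DSA object GUID of the healthy DC used as the reference copy, as printed by repadmin /showrepl.
    Example: repadmin /removelingeringobjects dc02.contoso.com <source_DC_DSA_GUID> "dc=contoso,dc=com" /advisory_mode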
  4. If advisory mode shows lingering objects, run the same command without /advisory_mode to remove them.
  5. If that doesn't fix it, use ntdsutil to remove the server object entirely:
    ntdsutil
    metadata cleanup
    connections
    connect to server dc01.contoso.com
    quit
    select operation target
    list domains
    select domain <number>
    list sites
    select site <number>
    list servers in site
    select server <number>
    quit
    remove selected server
  6. Confirm when prompted. Then close ntdsutil.

Expected outcome: After metadata cleanup, the orphaned server object is gone. Replication should work. If the failing DC is still physically running and still shows the error after this, it's time for the advanced fix.
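
Before removing anything, a read-only audit of the Sites container shows whether you are looking at orphaned metadata or at a DC whose server object is missing altogether. This is an added example, not part of the original article: Get-DcServerObjectAudit is a hypothetical name, and it assumes the ActiveDirectory module (RSAT), a single-domain forest and DC accounts in the default Domain Controllers OU.

```powershell
# Added example (read-only): compares server objects, NTDS Settings and DC accounts.
# Assumes a single-domain forest and the default "Domain Controllers" OU.
Import-Module ActiveDirectory

function Get-DcServerObjectAudit {
    $root    = Get-ADRootDSE
    $sitesDn = "CN=Sites,$($root.configurationNamingContext)"
    $dcOuDn  = "OU=Domain Controllers,$($root.defaultNamingContext)"

    # Server objects sit under CN=Servers,CN=<site>,CN=Sites in the configuration partition.
    $servers = @(Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=server)' -Properties serverReference)
    # An NTDS Settings (nTDSDSA) child is what makes a server object a replication partner.
    $ntdsParents = @(Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSDSA)' |
                     ForEach-Object { $_.DistinguishedName -replace '^CN=NTDS Settings,', '' })
    $dcAccounts = @(Get-ADComputer -SearchBase $dcOuDn -Filter *)
    $accountDns = @($dcAccounts | ForEach-Object { $_.DistinguishedName })

    foreach ($s in $servers) {
        $hasNtds    = $ntdsParents -contains $s.DistinguishedName
        $hasAccount = [bool]$s.serverReference -and ($accountDns -contains $s.serverReference)
        if ($hasNtds -and $hasAccount) { $finding = 'OK' }
        elseif ($hasNtds) { $finding = 'NTDS Settings but no DC computer account (orphaned metadata)' }
        else { $finding = 'Server object without NTDS Settings (not a DC, or leftover)' }
        [pscustomobject]@{ Name = $s.Name; Object = $s.DistinguishedName; Finding = $finding }
    }

    # DC computer accounts that no server object references: the missing-server-object case.
    $referenced = @($servers | ForEach-Object { $_.serverReference })
    foreach ($c in $dcAccounts) {
        if ($referenced -notcontains $c.DistinguishedName) {
            [pscustomobject]@{ Name = $c.Name; Object = $c.DistinguishedName
                               Finding = 'DC computer account with no server object in any site' }
        }
    }
}

Get-DcServerObjectAudit | Sort-Object Finding, Name | Format-Table -AutoSize -Wrap
```

An "orphaned metadata" finding points to the ntdsutil cleanup above; a "no server object" finding for a DC that is still running points to the advanced fix.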

Advanced Fix (15+ minutes): Force demote the DC or restore the server object

Sometimes the server object is missing entirely from AD—not just orphaned, but deleted. This happens when someone accidentally deleted the computer object through AD Users and Computers, or a failed authoritative restore wiped it. The DC itself is still running, but AD can’t find its own server object. You have two options: force a demotion (if the DC can be rebuilt) or restore the object from backup.

Option A: Force demote the DC

This is the cleanest fix if the DC is expendable. Once demoted, you can promote it again fresh.

  1. Log in to the failing DC (the one throwing the error).
  2. Open Windows PowerShell as Administrator.
  3. Run: Uninstall-ADDSDomainController -DemoteOperationMasterRole:$false -Force
  4. Type Y when it asks to confirm. The server will reboot and become a member server.
  5. After reboot, run dcdiag /test:replications from another DC to confirm the error is gone.
  6. You can now promote the server again using Server Manager → Add Roles and Features → Active Directory Domain Services.

Option B: Restore the server object from backup

If you can't afford to demote—maybe it's a critical DC with FSMO roles—you'll need to restore the server object. This requires a System State backup from before the deletion.

  1. Boot the DC into Directory Services Restore Mode (DSRM). Reboot and press F8 before the Windows logo appears, then select DSRM.
  2. Log in with the DSRM password (different from domain admin).
  3. Open Windows Server Backup and restore System State from a backup taken before the error started.
  4. After restore, the server will reboot into normal mode. Run repadmin /showrepl to verify replication.
  5. Caution: This will revert all AD changes made after the backup. Domain member machines that changed passwords in that window will need to rejoin the domain. Use this only as a last resort.

Expected outcome: After either option, the server object should exist again. The ERROR_DS_NO_SERVER_OBJECT error goes away. If it still shows up after these steps, you likely have a deeper replication issue: check the event logs for replication Event ID 1988 or run dcdiag /v to diagnose further.

Real-world trigger: I see this most often after someone deletes a DC’s computer account from ADUC accidentally, thinking they’re cleaning up stale objects. Don’t do that—use the AD DS Remove Roles wizard or ntdsutil metadata cleanup. Always.
