Fix ERROR_DS_NOT_ON_BACKLINK (0X000020AA) on Printer Deployments
This pops up when you try to move or delete a printer object in AD that's stuck as a back link. The fix is a one-line LDAP attribute edit.
When This Error Hits
You're in Active Directory Users and Computers (ADUC), trying to move a printer object from one OU to another—or delete a dead one. Right-click, Move or Delete, and bam: ERROR_DS_NOT_ON_BACKLINK (0X000020AA). The operation cannot be performed on a back link. You stare at the dialog, wondering if you need to rebuild the whole print server.
I've seen this most often after a failed printer migration or when someone manually edited the printQueue object's memberOf attribute. Happens on Windows Server 2012 R2 through 2022, usually after a domain controller replication hiccup or a scripted printer deployment that left orphaned back links.
Root Cause
Every printer object in AD has a forward link (the actual object) and back links (reverse references from other objects). AD automatically maintains these. When a printer's forward link is missing or corrupted—say the printer object got deleted but its back links lingered—the directory sees a back link with no matching forward link. That orphaned back link is read-only. You can't move or delete it through normal means because AD thinks it's part of a broken two-way tie.
The culprit is almost always a stale memberOf or manager attribute on the printer object that points to a nonexistent group or user. AD refuses to modify the object until you clean that back link.
Fix: Strip the Back Link with ADSI Edit
- Open ADSI Edit – Run adsiedit.msc as Domain Admin. Right-click 'ADSI Edit' in the left pane and select 'Connect to'. Leave the defaults (Naming Context: Default naming context) and click OK.
- Navigate to the printer object – Expand the domain, then the OU path. Look for the printer object under CN=Printers,CN=ComputerName,CN=.... If you don't see it, go to View → Filter Settings and uncheck 'Show only previously known objects'.
- Open the printer's properties – Right-click the printer object → Properties.
- Locate the back link attribute – In the Attribute Editor tab, scroll to memberOf. This is the most common back link culprit. Double-click it. You'll see a list of DNs (Distinguished Names) for groups or users that reference this printer. Any DN that points to a deleted or non-existent object is the problem.
- Remove the bad back link – In the memberOf editor, select each DN that looks wrong—usually it starts with CN=... and ends with DC=.... Click Remove until only valid DNs remain. If the list is empty after removal, leave it blank. Apply.
- Check for other back link attributes – Also look at manager, directReports, and managedBy. These can hold back links too. Clear any that reference missing objects.
- Try the move or delete again – Switch back to ADUC. The operation should work now. If it still fails, move to the next step.
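Before removing anything by eye in ADSI Edit, you can list which DNs in those attributes actually fail to resolve. The script below is an added example, not part of the original fix: it is read-only, the function name Get-DanglingLinkValue and the server name in the comment are made up for illustration, and the DN is a placeholder.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-DanglingLinkValue {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # DN of the printer object to inspect
        [Parameter(Mandatory)][string]$Identity,
        # Attributes the steps above say to check
        [string[]]$Attribute = @('memberOf', 'manager', 'directReports', 'managedBy'),
        # Optional DC to query, e.g. 'dc01.domain.com:3268' (placeholder) for a global catalog
        [string]$Server
    )

    $common = @{}
    if ($Server) { $common.Server = $Server }

    $obj = Get-ADObject -Identity $Identity -Properties $Attribute @common

    foreach ($name in $Attribute) {
        # An unset attribute yields $null; the guard below skips it
        foreach ($dn in @($obj.$name)) {
            if (-not $dn) { continue }
            $resolves = $true
            try {
                Get-ADObject -Identity $dn -ErrorAction Stop @common | Out-Null
            }
            catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                # Only "not found" counts as dangling; access or network errors propagate
                $resolves = $false
            }
            [pscustomobject]@{ Attribute = $name; TargetDN = $dn; Resolves = $resolves }
        }
    }
}

# Placeholder DN (same one the article uses); replace with the real printer path
Get-DanglingLinkValue -Identity 'CN=PrinterName,OU=Printers,DC=domain,DC=com' |
    Where-Object { -not $_.Resolves } |
    Format-Table -AutoSize
```

A DN that lives in another domain of the forest will show Resolves = False against a regular DC, so pass a global catalog via -Server before treating it as stale.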
If It Still Fails: Purge the Object via LDAP
When ADSI Edit can't save changes because the object is completely corrupted, you'll need to force-delete it. Open PowerShell as Domain Admin and run:
Get-ADObject -Filter {DistinguishedName -eq "CN=PrinterName,OU=Printers,DC=domain,DC=com"} | Set-ADObject -ProtectedFromAccidentalDeletion $false -PassThru | Remove-ADObject -Confirm:$false
Replace the DN with your printer's path. This bypasses the back link check entirely. After removal, run repadmin /syncall /AdeP to force replication—otherwise the orphan might reappear.
What to Check If It Still Fails
- Replication lag – Run repadmin /showrepl on all DCs. If a DC hasn't replicated in hours, you're fighting stale metadata. Force replication with repadmin /syncall.
- NTDS Settings – Open AD Sites and Services, check the NTDS Settings for the printer object's domain controller. If it's orphaned there too, remove the reference manually.
- Print server reinstallation – Rare, but I've seen a corrupted print driver on the server re-create the back link every time you delete it. Reinstall the print server role, then clean the object.
- You don't have permission – Verify your account has 'Delete Printer' and 'Modify' permissions on the container. This isn't typical, but I've been burned by delegated OUs where the shadow group blocked writes.
That's it. 0X000020AA is a pain but it's almost always just a bad memberOf entry. Clean it, move on.