
Fix ERROR_DS_OBJ_STRING_NAME_EXISTS (0x00002071) in Active Directory

Windows Errors · Intermediate · Jun 8, 2026

This error means you're trying to add an object with a name already in use. We'll clean up duplicates, check replication, or force a rename.

What This Error Actually Means

You're trying to create a new user, group, or computer in Active Directory, and Windows kicks back error 0x00002071 with the message "An attempt was made to add an object to the directory with a name that is already in use." Straight from the horse's mouth: the object name already exists somewhere in the directory. But here's the kicker — it might not be in the same OU. It could be in a deleted objects container, a conflict object from a replication glitch, or even a lingering tombstone. I've seen this happen when someone manually created an AD object with a tool like ADSI Edit and didn't clean up properly, or when a replication collision mashed two DCs together.

Fix 1: Quick Name Swap (30 seconds)

Try this before anything else. Open Active Directory Users and Computers (ADUC). Find the object you're trying to create. If it's already there with the same name in a different OU, just rename the existing object or delete it. Quick check: right-click the target OU, go to Find, and search for the exact name. If it shows up, rename it to something like "Old-Name-DELETE" or delete it if it's unused. I had a client last month who spent an hour fighting this error — turned out a temp account from three years ago with the same sAMAccountName was sitting in a disabled users OU.

Fix 2: ADSI Edit Cleanup (5 minutes)

If the object isn't visible in ADUC, it's hiding. Time to use ADSI Edit — Microsoft's raw directory editor. Don't be scared, just be careful.

  1. Open ADSI Edit from Administrative Tools (or install it via RSAT).
  2. Right-click ADSI Edit in the left pane and choose Connect to.
  3. Under Select a well-known Naming Context, pick Configuration and click OK.
  4. Navigate to CN=Configuration,DC=yourdomain,DC=com > CN=Deleted Objects.
  5. Look for objects with a name matching your target. They'll have a prefix like DEL: or CNF: (conflict objects).
  6. Right-click and delete any you find. Be sure you're not deleting something critical. Check the lastKnownParent attribute to see where it originally lived.

The most common culprit here is a conflict object from a replication collision. If two admins created the same user at nearly the same time on different DCs, AD creates a conflict object with CNF: in the name. That object blocks any further creation with that name. Delete it, and you're golden.
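The same hunt can be scripted instead of clicked through in ADSI Edit. The following is an added example, not code from the original article: it searches the domain naming context (where user, group and computer objects and their tombstones live) and the configuration partition used in the steps above for a live object, a CNF: conflict object, or a DEL: tombstone carrying the name, shows each hit's lastKnownParent, and previews (with -WhatIf) removal of conflict objects only. $Name is a placeholder you replace with the name you are trying to create; the example assumes the name contains no LDAP filter metacharacters.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory
$Name = 'YourObjectName'   # placeholder: the name that keeps failing with 0x00002071

$root = Get-ADRootDSE
$partitions = @($root.defaultNamingContext, $root.configurationNamingContext)

# Conflict objects are renamed "<name>\nCNF:<guid>" and tombstones "<name>\nDEL:<guid>".
# The 0x0A separator is written as \0a inside an LDAP filter.
# Assumption: $Name has no ( ) * \ characters that would need LDAP escaping.
$filter = "(|(name=$Name)(sAMAccountName=$Name)(name=$Name\0aCNF:*)(name=$Name\0aDEL:*))"

$hits = foreach ($nc in $partitions) {
    Get-ADObject -LDAPFilter $filter -SearchBase $nc -SearchScope Subtree `
        -IncludeDeletedObjects -Properties isDeleted, lastKnownParent, whenChanged
}

# Classify each hit so you can see at a glance what is holding the name.
$hits |
    Select-Object @{n='Kind'; e={ if ($_.isDeleted) { 'DELETED' }
                                  elseif ($_.Name -match "`nCNF:") { 'CONFLICT' }
                                  else { 'LIVE' } }},
                  Name, ObjectClass, DistinguishedName, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# Conflict objects are the usual blocker. Review the table, then drop -WhatIf to really delete them.
$hits |
    Where-Object { -not $_.isDeleted -and $_.Name -match "`nCNF:" } |
    Remove-ADObject -Confirm:$false -WhatIf
```

Live objects found in another OU are the Fix 1 case (rename or delete by hand after checking what depends on them); tombstones show up here so you know they exist, but they are handled in Fix 3.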

Fix 3: Force Replication Check and Tombstone Reanimation (15+ minutes)

If you still can't create the object, replication might be out of sync or a tombstone (deleted object) hasn't been fully purged. Here's how to dig deeper.

Step 1: Check Replication Status

Open Active Directory Sites and Services. Expand your site, then the server, and right-click NTDS Settings > Replicate Now. If it fails, run repadmin /showrepl from an admin command prompt to see which DCs are behind.
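Before blaming a tombstone, it helps to see every inbound replication link in the domain at once rather than one DC at a time. This added example (not part of the original article) uses the ActiveDirectory module's Get-ADReplicationPartnerMetadata and Get-ADReplicationFailure cmdlets to list each server/partner/partition link, then warns about links that carry a non-zero result or have not succeeded in the last hour. The one-hour threshold is an assumption; adjust it to your replication topology.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
$staleAfter = (Get-Date).AddHours(-1)   # assumption: one hour is "too long" for this topology

# One row per inbound (server, partner, partition) link across the whole domain.
$links = Get-ADReplicationPartnerMetadata -Target $domain -Scope Domain

$links |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Sort-Object ConsecutiveReplicationFailures -Descending |
    Format-Table -AutoSize

# A link is suspect if its last attempt returned an error or it has not succeeded recently.
$stale = $links | Where-Object {
    $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt $staleAfter
}

if ($stale) {
    Write-Warning "$(@($stale).Count) inbound link(s) are failing or stale; fix these before touching tombstones."
    # Pull the recorded failure details (error code and first failure time) for the same scope.
    Get-ADReplicationFailure -Target $domain -Scope Domain |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
        Format-Table -AutoSize
} else {
    "All inbound links in $domain replicated successfully since $staleAfter."
}
```

If a DC shows up here with a stale link, the duplicate name may simply be a conflict object that has not reached every replica yet; clear the replication problem first, then repeat the Fix 2 search.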

Step 2: Search for Tombstone Objects

Use PowerShell to search across all DCs for the exact name:

foreach ($dc in 'DC1','DC2','DC3') { Get-ADObject -LDAPFilter '(name=YourObjectName*)' -IncludeDeletedObjects -Server $dc -Properties isDeleted,lastKnownParent }  # -Server takes one DC at a time; a tombstone's name ends in DEL:<guid>, so match the prefix

This will return any deleted object still lingering. If it shows up, you need to either restore it (if accidentally deleted) or permanently remove it by authoritatively restoring the tombstone. For permanent removal, use ntdsutil to perform a metadata cleanup.

Step 3: Force Tombstone Cleanup (Advanced)

If the tombstone is stuck, you can force garbage collection on a DC:

repadmin /syncall /AdeP

Then run garbage collection from ADSI Edit on the configuration partition: right-click CN=Configuration > Tasks > Garbage Collect. This forces the DC to purge tombstones older than the tombstone lifetime (default 180 days). I've seen this fix a case where a stubborn object from a failed domain rename wouldn't let go.
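Garbage collection only removes tombstones that are already older than the forest's tombstone lifetime, so it is worth reading that value and the age of the lingering tombstones before forcing a run. This added example (not code from the original article) reads tombstoneLifetime and garbageCollPeriod from the Directory Service object in the configuration partition, lists deleted objects on one DC with their approximate age (taken from whenChanged), and then triggers an immediate garbage collection on that DC through the doGarbageCollection rootDSE modify operation, the same mechanism ADSI Edit uses. $DC is a placeholder; the call needs Domain Admin rights on that DC.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory
$DC = 'DC1.yourdomain.com'   # placeholder: the DC holding the stuck tombstone

$root = Get-ADRootDSE -Server $DC
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
$ds   = Get-ADObject -Identity $dsDn -Server $DC -Properties tombstoneLifetime, garbageCollPeriod

# An unset tombstoneLifetime means the old 60-day default; forests created on 2003 SP1 or later get 180.
$tsl     = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
$gcHours = if ($ds.garbageCollPeriod) { $ds.garbageCollPeriod } else { 12 }
"Tombstone lifetime: $tsl days; garbage collection runs every $gcHours hours on $DC"

# Tombstones younger than the lifetime survive garbage collection, so show age next to each one.
# whenChanged is updated when the object is deleted, so it approximates the deletion time.
Get-ADObject -Server $DC -IncludeDeletedObjects -Filter 'isDeleted -eq $true' -Properties whenChanged |
    Where-Object { $_.Name -ne 'Deleted Objects' } |   # the container itself is flagged isDeleted
    Select-Object Name, whenChanged,
                  @{n='AgeDays';   e={ [int]((Get-Date) - $_.whenChanged).TotalDays }},
                  @{n='Purgeable'; e={ ((Get-Date) - $_.whenChanged).TotalDays -gt $tsl }} |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize

# Ask this DC to run garbage collection now. Only tombstones past the lifetime are removed;
# a tombstone marked Purgeable = False above will still be there afterwards.
$rootDse = [ADSI]"LDAP://$DC/RootDSE"
$rootDse.Put('doGarbageCollection', '1')
$rootDse.SetInfo()
```

If the object you are fighting shows Purgeable = False, forcing garbage collection will not help; the tombstone has to age out, or be handled as described in the next section.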

When to Walk Away and Rebuild

If after all this you still hit the error, the object name is likely hard-coded in a system attribute or tied to a schema conflict. At this point, I'd save the attributes you need, delete the domain controller's copy of the object via ntdsutil metadata cleanup, and promote a fresh DC. That's a nuclear option, but sometimes the forest is just dirty. I've only done it twice in 15 years, but both times it beat chasing a ghost for three days.

Real talk: most people stop at fix 1 or 2. Fix 3 is for when you've got a sticky replication issue or a tombstone that won't die. Start simple, get your object created, and move on with your day.
