Fix ERROR_DS_SHUTTING_DOWN (0x000020AC) on Domain Controller
Active Directory won't let you connect because the domain controller is shutting down. Here's the real fix and why it happens.
Getting 0x000020AC when trying to connect to Active Directory? That's the directory service telling you it's shutting down. Frustrating when you need it now. Let's fix it.
The Quick Fix: Restart the Directory Service
- Log into the domain controller (either physically or via Remote Desktop). You'll need local admin rights.
- Open PowerShell as Administrator. Right-click Start, choose "Windows PowerShell (Admin)".
- Run this command:
Restart-Service NTDS -Force
After you hit Enter, you'll see a warning that says "Are you sure you want to perform this action?" Type Y and press Enter.
- Wait about 15-30 seconds. Then check the service status:
Get-Service NTDS
You should see Status: Running. If it says Stopped or Starting, wait another 10 seconds and run the check again.
- Now try your original operation. The error should be gone.
That fixed it? Great. If not, move to the next section.
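The quick-fix steps above, scripted so the forced restart, the wait and a first triage pass run unattended. This is an added example, not code from the original article; it assumes an elevated PowerShell session on the domain controller itself and a hypothetical 60-second wait limit.

```powershell
# Added example: automate "restart NTDS, wait for Running, then triage if it doesn't".
# Assumes an elevated session on the DC. $TimeoutSeconds is an assumed value.
param(
    [int]$TimeoutSeconds = 60
)

$svc = Get-Service -Name NTDS
Write-Host "NTDS status before: $($svc.Status)"

if ($svc.Status -ne 'Running') {
    # -Force overrides the pending stop described in the article and restarts
    # dependent services; -Confirm:$false suppresses the "Are you sure?" prompt.
    Restart-Service -Name NTDS -Force -Confirm:$false -ErrorAction Stop
}

# Poll rather than sleep a fixed 15-30 s: StartPending can take longer on a busy DC.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    Start-Sleep -Seconds 5
    $svc = Get-Service -Name NTDS
} while ($svc.Status -ne 'Running' -and (Get-Date) -lt $deadline)

if ($svc.Status -ne 'Running') {
    Write-Warning "NTDS is still $($svc.Status) after $TimeoutSeconds s; move on to the deeper checks."

    # Triage step 1: Event ID 1000 application errors mentioning LSASS in the last hour
    # (both Application and System logs are queried so nothing is missed).
    Get-WinEvent -FilterHashtable @{ LogName = @('Application', 'System'); Id = 1000; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass\.exe' } |
        Select-Object TimeCreated, Id, Message

    # Triage step 2: the most recent NTDS events (database, DNS registration, replication).
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
        Select-Object -First 20 TimeCreated, Id, LevelDisplayName, Message

    exit 1
}

Write-Host "NTDS is Running; retry the original operation."
```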
Why This Works
The NTDS service (Active Directory Domain Services) was in the middle of shutting down. Maybe it hit an error during boot, or a system admin kicked off a restart and walked away. When you force-restart it, you're telling Windows "forget the pending shutdown, start fresh."
The -Force parameter is key. Without it, PowerShell won't restart a service that's in the middle of shutting down. It'll just say "service is stopping" and do nothing.
When the Quick Fix Doesn't Work
If the service won't start at all, or keeps stopping, you've got a bigger problem. Here's what to check:
1. LSASS Crash
The Local Security Authority Subsystem Service (LSASS) manages authentication. If it crashes, AD goes down with it. Check Event Viewer under Windows Logs > System. Look for Event ID 1000 (Application Error) referencing LSASS.EXE. If you see that, you've got a corrupt system file or a bad driver. Run sfc /scannow and then dism /online /cleanup-image /restorehealth from an elevated command prompt.
2. NTDS.DIT Corruption
The Active Directory database file is at C:\Windows\NTDS\ntds.dit. If this file gets corrupted—from a disk error, bad sector, or incomplete write—the service can't start. Boot into Directory Services Restore Mode (DSRM) by pressing F8 during startup and selecting it. Then run ntdsutil to check the database:
ntdsutil
activate instance ntds
files
integrity
If it reports errors, you'll need to restore from a backup. There's no repair tool for AD database corruption—you can't just run chkdsk.
3. DNS Misconfiguration
AD relies heavily on DNS. If the domain controller can't register its own SRV records, it may shut down replication. Check the DNS server settings on the DC's network adapter. It should point to itself (127.0.0.1) as the primary DNS, with another DC as the secondary DNS if one is available. Run ipconfig /all to verify. If the DNS Server service is stopped, start it with Start-Service DNS.
4. Replication Conflict
If another domain controller pushed a change that this DC can't accept—like a schema update that failed—it may trigger a shutdown. Check Event ID 1925 (DNS registration failure) or Event ID 1988 (replication failure). In that case, you might need to force replication with repadmin /syncall /AdeP or demote and re-promote the domain controller.
Prevention: Keep This From Happening Again
- Monitor LSASS crashes. Set up alerts for Event ID 1000 in System log. If LSASS goes down, you've got maybe 30 seconds before AD stops responding.
- Run regular NTDS health checks. Weekly, run ntdsutil > activate instance ntds > files > integrity. Put this in a scheduled task.
- Keep DNS clean. Remove stale DNS records for old DCs. Use dnscmd /EnumZones to list zones, then dnscmd /ZoneDelete for old entries.
- Don't let disk space run out. AD logs grow fast. Set a 10% free space alert on the volume holding C:\Windows\NTDS.
- Patch regularly. Many LSASS crashes come from unpatched security updates. Keep Windows Update current.
That's it. You've seen the fix, you know why it works, and you've got steps for when it doesn't. The key takeaway: 0x000020AC almost always means the NTDS service is stuck in a shutdown state. Restart it, and 9 times out of 10 you're back online. The other 10% of the time, you're looking at corruption or DNS problems—but now you know how to handle those too.