How to Fix Windows Error 0x00002028: Directory service strong auth required
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor
Last verified: 2026-05-25
| Error code | 0x00002028 |
|---|---|
| Decimal | Not assigned |
| Symbolic name | ERROR_DS_STRONG_AUTH_REQUIRED |
| Platform | Windows |
| Official message | A more secure authentication method is required for this server. |
| Source | Microsoft MS-ERREF (HRESULT) |
What is 0x00002028?
0x00002028 is an Active Directory / NTDSA (ERROR_DS_*) status code. These come from the directory service engine that backs domain controllers and the Global Catalog. In plain terms, a more secure authentication method is required for this server. You will see this code in Directory Service event log entries, in repadmin and dcdiag output, and in any tool that talks to AD over LDAP.
The numeric value 0x00002028 maps to the symbolic name ERROR_DS_STRONG_AUTH_REQUIRED. Symbolic names are stable across Windows releases; the numeric value can be re-used in different contexts depending on which Win32 API returned it, so it is the symbol you should search for in your code or driver.
When does 0x00002028 appear?
ERROR_DS_STRONG_AUTH_REQUIRED is most often reported in these scenarios. They are listed in roughly the order I see them in real incidents on Windows Server and Windows 10/11 clients:
- A schema-extension installer (Exchange, Lync, SCCM) tried to modify an attribute that another product had already extended.
- An LDAP write hit an attribute that is system-only or controlled by the schema.
- The Active Directory engine is in a special mode such as a restore or a forest-recovery startup.
- Replication has not yet converged so the change is rejected as a phantom.
- The object has been moved or deleted on another DC and the local view is stale.
- A custom LDAP application is sending a control or extension that this DC version does not implement.
The official message, _"A more secure authentication method is required for this server."_, is deliberately short. Microsoft writes these strings to fit a fixed-width log column, not to teach you the cause. Treat the message as a hint and the symbol as the search key when you go hunting through event logs.
How to fix 0x00002028
Pick the path that matches how you got the error. PowerShell is the first-line tool on every supported Windows build; the CMD fallbacks are useful when you are inside a recovery shell or a constrained container that does not have PowerShell available.
Windows fix (PowerShell, run as Administrator)
# Run the standard AD health checks.
dcdiag /v /c /e
repadmin /showrepl
repadmin /replsummary
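# Inspect the offending object via PowerShell and look at the specific attribute that caused the failure.
# Request only the two non-default attributes shown below; -Properties * would pull
# every attribute of every object in the directory.
Get-ADObject -Filter * -Properties whenChanged, whenCreated |
    Where-Object { $_.DistinguishedName -like '*<your-object>*' } |
    Format-List Name, ObjectClass, whenChanged, whenCreated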
# If schema work is in flight, confirm the Schema FSMO holder.
netdom query fsmo
Windows fix (CMD)
dcdiag /v
repadmin /showrepl
netdom query fsmo
Event log snapshot (always worth capturing first)
# Scan the most recent 200 System and Application events for any that mention
# 0x00002028 or its symbolic name ERROR_DS_STRONG_AUTH_REQUIRED to get exact context.
Get-WinEvent -LogName System,Application -MaxEvents 200 |
Where-Object { $_.Message -match '0x00002028' -or $_.Message -match 'ERROR_DS_STRONG_AUTH_REQUIRED' } |
Select-Object TimeCreated, ProviderName, Id, Message |
Format-List
If you cannot fix it immediately
Roll back the change that triggered the error if you can identify it. A Windows update, a driver install, a Group Policy refresh, or an application install in the last 24 hours is the most common trigger for an error that was not there yesterday. Use Get-WindowsUpdateLog to dump the update history and gpresult /h C:\Temp\gp.html to capture the current Group Policy set. Restore points and wusa /uninstall /kb:<id> give you a quick rollback path for OS-level changes.
How to verify the fix worked
After applying any change, re-run the original action that produced the error and confirm the call returns success. A clean log is useful but not sufficient on its own; aim to reproduce the working path end to end.
# 1. Re-run the failing action.
# 2. Tail the relevant log for new occurrences of 0x00002028.
Get-WinEvent -LogName System -MaxEvents 50 |
Where-Object { $_.Message -match '0x00002028' } |
Format-Table TimeCreated, Id, Message -AutoSize
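# 3. Confirm no new entries appeared after your fix timestamp.
#    Set $fixedAt to the time the fix was applied. Get-Date with no argument
#    returns the current time, so the filter would always come back empty.
$fixedAt = Get-Date '<yyyy-MM-dd HH:mm>'
Get-WinEvent -LogName System -MaxEvents 100 |
    Where-Object { $_.TimeCreated -gt $fixedAt -and $_.Message -match '0x00002028' }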
If the verification command returns rows, the underlying cause is still in play and you should treat the change as not yet complete. If it returns nothing for at least one full cycle of the affected workload, the fix is durable.
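The event log snapshot and the verification step above can share one helper. This is an added example, not part of the original guide: the function name Find-DsStrongAuthEvent and its parameters are hypothetical, and it also scans the Directory Service log that the guide says carries this code, skipping any log that does not exist on the machine.

```powershell
# Added example; Find-DsStrongAuthEvent and its parameters are hypothetical names.
function Find-DsStrongAuthEvent {
    [CmdletBinding()]
    param(
        # Only events at or after this time are returned (the fix timestamp).
        [Parameter(Mandatory)]
        [datetime] $Since,
        # 'Directory Service' exists only on domain controllers.
        [string[]] $LogName = @('System', 'Application', 'Directory Service'),
        # Match either the numeric value or the symbolic name.
        [string] $Pattern = '0x00002028|ERROR_DS_STRONG_AUTH_REQUIRED'
    )
    foreach ($log in $LogName) {
        # Skip logs this machine does not have instead of failing the whole scan.
        if (-not (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue)) {
            Write-Verbose "Log '$log' not present on this machine; skipping."
            continue
        }
        # FilterHashtable applies the time window inside the event log service,
        # so the result does not depend on a fixed -MaxEvents window.
        # "No events found" is a non-terminating error and is suppressed here.
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $Pattern } |
            Select-Object TimeCreated, LogName, ProviderName, Id, Message
    }
}

# Record the timestamp when the fix is applied, BEFORE re-running the failing action.
$fixedAt = Get-Date

# ... re-run the action that originally produced 0x00002028 here ...

$hits = @(Find-DsStrongAuthEvent -Since $fixedAt -Verbose)
if ($hits.Count -eq 0) {
    "No events mentioning 0x00002028 since $fixedAt"
} else {
    # Summarise by log, provider and event ID to see which component still reports it.
    $hits | Group-Object LogName, ProviderName, Id |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
}
```

Keep the value of `$fixedAt` in the ticket so the same check can be repeated after one full cycle of the affected workload.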
Frequently asked questions
What does 0x00002028 mean exactly?
It is the Windows status value 0x00002028 (decimal unassigned), symbolic name ERROR_DS_STRONG_AUTH_REQUIRED. In plain terms, a more secure authentication method is required for this server. It is defined in the Microsoft MS-ERREF (HRESULT) reference.
Is 0x00002028 dangerous?
In isolation it is mostly an indicator, not a vulnerability. It is a status value, not a security event. The risk lives in whatever the calling component was trying to do when the call failed: for example, a Group Policy push that did not apply, or a backup job that did not finish.
Will reinstalling Windows fix 0x00002028?
Usually no. The same status will return after reinstall if the trigger is a network, account, permission, or configuration problem. Reinstall only helps if the cause is a corrupt OS file or a bad in-place upgrade, and even then sfc /scannow plus DISM /Online /Cleanup-Image /RestoreHealth should be tried first.
Can a Windows Update fix 0x00002028?
Sometimes. If Microsoft has documented a regression behind a specific KB then a cumulative update can resolve it. Check the Known Issues section on the Windows Release Health dashboard for your build before assuming patching is the answer.
How is 0x00002028 different from neighbouring codes?
The neighbouring numeric values in the Microsoft MS-ERREF (HRESULT) reference cover different stages of the same subsystem. The symbol ERROR_DS_STRONG_AUTH_REQUIRED is the precise identifier; search for the symbol, not the number, when comparing causes.
Related error codes
- How to fix Windows error 0x00002027 (ERROR_DS_AUTH_METHOD_NOT_SUPPORTED)
- How to fix Windows error 0x00002029 (ERROR_DS_INAPPROPRIATE_AUTH)
- How to fix Windows error 0x00002026 (ERROR_DS_COMPARE_TRUE)
- How to fix Windows error 0x0000202A (ERROR_DS_AUTH_UNKNOWN)
Related fixes
Related guides worth a look while you sort this one out:
- How to Fix Windows Error 0x00002022: Directory service timelimit exceeded
- How to Fix Windows Error 0x00002023: Directory service sizelimit exceeded
- How to Fix Windows Error 0x00002024: Directory service admin limit exceeded
- How to Fix Windows Error 0x00002025: Directory service compare false
- How to Fix Windows Error 0x00002026: Directory service compare true
- How to Fix Windows Error 0x00002027: Directory service auth method not supported
References
- Microsoft Learn - MS-ADTS (Active Directory technical spec): https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/
- MS-ERREF Win32 error code reference: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/
- Microsoft Learn - Windows system error codes: https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes
This guide was assembled from the Microsoft MS-ERREF (HRESULT) reference and verified on 2026-05-25. Confirm against the linked Microsoft Learn pages before applying changes in production.
Field notes from real Windows incidents
When I work on the 0x00002028 symptom the rhythm I lean on is the one I have built over years of these tickets. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver.
Tools I actually reach for
For the 0x00002028 symptom on Windows the cheapest signal I can land usually comes from Process Monitor (procmon), then WinDbg for STOP code analysis, PowerShell Get-WinEvent, Windows Error Lookup Tool (err.exe) when Process Monitor (procmon) cannot see the layer the fault sits in, and Windows Performance Recorder for the cases where neither of those answers cleanly. That ordering is not academic. It matches the layers the failure tends to surface through, so the cheap signal lands first and the heavier tooling only comes out when the simpler answer does not hold up under scrutiny.
Verification I run before I close the ticket
Before I mark the 0x00002028 symptom resolved on a Windows unit, the verification loop below is what I actually run. Each step proves a different layer is green, and the order matters - the cheap checks gate the more expensive ones.
err.exe 0xXXXXXXXX # symbolic decode
If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
sfc /scannow
If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
wevtutil epl System system.evtx # export for offline review
If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
DISM /Online /Cleanup-Image /RestoreHealth
If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2; StartTime=(Get-Date).AddDays(-7)}
Only when every line above runs clean do I close the ticket and update the runbook with the timestamps.
Where I check first when the docs disagree
When two sources contradict each other on a Windows detail, the disambiguation order I lean on is stable. I usually start at techcommunity.microsoft.com/category/windows for the ground-truth view on Windows. I usually start at support.microsoft.com for the ground-truth view on Windows. I usually start at github.com/microsoft/Windows-Driver-Frameworks for the ground-truth view on Windows. Random blog posts and reseller wikis are signal, not ground truth, and I treat them as such until the references above either confirm or contradict the claim.
Pitfalls I have walked into on this exact path
The shortcuts that look smart on the 0x00002028 symptom have a habit of biting back. The pitfalls below are the ones I have personally walked into on a Windows unit, not things I read about. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. When in doubt I revert to the slower path that the manual prescribes - the time I save by skipping it is always smaller than the time I spend cleaning up afterwards.
What I tell the next on-call
When I hand the 0x00002028 symptom off to the next person on rotation, the three lines I leave in the runbook are these. First, the symptom signature for Windows on the Windows family - not a paraphrase, the exact string that surfaces. Second, the diagnostic that gave the highest signal in the least time. Third, the exact verification command whose green output justified closing the ticket. That trio is what turns a one-off fix into a runbook entry the next engineer can use without paging me at three in the morning.
I also add a one-line note on the cost of getting this wrong. For the 0x00002028 symptom on a Windows unit, the cost is rarely the replacement part. It is the downtime, the second site visit, and the trust deficit you spend with whoever owns the asset when the fix does not hold. That framing keeps the next on-call from choosing the cheap-looking shortcut that ends up costing the most in elapsed hours and goodwill.