How to fix Windows error 0x000020D2
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-25
| Error code | 0x000020D2 |
|---|---|
| Decimal | Not assigned |
| Symbolic name | ERROR_DS_CANT_CACHE_CLASS |
| Platform | Windows |
| Subsystem | Active Directory Domain Services |
| Official message | The class could not be cached. |
| Source | Microsoft MS-ERREF (HRESULT) (https://learn.microsoft.com/en-us/windows/win32/adschema/active-directory-schema) |
What is 0x000020D2?
0x000020D2 (commonly seen as ERROR_DS_CANT_CACHE_CLASS) is a status code returned by the Active Directory Domain Services on Windows. This code comes from Active Directory Domain Services (the ntdsa subsystem) and usually surfaces during schema operations, replication, or directory writes. The error is raised by the LDAP or DRSUAPI layers when an object, attribute, or class violates a directory invariant. In practical terms, the system is reporting that the class could not be cached. If you see this in a log, it almost always means the calling component hit a precondition that the OS could not satisfy, rather than a hardware fault.
When does 0x000020D2 appear?
The most common real-world triggers for ERROR_DS_CANT_CACHE_CLASS are the ones the subsystem itself reports most often:
- Schema extension scripts running against an out-of-date forest
- Replication between domain controllers when one DC is missing an attribute or class
- LDAP modify operations that reference a non-existent attribute or auxiliary class
- Domain controller promotion (dcpromo) on a downlevel forest functional level
- Group Policy or PSO writes that hit a stale schema cache
- Third-party AD tools (ADSI Edit, AdMod, PowerShell AD module) running with insufficient rights
If your situation does not match any of the bullets above, capture the failing call with Process Monitor (filter by the failing PID and the last non-success Result) before you start guessing. The exact preceding operation almost always pins the root cause.
How to fix 0x000020D2
Work through the steps in order. The PowerShell block triages the issue, the second block applies the most common fix, and the verify section at the bottom confirms the failure cleared.
Detect (PowerShell, run as Administrator)
# Show the current AD schema version and forest functional level.
Get-ADRootDSE | Select-Object schemaNamingContext, forestFunctionality
(Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
# Pull the last 200 Directory Service events that mention this code.
Get-WinEvent -LogName 'Directory Service' -MaxEvents 200 |
Where-Object { $_.Message -match 'ERROR_DS' } |
Select-Object TimeCreated, Id, Message | Format-List
Apply the fix (PowerShell, run as Administrator)
# 1. Confirm replication health across every DC in the forest.
repadmin /replsummary
repadmin /showrepl * /csv | ConvertFrom-Csv | Where-Object { $_.'Number of Failures' -ne '0' }
# 2. Run the Active Directory diagnostic suite.
dcdiag /v /e /c /f:C:\Temp\dcdiag.log
# 3. If the failure happened during a schema extension, re-run after the
# schema master is fully reachable and the rights are correct.
Get-ADDomainController -Filter { OperationMasterRoles -like '*Schema*' } |
Select-Object HostName, Site, OperationMasterRoles
# 4. For a schema cache mismatch, force an immediate cache reload.
ldifde -i -f \\?\GLOBALROOT\Device\HarddiskVolume1\Windows\System32\schemaUpdateNow.ldf
Companion cmd commands
rem Run as Domain Admin. Inspect the AD service event log.
wevtutil qe "Directory Service" /c:50 /rd:true /f:text
rem Force inbound replication from every partner.
repadmin /syncall /AdeP
If you cannot fix it immediately
If you cannot resolve it immediately, restart the affected service, log the error context, and capture the call stack with a debugger or Process Monitor so the root cause survives a reboot. Treat the code as a signal, not a root cause.
How to verify the fix worked
Run the verification block below in the same elevated PowerShell session, then re-run the operation that originally raised the error. If both the verification commands and the original operation come back clean, the fix held.
# Re-run the failing operation and confirm the event log is silent.
Get-WinEvent -LogName 'Directory Service' -MaxEvents 50 |
Where-Object { $_.LevelDisplayName -in 'Error','Warning' }
# Re-check replication health.
repadmin /replsummary
Also re-check the relevant Windows event log for the next 24 hours. Codes from this subsystem sometimes return after a scheduled job, a policy refresh, or a service restart fires.
Frequently asked questions
What does 0x000020D2 mean exactly?
It is the Active Directory Domain Services reporting a specific precondition failure. The symbolic name ERROR_DS_CANT_CACHE_CLASS describes the precondition in compiler-style abbreviated form; the at-a-glance table shows the official one-line description.
Is 0x000020D2 dangerous?
This is a status signal in most cases, not a breach indicator. The code is a status, not a fault. The deeper problem is whatever upstream call passed in bad inputs or hit a stale piece of state. Treat the code as a signpost.
Will reinstalling Windows fix 0x000020D2?
Almost never, and reinstalling is the wrong first move. The fix is almost always a config repair, a permission grant, or a service restart. Reserve a reinstall for the rare case where SFC and DISM both fail to repair the component store.
How is 0x000020D2 different from neighbouring codes in the same range?
Codes in the same numeric range come from the same subsystem and the same source file, so they share the surrounding context. The specific failure mode is what changes from code to code. Inspect the symbol name to spot the exact precondition.
Does Microsoft have a public reference for ERROR_DS_CANT_CACHE_CLASS?
Yes. The canonical reference is https://learn.microsoft.com/en-us/windows/win32/adschema/active-directory-schema. The MS-ERREF spec (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/) lists every HRESULT, NTSTATUS, and Win32 system error code with its numeric value and symbolic name.
Related error codes
Codes near this one in the numeric range usually come from the same source file in the Windows tree, so the same fix often resolves them:
- How to fix Windows error 0x000020D0
- How to fix Windows error 0x000020D1
- How to fix Windows error 0x000020D3
- How to fix Windows error 0x000020D4
- How to fix Windows error 0x000020D5
If a neighbouring page has not been published yet, the link will 404 - re-check after the next batch.
Related fixes
Related guides worth a look while you sort this one out:
- How to fix Windows error 0x000020CC
- How to fix Windows error 0x000020CD
- How to fix Windows error 0x000020CE
- How to fix Windows error 0x000020CF
- How to fix Windows error 0x000020D0
- How to fix Windows error 0x000020D1
References
- Microsoft Learn — Active Directory Domain Services: https://learn.microsoft.com/en-us/windows/win32/adschema/active-directory-schema
- Microsoft MS-ERREF (full Windows error code reference): https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/
- Win32 system error codes: https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes
- Subsystem deep dive: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/troubleshooting-ad-replication
- This article's underlying data row: code=
0x000020D2, symbol=ERROR_DS_CANT_CACHE_CLASS, source=Microsoft MS-ERREF (HRESULT).
This guide was assembled from the official Microsoft MS-ERREF reference and the Active Directory Domain Services documentation on 2026-05-25. Always confirm against the vendor reference before applying changes in production.
Field notes from real Windows incidents
When I work on the 0x000020D2 symptom the rhythm I lean on is the one I have built over years of these tickets. Reliability Monitor is the single most underused triage surface in Windows, it gives 30 days of crash history without writing a query. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away.
Tools I actually reach for
For the 0x000020D2 symptom on Windows the cheapest signal I can land usually comes from Process Monitor (procmon), then Event Viewer (eventvwr.msc), Windows Error Lookup Tool (err.exe), Reliability Monitor (perfmon /rel) when Process Monitor (procmon) cannot see the layer the fault sits in, and Windows Performance Recorder for the cases where neither of those answers cleanly. That ordering is not academic. It matches the layers the failure tends to surface through, so the cheap signal lands first and the heavier tooling only comes out when the simpler answer does not hold up under scrutiny.
Verification I run before I close the ticket
Before I mark the 0x000020D2 symptom resolved on a Windows unit, the verification loop below is what I actually run. Each step proves a different layer is green, and the order matters - the cheap checks gate the more expensive ones.
sfc /scannowIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
DISM /Online /Cleanup-Image /RestoreHealthIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
wevtutil epl System system.evtx # export for offline reviewIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2; StartTime=(Get-Date).AddDays(-7)}If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
err.exe 0xXXXXXXXX # symbolic decodeOnly when every line above runs clean do I close the ticket and update the runbook with the timestamps.
Where I check first when the docs disagree
When two sources contradict each other on a Windows detail, the disambiguation order I lean on is stable. I usually start at github.com/microsoft/Windows-Driver-Frameworks for the ground-truth view on Windows. I usually start at learn.microsoft.com/windows/win32/debug/system-error-codes for the ground-truth view on Windows. I usually start at techcommunity.microsoft.com/category/windows for the ground-truth view on Windows. I usually start at support.microsoft.com for the ground-truth view on Windows. Random blog posts and reseller wikis are signal, not ground truth, and I treat them as such until the references above either confirm or contradict the claim.
Pitfalls I have walked into on this exact path
The shortcuts that look smart on the 0x000020D2 symptom have a habit of biting back. The pitfalls below are the ones I have personally walked into on a Windows unit, not things I read about. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint. When in doubt I revert to the slower path that the manual prescribes - the time I save by skipping it is always smaller than the time I spend cleaning up afterwards.
What I tell the next on-call
When I hand the 0x000020D2 symptom off to the next person on rotation, the three lines I leave in the runbook are these. First, the symptom signature for Windows on the Windows family - not a paraphrase, the exact string that surfaces. Second, the diagnostic that gave the highest signal in the least time. Third, the exact verification command whose green output justified closing the ticket. That trio is what turns a one-off fix into a runbook entry the next engineer can use without paging me at three in the morning.
I also add a one-line note on the cost of getting this wrong. For the 0x000020D2 symptom on a Windows unit, the cost is rarely the replacement part. It is the downtime, the second site visit, and the trust deficit you spend with whoever owns the asset when the fix does not hold. That framing keeps the next on-call from choosing the cheap-looking shortcut that ends up costing the most in elapsed hours and goodwill.