Avoiding a USN rollback

If the domain has two or more domain controllers and you have recovered one of the controllers or its database, you need to avoid a situation known as a USN rollback.

Replication and USNs

Active Directory data is constantly replicated between the domain controllers. At any given moment, the same Active Directory object may have a newer version on one domain controller and an older version on another. To prevent conflicts and loss of information, Active Directory tracks object versions on each domain controller and replaces the outdated versions with the up-to-date version.

To track changes, Active Directory uses per-controller counters called Update Sequence Numbers (USNs). Every write to the database on a domain controller increments that controller's USN, so a newer version of an object corresponds to a higher USN. Each domain controller also records the highest USN it has already received from every other domain controller (together with the identity of that controller's database, the invocationID) and, on each replication cycle, requests only the changes above that number.

USN rollback

After a nonauthoritative restore of a domain controller or of its database that the directory service itself does not detect (for example, recovering a disk image of the controller or copying back the database files), the current USN of that domain controller is replaced by the old (lower) USN from the backup, while its invocationID stays the same. The other domain controllers are not aware of this change: they still keep the latest known (higher) USN of that domain controller, so they will not request the changes it makes until its USN climbs above that number again.

As a result, the following issues occur:

To avoid a USN rollback, you need to tell the directory service on the recovered domain controller that it has been restored, so that it generates a new invocationID on the next normal start and its replication partners treat its database as a freshly restored one rather than as the one they already know.

To avoid a USN rollback

  1. Immediately after recovering an entire domain controller or its database, boot the recovered domain controller and press F8 during startup.
  2. On the Advanced Boot Options screen, select Directory Services Restore Mode.
  3. Log on to Directory Services Restore Mode (DSRM), open Registry Editor, and then expand the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

  4. In that registry key, examine the DSA Previous Restore Count value. If this value is present, write down its setting. Do not add the value if it is absent.
  5. Add the following value to that registry key:
  6. Restart the domain controller in normal mode.
  7. [Optional] After the domain controller restarts, open Event Viewer, expand Application and Services Logs, and then select the Directory Services log. In the Directory Services log, look for a recent entry for Event ID 1109. If you find this entry, double-click it to ensure that the InvocationID attribute has changed. This means that the Active Directory database has been updated.
  8. Open Registry Editor and verify that the setting in the DSA Previous Restore Count value has increased by one as compared with step 4. If the DSA Previous Restore Count value was absent in step 4, verify that it is now present and that its setting is 1.

    If you see a different setting (and you cannot find the entry for Event ID 1109), make sure that the recovered domain controller has current service packs, and then repeat the entire procedure.
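The procedure above, scripted as an added example (this is editor-supplied PowerShell, not code from the page or from the product it documents). It runs on the recovered domain controller in two phases: Before, in Directory Services Restore Mode, covers steps 4 and 5; After, in normal mode, covers steps 7 and 8 and checks that Event ID 1109 was logged since the last boot rather than by an earlier restore. The registry value name that step 5 needs, Database restored from backup, is not shown on this page; it is taken from Microsoft's documented procedure (KB 875495) and is marked as an assumption in the script. The scratch-file path and the bcdedit alternative to pressing F8 are also additions.

```powershell
<#
 Added example: record and set the NTDS restore flag around a DC recovery.
 Not code from the original page or from the product it documents.

 Phase Before : run inside Directory Services Restore Mode (steps 4 and 5).
 Phase After  : run after the restart into normal mode (steps 7 and 8).

 Instead of pressing F8 (step 1), you can force the next boot into DSRM:
   bcdedit /set {default} safeboot dsrepair
 and clear it again once the Before phase is done:
   bcdedit /deletevalue {default} safeboot
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Before', 'After')][string]$Phase
)

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$countName  = 'DSA Previous Restore Count'
# ASSUMPTION: this value name is not shown on the page; it is the flag Microsoft documents
# (KB 875495) for telling NTDS that its database was restored from backup.
$flagName   = 'Database restored from backup'
# ASSUMPTION: an arbitrary scratch file that carries the step-4 reading across the reboot.
$stateFile  = Join-Path $env:SystemRoot 'Temp\usn-rollback-check.json'

function Get-RestoreCount {
    # Returns $null when the value is absent; step 4 says not to create it in that case.
    $props = Get-ItemProperty -Path $ntdsParams -ErrorAction Stop
    if ($props.PSObject.Properties.Name -contains $countName) { return [int]$props.$countName }
    return $null
}

function Invoke-BeforePhase {
    $before = Get-RestoreCount
    $shown  = if ($null -eq $before) { '<absent>' } else { $before }
    Write-Host "Step 4: '$countName' = $shown"

    # Keep the step-4 reading so the After phase can compare against it.
    @{ RestoreCountBefore = $before } | ConvertTo-Json | Set-Content -Path $stateFile

    # Step 5: set the flag so NTDS generates a new invocationID on the next normal start.
    New-ItemProperty -Path $ntdsParams -Name $flagName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Step 5: '$flagName' = 1 written. Restart into normal mode (step 6)."
}

function Invoke-AfterPhase {
    $saved    = Get-Content -Path $stateFile -Raw | ConvertFrom-Json
    $before   = $saved.RestoreCountBefore
    $after    = Get-RestoreCount
    $expected = if ($null -eq $before) { 1 } else { [int]$before + 1 }
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

    # Step 7: event 1109 in the Directory Service log records the invocationID change.
    # Only an entry logged after the last boot counts; an older 1109 belongs to a previous restore.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1109; StartTime = $lastBoot } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue

    $ok = $true
    if ($evt) {
        Write-Host "Step 7: event 1109 at $($evt.TimeCreated):"
        Write-Host $evt.Message          # the message names the old and the new invocationID
    } else {
        Write-Warning 'Step 7: no event 1109 logged since the last boot.'
        $ok = $false
    }

    # Step 8: the restore counter must have gone up by exactly one (or appeared as 1).
    if ($after -eq $expected) {
        Write-Host "Step 8: '$countName' = $after (expected $expected)."
    } else {
        Write-Warning "Step 8: '$countName' = $after, expected $expected. Check service packs and repeat the procedure."
        $ok = $false
    }

    # Show the invocationID NTDS reports now, so it can be compared with the new value in the event.
    try {
        $dc = Get-ADDomainController -Identity $env:COMPUTERNAME
        Write-Host "Current invocationID: $($dc.InvocationId)"
    } catch { Write-Verbose 'ActiveDirectory module not available; skipping invocationID read.' }

    if (-not $ok) { exit 1 }
}

if ($Phase -eq 'Before') { Invoke-BeforePhase } else { Invoke-AfterPhase }
```

Run it from an elevated prompt on the recovered controller: `.\Check-UsnRollback.ps1 -Phase Before` while in DSRM, restart, then `.\Check-UsnRollback.ps1 -Phase After`. A non-zero exit code from the After phase means one of the two checks in steps 7 and 8 failed and the procedure should be repeated as the text describes.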

For more details about USNs and USN rollback, see the following Microsoft Technet article: http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv.aspx.