UTools for Windows System Administrators
UMove Help

USN Rollback

Instead of using UMove, if you attempt to move or copy Active Directory using a disk image utility (for example VMware, Symantec Ghost, or Acronis True Image), you may encounter errors with replication due to “USN rollback”.

When USN rollback occurs the following message may appear in the Event Log: “The Active Directory database has been restored using an unsupported restoration procedure. Active Directory will be unable to log on users while this condition persists.” (NTDS General, Event ID 2103)

Windows Server 2012: USN Rollback is generally not an issue on Windows Server 2012 under Hyper-V. This is because Hyper-V increments the VM Generation ID to allow the restored VM to notify the other DCs that it was rolled back.

What is USN Rollback?

A domain controller tracks changes to objects in AD using Update Sequence Numbers (USNs). Every change written to a DC's copy of the database is stamped with that DC's next USN, so the counter only ever increases, like the odometer on a car. The latest USN on each DC is called its “high water mark”. During replication each DC compares its own high water mark with the high water mark it last saw from each of its replication partners, and only the changes above the recorded mark are requested.

USN rollback happens when an older copy of Active Directory is restored but the computer fails to notify the other domain controllers that it was rolled back to an out-of-date copy of AD (and therefore that its high water mark has rolled back).

When you use UMove to restore AD it notifies the other DCs that it has been rolled back. The other DCs respond by “playing back” all changes made to AD since then, bringing the restored computer up to date.

However, if you use a disk imaging utility (for example, if you restore an old disk image created with Symantec Ghost or Acronis True Image), the computer will be unaware that it has been rolled back. If the restored image is older than the last copy of the database that successfully replicated with the other domain controllers, any changes made to AD on the other domain controllers since that point will not be “played back” to the out-of-date DC, because the restored DC does not know that its high water mark has gone backwards.

USN Rollback With VMware or Hyper-V

USN rollback can happen if you use VMware or Hyper-V to roll back a virtual DC to a prior snapshot without simultaneously rolling back all the other virtual DCs.

Consequences of USN Rollback

When another DC detects a replication request with a rolled-back USN, it instructs the rolled-back DC to initiate the following “quarantine” procedure:

  • Pause the NETLOGON service in order to prevent the processing of any further user logon requests or user password change requests
  • Disable any further replication
  • Generate Event ID 2103 in the Directory Service event log
  • Generate Event ID 2095 in the Directory Service event log: “During an Active Directory replication request, the local domain controller (DC) identified a remote DC which has received replication data from the local DC using already-acknowledged USN tracking numbers. Because the remote DC believes it has a more up-to-date Active Directory database than the local DC, the remote DC will not apply future changes to its copy of the Active Directory database or replicate them to its direct and transitive replication partners that originate from this local DC. The most probable cause of this situation is the improper restore of Active Directory on the local domain controller. User Actions: If this situation occurred because of an improper or unintended restore, forcibly demote the DC.”
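
The quarantine steps above leave visible traces on the affected DC. The following PowerShell script is an added example, not part of the UMove help or the UMove product; it checks a DC for those traces so an administrator can confirm a suspected USN rollback before choosing one of the recovery methods. It looks for Event IDs 2095 and 2103 in the Directory Service log, a paused NETLOGON service, disabled inbound/outbound replication as reported by repadmin, and the “Dsa Not Writable” registry value that KB875495 documents NTDS setting to 4 when it detects a rollback. It also prints the DC's own high water mark (via repadmin /showutdvec) so it can be compared with a healthy partner. Run it in an elevated PowerShell session on the DC you suspect; the function name and the number of events examined are the example's own choices.

```powershell
# Added example: detect the symptoms of USN-rollback quarantine on the local DC.
# Not part of UMove. Assumes an elevated session on a domain controller with
# repadmin.exe available (it ships with the AD DS role and RSAT).

function Test-UsnRollbackQuarantine {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Event IDs 2103 / 2095 in the Directory Service log (source: NTDS General).
    #    -MaxEvents 20 is an arbitrary window chosen for this example.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`r?`n")[0]
        $findings.Add("Event $($e.Id) at $($e.TimeCreated): $firstLine")
    }

    # 2. NETLOGON paused: user logons and password changes are no longer processed.
    $netlogon = Get-Service -Name Netlogon -ErrorAction SilentlyContinue
    if ($netlogon -and $netlogon.Status -eq 'Paused') {
        $findings.Add('NETLOGON service is paused')
    }

    # 3. Replication disabled on this DSA. repadmin /options prints the nTDSDSA
    #    option flags, e.g. "Current DSA Options: IS_GC DISABLE_INBOUND_REPL".
    $options = (& repadmin.exe /options localhost 2>&1) -join "`n"
    if ($options -match 'DISABLE_INBOUND_REPL') {
        $findings.Add('Inbound replication is disabled (DISABLE_INBOUND_REPL)')
    }
    if ($options -match 'DISABLE_OUTBOUND_REPL') {
        $findings.Add('Outbound replication is disabled (DISABLE_OUTBOUND_REPL)')
    }

    # 4. "Dsa Not Writable" = 4 is written by NTDS when it detects USN rollback
    #    (documented in Microsoft KB875495, which the help page cites).
    $ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsaNotWritable = (Get-ItemProperty -Path $ntdsParams -Name 'Dsa Not Writable' `
                                        -ErrorAction SilentlyContinue).'Dsa Not Writable'
    if ($dsaNotWritable -eq 4) {
        $findings.Add("'Dsa Not Writable' is 4: NTDS has flagged a USN rollback")
    }

    # 5. Record this DC's up-to-dateness vector (its high water mark per partner)
    #    so it can be compared against a known-good DC during investigation.
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $utdvec = (& repadmin.exe /showutdvec localhost "$domainDn" 2>&1) -join "`n"

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Quarantined  = ($findings.Count -gt 0)
        Findings     = $findings.ToArray()
        UpToDateness = $utdvec
    }
}

$result = Test-UsnRollbackQuarantine
if ($result.Quarantined) {
    Write-Warning "USN rollback symptoms found on $($result.Computer):"
    $result.Findings | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "No USN rollback symptoms found on $($result.Computer)."
}
Write-Host "`nUp-to-dateness vector for $($result.Computer):`n$($result.UpToDateness)"
```

A DC that reports any of these findings should not simply have replication re-enabled; the symptoms are the safeguard that stops its stale database from spreading, and the fix is one of the recovery procedures described on this page. Comparing the printed up-to-dateness vector with the output of the same repadmin command on a healthy partner shows directly how far the quarantined DC's high water mark has fallen behind.
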

How to Avoid USN Rollback

To prevent USN rollback always use an Active Directory-aware backup utility such as UMove to restore or move Active Directory. UMove can restore AD from any disk image including a VM snapshot. UMove will contact the other DCs and arrange to play back all changes to bring the restored DC up to date.

How to Fix USN Rollback

If the DC has been quarantined due to USN rollback, use one of the following procedures to recover the DC:

  • Restore Active Directory from a System State backup that was taken before Event ID 2095 was generated. Note that the System State can only be restored on the same VM or computer from where the backup was taken.
  • Use UMove to replace the bad AD database with a good copy. The good copy can come from any supported source such as a VM snapshot, a dead hard disk, an NTBACKUP file, or a Windows Server Backup (Windows Server 2008). UMove will arrange to play back all changes to bring the good copy up to date. (If the Windows Server Backup was written to DVD discs, use URecover to read the backup image from the discs.)
  • Last-ditch recovery method: Run DCPROMO.EXE to demote the domain controller, then promote it again. This requires that you have a second good DC that is serving the domain. You may need to erase the metadata for the demoted DC before promoting it again. (See the technical articles below.)

For more information about USN rollback see the Microsoft Knowledge Base article “How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2” (KB875495) and the TechNet article “Running Domain Controllers in Hyper-V: Operational Considerations for Virtual Domain Controllers” (http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv.aspx).

The above articles discuss using an “Active Directory-aware backup utility” versus other methods. UMove is an “Active Directory-aware backup utility”.