
UMove for Active Directory

USN Rollback

To salvage AD from a dead computer's disk, the disk must contain the most recent copy of Active Directory that was running on the (now dead) DC.

If you attempt to restore from a disk image that is older than the most recent running disk (for example, from a snapshot of the disk taken with Symantec Ghost or VMware several weeks ago), you may encounter replication errors due to “USN rollback”.

When USN rollback occurs, the following message may appear in the Event Log: “The Active Directory database has been restored using an unsupported restoration procedure. Active Directory will be unable to log on users while this condition persists.” (NTDS General, Event ID 2103)

What is USN Rollback?

A domain controller tracks objects in AD based on their Update Serial Numbers (USN). Every object in AD has a USN. As objects are modified, the USN increases monotonically, like an odometer on a car. The latest USN on each DC is called the “high water mark”. During replication each DC compares its USN high water mark with the USN high water mark of its neighbors.

USN rollback happens when an older copy of Active Directory is restored but the computer fails to notify the other domain controllers that it was rolled back to an out-of-date copy of AD (and therefore that its high water mark has rolled back).

When you use UMove to restore AD from a .BKF file, the restored computer recognizes that its high water mark has rolled back, so it notifies the other DCs (by changing its invocationID). The other DCs respond by “playing back” all changes made to AD since then, bringing the restored computer up to date.

However, if you use UMove to restore AD from an out-of-date image of a dead computer's disk (for example, an old disk image created with Symantec Ghost), the computer will be unaware that it has been rolled back. If the restored disk is older than the most recent actual disk that successfully replicated with the other domain controllers, any more recent changes made to AD on other domain controllers will not be “played back” to the out-of-date DC, because the restored DC does not know that it has been rolled back and so does not notify them.
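The following simplified model of the mechanism described above is an added example, not UMove or Active Directory code; the class and function names are hypothetical. It goes one step beyond the text by also showing the outbound side: after an image restore the DC reuses USNs that its partner has already seen, so the partner silently discards the new changes, while a restore that changes the invocationID replicates normally.

```python
import copy
import uuid
from dataclasses import dataclass, field

@dataclass
class DC:
    invocation_id: str = field(default_factory=lambda: str(uuid.uuid4()))
    usn: int = 0                                  # local high water mark
    changes: list = field(default_factory=list)   # (originating ID, USN, text)

    def write(self, text):
        self.usn += 1
        self.changes.append((self.invocation_id, self.usn, text))

@dataclass
class Partner:
    seen: dict = field(default_factory=dict)      # invocationID -> highest USN received

    def pull(self, dc):
        """Accept only changes above the watermark held for their originating ID."""
        accepted = []
        for inv, usn, text in dc.changes:
            if usn > self.seen.get(inv, 0):
                self.seen[inv] = usn
                accepted.append(text)
        return accepted

    def sees_rollback(self, dc):
        """True when this partner has seen a higher USN than the DC now claims."""
        return self.seen.get(dc.invocation_id, 0) > dc.usn

def simulate(reset_invocation_id):
    dc, partner = DC(), Partner()
    for i in range(3):
        dc.write(f"change {i + 1}")
    partner.pull(dc)
    image = copy.deepcopy(dc)                     # disk image taken at USN 3
    dc.write("change 4")
    dc.write("change 5")
    partner.pull(dc)                              # partner watermark is now 5
    restored = copy.deepcopy(image)               # original disk lost, old image restored
    if reset_invocation_id:                       # what an AD-aware restore does
        restored.invocation_id = str(uuid.uuid4())
    detected = partner.sees_rollback(restored)
    restored.write("new user A")                  # reuses USN 4
    restored.write("new user B")                  # reuses USN 5
    return detected, partner.pull(restored)

if __name__ == "__main__":
    print("image restore, same invocationID:", simulate(False))
    print("restore with new invocationID:   ", simulate(True))
```

The first value in each result is the detection signal: a partner holding a higher watermark for a DC than the DC's own current USN indicates that the DC was rolled back without changing its invocationID.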

USN Rollback With VMware

USN rollback can happen if you use VMware's snapshot feature to roll back a virtual DC to a prior snapshot without simultaneously rolling back all the other virtual DCs.

How to Avoid USN Rollback

To avoid USN rollback, use one of the following procedures:

  • Run UMove to restore AD from a .BKF file instead of a disk image.
  • Run UMove to restore AD from an image of the most recent disk that had replicated with the other domain controllers. For example, move or ghost the physical disk from the crashed computer.

How to Fix USN Rollback

To correct USN rollback, use one of the following procedures:

  • Run UMove again, this time using a .BKF file or an image of the most recent disk that replicated with the other domain controllers.
  • Last-ditch recovery method: Run DCPROMO.EXE to demote the domain controller, then promote it again. You may need to erase the metadata for the demoted DC before promoting it again. (See the KB articles below.)

For more information about USN rollback, see the Microsoft Knowledge Base articles “How to detect and recover from a USN rollback in Windows 2000 Server” (Q885875) and “How to detect and recover from a USN rollback in Windows Server 2003” (Q875495).

The above KB articles discuss using an “Active Directory-aware backup utility” versus other methods. When UMove restores a .BKF file, it acts like an “Active Directory-aware backup utility”. When UMove restores the image of a dead computer's disk, it does not act like an “Active Directory-aware backup utility”.


Algin Technology LLC