Menu

USN Rollback

Instead of using U-Move, if you attempt to move or copy Active Directory using a disk image utility (for example VMware, Symantec Ghost, or Acronis True Image), you may encounter errors with replication due to “USN rollback”.

When USN rollback occurs the following message may appear in the Event Log: “The Active Directory database has been restored using an unsupported restoration procedure. Active Directory will be unable to log on users while this condition persists.” (NTDS General, Event ID 2103)

What is USN Rollback?

A domain controller tracks objects in AD based on their Update Sequence Numbers (USN). Every object in AD has a USN. As objects are modified, the USN increases monotonically, like an odometer on a car. The latest USN on each DC is called the “high water mark”. During replication each DC compares its USN high water mark with the USN high water mark of its neighbors.

USN rollback happens when an older copy of Active Directory is restored but the computer fails to notify the other domain controllers that it was rolled back to an out-of-date copy of AD (and therefore that its high water mark has rolled back).

When you use U-Move to restore AD it notifies the other DCs that it has been rolled back. The other DCs respond by “playing back” all changes made to AD since then, bringing the restored computer up to date.

However, if you use a disk imaging utility (for example, if you restore an old disk image created with Symantec Ghost or Acronis True Image), the computer will be unaware that it has been rolled back. If the restored disk is older than the most recent actual disk that successfully replicated with the other domain controllers, any more recent changes made to AD on other domain controllers will not be “played back” to the out-of-date DC. This is because the restored DC is unaware that it has been rolled back.

USN Rollback With VMware or Hyper-V

USN rollback can happen if you use VMware or Hyper-V to roll back a virtual DC to a prior snapshot without simultaneously rolling back all the other virtual DCs. .

When running a DC inside a virtual machine (VM), USN Rollback is generally not an issue if the guest OS is running Windows Server 2012 or later and the VM host is running at least VMware version 9 or Hyper-V version 3. This is because VMware and Hyper-V will change the VM Generation ID to allow the restored VM to notify the other DCs that it was rolled back.

Consequences of USN Rollback

When another DC detects a replication request with a rolled-back USN, it instructs the rolled-back DC to initiate the following “quarantine” procedure:

• Pause the NETLOGON service in order to prevent the processing of any further user logon requests or user password change requests
• Disable any further replication
• Generate Event ID 2103 in the Directory Service event log
• Generate Event ID 2095 in the Directory Service event log: “During an Active Directory replication request, the local domain controller (DC) identified a remote DC which has received replication data from the local DC using already-acknowledged USN tracking numbers. Because the remote DC believes it is has a more up-to-date Active Directory database than the local DC, the remote DC will not apply future changes to its copy of the Active Directory database or replicate them to its direct and transitive replication partners that originate from this local DC. The most probable cause of this situation is the improper restore of Active Directory on the local domain controller. User Actions: If this situation occurred because of an improper or unintended restore, forcibly demote the DC.”

How to Avoid USN Rollback

To prevent USN rollback always use an Active Directory-aware backup utility such as U-Move to restore or move Active Directory. U-Move can restore AD from any disk image including a VM snapshot. U-Move will contact the other DCs and arrange to play back all changes to bring the restored DC up to date.

How to Fix USN Rollback

If the DC has been quarantined due to USN rollback, use one of the following procedures to recover the DC:

• Restore Active Directory from a System State backup that was taken before Event ID 2095 was generated. Note that the System State can only be restored on the same VM or computer from where the backup was taken.
• Use U-Move to replace the bad AD database with a good copy. The good copy can come from from any supported source such as a VM snapshot, a Volume Shadow Copy (Previous Version) snapshot, an unbootable hard disk, a .BKF file, or a Windows Server Backup image. U-Move will arrange to play back all changes to bring the good copy up to date. (If the Windows Server Backup was written to DVD or BD disks use a utility such as U-Recover to read the backup image from the disks.)
• Run DCPROMO or Server Manager to demote the domain controller, then re-promote it again. This requires that you have a second good DC that is serving the domain. You might need to erase the metadata for the demoted DC before promoting it again. (See the technical articles below).

To avoid this problem in the future, run U-Move on each DC to schedule quick automatic daily backups of AD.

For more information

For more information about USN rollback see the Microsoft articles:

• Safely virtualizing Active Directory Domain Services (AD DS). This article contains a good explanation of USN rollback and how to avoid it.
• A Windows Server domain controller logs Directory Services event 2095 when it encounters a USN rollback (KB875495)
• Running Domain Controllers in Hyper-V

The above articles discuss using an “Active Directory-aware backup utility” versus other methods. U-Move is an “Active Directory-aware backup utility”.