USN Rollback

		UMove Help		Your account \| Cart
				Search

UMove for Active Directory

	Introduction
	Choice of Operation
	Loading Active Directory
	Advanced Topics
	Error Messages
		Override of Warning Messages
		Duplicate Computer on Network
		Lingering Objects
		Need License Code
		NTBACKUP Failed
		Must Copy Internet Information Services
		USN Rollback
		Fatal Error: Cannot Recover From Error

USN Rollback

Instead of using UMove, if you attempt to move or copy Active Directory using a disk image utility (for example VMware, Symantec Ghost, or Acronis True Image), you may encounter errors with replication due to “USN rollback”.

When USN rollback occurs the following message may appear in the Event Log: “The Active Directory database has been restored using an unsupported restoration procedure. Active Directory will be unable to log on users while this condition persists.” (NTDS General, Event ID 2103)

What is USN Rollback?

A domain controller tracks objects in AD based on their Update Serial Numbers (USN). Every object in AD has a USN. As objects are modified, the USN increases monotonically, like an odometer on a car. The latest USN on each DC is called the “high water mark”. During replication each DC compares its USN high water mark with the USN high water mark of its neighbors.

USN rollback happens when an older copy of Active Directory is restored but the computer fails to notify the other domain controllers that it was rolled back to an out-of-date copy of AD (and therefore that its high water mark has rolled back).

When you use UMove to restore AD it notifies the other DCs that it has been rolled back. The other DCs respond by “playing back” all changes made to AD since then, bringing the restored computer up to date.

However, if you use a disk imaging utility (for example, if you restore an old disk image created with Symantec Ghost or Acronis True Image), the computer will be unaware that it has been rolled back. If the restored disk is older than the most recent actual disk that successfully replicated with the other domain controllers, any more recent changes made to AD on other domain controllers will not be “played back” to the out-of-date DC. This is because the restored DC is unaware that it has been rolled back.

USN Rollback With VMware

USN rollback can happen if you use VMware's snapshot feature to roll back a virtual DC to a prior snapshot without simultaneously rolling back all the other virtual DCs.

How to Avoid USN Rollback

To avoid USN rollback, always use UMove to restore or move Active Directory. UMove can restore AD from any disk image including a VM snapshot. UMove will contact the other DCs and arrange to play back all changes to bring the restored DC up to date.

How to Fix USN Rollback

If USN rollback has already happened, use one of the following procedures:

Use UMove to replace the bad AD database with a good copy. The good copy can come from from any supported source such as a VM snapshot, a dead hard disk, NTBACKUP file, or a Windows Server Backup (Windows Server 2008). UMove will arrange to play back all changes to bring the good copy up to date.
Last-ditch recovery method: Run DCPROMO.EXE to demote the domain controller, then re-promote it again. You may need to erase the metadata for the demoted DC before promoting it again. (See the KB articles below).

For more information about USN rollback, see the Microsoft Knowledge Base articles “How to detect and recover from a USN rollback in Windows 2000 Server” (KB885875), and “How to detect and recover from a USN rollback in Windows Server 2003” (KB875495).

The above KB articles discuss using an “Active Directory-aware backup utility” versus other methods. UMove is an “Active Directory-aware backup utility”.

	Home -- Products -- FAQs -- Shop -- Download -- Reseller -- Privacy -- Contact
	Copyright © 2010, Algin Technology LLC