User guide

Copyright © Acronis International GmbH, 2002-2012
USN rollback
After you perform a nonauthoritative restore of a domain controller or of its database, the current
USN of that domain controller is replaced by the old (lower) USN from the backup. But the other
domain controllers are not aware of this change. They still keep the latest known (higher) USN of that
domain controller.
As a result, the following issues occur:
• The recovered domain controller reuses older USNs for new objects; it starts with the old USN from the backup.
• The other domain controllers do not replicate the new objects from the recovered domain controller as long as its USN remains lower than the one they are aware of.
• Active Directory starts having different objects that correspond to the same USN, i.e. becomes inconsistent. This situation is called a USN rollback.
To avoid a USN rollback, you need to notify the domain controller that it has been recovered.
To avoid a USN rollback
1. Immediately after recovering an entire domain controller or its database, boot the recovered
domain controller and press F8 during startup.
2. On the Advanced Boot Options screen, select Directory Services Restore Mode.
3. Log on to Directory Services Restore Mode (DSRM), open Registry Editor, and then expand the
following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
4. In that registry key, examine the DSA Previous Restore Count value. If this value is present, write
down its setting. Do not add the value if it is absent.
5. Add the following value to that registry key:
Value type: DWORD (32-bit) Value
Value name: Database restored from backup
Value data: 1
6. Restart the domain controller in normal mode.
7. [Optional] After the domain controller restarts, open Event Viewer, expand Application and
Services Logs, and then select the Directory Services log. In the Directory Services log, look for a
recent entry for Event ID 1109. If you find this entry, double-click it to ensure that the
InvocationID attribute has changed. This means that the Active Directory database has been
updated.
8. Open Registry Editor and verify that the setting in the DSA Previous Restore Count value has
increased by one as compared with step 4. If the DSA Previous Restore Count value was absent
in step 4, verify that it is now present and that its setting is 1.
If you see a different setting (and you cannot find the entry for Event ID 1109), make sure that
the recovered domain controller has current service packs, and then repeat the entire
procedure.
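The registry and event log checks in steps 4, 5, 7 and 8 can also be scripted. The following PowerShell script is an added example, not part of the Acronis guide. The script name, the -Phase parameter and the baseline file path are assumptions, and the event log channel name 'Directory Service' is assumed to be the log that Event Viewer shows in step 7.

```powershell
# Added example, not from the Acronis guide. Run elevated on the recovered DC:
#   .\Confirm-RestoreMark.ps1 -Phase Mark     (in DSRM: steps 4 and 5)
#   .\Confirm-RestoreMark.ps1 -Phase Verify   (after normal restart: steps 7 and 8)
param(
    [Parameter(Mandatory = $true)][ValidateSet('Mark', 'Verify')][string]$Phase,
    # Assumption: file that carries the step 4 reading across the restart.
    [string]$BaselineFile = "$env:SystemDrive\usn-restore-baseline.txt"
)
$key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$countName = 'DSA Previous Restore Count'
$flagName  = 'Database restored from backup'

function Get-RestoreCount {
    # Returns $null when the value is absent; never creates it (step 4).
    $p = Get-ItemProperty -Path $key -Name $countName -ErrorAction SilentlyContinue
    if ($null -ne $p) { [int]$p.$countName } else { $null }
}

if ($Phase -eq 'Mark') {
    # Step 4: write down the current setting, or record that it is absent.
    $before = Get-RestoreCount
    $(if ($null -eq $before) { 'absent' } else { "$before" }) | Set-Content -Path $BaselineFile
    # Step 5: DWORD value that tells the DC it was restored from backup.
    New-ItemProperty -Path $key -Name $flagName -PropertyType DWord -Value 1 -Force | Out-Null
    "Baseline '$countName': $(Get-Content $BaselineFile). '$flagName' set to 1. Restart in normal mode."
    return
}

# Step 8: the count must be baseline + 1, or 1 if it was absent in step 4.
$baseline = Get-Content -Path $BaselineFile -ErrorAction Stop
$expected = if ($baseline -eq 'absent') { 1 } else { [int]$baseline + 1 }
$now      = Get-RestoreCount

# Step 7 (optional): most recent Event ID 1109, if any.
# Assumption: the channel is named 'Directory Service'.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1109 } `
           -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) { "Event 1109 logged at $($evt.TimeCreated):"; $evt.Message }
else      { 'No Event ID 1109 found in the Directory Service log.' }

if ($null -ne $now -and $now -eq $expected) {
    "OK: '$countName' is $now (expected $expected)."
} else {
    $shown = if ($null -eq $now) { 'absent' } else { $now }
    Write-Warning "'$countName' is $shown, expected $expected."
    if (-not $evt) {
        Write-Warning 'Check that the DC has current service packs, then repeat the entire procedure.'
    }
}
```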
For more details about USNs and USN rollback, see the following Microsoft TechNet article:
http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv.aspx