If the domain has two or more domain controllers and you need to recover one of the controllers or its database, consider taking action against a USN rollback.
A USN rollback is unlikely to occur when you recover an entire domain controller from a VSS-based disk-level backup.
A USN rollback is highly probable if any of the following is true:
A domain controller was recovered partially: not all disks or volumes were recovered or only the Active Directory database was recovered.
A domain controller was recovered from a backup created without VSS. For example, the backup was created by using bootable media or the Use VSS option was disabled or the VSS provider malfunctioned.
The following information will help you avoid a USN rollback by taking a few simple steps.
Replication and USNs
Active Directory data is constantly replicated between the domain controllers. At any given moment, the same Active Directory object may have a newer version on one domain controller and an older version on another. To prevent conflicts and loss of information, Active Directory tracks object versions on each domain controller and replaces the outdated versions with the up-to-date version.
To track object versions, Active Directory uses numbers called Update Sequence Numbers (USNs). Newer versions of Active Directory objects correspond to higher USNs. Each domain controller keeps the USNs of all other domain controllers.
USN rollback
After you perform a nonauthoritative restore of a domain controller or of its database, the current USN of that domain controller is replaced by the old (lower) USN from the backup. But the other domain controllers are not aware of this change. They still keep the latest known (higher) USN of that domain controller.
As a result, the following issues occur:
The recovered domain controller reuses older USNs for new objects; it starts with the old USN from the backup.
The other domain controllers do not replicate the new objects from the recovered domain controller as long as its USN remains lower than the one they are aware of.
Active Directory starts having different objects that correspond to the same USN, i.e. becomes inconsistent. This situation is called a USN rollback.
To avoid a USN rollback, you need to notify the domain controller about the fact that it has been recovered.
To avoid a USN rollback
Immediately after recovering a domain controller or its database, boot the recovered domain controller and press F8 during startup.
On the Advanced Boot Options screen, select Directory Services Restore Mode, and log on to Directory Services Restore Mode (DSRM).
Open Registry Editor, and then expand the following registry key:
In that registry key, examine the DSA Previous Restore Count value. If this value is present, write down its setting. Do not add the value if it is absent.
Add the following value to that registry key:
Value type: DWORD (32-bit) Value
Value name: Database restored from backup
Value data: 1
Restart the domain controller in normal mode.
[Optional] After the domain controller restarts, open Event Viewer, expand Application and Services Logs, and then select the Directory Services log. In the Directory Services log, look for a recent entry for Event ID 1109. If you find this entry, double-click it to ensure that the InvocationID attribute has changed. This means that the Active Directory database has been updated.
Open Registry Editor and verify that the setting in the DSA Previous Restore Count value has increased by one as compared with step 4. If the DSA Previous Restore Count value was absent in step 4, verify that it is now present and that its setting is 1.
If you see a different setting (and you cannot find the entry for Event ID 1109), ensure that the recovered domain controller has current service packs, and then repeat the entire procedure.