USN rollback on Windows Server domain controller - 875495 hotfix

Detecting a USN rollback on a Windows Server domain controller that has the 875495 hotfix (or an operating system that includes this hotfix) installed


Because a USN rollback is difficult to detect, a Windows Server domain controller that has the 875495 hotfix functionality installed logs event 2095 when a source domain controller sends a previously acknowledged USN number to a destination domain controller without a corresponding change in the invocation ID.

To prevent unique originating updates to Active Directory from being created on the incorrectly restored domain controller, the Net Logon service is paused. When the Net Logon service is paused, user and computer accounts cannot change the password on a domain controller that will not outbound-replicate such changes. Similarly, Active Directory administration tools will favor a healthy domain controller when they make updates to objects in Active Directory.

On a domain controller that has the 875495 hotfix functionality installed, event messages that resemble the following are recorded if the following conditions are true:

  • A source domain controller sends a previously acknowledged USN number to a destination domain controller.
  • There is no corresponding change in the invocation ID.

Message 1

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2095
Date: 3/10/2013
Time: 4:26:51 PM
User: remotex\ameyar$
Computer: RXPC1
Description: During an Active Directory replication request, the local domain controller (DC) identified a remote DC which has received replication data from the local DC using already-acknowledged USN tracking numbers. Because the remote DC believes it is has a more up-to-date Active Directory database than the local DC, the remote DC will not apply future changes to its copy of the Active Directory database or replicate them to its direct and transitive replication partners that originate from this local DC. If not resolved immediately, this scenario will result in inconsistencies in the Active Directory databases of this source DC and one or more direct and transitive replication partners. Specifically the consistency of users, computers and trust relationships, their passwords, security groups, security group memberships and other Active Directory configuration data may vary, affecting the ability to log on, find objects of interest and perform other critical operations. To determine if this misconfiguration exists, query this event ID using http://support.microsoft.com or contact your Microsoft product support. The most probable cause of this situation is the improper restore of Active Directory on the local domain controller. User Actions: If this situation occurred because of an improper or unintended restore, forcibly demote the DC. Remote DC: b55ee67f-ed73-4970-b2d4-7dc6f571439f Partition: CN=Configuration,DC=remotex,DC=com USN reported by Remote DC: 24707 USN reported by Local DC: 20485 For more information, see Help and Support Center at http://support.microsoft.com.

Message 2

Event Type: Warning
Event Source: NTDS General
Event Category: Replication
Event ID: 1113
Date: 3/10/2013
Time: 4:26:51 PM
User: Remotex\ameyar$
Computer: RXPC1
Description: Inbound replication has been disabled by the user. For more information, see Help and Support Center at http://support.microsoft.com.

Message 3

Event Type: Warning
Event Source: NTDS General
Event Category: Replication
Event ID: 1115
Date: 3/10/2013
Time: 4:26:51 PM
User: Remotex\ameyar$
Computer: RXPC1
Description: Outbound replication has been disabled by the user. For more information, see Help and Support Center at http://support.microsoft.com

Message 4

Event Type: Error
Event Source: NTDS General
Event Category: Service Control
Event ID: 2103
Date: 3/10/2013
Time: 4:26:51 PM
User: remotex\ameyar$
Computer: RXPC1
Description: The Active Directory database has been restored using an unsupported restoration procedure. Active Directory will be unable to log on users while this condition persists. As a result, the Net Logon service has paused. User Action See previous event logs for details.

These events may be captured in the Directory Service event log. However, they may be overwritten before they are observed by an administrator.

If you suspect that a USN rollback has occurred but do not see the correlating events in the Directory Service event log, check for the Dsa Not Writable registry entry. This entry provides forensic evidence that a USN rollback has occurred.

Registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Registry entry: Dsa Not Writable
Value: 0x4

Deleting or manually changing the Dsa Not Writable registry entry value puts the rollback domain controller in a permanently unsupported state. Therefore, such changes are not supported. Specifically, modifying the value removes the quarantine behavior added by the USN rollback detection code. The Active Directory partitions on the rollback domain controller will be permanently inconsistent with direct and transitive replication partners in the same Active Directory forest.
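The detection checks described above, collected into one PowerShell script. This is an added example and not part of the KB article: it queries the Directory Service log for the four event IDs quoted in the messages above, pulls the two USNs out of an event 2095 description so the gap is visible, reads the Dsa Not Writable value from the NTDS Parameters key, and reports whether the Net Logon service is paused. It assumes an elevated session on the suspected domain controller; the function names are this example's own.

```powershell
# Added example (not from the KB): gather USN rollback indicators on the local DC.
# Event IDs and the registry path come from the article; everything else is this example's.

$RollbackEventIds = 2095, 1113, 1115, 2103   # 2095 = rollback detected, 1113/1115 = replication disabled, 2103 = Net Logon paused

function Get-UsnRollbackEvents {
    # Return the Directory Service log events that the article lists, newest first.
    param([datetime]$Since = (Get-Date).AddDays(-30))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = $RollbackEventIds
        StartTime = $Since
    } -ErrorAction SilentlyContinue
}

function Get-UsnFromEvent2095 {
    # Parse "USN reported by Remote DC: N USN reported by Local DC: M" out of an event 2095 description.
    param([Parameter(Mandatory)][string]$Message)
    $m = [regex]::Match($Message, 'USN reported by Remote DC:\s*(\d+)\s+USN reported by Local DC:\s*(\d+)')
    if (-not $m.Success) { return $null }
    $remote = [int64]$m.Groups[1].Value
    $local  = [int64]$m.Groups[2].Value
    [pscustomobject]@{
        RemoteUsn = $remote
        LocalUsn  = $local
        Gap       = $remote - $local   # how far the partner is "ahead" of the rolled-back DC
    }
}

function Get-DsaNotWritable {
    # The forensic indicator the article names; $null means the value is absent.
    $key = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
    $p = Get-ItemProperty -Path $key -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    $p.'Dsa Not Writable'
}

function Test-UsnRollback {
    $events   = @(Get-UsnRollbackEvents)
    $regValue = Get-DsaNotWritable
    $netlogon = Get-Service -Name Netlogon

    # Event 2095 may already have been overwritten, so the registry value is checked independently.
    $verdict = if ($regValue -eq 4 -or ($events | Where-Object Id -eq 2095)) { 'USN rollback detected' }
               elseif ($netlogon.Status -eq 'Paused') { 'Net Logon paused; inspect the Directory Service log' }
               else { 'No rollback indicators found' }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Event2095Details   = $events | Where-Object Id -eq 2095 | ForEach-Object { Get-UsnFromEvent2095 $_.Message }
        InboundDisabled    = [bool]($events | Where-Object Id -eq 1113)
        OutboundDisabled   = [bool]($events | Where-Object Id -eq 1115)
        DsaNotWritable     = $regValue
        NetlogonPaused     = ($netlogon.Status -eq 'Paused')
        Verdict            = $verdict
    }
}

Test-UsnRollback | Format-List
```

Run against the Message 1 text quoted above, Get-UsnFromEvent2095 returns RemoteUsn 24707, LocalUsn 20485 and a gap of 4222, which is the kind of figure worth recording before the domain controller is demoted, since the Directory Service log may be overwritten later.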

Recovering from a USN rollback

There are two approaches to recover from a USN rollback:

Remove the Domain Controller from the domain, following these steps:

  • Remove Active Directory from the domain controller to force it to be a stand-alone server.
  • Shut down the demoted server.
  • On a healthy domain controller, clean up the metadata of the demoted domain controller.
  • If the incorrectly restored domain controller hosts operations master roles, transfer these roles to a healthy domain controller.
  • Restart the demoted server.
  • If you are required to, install Active Directory on the stand-alone server again.
  • If the domain controller was previously a global catalog, configure the domain controller to be a global catalog.
  • If the domain controller previously hosted operations master roles, transfer the operations master roles back to the domain controller.
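The first recovery approach, scripted step by step. This is an added example and not part of the KB article: it uses the ADDSDeployment and ActiveDirectory PowerShell modules, which exist on Windows Server 2012 and later rather than on the operating systems the hotfix originally targeted. Every server, site and domain name is a placeholder, the function names are this example's own, and each function maps to one or more bullets in the list above; the shutdown and restart steps are left to the operator.

```powershell
# Added example (not from the KB): the "remove the domain controller" recovery path.
# Placeholders: RolledBackDC (the quarantined DC), HealthyDC, remotex.com. Replace before use.

# Step 1, on the rolled-back DC: remove Active Directory and make it a stand-alone server.
function Invoke-ForceDemote {
    param([Parameter(Mandatory)][securestring]$LocalAdminPassword)
    Import-Module ADDSDeployment
    # -ForceRemoval skips final outbound replication; a quarantined DC must not replicate out anyway.
    Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole `
        -LocalAdministratorPassword $LocalAdminPassword -Force
    # Step 2: shut the server down once the demotion completes.
}

# Step 3, on a healthy DC: clean up the metadata the forced removal left behind.
function Remove-DcMetadata {
    param([Parameter(Mandatory)][string]$ServerDn)
    # e.g. CN=RolledBackDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=remotex,DC=com
    # ntdsutil accepts its interactive commands as arguments; the two "q" back out of both menus.
    & ntdsutil.exe "metadata cleanup" "remove selected server $ServerDn" q q
}

# Step 4, on a healthy DC: move any operations master roles the demoted DC still holds.
function Invoke-RoleSeizure {
    param([Parameter(Mandatory)][string]$HealthyDc, [Parameter(Mandatory)][string]$RolledBackDc)
    Import-Module ActiveDirectory
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $held = @()
    if ($forest.SchemaMaster         -like "$RolledBackDc.*") { $held += 'SchemaMaster' }
    if ($forest.DomainNamingMaster   -like "$RolledBackDc.*") { $held += 'DomainNamingMaster' }
    if ($domain.PDCEmulator          -like "$RolledBackDc.*") { $held += 'PDCEmulator' }
    if ($domain.RIDMaster            -like "$RolledBackDc.*") { $held += 'RIDMaster' }
    if ($domain.InfrastructureMaster -like "$RolledBackDc.*") { $held += 'InfrastructureMaster' }
    if ($held.Count -eq 0) { return @() }
    # The demoted server is offline, so a graceful transfer is impossible; -Force seizes the roles.
    Move-ADDirectoryServerOperationMasterRole -Identity $HealthyDc -OperationMasterRole $held -Force -Confirm:$false
    $held   # keep this list; step 8 hands the same roles back
}

# Step 6, on the restarted stand-alone server: install Active Directory again.
function Install-ReplacementDc {
    param([Parameter(Mandatory)][string]$DomainName,
          [Parameter(Mandatory)][pscredential]$Credential,
          [Parameter(Mandatory)][securestring]$DsrmPassword)
    Import-Module ADDSDeployment
    # The new DC becomes a global catalog unless -NoGlobalCatalog is specified.
    Install-ADDSDomainController -DomainName $DomainName -Credential $Credential `
        -SafeModeAdministratorPassword $DsrmPassword -InstallDns -Force
}

# Step 7: make the rebuilt DC a global catalog if it was not installed as one.
function Enable-GlobalCatalog {
    param([Parameter(Mandatory)][string]$DcName)
    Import-Module ActiveDirectory
    $ntdsDn  = (Get-ADDomainController -Identity $DcName).NTDSSettingsObjectDN
    $options = (Get-ADObject -Identity $ntdsDn -Properties options).options
    # Bit 0x1 of the NTDS Settings "options" attribute (NTDSDSA_OPT_IS_GC) marks a GC; OR it in without clearing other bits.
    Set-ADObject -Identity $ntdsDn -Replace @{ options = ([int]$options -bor 1) }
}

# Step 8: transfer the seized roles back to the rebuilt DC (it is online, so no -Force).
function Restore-OperationMasterRoles {
    param([Parameter(Mandatory)][string]$DcName, [Parameter(Mandatory)][string[]]$Roles)
    Import-Module ActiveDirectory
    if ($Roles.Count -gt 0) {
        Move-ADDirectoryServerOperationMasterRole -Identity $DcName -OperationMasterRole $Roles -Confirm:$false
    }
}
```

The seizure in step 4 is the one place the script deliberately differs in wording from the list above: because the demoted server has been shut down, the roles cannot be transferred cooperatively and must be seized, while step 8 is a normal transfer because the rebuilt domain controller is online. Run the step 3 and 4 functions on the healthy domain controller, the step 1 and 6 functions on the server being rebuilt.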

Restore the system state from a good backup.

  • Evaluate whether valid system state backups exist for this domain controller. If a valid system state backup was made before the rolled-back domain controller was incorrectly restored, and the backup contains recent changes that were made on the domain controller, restore the system state from the most recent backup.