Domain Controller running Windows Server USN rollback

Detecting a USN rollback on a domain controller that is running Windows Server

Because errors are not logged in the event log or in the replication engine, a USN rollback can be difficult to detect.

One way to detect a USN rollback is to use the Windows Server version of Repadmin.exe to run the repadmin /showutdvec command. This version of Repadmin.exe displays the up-to-dateness vector USN for all domain controllers that replicate a common naming context. To detect a USN rollback, compare the output of the repadmin /showutdvec command on the domain controller with the output of the same command on the domain controller’s replication partners. If the direct replication partners have a higher USN number for the domain controller than the domain controller has for itself, and the repadmin /showreps command does not report replication errors between direct replication partners, you have compelling evidence of a USN rollback.

Note A correctly restored domain controller resets its local invocation ID attribute when it restarts into Active Directory after its system state is restored by using a supported backup and restore method. When the reset invocation ID is outbound-replicated, remote domain controllers in the forest record the reset invocation ID as a new database instance on the restored domain controller. Although the restored domain controller is still the same domain controller, the remote domain controllers acknowledge this restored domain controller as a new replication partner because the invocation ID changed. (The invocation ID is the identity of the database instance.) The restored domain controller itself will accept changes from other remote domain controllers that originated on the remote domain controllers and on the domain controller before it was restored.

The following example shows the output of the repadmin /showutdvec command on RXDC1 and RXDC2 in the remotex.com domain. In this example, the command is run immediately following the rollback in step 5.

C:\>Repadmin /showutdvec rxdc1 dc=remotex,dc=com
Caching GUIDs…
Pune\RXDC1 @ USN 10 @ Time 2013-08-04 15:07:15
Mumbai\RXDC2 @ USN 24805 @ Time 2013-08-04 15:06:59

C:\>Repadmin /showutdvec rxdc2 dc=remotex,dc=com
Caching GUIDs…
Pune\RXDC1 @ USN 50 @ Time 2013-08-04 15:07:15
Mumbai\RXDC2 @ USN 24805 @ Time 2013-08-04 15:06:59

The output from RXDC1 shows a local USN of 10. RXDC2 has already inbound-replicated USN 50 for RXDC1 and will therefore ignore the Active Directory updates that correspond to the next 40 USN numbers originating on RXDC1.
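The comparison described above, automated as an added example (not part of the original article): the two repadmin /showutdvec outputs are embedded as constructed sample text, parsed, and the USN that each partner holds for a given domain controller is compared with the value that controller reports for itself. The function names and the RollbackFinding type are this example's own; the caller is still expected to confirm with repadmin /showreps that the partners replicate without errors, as the article requires.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two /showutdvec outputs quoted in the article,
# embedded here so the example runs offline.
UTDVEC_RXDC1 = """\
Caching GUIDs...
Pune\\RXDC1 @ USN 10 @ Time 2013-08-04 15:07:15
Mumbai\\RXDC2 @ USN 24805 @ Time 2013-08-04 15:06:59
"""
UTDVEC_RXDC2 = """\
Caching GUIDs...
Pune\\RXDC1 @ USN 50 @ Time 2013-08-04 15:07:15
Mumbai\\RXDC2 @ USN 24805 @ Time 2013-08-04 15:06:59
"""

# One "Site\DC @ USN n @ Time ..." entry of the up-to-dateness vector.
_ENTRY = re.compile(r"^(?P<site>[^\\\s]+)\\(?P<dc>\S+)\s+@\s+USN\s+(?P<usn>\d+)\s+@\s+Time\s+(?P<time>.+)$")

def parse_utdvec(output: str) -> dict:
    """Return {DCNAME: usn} from repadmin /showutdvec output (names upper-cased)."""
    vector = {}
    for line in output.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            vector[m.group("dc").upper()] = int(m.group("usn"))
    return vector

@dataclass
class RollbackFinding:
    dc: str
    partner: str
    local_usn: int
    partner_usn: int

    @property
    def skipped_updates(self) -> int:
        # Originating updates the partner will silently ignore until the DC's USN catches up.
        return self.partner_usn - self.local_usn

def detect_usn_rollback(dc: str, local_output: str, partner_outputs: dict) -> list:
    """Flag every direct partner that records a higher USN for `dc` than `dc` records
    for itself. partner_outputs maps partner name -> that partner's /showutdvec text.
    Combine a non-empty result with an error-free repadmin /showreps to conclude rollback."""
    dc = dc.upper()
    local_usn = parse_utdvec(local_output).get(dc)
    findings = []
    if local_usn is None:
        return findings  # the DC's own vector must list itself
    for partner, output in partner_outputs.items():
        partner_usn = parse_utdvec(output).get(dc)
        if partner_usn is not None and partner_usn > local_usn:
            findings.append(RollbackFinding(dc, partner.upper(), local_usn, partner_usn))
    return findings
```

Run against the sample above, the check reports RXDC2 holding USN 50 for RXDC1 against a local USN of 10, the 40-update gap the article describes.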