Domain – one of the single-DC-per-domain DCs has suffered USN rollback

active-directory, domain, replication

I've inherited an Active Directory forest that is laid out very badly. It has a single forest with a domain tree for each site, each with a single domain controller. No domain is a child of any other domain.

Now one of the DCs, let's call it M1 for domain M, had a problem when we were moving the VM from one hypervisor to another, so we went back to the working one. This has caused a USN rollback, and the 2008 R2 DC M1 has detected it. During this fudge-up there were 2 DNS entries made in domain M, which were likely the only things lost during the rollback as no users were active in domain M at the time. Currently DC M1 has had its inbound and outbound replication re-enabled with repadmin /options M1 -DISABLE_INBOUND_REPL and repadmin /options M1 -DISABLE_OUTBOUND_REPL, and its Netlogon service has been continued after it starts in a paused state with event ID 2103.

The solution I'd like is to make a new single domain for all 10 sites and start over. However, apart from the annoyance of Netlogon starting in a paused state, it seems to be working OK anyway. The questions I have are:

  1. Any less severe suggestions or would it be just as much work to start again and do it properly?
  2. If I just delete the registry key HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Not Writable and ignore the rollback, what will be the effect on the single DC domain in a multi-domain forest?

Because it is a single DC, we cannot:

  • demote then promote the DC to replicate from another existing DC, as there are none in the same domain to replicate from;
  • do a non-authoritative system state restore, as this also requires a functioning healthy DC to replicate from.

Edit: Yes, we have, or can make, a system state backup from an old system image that is younger than the tombstone lifetime.

Best Answer

I think the safest thing to do is to call Microsoft Support and have them guide you through it. The thing is, doing something as simple as manually modifying the Dsa Not Writable registry entry can land you in a permanently unsupported state.

With that disclaimer out of the way, the thing with USN rollbacks is that you need another DC in the domain to be the authoritative standard to roll back to for your domain. Since you have only 1 DC in the domain, you don't have that.

You have a system state backup?

A correctly restored domain controller resets its local invocation ID attribute when it restarts into Active Directory after its system state is restored by using a supported backup and restore method. When the reset invocation ID is outbound-replicated, remote domain controllers in the forest record the reset invocation ID as a new database instance on the restored domain controller. Although the restored domain controller is still the same domain controller, the remote domain controllers acknowledge this restored domain controller as a new replication partner because the invocation ID changed. (The invocation ID is the identity of the database instance.) The restored domain controller itself will accept changes from other remote domain controllers that originated on the remote domain controllers and on the domain controller before it was restored.

This is pretty much your bible on this matter: http://support.microsoft.com/kb/875495/en-US

Don't have a system state backup? You could set the AD database to give itself a new invocation ID:

http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#backup_and_restore_considerations_for_virtualized_domain_controllers

None of that worked? Then look on the bright side: at least you only lost one domain!
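Before touching the registry entry or attempting a restore, it helps to capture the exact quarantine state the question describes and the invocation ID the answer talks about. The following read-only PowerShell script is an added example, not something from the asker, the answerer, or Microsoft's documentation. It assumes it is run elevated on the affected DC (the `$DcName` parameter defaults to the local machine), that the RSAT ActiveDirectory module and `repadmin` are available, and that the Directory Service event log is intact. Event 2103 is the one named in the question; event 2095 is the standard "USN rollback detected" event in the same log, and the `DSA Not Writable` value is the entry that KB 875495 documents as the rollback quarantine flag.

```powershell
# Added diagnostic (not from the original post): read-only checks for a DC
# that is suspected of having suffered a USN rollback. Nothing here changes
# state; it only reports what the DC has recorded about itself.
param(
    # Assumption: defaults to the local DC; pass another DC name to query it remotely.
    [string]$DcName = $env:COMPUTERNAME
)

$ntdsParams = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'

# 1. Quarantine flag. The DC writes 'DSA Not Writable' under NTDS\Parameters
#    when it detects the rollback; deleting it by hand is what the answer warns
#    leaves you in an unsupported state, so we only read it.
$flag = Get-ItemProperty -Path $ntdsParams -Name 'DSA Not Writable' -ErrorAction SilentlyContinue
if ($flag) {
    "DSA Not Writable = $($flag.'DSA Not Writable') (rollback quarantine is set)"
} else {
    "DSA Not Writable is not present (no quarantine flag recorded)"
}

# 2. Netlogon state. After event 2103 the DC starts Netlogon paused so it stops
#    advertising itself; a 'Paused' status here matches the symptom in the question.
$netlogon = Get-Service -Name Netlogon
"Netlogon status: $($netlogon.Status)"

# 3. Directory Service log. 2095 = USN rollback detected against a partner,
#    2103 = database restored by an unsupported method, Netlogon paused.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
} else {
    "No 2095/2103 events found in the Directory Service log"
}

# 4. Replication options. A quarantined DC shows DISABLE_INBOUND_REPL and
#    DISABLE_OUTBOUND_REPL here until someone clears them, as was done in the question.
"repadmin /options output:"
repadmin /options $DcName

# 5. Invocation ID. This is the identity of the database instance that the
#    KB text in the answer refers to; record it now so you can confirm it has
#    changed after a supported system state restore.
Import-Module ActiveDirectory -ErrorAction Stop
$dc = Get-ADDomainController -Identity $DcName
"Invocation ID for $($dc.HostName): $($dc.InvocationId)"
```

Run it once before any recovery step and keep the output; if you later do the supported system state restore, running it again should show a different invocation ID, no quarantine flag, Netlogon running, and clean `repadmin /options` output, which is the evidence you would want before re-enabling anything by hand.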
