Today I had (again…) to lobotomize a domain controller which had suffered the dreaded USN rollback; the standard solution to this issue is to demote it and then promote it back again, but the main problem is, the demote isn't going to work, because the USN rollback condition prevents any replication from happening, thus not allowing the DC being demoted to perform its final replication and die gracefully. Usually, you end up shutting down the server, removing any reference to it from Active Directory, and then reinstalling Windows from scratch.
However, you might have other software or data on that server; or, you may just not want to completely rebuild it, if a demote could suffice.
So, my question is: how can I successfully demote a domain controller which has suffered a USN rollback?
What I tried:
I isolated the server from the network, launched the demote process and, when asked, told it it was the last DC in the domain; but it still complained about this not being true.
So I removed all other DCs from its copy of the Active Directory, and then did the same as above; but even this failed again, with an error about being unable to replicate a directory partition (to who? It was supposed to be the only DC around!).
Best Answer
TL;DR: dcpromo /forceremoval
Straight from the AskDS blog:
You might have shot yourself in the foot when you did this:
If the advice I pasted above does not work, you should probably burn a support call to MS (and pray that they'll still support you after what you've done.)
Edit: Just to be clear, the answer to your title question, "How can I save a domain controller after a USN rollback?" is "you don't."
I mean, you don't have to completely rebuild the machine, (though most people, including me, would advise you to,) but its use as a DC currently is over. Force remove AD from it, unjoin it from the domain, metadata cleanup on what's left of your domain, fully replicate and ensure the domain is healthy, then rejoin, and finally repromote.
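
The sequence described in the answer above, written out as a PowerShell runbook. This is an added example, not part of the original answer or the AskDS post. DC01 (the rolled-back DC), DC02 (a healthy DC), the site name and contoso.local are placeholder names, and the two halves run on different machines.

```powershell
# Added runbook sketch. DC01, DC02, Default-First-Site-Name and contoso.local
# are placeholders; substitute your own names before running anything.

# --- Part 1: on the rolled-back DC (DC01) ---------------------------------
# A DC that detected a USN rollback quarantines itself: it logs event 2095 in
# the Directory Service log and sets "Dsa Not Writable" to 4 under NTDS\Parameters.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$flag = (Get-ItemProperty -Path $ntdsKey -Name 'Dsa Not Writable' `
            -ErrorAction SilentlyContinue).'Dsa Not Writable'
$evt  = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
            -MaxEvents 1 -ErrorAction SilentlyContinue

if ($flag -eq 4 -or $evt) {
    Write-Warning 'USN rollback quarantine detected; a normal demotion cannot replicate out.'
    # Removes AD DS locally without contacting any replication partner.
    # The wizard still prompts for confirmation and a new local admin password.
    dcpromo /forceremoval
}
else {
    Write-Output 'No USN rollback markers found; investigate before forcing removal.'
}

# --- Part 2: on a healthy DC (DC02), after DC01 is out ---------------------
# A forced removal leaves DC01's server object and NTDS Settings behind in the
# directory, so remove them explicitly. ntdsutil asks for confirmation.
$staleDc = 'CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,' +
           'CN=Configuration,DC=contoso,DC=local'
ntdsutil "metadata cleanup" "remove selected server $staleDc" quit quit

# Push the cleanup to every DC across all partitions and sites, then confirm
# replication is clean before DC01 is rejoined and promoted again.
repadmin /syncall /AdeP
repadmin /replsummary   # expect zero failures for every source and destination
dcdiag /e /q            # quiet mode: prints only errors, for all DCs in the forest
```

If DC01 held any FSMO roles, they also have to be seized on a healthy DC before it is promoted again.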