Is this USN Rollback

active-directory, domain-controller, windows-server-2008-r2

I have 6 Windows 2008 R2 Domain Controllers, all GCs, across multiple locations (2+2+2).

On my main site I have a clone of one of our DCs, made a few months ago, that is usually totally isolated from the network. This morning I made the mistake of accidentally linking this clone to my standard network. (Never right-click on Edit Settings without selecting the correct VM.) I left this connected for 25 minutes until I noticed the issue. I ran dcdiag on a different site and no particular issue was reported.

I would like help to see if I am in big trouble per the Microsoft Support article How to detect and recover from a USN rollback. I don't fully understand it.

This is the output of repadmin:
This is the clone of DC1 that I powered on this morning.

C:\Users\admin>repadmin /showutdvec DC1 dc=mydomain,dc=local
Caching GUIDs.
..
mainsite\DC2                   @ USN  28895532 @ Time 2014-02-26 12:41:58
mainsite\DC1                      @ USN 202723681 @ Time 2014-02-26 12:42:29

C:\Users\admin>repadmin /showutdvec DC2 dc=mydomain,dc=local
Caching GUIDs.
..
mainsite\DC2                   @ USN  28895538 @ Time 2014-02-26 12:42:30
mainsite\DC1                      @ USN 202723672 @ Time 2014-02-26 12:42:11

As I can see, I have:

  • DC2: usn value for DC1: 202723672
  • DC1: usn value for DC1: 202723681

As 202723681 is greater than 202723672, is that all OK?

To be sure the replication is OK, I did the following tests:

  1. Test 1

    • Block all traffic from my computer except to DC1.
    • Change my password
    • Try to authenticate with this new password on another computer -> OK
  2. Test 2

    • Block all traffic from my computer except to DC2
    • Change my password
    • Try to authenticate with this new password on another computer -> OK

Are these test results relevant?

Best Answer

Your verbiage could be a little more clear, but assuming you ran repadmin /showutdvec on and against the actual DC1 (not its clone), those results indicate that you probably have not suffered a USN rollback.

From the article you linked (emphasis added):

One way to detect a USN rollback is to use the Windows Server version of Repadmin.exe to run the repadmin /showutdvec command. This version of Repadmin.exe displays the up-to-dateness vector USN for all domain controllers that replicate a common naming context. To detect a USN rollback, compare the output of the repadmin /showutdvec command on the domain controller with the output of the same command on the domain controller's replication partners. If the direct replication partners have a higher USN number for the domain controller than the domain controller has for itself, and the repadmin /showreps command does not report replication errors between direct replication partners, you have compelling evidence of a USN rollback.

DC1 has a higher USN number for itself than DC2 has for it, so this does not indicate a USN rollback situation.

To be safe, run the same test against all replication partners (DCs 3, 4, 5 and 6), but it looks like the clone of DC1 you brought online was either rejected as a replication partner, or the IP conflict situation prevented replication.
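The comparison the quoted article describes, applied to the two vectors posted in the question, as an added example that is not part of the question or the answer. The sample `repadmin /showutdvec` text is copied from the question; `DC1_ROLLED_BACK` is a constructed counter-example showing what the test flags when a DC's own USN has fallen below what a partner remembers for it.

```python
import re

# One line of `repadmin /showutdvec <DC> <NC>` output looks like:
#   mainsite\DC1   @ USN 202723681 @ Time 2014-02-26 12:42:29
UTDVEC_LINE = re.compile(r"^\s*(?P<site>[^\\]+)\\(?P<dc>\S+)\s+@\s+USN\s+(?P<usn>\d+)\s+@\s+Time\s+(?P<time>\S.*?)\s*$")

def parse_utdvec(text):
    """Return {DC_NAME: usn} from captured repadmin /showutdvec text."""
    vec = {}
    for line in text.splitlines():
        m = UTDVEC_LINE.match(line)
        if m:
            vec[m.group("dc").upper()] = int(m.group("usn"))
    return vec

def usn_rollback_suspects(dc_name, own_output, partner_outputs):
    """Article's test: a partner holding a HIGHER USN for dc_name than dc_name
    holds for itself is evidence of a rollback (only if /showreps shows no
    replication errors, which this does not check). Returns a list of
    (partner, partner_usn_for_dc, dc_own_usn); an empty list means no evidence."""
    self_usn = parse_utdvec(own_output).get(dc_name.upper())
    if self_usn is None:
        raise ValueError(f"{dc_name} is missing from its own up-to-dateness vector")
    suspects = []
    for partner, text in partner_outputs.items():
        partner_usn = parse_utdvec(text).get(dc_name.upper())
        if partner_usn is not None and partner_usn > self_usn:
            suspects.append((partner, partner_usn, self_usn))
    return suspects

# Constructed sample input: the two vectors quoted in the question.
DC1_OUTPUT = r"""Caching GUIDs.
..
mainsite\DC2                   @ USN  28895532 @ Time 2014-02-26 12:41:58
mainsite\DC1                      @ USN 202723681 @ Time 2014-02-26 12:42:29
"""
DC2_OUTPUT = r"""Caching GUIDs.
..
mainsite\DC2                   @ USN  28895538 @ Time 2014-02-26 12:42:30
mainsite\DC1                      @ USN 202723672 @ Time 2014-02-26 12:42:11
"""
# Constructed counter-example: DC1 restored from an old image, so its own USN
# (202700000) is now BELOW what DC2 remembers for it (202723672).
DC1_ROLLED_BACK = r"""mainsite\DC2   @ USN  28895538 @ Time 2014-02-26 12:42:30
mainsite\DC1   @ USN 202700000 @ Time 2014-02-26 12:42:11
"""
if __name__ == "__main__":
    print(usn_rollback_suspects("DC1", DC1_OUTPUT, {"DC2": DC2_OUTPUT}))       # []
    print(usn_rollback_suspects("DC1", DC1_ROLLED_BACK, {"DC2": DC2_OUTPUT}))  # [('DC2', 202723672, 202700000)]
```

To follow the answer's advice, capture the same command on DCs 3 to 6 and pass all of them in `partner_outputs`; the function only reports a partner when its USN for the DC exceeds the DC's own.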