USN Rollbacks – Best Practice

I was talking best practices the other day with a customer with regards to what Backup Software to use and the use of Virtualized hosting environments. I recommended to the customer to utilise backup software that uses the Microsoft APIs, or the Software that uses the Microsoft Volume Shadow Copy APIs. If you use Active Directory aware backup programs that use these APIs, then the invocation I.D. is reset before the Active Directory is restarted. Because of this, the “restored” Domain Controller identifies itself as a new Domain Controller . This will prompt the other Domain Controllers to bring the “restored” domain controller up-to-date. 

If this best practice is not followed then you could be in the situation of having to deal with USN Rollbacks. This is a condition that occurs when the Active Directory Domain Controller has not correctly reset its Invocation I.D. before the Active Directory starts. The Active Directory uses a combination of USN,s and invocation I.D.s to track changes to the Active Directory that need to be replicated.

What is the Invocation I.D.?

Well this  ID identifies the version of the Directory Database. If a domain controller is restored from a system state backup then all is well and the i.d. is reset and will trigger replication from its partner DCs; however the situations highlighted below do not do this as a matter of course, and this is where potential problems can occur. (This was extracted from the Kb article 885875 that I recommend to be read to learn more about USN Rollbacks and how to recover from them.)

Software and methodologies that cause USN rollbacks

When the following environments, programs, or subsystems are used, administrators can bypass the checks and validations that Microsoft has designed to occur when the domain controller system state is restored:

•Virtualized hosting environments, including but not limited to Microsoft Virtual Server 2005 and EMC VMWARE

•Software that backs up and restores an Active Directory operating system installation or a hard disk volume that contains that installation
Note Such software includes but is not limited to Norton Ghost.

•Advanced disk subsystems that can selectively copy a volume that contains an Active Directory operating system installation that was saved in the past

The following operations are not supported:

1.Starting an Active Directory domain controller whose operating system was restored to a hard disk by using an imaging program such as Norton Ghost

2.Starting an Active Directory domain controller whose operating system resides in a virtualized hosting environment such as Microsoft Virtual PC, Microsoft Virtual Server 2005, or EMC VMWARE

3.Starting an Active Directory domain controller that is located on a volume where the disk subsystem loads using previously saved images of the operating system without requiring a system state restoration of Active Directory.

So recommendation is,

Thoroughly evaluate your re.tore strategy and software to ensure it follows recommended Best Practice, and utilises the Microsoft APIs,

Comments (5)

  1. ssddfdf says:

  2. qweeqw says: