Recovering from USN Rollback When reverting to a VM snapshot of DC

Posted on 2013-10-27
Last Modified: 2013-10-30
I made a mistake and reverted to a snapshot of my Primary Domain Controller while trouble shooting a problem. The back up Domain Controller took over primary role while I rebooted the server and when the revert was finished there was a conflict and I had USN rollback issues. My primary DC that I reverted recovered the Active Directory and stopped netlogon so nobody could logon to the server. The secondary lost connection with the primary and no longer had a populated active directory. I took down the secondary DC thinking it was causing conflict but that moment had passed. This happened yesterday during down time so I restored my primary domain controller from my netapp snapshot to a time when it was the primary and had no conflict. I power it up while leaving the secondary offline.

Things seem to be operational on the primary now but the secondary is shutdown thinking it has the primary role. How can I bring this back online and take the secondary position again? If I power up as is will it recognize the primary and take its place or do I have to do an unauthoritative restore and force it to talk to the primary? Last couple of options is to restore the secondary DC with the same time stamp from netapp or demote/rebuild the secondary server, strip the meta data from the primary and rejoin?

whats the best/easiest/less risk thing to do? other options?

Question by:RobMes
  • 3
  • 3
  • 2
LVL 118

Accepted Solution

Andrew Hancock (VMware vExpert / EE MVE) earned 250 total points
ID: 39604196
I would forget about the secondary, and Transfer Roles from the Secondary to the Primary.

or, what is commonly known as SIEZE the Roles. Then destroy the secondary server, rebuild and re-install from new, and then Promote to a Domain Controller.

See Microsofts Aerticles on how to complete this operation.

How to view and transfer FSMO roles in the graphical user interface

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain

Author Comment

ID: 39604224
How do I get rid of the reference to the secondary dc in the primary? Does Sieze the role do that?

I  have a follow up question. We are in the process of moving from a physical to virtual environment to handle growth. We started with the terminal server also being domain controller. I then migrated that to a vm and built the secondary dc with the intention of rebuilding the terminal server in vm running 2008 instead of 2003 we are running now. Everything is moving to 2008. I read that 2003 does not demote nicely so what steps what you recommend to avoid this usn problem during this upgrade. I was thinking rebuild sec dc and dcpromo it and demote the primary dc which is the 2003 ts but I don't think that's possible because ts needs ad to work. Thoughts?

Thanks again,
LVL 118
ID: 39604451
You follow the Microsoft articles, which will delete the failed DC.
LVL 19

Assisted Solution

compdigit44 earned 250 total points
ID: 39610288
Here is the Microsoft article you need to follow in order to remove reference to an old DC in AD...

Good Luck
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.


Author Closing Comment

ID: 39610605
I ended up falling back on a Netapp restore point for the Primary DC/TS for when it actually had the primary role. That brought it back online. Then I rolled back the secondary DC from the same Netapp restore point when it actually had the secondary role. I started in AD restore mode so the to talked and since there was nothing to actually fix I rebooted and all was good. Not always the best solution but this happened on a weekend and there was no data loss by rolling back to a couple hours earlier.

Thanks for the help.
LVL 19

Expert Comment

ID: 39611268
Just an FYI. Vsphere 5.1 is VmGeneraware aware which can help protect USN role backs with AD DC's.

Author Comment

ID: 39611417
I'm running Vsphere 5.1 and VMware does have this to help sort out its VM snapshots but I don't think that in it self would do anything about USN Rollback. When I reverted the snapshot originally, the VM's started with no issue and I think that feature could have some part in that. Only in Server 2012 has Microsoft provided the ability to give an ID to the VM layer to help DC's replicate. Basically it may exist but unless your running Server 2012 you still have to be very careful about restoring any DC no matter if it's a VM or not.

Good info but just for anyone else reading I wanted to point out you need Server 2012. Don't rely on it with anything earlier. Hell not sure if you should rely on it at all! This stuff scares the crap out of me. lol
LVL 19

Expert Comment

ID: 39611721
You are correct RobMEs, I forgot to mention this is a new feature in Windows 2012..

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows Server Backup for Exchange incremental 15 48
Convert VMWare to Hyper-V 8 64
Veeam Manuall Backup 2 53
Linux VM 6 44
When we have a dead host and we lose all connections to the ESXi, and we need to find a way to move all VMs from that dead ESXi host.
Veeam Backup & Replication has added a new integration – Veeam Backup for Microsoft Office 365.  In this blog, we will discuss how you can benefit from Office 365 email backup with the Veeam’s new product and try to shed some light on the needs and …
Teach the user how to delpoy the vCenter Server Appliance and how to configure its network settings Deploy OVF: Open VM console and configure networking:
This video shows you how easy it is to boot from ISO images for virtual machines with the ISO images stored on a local datastore on the ESXi host.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now