Active Directory USN Rollback question

Posted on 2015-02-24
Last Modified: 2016-02-25
Hi,

In my test lab I have deleted a domain controller (DC2) and restored it from a Veeam backup.

I am trying to understand USN rollback, and I am having a little trouble getting my head round it.

I have 3 DCs:
DC
DC1
DC2

I have attached screenshots of the replication status info from repadmin regarding USN. The Active Directory Replication Tools say everything is fine.

I've read the TechNet article, but I'm looking at it and I'm just unsure, so if someone can tell me exactly what's up and how to easily see if it's an issue, please let me know!
Attachment: usnrollback.jpg
Question by:piedthepiper

7 Comments
 
Author Comment

by:piedthepiper
Hi Guys,

To all the AD admins out there, does Veeam deal with this issue well when using application-aware backup and restore?

I have been reading up on it, as I like to be aware of the possible issues when restoring a DC. I am having trouble getting my head round how USN rollback works exactly.

I have tested it out in a test environment, by backing up DC2 using application-aware backup, binning the actual VM and then restoring it using the backup.

What is the maximum age of the backup that you should use when recovering a domain controller?

I let it restore and set it to auto boot. When I came back to it, it was at the login screen and it was in Safe Mode (as expected). I had an issue where the 100 MB system partition wasn't mounted; I mounted that and ran the commands as per the KB article http://www.veeam.com/kb1277

Replication seems to be working fine across my domain controllers DC, DC1, DC2 (recovered). DC is the original main controller.

I have run the repadmin /showutdvec command on DC2 (the recovered domain controller):

DC2 @ USN 345605 @ Time 2015-02-24 21:37
DC1 @ USN 334552 @ Time 2015-02-24 21:30
DC2 (retired) @ USN 341361 @ Time 2015-02-24 15:59
DC @ USN 300711 @ Time 2015-02-24 21:37

I have run repadmin /showutdvec on DC1:

DC2 @ USN 345280 @ Time 2015-02-24 20:59:30
DC1 @ USN 334621 @ Time 2015-02-24 21:38:41
DC2 (retired) @ USN 341361 @ Time 2015-02-24 15:59:31
DC @ USN 300716 @ Time 2015-02-24 21:38:24

On DC2 the USN is higher than the value held by DC1; does this mean I have a rollback issue?

Cheers,

Bilal
Expert Comment

by:Mahesh
In the figure, DC2 is already showing as retired.
I think DC2 has probably lost some changes from 341361 to 345605 and again started replicating.
In fact, if you have made any change since the last backup and then restored the VM from backup, you should be able to locate the USN rollback.

Check the DC2 event logs (Directory Service) for event ID 2095.

If you got the event, it means a USN rollback occurred on that specific DC.
If you run the command repadmin /options <The DC Name> (without brackets) OR repadmin /showreps on DC2, you can verify whether inbound and outbound replication is disabled. You will see something similar to this:

Current DC Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
If it shows none, then you have probably lost some changes on DC2; however, DC2 is still replicating new changes.

You may try the command below:
repadmin /showutdvec * dc=domain,dc=com

Normally what happens is that every DC keeps track of its partners' invocation IDs.
The invocation ID contains the last USN received by the partner DC along with the up-to-date vector.
When you roll back a DC from a snapshot, it gets its old invocation ID and then tries to replicate changes with this invocation ID to its partners.

The partner already has the source DC's last invocation ID (last updated), which is more up to date than the one it received now, and hence it will simply reject changes received from that source DC and tell it that it has an outdated database.
The source DC will stop its replication to other DCs.
Check the articles below for more info:
https://windorks.wordpress.com/2014/07/25/ad-replication-issues-usn-rollback-and-the-invocation-id/
http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx
And lastly:
http://blogs.technet.com/b/reference_point/archive/2012/12/10/usn-rollback-virtualized-dcs-and-improvements-on-windows-server-2012.aspx

I think you might have gone through the above articles already.
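Added example, not code from this thread or from Veeam or Microsoft: a PowerShell script that parses repadmin /showutdvec text collected from each DC and compares the up-to-dateness vectors the way the explanation above describes, flagging any DC whose partners remember a higher USN for it than it now holds for itself (the condition Microsoft's guidance, quoted later in this thread, treats as evidence of a USN rollback). The function names are my own; the sample vectors are constructed from the numbers the poster reported, trimmed to the "<dc> @USN <n> @ Time <t>" shape, plus one deliberately altered copy so the detection has something to find.

```powershell
# Added example (not from the thread): compare up-to-dateness vectors from several
# DCs and flag any DC that a partner knows at a HIGHER USN than the DC claims for
# itself. Function names and the sample text layout are assumptions.

function ConvertFrom-UtdVec {
    # Parse repadmin /showutdvec style lines into @{ DcName = highest USN seen }.
    # Retired invocation IDs are skipped: no live DC owns them, so there is no
    # "self" value to compare against.
    param([Parameter(Mandatory)][string]$Text)
    $vector = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(?:[^\\\s]+\\)?(?<dc>[^\s(]+)(?<retired>\s*\(retired\))?\s*@\s*USN\s+(?<usn>\d+)') {
            if ($Matches['retired']) { continue }
            $vector[$Matches['dc']] = [int64]$Matches['usn']
        }
    }
    return $vector
}

function Find-UsnRollbackSuspects {
    # $Vectors maps each DC name to the vector that DC reported (its own view of
    # itself and of its partners). Returns one record per (DC, partner) pair in
    # which the partner has seen a higher USN for the DC than the DC now reports.
    param([Parameter(Mandatory)][hashtable]$Vectors)
    $suspects = @()
    foreach ($dc in $Vectors.Keys) {
        $own = $Vectors[$dc]
        if (-not $own.ContainsKey($dc)) { continue }   # no self entry, nothing to compare
        foreach ($partner in $Vectors.Keys) {
            if ($partner -eq $dc) { continue }
            $seenByPartner = $Vectors[$partner][$dc]
            if ($null -ne $seenByPartner -and $seenByPartner -gt $own[$dc]) {
                $suspects += [pscustomobject]@{
                    DC = $dc; SelfUsn = $own[$dc]; Partner = $partner; PartnerUsn = $seenByPartner
                }
            }
        }
    }
    return ,$suspects
}

# Constructed sample input: the vectors the poster pasted for DC2 and DC1.
$dc2Vector = @'
DC2 @USN 345605 @ Time 2015-02-24 21:37
DC1 @USN 334552 @ Time 2015-02-24 21:30
DC2 (retired) @USN 341361 @ Time 2015-02-24 15:59
DC @USN 300711 @ Time 2015-02-24 21:37
'@
$dc1Vector = @'
DC2 @USN 345280 @Time 2015-02-24 20:59:30
DC1 @USN 334621 @Time 2015-02-24 21:38:41
DC2 (retired) @USN 341361 @Time 2015-02-24 15:59:31
DC @USN 300716 @Time 2015-02-24 21:38:24
'@

# Case 1: the poster's real numbers.
$healthy = @{
    DC2 = (ConvertFrom-UtdVec $dc2Vector)
    DC1 = (ConvertFrom-UtdVec $dc1Vector)
}
Find-UsnRollbackSuspects $healthy | Format-Table

# Case 2 (constructed): DC1 is altered to remember DC2 at a USN above DC2's own value,
# which is what a partner would hold if DC2 had been rolled back to an older copy.
$rolledBack = @{
    DC2 = (ConvertFrom-UtdVec $dc2Vector)
    DC1 = (ConvertFrom-UtdVec ($dc1Vector -replace '345280', '345900'))
}
Find-UsnRollbackSuspects $rolledBack | Format-Table
```

In the first case nothing is flagged, because DC2's own USN (345605) is above what DC1 has seen for it (345280) and DC1's own USN (334621) is above DC2's view of DC1 (334552). In the second case the DC2/DC1 pair is reported, since the partner's memory of DC2 is now ahead of DC2 itself. In practice you would feed the function the output of repadmin /showutdvec run against every DC, not two pasted snippets, and treat a hit as a prompt to check the Directory Service log and DSA options rather than as proof on its own.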
Author Comment

by:piedthepiper
OK, after further investigation it looks like I am in the clear rollback-wise:

If the direct replication partners have a higher USN number for the domain controller than the domain controller has for itself, and the repadmin /showreps command does not report replication errors between direct replication partners, you have compelling evidence of a USN rollback.

My 3 domain controllers:

DC2 has a higher number for itself than the other DCs do. The same goes for the other DCs when compared to their replication partners.

repadmin /showreps - shows replication is running and shows inbound neighbors
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA not Writable - this does not exist on DC2
Directory Services events - look for the following events in the Directory Services log: 2095, 1113, 1115. - Don't exist

I have done gpupdate /force a few times and it all appears to be good.

So it looks like my restore went well.

If anyone has other ideas, or further tests I can perform, please let me know!
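Added example, not from the thread: a PowerShell function that runs the three local checks listed in the comment above (Directory Service events 2095/1113/1115, the DSA not Writable registry value, and repadmin /options) on the restored DC and summarises them in one object. It assumes a Windows domain controller with the AD DS tools installed and an elevated session; the function name and the shape of its output are my own.

```powershell
# Added example (not from the thread): gather the USN rollback indicators the
# thread lists, on the DC this runs on. Names below the function are assumptions.

function Test-UsnRollbackIndicators {
    param([string]$DcName = $env:COMPUTERNAME)
    $r = [ordered]@{ DC = $DcName }

    # 1. Directory Service log: 2095 = USN rollback detected,
    #    1113/1115 = inbound/outbound replication disabled.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 1113, 1115 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue
    $r.RollbackEventIds = @($events | Select-Object -ExpandProperty Id | Sort-Object -Unique)

    # 2. Registry marker NTDS sets when it quarantines itself after a detected rollback.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsa  = Get-ItemProperty -Path $ntds -Name 'DSA not Writable' -ErrorAction SilentlyContinue
    $r.DsaNotWritable = ($null -ne $dsa)

    # 3. repadmin /options must not report replication disabled (healthy output in
    #    the thread is just "Current DSA Options: IS_GC").
    $r.DsaOptions = ((repadmin /options $DcName) -join ' ').Trim()
    $r.ReplicationDisabled = $r.DsaOptions -match 'DISABLE_(INBOUND|OUTBOUND)_REPL'

    # Any one indicator is enough to stop and investigate before trusting this DC.
    $r.Suspected = ($r.RollbackEventIds.Count -gt 0) -or $r.DsaNotWritable -or $r.ReplicationDisabled
    return [pscustomobject]$r
}

Test-UsnRollbackIndicators | Format-List
```

Run it on the restored DC after the first replication cycle completes; a result with no event IDs, DsaNotWritable false and DsaOptions showing only IS_GC (plus any site-specific flags) matches the healthy state reported later in this thread, while any true indicator means the DC should stay isolated until the cause is understood.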
Expert Comment

by:Mahesh
If you could please post the output of
repadmin /options <The DC Name>    -  without brackets
OR
repadmin /showreps

If DSA_Options shows "None", you are safe.

Also check whether event ID 2095 is present on the restored DC.
If not, you are safe.
Author Comment

by:piedthepiper
Hi Mahesh,

C:\Users\Administrator.GOTHAM>repadmin /showreps
Default-First-Site-Name\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: b9af0653-9f98-4788-8817-a665717f48a5
DSA invocationID: 2d0fd2b1-adf2-445c-8b24-ef8accbb88ca

==== INBOUND NEIGHBORS ======================================

DC=gotham,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 6b9b05c6-d89b-4913-8c00-2d0c8998fbc4
        Last attempt @ 2015-02-25 14:43:45 was successful.
    Default-First-Site-Name\DC via RPC
        DSA object GUID: dd0b85a6-f121-497c-8825-7505b4821196
        Last attempt @ 2015-02-25 14:43:51 was successful.

CN=Configuration,DC=gotham,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 6b9b05c6-d89b-4913-8c00-2d0c8998fbc4
        Last attempt @ 2015-02-25 14:42:52 was successful.
    Default-First-Site-Name\DC via RPC
        DSA object GUID: dd0b85a6-f121-497c-8825-7505b4821196
        Last attempt @ 2015-02-25 14:42:52 was successful.

CN=Schema,CN=Configuration,DC=gotham,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 6b9b05c6-d89b-4913-8c00-2d0c8998fbc4
        Last attempt @ 2015-02-25 14:42:52 was successful.
    Default-First-Site-Name\DC via RPC
        DSA object GUID: dd0b85a6-f121-497c-8825-7505b4821196
        Last attempt @ 2015-02-25 14:42:52 was successful.

DC=DomainDnsZones,DC=gotham,DC=com
    Default-First-Site-Name\DC via RPC
        DSA object GUID: dd0b85a6-f121-497c-8825-7505b4821196
        Last attempt @ 2015-02-25 14:43:45 was successful.
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 6b9b05c6-d89b-4913-8c00-2d0c8998fbc4
        Last attempt @ 2015-02-25 14:43:48 was successful.

DC=ForestDnsZones,DC=gotham,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 6b9b05c6-d89b-4913-8c00-2d0c8998fbc4
        Last attempt @ 2015-02-25 14:43:59 was successful.
    Default-First-Site-Name\DC via RPC
        DSA object GUID: dd0b85a6-f121-497c-8825-7505b4821196
        Last attempt @ 2015-02-25 14:44:03 was successful.

C:\Users\Administrator.GOTHAM>repadmin /options dc2
Current DSA Options: IS_GC

All this looks fine to me?

My current DSA options show IS_GC and not "None" like you said?

I have had Veeam confirm that their application-aware backups make sure USN rollback doesn't happen, so I should be good.
Accepted Solution

by: Mahesh (earned 500 total points)
Yes, you are right.

DC health is OK.

The output "DSA Options: IS_GC" is the important one and denotes that you don't have any problems.

USN rollback has not occurred.
Author Closing Comment

by:piedthepiper
Follow-up questions and feedback helped lead to the conclusion.