Post by Tobias Undeutsch, June 2025

Active Directory Backup and USN Rollback – What Should You Consider?

If you have ever restored an Active Directory Domain Controller, or DC for short, from a backup without taking any special precautions, you may be familiar with the following phenomena:

  • The restored Domain Controller no longer replicates properly but may not report any replication errors
  • Active Directory objects such as users or computers have different attributes on different Domain Controllers
  • Active Directory objects exist on one Domain Controller but not on another

All of this is related to a so-called USN rollback that occurred due to the Domain Controller restore.

USN - Update Sequence Number

USN stands for "Update Sequence Number" and denotes a counter that a Domain Controller increments with every change it writes to an AD object. Each replication partner records the highest USN it has already received from a given Domain Controller and requests only changes with a higher USN. This ensures that new or modified objects are distributed efficiently throughout the AD structure.

And this is exactly where problems begin when a Domain Controller restore is not performed properly.

USN Rollback

A USN rollback typically occurs when a Domain Controller is improperly restored, for example, when a Domain Controller is restored using an unsupported backup method (e.g., with snapshot or imaging tools that are not AD-aware).

In this case, the Domain Controller is restored to an earlier state or point in time, where its USN is also reset, leading to discrepancies in the replication process.

Consequences of a USN Rollback

Other Domain Controllers do not pick up the changes made on the restored Domain Controller: it now continues from a lower USN, the one it had at the time of the backup, so its partners have already recorded higher USNs for it and treat the new changes as outdated, i.e. as already received.

This can result in the restored Domain Controller not properly replicating data with other Domain Controllers, leading to inconsistent AD objects and replication errors.

USN Rollbacks Can Be Prevented with the Right Backup Method

For backing up and restoring Domain Controllers, only Active Directory-capable backup solutions should be used. Do not use snapshots or imaging tools that are not specifically designed for AD. This also applies to all hypervisor snapshot technologies. Regularly monitor replication status and event logs to detect potential problems early.

How Do I Detect a USN Rollback?

The Directory Service event log on the Domain Controllers can provide indicators of a USN rollback (Event ID 2095). Tools like "repadmin" can help identify replication problems that might indicate a USN rollback.
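The following script, added here as an example and not part of the original post, gathers the indicators mentioned above on a single Domain Controller: Event ID 2095, the "DSA Not Writable" registry value the DC sets when it detects a rollback, the paused Net Logon service, and the replication options reported by repadmin. It assumes it is run in an elevated PowerShell session on a writable DC.

```powershell
# Added example (not from the original post): collect USN rollback indicators on this DC.
# Assumes an elevated session on a Domain Controller where repadmin.exe is available.

$indicators = @()

# 1. Event ID 2095 in the Directory Service log is the DC's own USN rollback detection.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
              -MaxEvents 5 -ErrorAction SilentlyContinue)
if ($events.Count -gt 0) {
    $indicators += "Event ID 2095 logged $($events.Count) time(s), last at $($events[0].TimeCreated)"
}

# 2. On detection the DC sets 'DSA Not Writable' to 4 and stops replicating in both directions.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntds    = Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue
if ($ntds -and $ntds.'DSA Not Writable' -eq 4) {
    $indicators += "DSA Not Writable = 4 (replication disabled by the DC itself)"
}

# 3. The Net Logon service is paused so that clients stop authenticating against this DC.
$netlogon = Get-Service -Name Netlogon -ErrorAction SilentlyContinue
if ($netlogon -and $netlogon.Status -eq 'Paused') {
    $indicators += "Netlogon service is paused"
}

# 4. repadmin reports the quarantine state as DSA options on the local DC.
$showrepl = (repadmin /showrepl 2>&1) -join "`n"
if ($showrepl -match 'DISABLE_INBOUND_REPL|DISABLE_OUTBOUND_REPL') {
    $indicators += "repadmin /showrepl shows inbound and/or outbound replication disabled"
}

# Report. An empty list does not prove a clean DC: a rollback from an unsupported restore
# can go unnoticed, so the replication status should also be compared across partners.
if ($indicators.Count -eq 0) {
    Write-Output "No USN rollback indicators found on $env:COMPUTERNAME."
} else {
    Write-Output "USN rollback indicators on ${env:COMPUTERNAME}:"
    $indicators | ForEach-Object { Write-Output " - $_" }
}
```

Running it on every Domain Controller after a restore, and comparing the results with repadmin output from a known-good partner, turns the symptoms listed at the start of this post into something that can be checked routinely rather than discovered by accident.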

How Can a USN Rollback Be Fixed?

To restore the consistency of objects in Active Directory after a USN rollback, the following should be done:

  • Isolate the affected Domain Controller from the network
  • Demote and re-promote the affected Domain Controller to ensure it fully replicates all AD objects from the error-free Domain Controllers
  • Ensure that the metadata for the demoted Domain Controller is properly cleaned from AD to avoid orphaned objects

Microsoft Active Directory

Active Directory (AD) is a directory service developed by Microsoft for Windows networks that serves to manage permissions and access to network resources and store information about objects such as users, groups, and computers.

Your Partner for AD Backups

Our solution ensures that your Domain Controllers can be backed up and restored correctly and securely without risking a USN rollback. Our specialized technology and comprehensive experience in data protection make us your ideal partner for Active Directory backups. Learn more now.