How to restore a Virtualized Domain Controller and prevent USN Rollback

Information:
This summarizes the steps needed to properly restore a backup copy of a Virtualized DC to the Active Directory forest. The copied Virtual DC can be returned to the domain and can have all updates replicated to it with the following procedure. Use this procedure only under the following conditions:
• Updates included with Knowledge Base article 875495 (Windows Server 2003) or article 885875 (Windows 2000 Server with SP4) were installed on the domain controller prior to the failure.
• The backup image of the domain controller has not been booted.
• The current domain controller is offline.
• The backup image of the domain controller is not older than the tombstone lifetime of objects in Active Directory (60 days by default).
• The backup image of the domain controller does not hold any FSMO roles.

Note:
This procedure can only be used when the backup image of the Virtualized DC has not been booted since being created.

Important:
When restoring a backup image of a virtualized domain controller using this method, do not restart the domain controller in normal operation mode. Simply starting a domain controller in normal operation mode, even if it is disconnected from the network, causes changes in the directory service that will increment USNs on the domain controller. You must start the domain controller in Directory Services Restore mode and then use the recovery steps in the following procedure.

How to restore a Virtualized DC image to prevent USN Rollback from occurring:

1) Using the Virtualized DC image, start the domain controller in Directory Services Restore mode.

a. In a registry editor, if the entry “DSA Previous Restore Count” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters is visible, make a note of the value. If the entry is not visible, assume a value of 0. Do not add the entry.

b. Add the registry entry “Database restored from backup” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
i. Data type: REG_DWORD
ii. Value: 1

c. This setting creates a valid system state backup and immediately restores the backup.

Note:
The “Database restored from backup” entry is available on domain controllers that are running Windows 2000 Server with SP4 and domain controllers that are running Windows Server 2003 with updates included with Knowledge Base article 875495 installed.

2) Restart the domain controller normally.

3) In the registry, check to be sure that the value in DSA Previous Restore Count is equal to its previous value plus 1.

4) In the Directory Service event log, check to see that event ID 1109 appears.

a. This event confirms that the virtualized DC has been restored and the invocation ID has been changed. Event ID 1109 places the following information in the log:

Active Directory has been restored from backup media, or has been configured to host an application partition. The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is a

InvocationID attribute (old value): %1
InvocationID attribute (new value): %2
Update sequence number: %3

The invocationID is changed when a directory server is restored from backup media or is configured to host a writeable application directory partition.
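
The steps above can also be scripted. The following is an added example, not part of the original procedure or any Microsoft tooling: a two-phase Windows PowerShell helper that records the restore count and sets the registry entry in Directory Services Restore mode, then checks steps 3 and 4 after the normal restart. It assumes Windows PowerShell is installed on the domain controller; the state-file path and the SAFEBOOT_OPTION check are assumptions.

```powershell
param(
    [Parameter(Mandatory = $true)][ValidateSet('Prepare', 'Verify')][string]$Phase,
    [string]$StateFile = 'C:\dc-restore-count.txt'   # hypothetical path for the noted value
)
$ErrorActionPreference = 'Stop'
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-RestoreCount {
    # Step 1a: a missing entry counts as 0 and is never created by this script.
    $p = Get-ItemProperty -Path $ntds -Name 'DSA Previous Restore Count' -ErrorAction SilentlyContinue
    if ($null -ne $p) { [int]$p.'DSA Previous Restore Count' } else { 0 }
}

if ($Phase -eq 'Prepare') {
    # Run in Directory Services Restore mode only.
    # Assumption: Windows sets SAFEBOOT_OPTION to DSREPAIR in that mode.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not in Directory Services Restore mode; refusing to change the registry.'
    }
    $count = Get-RestoreCount
    Set-Content -Path $StateFile -Value $count
    # Step 1b: REG_DWORD "Database restored from backup" = 1
    New-ItemProperty -Path $ntds -Name 'Database restored from backup' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    "Noted restore count $count. Restart normally, then run with -Phase Verify."
}
else {
    # Steps 3 and 4: run after the normal restart.
    $before = [int](Get-Content -Path $StateFile | Select-Object -First 1)
    $after  = Get-RestoreCount
    $event1109 = Get-EventLog -LogName 'Directory Service' -Newest 1000 |
        Where-Object { $_.EventID -eq 1109 } | Select-Object -First 1

    $countOk = ($after -eq $before + 1)
    "DSA Previous Restore Count: $before -> $after (expected $($before + 1))"
    if ($event1109) { "Event 1109 logged at $($event1109.TimeGenerated)" }
    else            { 'Event 1109 not found in the Directory Service log' }

    if ($countOk -and $event1109) { 'Restore confirmed: the invocation ID has been changed.' }
    else { throw 'Restore NOT confirmed; recheck steps 3 and 4.' }
}
```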

More Information:
USN Rollback occurs when an Active Directory Domain Controller is restored via a snapshot or imaging process. Microsoft considers this an unsupported method of restoring Active Directory, and it is this type of method that causes an Update Sequence Number (USN) rollback, because it leaves the USN on the restored DC lower than what the other Domain Controllers are using.

To properly back up and restore Active Directory, you should use an “Active Directory-aware backup utility” such as NTBackup.
