How to avoid a USN rollback condition
To avoid a USN rollback condition with a recovered Active Directory (AD) server in an environment with one or more additional AD servers, follow the steps below. These steps were provided by Microsoft and then modified for use with our System Recovery Environment (SRE) bootable media.
- Recover the system using the SRE bootable media as described in the KB article Computer System Recovery (BMR). Before the system boots normally for the first time after the recovery, you must edit the registry to indicate that the AD database was restored from backup. Do not allow the domain controller to restart and boot in normal mode before the registry edit takes place. If you restart and the recovered AD server begins to start in normal mode, turn off the machine to prevent it from completing startup. Microsoft recommends pressing F8 during the initial boot sequence to start the advanced boot option called DSRM, but that option may not be present on the recovered system. Instead, boot into the SRE again and edit the registry there, before the first normal boot of the system. After the system recovery completes and you accept the prompt to reboot, the system should still be configured to boot using the SRE. If it is, you should see the prompt 'press any key to boot from CD...'. The SRE gives you only a short period of time to confirm booting into the SRE, so press the space bar as soon as you see the message. If you miss the time period and the system starts to boot normally, power off the system and repeat the process until you boot into the SRE.
- Open Registry Editor. To open Registry Editor, on the SRE menu, select the second item to open a command prompt. Type regedit and press ENTER. In Registry Editor, click HKEY_LOCAL_MACHINE, then open the File menu and click 'Load Hive'. Navigate to the restored Windows\System32\config folder and select the SYSTEM file. The restored Windows directory could be on the C: drive, but the SRE may have assigned it a different drive letter. Click Open. Give the loaded hive the name RecoveredSYSTEM.
- Expand the following path: HKEY_LOCAL_MACHINE\RecoveredSYSTEM\CurrentControlSet\Services\NTDS\Parameters. (If there is no CurrentControlSet but there is a CurrentControlSet1, use it instead.) Look for a value named DSA Previous Restore Count. If the value is there, make a note of the setting value. If the value is not there, the setting is equal to the default, which is zero. Do not add a value if you do not see one there.
- Right-click the Parameters key, click New, and then click DWORD (32-bit) Value.
- Type the new name Database restored from backup, exactly as shown, and then press ENTER.
- Double-click the value that you just created to open the Edit DWORD (32-bit) Value dialog box, and then type 1 in the Value data box.
- Restart the domain controller in normal mode.
- When the domain controller restarts, open Event Viewer. To open Event Viewer, click Start, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.
- Expand Application and Services Logs, and then click the Directory Services log. Ensure that events appear in the details pane.
- Right-click the Directory Services log, and then click Find. In Find what, type 1109, and then click Find Next.
- You should see at least one Event ID 1109 entry. If you do not see this entry, proceed to the next step. Otherwise, double-click the entry, and then review the text confirming that the update was made to the InvocationID:
  Active Directory has been restored from backup media, or has been configured to host an application partition. The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is <time>
  InvocationID attribute (old value):<Previous InvocationID value>
  InvocationID attribute (new value):<New InvocationID value>
  Update sequence number:<USN>
  The InvocationID is changed when a directory server is restored from backup media or is configured to host a writeable application directory partition.
- Close Event Viewer.
- Use Registry Editor to verify that the value in DSA Previous Restore Count is equal to the previous value plus one. If this is not the correct value and you cannot find an entry for Event ID 1109 in Event Viewer, verify that the domain controller’s service packs are current. You cannot try this procedure again on the same VHD. You can try again on a copy of the VHD or a different VHD that has not been started in normal mode by starting over at step 1.
- Close Registry Editor.
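
The post-restart checks above (Event ID 1109 and the DSA Previous Restore Count increment) can also be run as a PowerShell script on the recovered domain controller. This is an added example, not part of the original procedure or Microsoft's steps; the -PreviousRestoreCount parameter is a hypothetical name for the value you noted in the loaded hive before the first normal boot, and the script queries the log under its channel name, Directory Service.

```powershell
# Added example: verify that the restore was detected after the first normal boot.
# Run in an elevated PowerShell session on the recovered domain controller.
param(
    # Hypothetical parameter: the 'DSA Previous Restore Count' noted in the
    # offline hive before the first normal boot (0 if the value was absent).
    [int]$PreviousRestoreCount = 0
)

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$countName = 'DSA Previous Restore Count'

# A missing value means the default of zero.
$prop = Get-ItemProperty -Path $paramsKey -Name $countName -ErrorAction SilentlyContinue
$currentCount = if ($prop) { [int]$prop.$countName } else { 0 }
$expected  = $PreviousRestoreCount + 1
$counterOk = $currentCount -eq $expected

# Newest Event ID 1109 entries in the Directory Service log, if any.
$filter = @{ LogName = 'Directory Service'; Id = 1109 }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue)

"Restore count: previous=$PreviousRestoreCount current=$currentCount expected=$expected"
if ($events.Count -gt 0) {
    # Get-WinEvent returns the newest event first. Check that the timestamp is
    # after this recovery: the restored log can hold 1109 entries from earlier restores.
    $latest = $events[0]
    "Event ID 1109 logged at $($latest.TimeCreated):"
    $latest.Message
} else {
    'No Event ID 1109 entry found in the Directory Service log.'
}

if ($counterOk -and $events.Count -gt 0) {
    'OK: restore count incremented and Event ID 1109 present.'
    exit 0
} elseif (-not $counterOk -and $events.Count -eq 0) {
    Write-Warning 'Restore was not detected: counter unchanged and no Event ID 1109.'
    exit 2
} else {
    Write-Warning 'Only one of the two checks passed; review both by hand.'
    exit 1
}
```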