Friday, September 28, 2012

How to restore a Virtualized Domain Controller and prevent USN Rollback


Information:
This summarizes the steps needed to restore a backup copy of a virtualized DC to the Active Directory forest without causing a USN rollback. The copied virtual DC can be returned to the domain and have all updates replicated to it with the following procedure. Use this procedure only under the following conditions:
• The updates included with Knowledge Base article 875495 (Windows Server 2003) or article 885875 (Windows 2000 Server with SP4) were installed on the domain controller before the failure.
• The backup image of the domain controller has not been booted since it was created.
• The current (failed) domain controller is offline, so that two DCs with the same identity are never on the network at the same time.
• The backup image of the domain controller is not older than the tombstone lifetime of the forest (60 days by default for forests created with Windows 2000 Server or the original release of Windows Server 2003; 180 days for forests created with Windows Server 2003 SP1 or later). An older image would reintroduce objects that the other DCs have already deleted and purged (lingering objects).
• The backup image of the domain controller does not hold any FSMO roles.
Note:
This procedure can only be used when the backup image of the Virtualized DC has not been booted since being created.
Important:
When restoring a backup image of a virtualized domain controller using this method do not restart the domain controller in normal operation mode. Simply starting a domain controller in normal operation mode, even if it is disconnected from the network, causes changes in the directory service that will increment USNs on the domain controller. You must start the domain controller in Directory Services Restore mode and then use the recovery steps in the following procedure.
How to restore a Virtualized DC image to prevent USN Rollback from occurring:
1) Using the virtualized DC image, start the domain controller in Directory Services Restore Mode.
a. In a registry editor, if the entry “DSA Previous Restore Count” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters is visible, make a note of the value. If the entry is not visible, assume a value of 0. Do not add the entry.
b. Add the registry entry “Database restored from backup” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
i. Data type: REG_DWORD
ii. Value = 1
c. This setting makes the directory service behave as though a valid system state backup had been created and immediately restored: on the next normal start, NTDS treats the database as restored, assigns a new invocationID and increments DSA Previous Restore Count, so replication partners treat the DC as a new replication source and send it every change it is missing.
Note:
The “Database restored from backup” entry is available on domain controllers that are running Windows 2000 Server with SP4 and domain controllers that are running Windows Server 2003 with updates included with Knowledge Base article 875495 installed.
2) Restart the domain controller normally.
3) In the registry, check that the value of DSA Previous Restore Count is equal to its previous value plus 1.
4) In the Directory Service event log, check that event ID 1109 appears.
a. This event confirms that the virtualized DC has been restored and the invocationID has been changed. Event ID 1109 places the following information in the log (%1, %2 and %3 are the insertion fields, filled in with the old invocationID, the new invocationID and the USN respectively):
Active Directory has been restored from backup media, or has been configured to host an application partition. The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:
InvocationID attribute (old value): %1
InvocationID attribute (new value): %2
Update sequence number: %3
The invocationID is changed when a directory server is restored from backup media or is configured to host a writeable application directory partition.
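The four steps above as a script, added here as an example; it is not part of the original post, nor of the Microsoft article it summarizes. It is run twice on the restored DC from an elevated PowerShell prompt: once with -Phase Prepare while the image is booted into Directory Services Restore Mode (steps 1a and 1b), and once with -Phase Verify after the normal restart (steps 3 and 4). Assumptions not taken from the original: the SAFEBOOT_OPTION environment variable reads DSREPAIR when Windows is booted into DSRM, and the state file name used to remember the pre-restart count is arbitrary.

```powershell
# Added example (not from the original post or from Microsoft's KB article):
# two-phase helper for the restore procedure. Prepare runs in DSRM, Verify
# runs after the normal restart.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Prepare', 'Verify')]
    [string]$Phase
)

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$countName  = 'DSA Previous Restore Count'
$flagName   = 'Database restored from backup'
# Hypothetical file name; only used to carry the pre-restart count across the reboot.
$stateFile  = Join-Path $env:SystemDrive 'usn-rollback-fix.state'

function Get-RestoreCount {
    # Step 1a: read the count if it exists, otherwise assume 0. Never create it here.
    $props = Get-ItemProperty -Path $ntdsParams -ErrorAction Stop
    if ($props.PSObject.Properties.Name -contains $countName) {
        return [int]$props.$countName
    }
    return 0
}

function Invoke-Prepare {
    # Safety check (assumption: SAFEBOOT_OPTION is DSREPAIR in Directory Services
    # Restore Mode). A normal boot, even off the network, would already advance USNs.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not booted into Directory Services Restore Mode. Stop here.'
    }
    $before = Get-RestoreCount
    Set-Content -Path $stateFile -Value $before
    # Step 1b: REG_DWORD "Database restored from backup" = 1 tells NTDS, on the next
    # normal start, to treat the database as restored and assign a new invocationID.
    New-ItemProperty -Path $ntdsParams -Name $flagName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "DSA Previous Restore Count before restart: $before (saved to $stateFile)"
    Write-Host 'Flag set. Restart the DC normally (step 2), then run this script with -Phase Verify.'
}

function Invoke-Verify {
    if (-not (Test-Path $stateFile)) {
        throw "State file $stateFile is missing; run -Phase Prepare in DSRM first."
    }
    $before = [int](Get-Content -Path $stateFile)
    $after  = Get-RestoreCount
    # Step 3: the count must have gone up by exactly one.
    $countOk = ($after -eq ($before + 1))
    # Step 4: event 1109 in the Directory Service log records the old and new invocationID.
    $evt = Get-EventLog -LogName 'Directory Service' -Newest 500 |
        Where-Object { $_.EventID -eq 1109 } | Select-Object -First 1
    $evtTime = $null
    if ($evt) { $evtTime = $evt.TimeGenerated }
    $result = New-Object PSObject -Property @{
        RestoreCountBefore = $before
        RestoreCountAfter  = $after
        CountIncremented   = $countOk
        Event1109Logged    = ($null -ne $evt)
        Event1109Time      = $evtTime
    }
    if (-not $countOk -or -not $evt) {
        Write-Warning 'The restore was not registered by NTDS. Keep this DC off the network until this is resolved.'
    }
    return $result
}

switch ($Phase) {
    'Prepare' { Invoke-Prepare }
    'Verify'  { Invoke-Verify | Format-List }
}
```

Only when Verify reports both CountIncremented and Event1109Logged as True should the DC be reconnected; after that, repadmin /showrepl should show inbound replication succeeding, which is the DC catching up on everything created since the image was taken.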
More Information:
USN rollback occurs when a domain controller is rolled back to an earlier state by a method that does not reset its invocationID: restoring a virtual machine snapshot, reapplying a disk image, or copying a virtual disk file. Microsoft does not support any of these as a way of restoring Active Directory. After such a rollback the DC's highest USN is lower than the USN its replication partners have already recorded for its invocationID in their up-to-dateness vectors, so as the DC creates new changes it reuses USNs the partners believe they have already received, and the partners never request those changes. The DC and its partners diverge silently.
To back up and restore Active Directory properly, use an Active Directory-aware backup utility that takes and restores a system state backup, such as NTBackup on Windows Server 2003 or Windows Server Backup on later versions. A supported restore resets the invocationID, exactly as the registry procedure above does.
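A check for the condition just described, added here as an example and not part of the original post: it reads the local DC's invocationID and highestCommittedUSN from RootDSE, asks a healthy replication partner for its up-to-dateness vector, and flags a rollback when the partner has already recorded a higher USN for this invocationID than the DC itself now has. It also collects the symptoms NTDS raises when it detects the rollback itself: Directory Service events 2095 and 2103, replication disabled in repadmin /options, and a paused Net Logon service. Assumptions not taken from the original: repadmin.exe is on the path, and repadmin /showutdvec with /nocache prints one line of the form "<invocationID GUID> @ USN <n> @ Time <t>" per source DC.

```powershell
# Added example (not from the original post): detect a USN rollback on the local DC
# by comparing its own highest USN with what a partner has already seen from it.
param(
    [Parameter(Mandatory = $true)]
    [string]$Partner   # DNS name of a healthy replication partner, e.g. dc2.corp.example (hypothetical)
)

function Get-LocalDsaState {
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $settingsDn = [string]$rootDse.Properties['dsServiceName'].Value     # this DC's NTDS Settings object
    $settings   = [ADSI]"LDAP://$settingsDn"
    $invBytes   = [byte[]]$settings.Properties['invocationId'].Value
    New-Object PSObject -Property @{
        InvocationId = New-Object -TypeName System.Guid -ArgumentList (,$invBytes)
        HighestUsn   = [int64]$rootDse.Properties['highestCommittedUSN'].Value
        DomainNc     = [string]$rootDse.Properties['defaultNamingContext'].Value
    }
}

function Get-PartnerUsnForInvocationId {
    param([string]$Partner, [string]$Nc, [guid]$InvocationId)
    # Partner's up-to-dateness vector; /nocache keeps the entries keyed by invocationID GUID
    # instead of resolving them to DC names (output format is an assumption, see lead-in).
    $lines = & repadmin /showutdvec $Partner $Nc /nocache 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*([0-9a-fA-F-]{36})\s+@\s+USN\s+(\d+)') {
            if ([guid]$matches[1] -eq $InvocationId) { return [int64]$matches[2] }
        }
    }
    return $null   # partner has never replicated from this invocationID
}

function Test-UsnRollback {
    param([string]$Partner)
    $local      = Get-LocalDsaState
    $partnerUsn = Get-PartnerUsnForInvocationId -Partner $Partner -Nc $local.DomainNc -InvocationId $local.InvocationId

    # Symptoms NTDS raises once it notices the rollback on its own:
    #   2095: a partner has already received USNs from this DC that the DC no longer has
    #   2103: unsupported restore detected; inbound and outbound replication disabled
    $events   = Get-EventLog -LogName 'Directory Service' -Newest 1000 |
        Where-Object { (2095, 2103) -contains $_.EventID }
    $options  = (& repadmin /options) 2>&1 | Out-String
    $netlogon = Get-Service -Name Netlogon

    New-Object PSObject -Property @{
        InvocationId        = $local.InvocationId
        LocalHighestUsn     = $local.HighestUsn
        PartnerRecordedUsn  = $partnerUsn
        # The decisive test: the partner is ahead of us for our own invocationID.
        UsnRegressed        = (($partnerUsn -ne $null) -and ($partnerUsn -gt $local.HighestUsn))
        RollbackEventCount  = @($events).Count
        ReplicationDisabled = [bool]($options -match 'DISABLE_(INBOUND|OUTBOUND)_REPL')
        NetlogonPaused      = ($netlogon.Status -eq 'Paused')
    }
}

Test-UsnRollback -Partner $Partner | Format-List
```

The USN comparison is only conclusive soon after the rollback: a rolled-back DC keeps consuming USNs as it runs, so after enough local activity its highestCommittedUSN climbs back past the partner's recorded value while the changes made in between remain invisible to the partner. The event, replication-option and Net Logon indicators persist, which is why the check reports all of them.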

Original Post: