Active Directory | USN Rollback


Unique Sequence Number (USN)
The USN is the change-tracking number of the AD database. Every change or transaction committed on a DC increments that DC's USN. DCs in the same domain need not have the same USN: a DC's USN is specific to that DC, but each DC also records the USNs of its replication partners in its high-watermark vector (HWMV) table.

Server Object GUID (DSA GUID)
The Directory System Agent (DSA) GUID is used in USNs to track originating writes, and a DC uses it to identify its replication partners. Its value is stored in the objectGUID attribute of the DC's NTDS Settings object. The DSA GUID is created when AD is first installed on a DC and does not change for the DC's lifetime unless the DC is removed from the domain, so the DC stays recognizable even if it is renamed.

Server Database GUID (Invocation GUID)
The AD database has its own GUID, which identifies the version of the database. Its value is stored in the invocationId attribute of the NTDS Settings object. Unlike the DSA GUID, the Invocation GUID is changed during a supported AD restore so that replication stays consistent. Coming to the USN rollback scenario:

Cause
USN rollback is mainly caused by restoring a DC with a non-Microsoft restore process (Norton Ghost, a VMware snapshot, etc.) or by performing a V2V of an existing DC.

Explanation
When a DC is restored with the supported AD restoration methods, its Invocation ID is reset, which in turn resets the USN so that the DC understands its database has been restored. The Invocation ID tracks the version of the DC's database, and the previous Invocation ID is marked as retired. When a DC is restored by any other method, this ID is not reset. Other DCs then do not replicate from the rolled-back DC the changes made after the image was taken: they still hold its old, higher USN in their HWMV, so they believe the rolled-back DC already holds up-to-date data and will not replicate, which leaves the AD data inconsistent.
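The following PowerShell is an added example (it is not code from the original post) that collects the three identifiers described above for every DC and then checks each DC for the markers Windows itself records when it detects a USN rollback. It assumes the RSAT ActiveDirectory module, domain admin rights, and WinRM/event log access to each DC. Directory Service event ID 2095 and the registry value "DSA Not Writable" = 4 are Microsoft's documented rollback indicators; they are not mentioned in the post and are used here on that basis.

```powershell
Import-Module ActiveDirectory

# Collect, for every DC in the domain: DSA GUID (objectGUID of its NTDS Settings object),
# Invocation ID (invocationId of the same object) and its own highest committed USN (RootDSE).
function Get-DcIdentity {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $Domain `
                             -Properties objectGUID, invocationId
        $root = Get-ADRootDSE -Server $dc.HostName
        [pscustomobject]@{
            DC           = $dc.HostName
            DsaGuid      = $ntds.ObjectGUID
            InvocationId = New-Object System.Guid -ArgumentList (,[byte[]]$ntds.invocationId)
            HighestUsn   = [int64]$root.highestCommittedUSN
        }
    }
}

# Check one DC for the two indicators Windows records on detecting a USN rollback:
# Directory Service event 2095 and "DSA Not Writable" = 4 under the NTDS Parameters key
# (documented by Microsoft; assumed here, not taken from the post).
function Test-UsnRollback {
    param([Parameter(Mandatory)][string]$DcName)
    $notWritable = Invoke-Command -ComputerName $DcName -ScriptBlock {
        $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        (Get-ItemProperty -Path $p -Name 'DSA Not Writable' -ErrorAction SilentlyContinue).'DSA Not Writable'
    }
    $events = @(Get-WinEvent -ComputerName $DcName -MaxEvents 5 -ErrorAction SilentlyContinue `
                   -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 })
    [pscustomobject]@{
        DC                = $DcName
        DsaNotWritable    = $notWritable            # 4 = rollback detected, replication paused by Windows
        RollbackEvents    = $events.Count
        LastRollbackEvent = if ($events.Count) { $events[0].TimeCreated } else { $null }
        Suspected         = ($notWritable -eq 4) -or ($events.Count -gt 0)
    }
}

# Usage: a DC whose Invocation ID is unchanged after a snapshot restore, together with a
# Suspected = True row, matches the rollback scenario described above.
Get-DcIdentity | Format-Table -AutoSize
Get-ADDomainController -Filter * | ForEach-Object { Test-UsnRollback -DcName $_.HostName } |
    Format-Table -AutoSize
```

Keep the output of Get-DcIdentity from a known-good day; after a suspected snapshot restore, an Invocation ID that did not change while the highest USN went backwards is exactly the inconsistency the explanation describes.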

Resolution

  1. Forcefully demote the DC
  2. Remove its metadata using metadata cleanup
  3. Seize the FSMO roles it held
  4. Re-promote the server
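The four resolution steps above as a PowerShell run book, added here as an example and not taken from the original post. It assumes Windows Server 2012 or later for the ADDSDeployment cmdlets (on 2008 R2, step 1 is "dcpromo /forceremoval"), WinRM access to both servers, and placeholder names: DC02 is the rolled-back DC, DC01 a healthy DC, Default-First-Site-Name its site; globomantics.local is the forest name used in the post.

```powershell
Import-Module ActiveDirectory
$BadDc  = 'DC02'                 # placeholder: the rolled-back DC
$GoodDc = 'DC01'                 # placeholder: a healthy DC
$Domain = 'globomantics.local'
$SiteDn = 'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=globomantics,DC=local'

# Record which FSMO roles the rolled-back DC holds before it disappears (needed in step 3)
$forest = Get-ADForest -Server $GoodDc
$dom    = Get-ADDomain -Server $GoodDc
$held = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}
$rolesToSeize = @($held.GetEnumerator() | Where-Object { $_.Value -like "$BadDc.*" } |
                  ForEach-Object { $_.Key })

# Step 1: forced demotion on the rolled-back DC. It cannot demote cleanly because Windows has
# disabled its replication, so -ForceRemoval is required. The server reboots as a workgroup member.
$localAdminPwd = Read-Host "Local Administrator password for $BadDc" -AsSecureString
Invoke-Command -ComputerName $BadDc -ArgumentList $localAdminPwd -ScriptBlock {
    param($adminPwd)
    Import-Module ADDSDeployment
    Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole `
        -LocalAdministratorPassword $adminPwd -Force
}

# Step 2: metadata cleanup on a healthy DC removes the stale NTDS Settings, server and
# computer objects that still describe the demoted DC to the rest of the forest.
ntdsutil "metadata cleanup" "remove selected server CN=$BadDc,CN=Servers,$SiteDn" quit quit
# Verify: nothing in the Configuration partition should still carry the old server name
Get-ADObject -Server $GoodDc -Filter "name -eq '$BadDc'" `
    -SearchBase (Get-ADRootDSE -Server $GoodDc).configurationNamingContext

# Step 3: seize (not transfer) the roles the demoted DC held; -Force turns the move into a seizure
if ($rolesToSeize.Count) {
    Move-ADDirectoryServerOperationMasterRole -Identity $GoodDc -OperationMasterRole $rolesToSeize `
        -Force -Confirm:$false
}
Get-ADForest -Server $GoodDc | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain -Server $GoodDc | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Step 4: re-promote the server. It receives a fresh copy of the database and therefore a new
# DSA GUID and Invocation ID, which is what makes its USNs trustworthy to its partners again.
# The target is now a workgroup machine, so authenticate with its local Administrator account.
$dsrmPwd   = Read-Host 'DSRM (Safe Mode Administrator) password' -AsSecureString
$domCred   = Get-Credential "$Domain\Administrator"
$localCred = New-Object System.Management.Automation.PSCredential("$BadDc\Administrator", $localAdminPwd)
Invoke-Command -ComputerName $BadDc -Credential $localCred -ArgumentList $Domain, $domCred, $dsrmPwd -ScriptBlock {
    param($domainName, $credential, $safeModePwd)
    Import-Module ADDSDeployment
    Install-ADDSDomainController -DomainName $domainName -Credential $credential `
        -SafeModeAdministratorPassword $safeModePwd -InstallDns -Force
}
```

The verification queries after steps 2 and 3 are the part worth keeping: lingering server objects or a role still pointing at the old DC are the usual reasons the re-promotion in step 4 fails.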

Active Directory | Recycle Bin


Active Directory Recycle Bin
This is a new feature of Windows Server 2008 R2 and is disabled by default. It is available only if the forest functional level is Windows Server 2008 R2 or higher. Once enabled, it cannot be disabled. How to enable?

  • There is no GUI to enable the AD Recycle Bin
  • Open PowerShell and run the following (the -WhatIf switch only previews the change; drop it to actually enable the feature):
    • Import-Module ActiveDirectory
    • Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "globomantics.local" -WhatIf
What makes AD Recycle Bin special?
Normal deletion process: when an object is deleted, its isDeleted attribute is set to True (tombstoning) and it is moved to the Deleted Objects container. Most of the object's attributes are stripped off at this point. The stripped object is retained for the tombstone lifetime (TSL) and is permanently deleted once the TSL expires.
AD Recycle Bin process: everything above also holds with the Recycle Bin enabled, except the attribute stripping. When an object is deleted with the Recycle Bin enabled, the system preserves all of the object's attributes.
In short, if you want the attributes of deleted objects to still be available after tombstone reanimation, enable the AD Recycle Bin.
AD Recycle Bin process
  • An object is removed from AD and is now 'logically deleted'
  • The deleted object is moved to the Deleted Objects container and stays there for the deleted object lifetime. Within this period the object can be recovered with the AD Recycle Bin or an authoritative restore
  • After the deleted object lifetime expires, the logically deleted object becomes a recycled object (equivalent to a tombstoned object)
  • The recycled object remains in the Deleted Objects container until the recycled object lifetime expires, after which the garbage collection process physically deletes it
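The following PowerShell is an added example (not code from the original post) that ties the two phases above to what you can actually query: whether the feature is enabled, the two lifetimes that govern the phases, the objects currently in the restorable first phase, and a restore of one of them. It assumes the RSAT ActiveDirectory module and rights to read the Configuration partition and restore objects; the account name 'jdoe' is a placeholder.

```powershell
Import-Module ActiveDirectory

# Is the feature enabled, and what are the two lifetimes? EnabledScopes stays empty until the
# feature is enabled. Both lifetimes live on the Directory Service object in the Configuration
# partition. A missing tombstoneLifetime means the 60-day default (forests created on Windows
# Server 2003 SP1 or later have 180 set explicitly); a missing msDS-DeletedObjectLifetime means
# the deleted object lifetime equals the tombstone lifetime.
function Get-RecycleBinStatus {
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $cfgNc   = (Get-ADRootDSE).configurationNamingContext
    $dsCfg   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
                            -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    [pscustomobject]@{
        Enabled                   = [bool]$feature.EnabledScopes
        EnabledScopes             = $feature.EnabledScopes
        TombstoneLifetimeDays     = $dsCfg.tombstoneLifetime
        DeletedObjectLifetimeDays = $dsCfg.'msDS-DeletedObjectLifetime'
    }
}

# Objects in the first phase: logically deleted, attributes preserved, restorable.
# Objects with isRecycled = TRUE are in the second phase and behave like tombstones.
function Get-LogicallyDeletedObject {
    param([string]$NameLike = '*')
    Get-ADObject -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and isRecycled -ne $true -and name -like $NameLike } `
        -Properties whenChanged, lastKnownParent
}

# Restore a logically deleted object back under its last known parent with all attributes.
function Restore-DeletedAdObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    $obj = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
        -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true -and isRecycled -ne $true }
    if (-not $obj) { throw "No restorable deleted object with sAMAccountName '$SamAccountName'" }
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Restore to $($obj.lastKnownParent)")) {
        Restore-ADObject -Identity $obj.ObjectGUID
    }
}

Get-RecycleBinStatus
Get-LogicallyDeletedObject | Select-Object Name, ObjectClass, whenChanged, lastKnownParent
# Restore-DeletedAdObject -SamAccountName 'jdoe' -WhatIf    # 'jdoe' is a placeholder account
```

Get-LogicallyDeletedObject is also a useful audit query on its own: a sudden burst of objects with a recent whenChanged under the Deleted Objects container is the first sign of a mass deletion, and with the Recycle Bin enabled they can all be put back with Restore-ADObject as long as the deleted object lifetime has not expired.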

Empty Recycle Bin for all user profiles


As a system administrator you will often run into disk space issues on the OS drive. More often than not, the culprit is Recycle Bin space.

When a user deletes a file, it is moved to the Recycle Bin (unless the deletion is done with the Shift key pressed). The Recycle Bin is specific to each user profile, so emptying the Recycle Bin only clears the contents of that particular user's bin.

How can we empty recycle bin of all users ?


rd /s c:\$Recycle.Bin

Change the drive letters according to your configuration.
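The following PowerShell is an added example (not code from the original post) that does what the rd command above does, but first shows whose bin is taking the space. It relies on the standard $Recycle.Bin layout of one hidden subfolder per user SID (Windows Vista and later), resolves each SID to an account name, sums the size, and only then deletes, with -WhatIf available for a dry run. Run it elevated.

```powershell
# Size each user's Recycle Bin on every fixed drive (DriveType 3 = local disk).
function Get-RecycleBinUsage {
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
              Select-Object -ExpandProperty DeviceID
    foreach ($drive in $drives) {
        $bin = Join-Path $drive '$Recycle.Bin'
        if (-not (Test-Path -LiteralPath $bin)) { continue }
        foreach ($sidDir in Get-ChildItem -LiteralPath $bin -Directory -Force) {
            # Folder names are user SIDs; an unresolvable SID usually belongs to a deleted account
            try {
                $sid     = New-Object System.Security.Principal.SecurityIdentifier $sidDir.Name
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $account = '<unresolved SID / orphaned profile>' }
            $bytes = (Get-ChildItem -LiteralPath $sidDir.FullName -File -Recurse -Force `
                          -ErrorAction SilentlyContinue | Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{
                Drive   = $drive
                SID     = $sidDir.Name
                Account = $account
                SizeMB  = [math]::Round(($bytes / 1MB), 1)
                Path    = $sidDir.FullName
            }
        }
    }
}

# Equivalent of "rd /s <drive>:\$Recycle.Bin" on every fixed drive. Windows recreates the
# per-user folder the next time that user deletes a file. Supports -WhatIf and -Confirm.
function Clear-AllRecycleBins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($entry in Get-RecycleBinUsage) {
        if ($PSCmdlet.ShouldProcess($entry.Path, "Delete $($entry.SizeMB) MB belonging to $($entry.Account)")) {
            Remove-Item -LiteralPath $entry.Path -Recurse -Force
        }
    }
}

Get-RecycleBinUsage | Sort-Object SizeMB -Descending | Format-Table -AutoSize
Clear-AllRecycleBins -WhatIf    # remove -WhatIf to actually empty every user's bin
```

Because the script enumerates fixed drives itself, there is no drive letter to adjust, which is the usual mistake with the one-line rd command on servers that keep profiles on a data volume.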
