Re: EventID 2103 USN Rollback

 
 
Paul Bergson [MVP-DS]
      05-05-2010

To help in the understanding of USN rollback and Virtual DC's, check out an
article I have explaining this at:

http://www.pbbergs.com/windows/articles.htm
Select Restore a Virtual DC from a Snapshot

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the Newsgroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"W" <> wrote in message
news: ...
> Our forest is a single domain with two Windows 2003 domain controllers.
> The domain controller that held all the primary roles had its system drive
> enlarged, and during that process an image of the disk was restored and
> apparently this caused an "illegal" restoration of the AD database. Now
> I need to recover and want to confirm some steps before I dig us an even
> bigger hole.
>
> First, as I understand it, the root of the 2103 error message is that our
> other domain controller has a "newer" version of the affected domain
> controller's database. Why isn't there some very simple option to simply
> let the other domain controller use its "newer" version to overwrite the
> affected domain controller's database? That would bring all domain
> controllers into agreement with each other, and things could proceed from
> there. Having to transfer FSMO roles and demote domain controllers is a
> big deal, and I don't understand why Microsoft doesn't allow a more
> straightforward recovery procedure, when you have a second domain
> controller that is in good shape.
>
> I am going to transfer all roles to the domain controller that is
> functioning well. One question here is the Infrastructure Master role.
> I put a Global Catalog onto the good domain controller, and apparently
> when you try to transfer Infrastructure Master role to that domain
> controller it objects that you shouldn't have the IM role on a DC with a
> GC. Can I just ignore that message and leave the GC and IM role on the
> one domain controller, since the DC with EventID 2103 may need to be
> demoted?
>
> I have good System State backups for the DC affected by 2103. Thank God
> we have the discipline to automatically take Daily, Weekly, and Monthly
> System State backups on our DCs! Is recovery from this situation as
> easy as simply finding a System State backup for the 2103 affected DC from
> before the date the 2013 started, and then restoring just System State on
> that DC?
>
> With the System State restored, the AD will be out of date and on the next
> replication will be replaced by the good remaining DC?
>
> What about the FSMO roles and the GC? Will the status of those be
> replaced from the good remaining DC during the first healthy replication
> after restoring System State?
>
> Finally, I guess I will need to re-apply any Windows Updates that might
> have taken place in the two weeks since the 2103 started.
>
> Am I missing anything in the required recovery procedure?
>
> --
> W
>



 
Paul Bergson [MVP-DS]
      05-06-2010
No, you will experience USN rollback. Guaranteed!

--
Paul Bergson
"W" <> wrote in message
news: ...
> "Paul Bergson [MVP-DS]" <> wrote in message
> news:...
>> To help in the understanding of USN rollback and Virtual DC's, check out an
>> article I have explaining this at:
>>
>> http://www.pbbergs.com/windows/articles.htm
>> Select Restore a Virtual DC from a Snapshot
>
> If I am just restoring the entire "System State" from an older backup of the
> affected DC, do I need to use any part of your procedure? I thought
> restoring the DC to an older state alone would be sufficient to allow the
> domain to self repair using the remaining good DC?
>
> --
> W
>


 
Paul Bergson [MVP-DS]
      05-06-2010
I should have prefaced, unless you are using an AD aware restore process.
If you are then it shouldn't be a problem.

--
Paul Bergson
"W" <> wrote in message
news: ...
> "Paul Bergson [MVP-DS]" <> wrote in message
> news:...
>> To help in the understanding of USN rollback and Virtual DC's, check out an
>> article I have explaining this at:
>>
>> http://www.pbbergs.com/windows/articles.htm
>> Select Restore a Virtual DC from a Snapshot
>
> If I am just restoring the entire "System State" from an older backup of the
> affected DC, do I need to use any part of your procedure? I thought
> restoring the DC to an older state alone would be sufficient to allow the
> domain to self repair using the remaining good DC?
>
> --
> W
>



 
Paul Bergson [MVP-DS]
      05-07-2010
"The domain controller that held all the primary roles had its system drive
enlarged, and during that process an image of the disk was restored and
apparently this caused an "illegal" restoration of the AD database. "

--
Paul Bergson
"W" <> wrote in message
news:EYWdneGhFdKcm37WnZ2dnUVZ_g-...
> "Paul Bergson [MVP-DS]" <> wrote in message
> news:%...
>> I should have prefaced, unless you are using an AD aware restore process.
>> If you are then it shouldn't be a problem.
>
> What in my original post made you think we are not using an AD aware restore
> process?
>
> We booted in directory services restore mode and did a full restore of an
> older System State, then rebooted.
>
> So far it appears to have worked.
>
> --
> W
>



 
Ace Fekay [MVP - Directory Services, MCT]
      05-08-2010

On Thu, 6 May 2010 11:10:07 -0700, "W" <>
wrote:

>"Paul Bergson [MVP-DS]" <> wrote in message
>news:%...
>> I should have prefaced, unless you are using an AD aware restore process.
>> If you are then it shouldn't be a problem.
>
>What in my original post made you think we are not using an AD aware restore
>process?
>
>We booted in directory services restore mode and did a full restore of an
>older System State, then rebooted.
>
>So far it appears to have worked.


I am trying to follow the thread. Originally you stated you did an
image restore, as Paul pointed out, yet then you stated you did a
System restore booting in DSRM.

If you use any type of image restoration method, whether it's Ghost,
Acronis, etc, the USN Rollback issue is expected, hence why it's not
supported.

If after the image restore you ran a Non-Authoritative restore (in DSRM
using a previous System State), then I would expect it to be
successful.

Is that the procedure or steps you followed?

Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
 
Ace Fekay [MVP - Directory Services, MCT]
      05-18-2010
On Sat, 8 May 2010 13:40:56 -0700, "W" <>
wrote:

>"Ace Fekay [MVP - Directory Services, MCT]" <>
>wrote in message news:...
>> On Thu, 6 May 2010 11:10:07 -0700, "W" <>
>> wrote:
>>
>> >"Paul Bergson [MVP-DS]" <> wrote in message
>> >news:%...
>> >> I should have prefaced, unless you are using an AD aware restore process.
>> >> If you are then it shouldn't be a problem.
>> >
>> >What in my original post made you think we are not using an AD aware restore
>> >process?
>> >
>> >We booted in directory services restore mode and did a full restore of an
>> >older System State, then rebooted.
>> >
>> >So far it appears to have worked.
>>
>> I am trying to follow the thread. Originally you stated you did an
>> image restore, as Paul pointed out, yet then you stated you did a
>> System restore booting in DSRM.
>
>We did an "illegal" image restore, which caused the USN Rollback.
>
>We then did a "legal" restore to the affected domain controller, which fixed
>the USN Rollback. The "legal" restore was a System State restore - dated
>before the date of the illegal restore - performed in directory services
>recovery mode.
>
>
>> If after the image restore you ran a Non-Authoritative restore (in DSRM
>> using a previous System State), then I would expect it to be
>> successful.
>>
>> Is that the procedure or steps you followed?
>
>Exactly.


I apologize for the late response, but I am glad to hear you've
resolved it with a Non-authoritative restore.

Ace
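
Added illustration of the behaviour discussed in this thread (not code from any poster, and not Active Directory's own implementation): a simplified Python model of update sequence numbers showing why writes made after an image restore are ignored by the healthy partner, while a restore that gives the database a new invocation ID converges. The `DC` class, `scenario` function and the two-DC topology are hypothetical, and the replication logic is reduced to one up-to-dateness check per change.

```python
import copy
import uuid


class DC:
    """Toy domain controller (assumed model). Writes are stamped (invocation_id, usn)."""

    def __init__(self):
        self.invocation_id = uuid.uuid4().hex  # identity of this database instance
        self.usn = 0      # highest USN used for a local originating write
        self.log = []     # all changes held: (invocation_id, usn, key, value)
        self.data = {}    # directory contents
        self.utd = {}     # up-to-dateness vector: invocation_id -> highest USN applied

    def write(self, key, value):
        self.usn += 1
        self.log.append((self.invocation_id, self.usn, key, value))
        self.data[key] = value

    def high_water(self, inv_id):
        return self.usn if inv_id == self.invocation_id else self.utd.get(inv_id, 0)

    def pull_from(self, source):
        """Apply only changes whose USN is above what we hold for that invocation ID."""
        applied = []
        for inv_id, usn, key, value in source.log:
            if usn > self.high_water(inv_id):
                self.log.append((inv_id, usn, key, value))
                self.data[key] = value
                self.utd[inv_id] = usn
                applied.append(key)
        return applied

    def snapshot(self):
        return copy.deepcopy((self.usn, self.log, self.data, self.utd))

    def restore(self, snap, ad_aware):
        self.usn, self.log, self.data, self.utd = copy.deepcopy(snap)
        if ad_aware:
            # Supported restore: treat the old identity as a foreign source at
            # the backed-up USN, then take a new invocation ID.
            self.utd[self.invocation_id] = self.usn
            self.invocation_id = uuid.uuid4().hex


def scenario(ad_aware):
    dc1, dc2 = DC(), DC()
    for key in ("user1", "user2"):
        dc1.write(key, "v1")
    dc2.pull_from(dc1)
    backup = dc1.snapshot()              # backup taken at USN 2
    for key in ("user3", "user4"):
        dc1.write(key, "v1")
    dc2.pull_from(dc1)                   # dc2 now holds dc1 up to USN 4
    dc1.restore(backup, ad_aware)        # dc1 database is back at USN 2
    # The partner can see the rollback only while the source's USN is below
    # the value it recorded for the same invocation ID.
    detectable = dc1.usn < dc2.utd.get(dc1.invocation_id, 0)
    for key in ("user5", "user6"):
        dc1.write(key, "v1")             # image restore: reuses USNs 3 and 4
    replicated = dc2.pull_from(dc1)      # what the healthy DC accepts
    dc1.pull_from(dc2)                   # what the restored DC gets back
    return detectable, replicated, dc1.data == dc2.data
```

With `ad_aware=False` the healthy DC accepts none of the new writes and the two databases stay different; with `ad_aware=True` the restored DC recovers `user3` and `user4` from its partner and its new writes replicate.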
 