Backup & Recovery

  • 1.  Active Directory USN Rollback question

    Posted Feb 24, 2015 10:11 PM

    Hi Guys,

    To all the AD Admins out there, does Veeam deal with this issue well when using Application aware backup and restore?

    I have been reading up on it, as I like to be aware of the possible issues when restoring a DC. I am having trouble getting my head round how USN rollback works exactly.

    I have tested it out in a test environment, by backing up DC2 using application aware backup, binning the actual VM and then restoring it using the backup.

    What is the maximum age of the backup that you should use when recovering a domain controller?

    I let it restore and set it to auto boot. When I came back to it, it was at the login screen and it was in Safe Mode (as expected). I had an issue where the 100 MB system partition wasn't mounted; I mounted that and ran the commands as per the KB article http://www.veeam.com/kb1277

    Replication seems to be working fine across my domain controllers DC, DC1, DC2 (recovered). DC is the original main controller.

    I have run the repadmin /showutdvec command on DC2 (the recovered Domain Controller)

    DC2 @USN 345605 @ Time 2015-02-24 21:37

    DC1 @USN 334552 @ Time 2015-02-24- 21:30

    DC2 (retired) @USN 341361 @ Time 2015-02-24 15:59

    DC @USN 300711 @ Time 2015-02-24 21:37

    I have run repadmin /showutdvec on DC1

    DC2 @USN 345280 @Time 2015-02-24 20:59:30

    DC1 @USN 334621 @Time 215-02-24 21:38:41

    DC2 (retired) @USN 341361 @Time 2015-02-24 15:59:31

    DC @USN 300716 @Time 2015-02-24 21:38:24

    On DC2 the USN is higher than the value held by DC1. Does this mean I have a rollback issue?

    Cheers,

    Bilal



  • 2.  RE: Active Directory USN Rollback question

    Posted Feb 25, 2015 11:20 AM

    OK, after further investigation, it looks like I am in the clear rollback-wise:

    If the direct replication partners have a higher USN number for the domain controller than the domain controller has for itself, and the repadmin /showreps command does not report replication errors between direct replication partners, you have compelling evidence of a USN rollback.


    In the attached screenshot of my 3 Domain Controllers you can see DC2 has a higher number for itself than the other DCs do. The same goes for the other DCs when compared to their replication partners.


    repadmin /showreps - shows replication is running and shows inbound neighbors

    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA not Writable - This does not exist on DC2

    Directory Services Events – Look for the following events in the Directory Services log: 2095, 1113, 1115. - Don't exist


    I have done gpupdate /force a few times and it all appears to be good.


    So it looks like my restore went well.


    If anyone has other ideas, or further tests I can perform, please let me know!
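
The USN comparison quoted in the second post, applied to the `repadmin /showutdvec` values from the first post. This is an added example, not part of the original posts: the function names `parse_utdvec` and `rollback_suspects` are hypothetical, and the line format is assumed to be the one shown in the thread.

```python
import re

# Matches lines such as "DC2 (retired) @USN 341361 @ Time 2015-02-24 15:59".
ENTRY = re.compile(r"^\s*(?P<dsa>.+?)\s*@\s*USN\s*(?P<usn>\d+)\s*@\s*Time", re.I)

def parse_utdvec(text):
    """Return {dsa_name: usn} for every vector entry found in the text."""
    vec = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            # Drop a leading "Site\" prefix if present, so names line up.
            vec[m.group("dsa").split("\\")[-1]] = int(m.group("usn"))
    return vec

def rollback_suspects(vectors):
    """vectors maps each DC name to the vector captured on that DC.
    Returns (dc, own_usn, partner, partner_usn) wherever a partner holds a
    higher USN for dc than dc holds for itself."""
    findings = []
    for dc, own_vec in vectors.items():
        own = own_vec.get(dc)
        if own is None:
            continue
        for partner, partner_vec in vectors.items():
            seen = partner_vec.get(dc)
            if partner != dc and seen is not None and seen > own:
                findings.append((dc, own, partner, seen))
    return findings

# Values transcribed from the first post in this thread.
ON_DC2 = """
DC2 @USN 345605 @ Time 2015-02-24 21:37
DC1 @USN 334552 @ Time 2015-02-24- 21:30
DC2 (retired) @USN 341361 @ Time 2015-02-24 15:59
DC @USN 300711 @ Time 2015-02-24 21:37
"""
ON_DC1 = """
DC2 @USN 345280 @Time 2015-02-24 20:59:30
DC1 @USN 334621 @Time 215-02-24 21:38:41
DC2 (retired) @USN 341361 @Time 2015-02-24 15:59:31
DC @USN 300716 @Time 2015-02-24 21:38:24
"""

if __name__ == "__main__":
    vectors = {"DC2": parse_utdvec(ON_DC2), "DC1": parse_utdvec(ON_DC1)}
    for dc, own, partner, seen in rollback_suspects(vectors):
        print(f"{dc}: own USN {own} < {seen} held by {partner}")
    print("suspects:", rollback_suspects(vectors))
```

An empty result covers only the USN half of the quoted rule; the `repadmin /showreps` output, the registry value and the Directory Services events listed in the second post still need checking. Because the vectors are captured at different times, a partner holding a lower USN for a DC than that DC holds for itself is ordinary replication lag and is not reported.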