Possible Active Directory Inconsistency After You Restore a Domain Controller

Restoring a domain controller may cause inconsistencies between domain controllers. If this occurs, some lingering objects may be present on the restored domain controller. Also, new objects on the restored domain controller are not replicated out.

This problem occurs because the domain controller assigns a new invocation ID, but uses the original highwater mark.

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: To resolve this issue, obtain the hotfix that is described in the following Microsoft Knowledge Base article:

To work around this problem, demote and then promote the restored domain controller. Before you demote the affected server, force a full replication of the affected server to another domain controller. (The full synchronization can be resource intensive for larger domains.) Perform the full synchronization on the domain partition and on the configuration partition. The following line shows the syntax of the Repadmin command that you use to perform the synchronization:The following line is an example use of this command: In the example command,

• "DC=domain,DC=root" is the domain naming context.
• "good_DC" is the destination DC. This is the good partner that will receive the updates.
• The DSA GUID is the replication GUID for the restored DC. You can get this by running Repadmin /showreps on the restored server. The GUID is listed at the top under "DC Object Guid".

If the synchronization is successful, you receive the following message:

Repeat the process for the configuration naming context by using a command similar to the following: The problem is not likely to be solved after you do this. After you do this, install the hotfix or demote and then promote the domain controller to solve the problem.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

When you restore a domain controller, the highest committed USN is rolled back to the point when the backup was created. The domain controller's invocation ID is retired and a new one is assigned. When a partner tries to replicate the first time after the restoration, the follow message is recorded: This event is typical for a restored domain controller. By itself, this does not indicate a problem. This is a problem if objects that are created on the restored domain controller "silently" do not replicate out.

In the problem scenario, the highest USN is rolled back. However, during the bookmark (or "up-to-dateness" vector reset), the source domain controller supplies the highest USN value that was present before the restoration. Objects that have USNchanged values between the upper and lower highestCommittedUSN attribute value are never considered for replication.

For example: Assume that domain controller 1 has a highest USN of 100. Its replication partner, domain controller 2, has an "up-to-dateness" vector of 100 for domain controller 1.

You restore domain controller 1 from a backup on which the highest USN is 50. After the next replication with domain controller 2, domain controller 1 resets the bookmark to 100 (it should be 50). domain controller 1 originates changes 51, 52, and 53. When domain controller 2 negotiates replication, it never considers the changes because it believes that it has changes up through 100. domain controller 1 continues to make changes and eventually reaches 101. Change 101 is replicated, but changes 51 through 100 are not.

In some cases, you can detect this state. Use Ldp or ADSI Edit to read the current highestCommittedUSN attribute on the rootDSE object on the restored domain controller. Then, compare that to the output from the repadmin /showreps /verbose command on one of its partners. In the Repadmin output, look for the "USN ###/OU" value for the restored domain controller for each naming context. If the value in Repadmin is higher than the highestCommittedUSN attribute, the restored domain controller is experiencing the problem.

Note that if the restored domain controller has originated enough updates that its highestCommittedUSN attribute has reached or exceeded the "up-to-dateness" vector that is recorded on the other domain controllers (as in the example in this article), some changes will never be considered for replication. However, new changes are replicated out. The unreplicated changes are referred to as "lingering objects." For additional information about lingering objects, click the following article number to view the article in the Microsoft Knowledge Base: