Changes Invoked by A USN Rollback On DC That Should NOT Be Undone

December 24th, 2010

If you encounter the “Netlogon Paused” or “Rebuilding Indices” error, the recommended approach is to demote and re-promote the DC. The workaround described below should only be used in a single-DC forest, and never as a routine practice.

The explanation below, shown in brackets, was provided by Arren Conner (Microsoft).

[The disabling of inbound and outbound replication, the pausing of the NETLOGON service, plus the rejection of writes to NTDS.DIT are the configuration changes that the OS makes in response to a USN rollback. Undoing these protections is an example of exactly what an administrator should NOT do in response to a USN rollback, except in a very specific scenario: the recovery of a single DC in a single-DC forest.

The point of pausing NETLOGON is to prevent DSGETDC calls from discovering DCs in USN rollback. The point of setting the “DS not writable” registry key is to avoid data loss by writing object creates, modifies and deletes to a compromised DC. The point of disabling replication is to prevent inconsistencies in object and attribute values in the local copies of Active Directory on replica DCs. Undoing these protections is an example of exactly what NOT to do in the event of a USN rollback.

The logging of the NTDS General event 2103 means that an AD database was rolled back in time using an unsupported method. Known triggers for this error include:

- P2V conversions of live DCs in a multi-DC forest
- Booting virtualized DCs from a snapshot restore
- Booting previous images of a DC made with an imaging program like Ghost
- Booting from the older of the two images of a DC installed on a mirrored drive

Operations that are tolerated on member computers (perhaps with smaller side effects, like restoring a member computer to a version that predates the current password change) become unsupported by applications like Active Directory that rely on USN version numbers.]

To avoid a complete infrastructure failure, always run at least two domain controllers per domain, and take regular System State backups of each DC.

You may occasionally see the error below while working on AD. The “Netlogon Paused” error appears when the AD database (NTDS.DIT) has been restored from a snapshot, or after an abnormal restart of the DC that corrupts it. The related “Rebuilding Indices” error also appears when a domain controller is restored from a snapshot or rebooted abnormally. While the Netlogon service is paused, no user can authenticate through that DC.

Event Type:      Error
Event Source:    NTDS General
Event Category:  Service Control
Event ID:        2103
Date:            11/29/2009
Time:            12:16:22 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:        Server
Description:
The Active Directory database has been restored using an unsupported restoration procedure. Active Directory will be unable to log on users while this condition persists.

The procedure below is not the best way to clear a Netlogon pause, but this trick has worked for me many times, saving me from having to demote and re-promote the DC.

To resolve the Netlogon pause, perform the following steps.

To get a single domain controller out of USN rollback:
- Open Regedit.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
- Locate the value Dsa Not Writable = dword:00000004 (the value 4 is the USN-rollback marker).
- Delete that value only; do not delete the Parameters key itself, which holds the rest of the NTDS configuration.
- Re-enable replication by running repadmin /options servername -DISABLE_OUTBOUND_REPL and repadmin /options servername -DISABLE_INBOUND_REPL.
- Reboot.
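The following PowerShell script is an added example, not code from the original post or from Microsoft. It reports the three protections the OS applies on USN rollback (the Dsa Not Writable value, the paused Netlogon service, the DISABLE_*_REPL options), checks for event 2103, and applies the workaround above only after confirming from the local Configuration partition that the forest really contains a single DC. It assumes it is run elevated on the affected DC with repadmin.exe available; the -Apply switch and the message wording are this script's own.

```powershell
# Added example (not from the original post). Checks USN-rollback state on the
# local DC and applies the single-DC-forest workaround only when it is safe.
param([switch]$Apply)   # without -Apply the script only reports

$dc      = $env:COMPUTERNAME
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# --- 1. Report the protections the OS set in response to the rollback -------
$dsaNotWritable = (Get-ItemProperty -Path $regPath -Name 'Dsa Not Writable' `
                   -ErrorAction SilentlyContinue).'Dsa Not Writable'
$netlogon    = Get-Service -Name Netlogon
$replOptions = (& repadmin /options $dc) -join ' '
$event2103   = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2103 } `
               -MaxEvents 1 -ErrorAction SilentlyContinue

"Dsa Not Writable  : $dsaNotWritable (4 = USN rollback detected)"
"Netlogon status   : $($netlogon.Status)"
"Inbound repl off  : $($replOptions -match 'DISABLE_INBOUND_REPL')"
"Outbound repl off : $($replOptions -match 'DISABLE_OUTBOUND_REPL')"
"Event 2103 logged : $($null -ne $event2103)"

# --- 2. Guard: count every DC in the forest from the local Configuration NC --
# CN=Sites in the Configuration partition holds one nTDSDSA ("NTDS Settings")
# object per DC forest-wide, and that partition lives in this DC's own
# NTDS.DIT, so the count needs neither another DC nor a running Netlogon.
$configNc = ([adsi]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [adsi]"LDAP://CN=Sites,$configNc", '(objectClass=nTDSDSA)')
$dcCount  = $searcher.FindAll().Count

if ($dcCount -ne 1) {
    Write-Warning "This forest has $dcCount DCs. Leave the protections in place and demote/re-promote this DC instead."
    return
}
if (-not $Apply) {
    "Single-DC forest confirmed. Re-run with -Apply to remove the protections."
    return
}

# --- 3. Single-DC-forest workaround from the post ----------------------------
# Remove only the 'Dsa Not Writable' value; never delete the Parameters key.
Remove-ItemProperty -Path $regPath -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue
& repadmin /options $dc -DISABLE_OUTBOUND_REPL
& repadmin /options $dc -DISABLE_INBOUND_REPL
"Protections removed. Reboot the DC; Netlogon should start unpaused."
```

Run it once without -Apply to see the current state and the DC count; if it reports more than one DC, the script refuses to touch anything, which is the point: in a multi-DC forest the only supported recovery is to demote and re-promote.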

Again, the better way to handle this kind of issue is to demote and re-promote the DC.

Thanks to Arren Conner for suggesting an appropriate title for this article and for his explanation.

