Can a USN rollback be fixed by using a FRS non-authoritative restore?

An associate was in the middle of retiring some old servers and will soon be migrating to new ones. At the moment there is 1 domain, 2 sites (VPN), and 1 DC at each site; replication between the sites failed a couple of days ago due to a USN rollback.

- SiteAServer5 Server 2016 (physical) (FSMO roles, GC)
- SiteBServer4 Server 2012r2 (physical) (GC)
- AD functional level is still 2003 (FRS).

Server5 (the problem child) was in the process of being virtualized (not Hyper-V), and instead of doing an instant cut-over, a live clone was made of that server to a VM... while the old physical server was left running for a week... then the VM was put into service, which of course was using an old USN and triggered a rollback on Server4. The Server5 VM was shut down and production went back to the physical box.

Server5 is in rollback, as indicated by this registry value:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Dsa Not Writable = 4

In retrospect it's crystal clear a USN rollback happened, and the documented solutions are pretty drawn out (restore system state, or demote and clean up, etc.); not thrilled with those. No AD account adds/deletes were done during this process, so the AD on either server is usable, or either one could be abandoned.

My question is, could I run an FRS non-authoritative SYSVOL restore to force Server5 to come back to a functional state and let replication overwrite Server4's copy of AD? Clear the Dsa Not Writable key, then run repadmin /syncall /AdeP.

http://kpytko.pl/active-directory-domain-services/non-authoritative-sysvol-restore-frs/

Gone over this: https://support.microsoft.com/en-us/help/875495/how-to-detect-and-recover-from-a-usn-rollback-in-windows-server-2003-w

I feel this is a potential alternative, since this is now the mechanism adopted by the MS design of Hyper-V since server 2012 to prevent USN rollbacks in this exact scenario of VM cloning/snapshotting/restoring or P2V procedures:
https://blogs.technet.microsoft.com/reference_point/2012/12/10/usn-rollback-virtualized-dcs-and-improvements-on-windows-server-2012/ 
From that page: "5. The virtualized DC synchronizes the SYSVOL:

If using FRS, it stops the NTFRS service and sets the BURFLAGS registry value (D2). 
It then starts the NTFRS service, thus performing a non-authoritative restore of the SYSVOL."
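As an added example (not code from the original post or from the linked articles), the following PowerShell script, run elevated on the DC in question, gathers the evidence the post refers to: the Dsa Not Writable value under the NTDS parameters key, the Directory Service events Microsoft's KB 875495 associates with a USN rollback (IDs 2095 and 2103), the current FRS BurFlags value, and the failing replication links. It also wraps the SYSVOL step quoted from the Hyper-V write-up (stop NTFRS, set BurFlags to D2, start NTFRS) behind a confirmation prompt. The registry paths are the documented NTDS and NtFrs locations; the .NET registry API is used for the NtFrs key because its name contains a forward slash. Note that the D2 step resynchronises only SYSVOL from a partner; the rollback flag in NTDS is a separate state, which the script reports but does not change.

```powershell
# Added example: assess a DC for the USN-rollback state described above and
# report its FRS SYSVOL restore flag. Run in an elevated session on the DC.

function Get-UsnRollbackState {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $val  = (Get-ItemProperty -Path $ntds -Name 'Dsa Not Writable' `
             -ErrorAction SilentlyContinue).'Dsa Not Writable'

    # Directory Service log events Microsoft documents for this condition (KB 875495):
    # 2095 = USN rollback detected; 2103 = AD restored by an unsupported method,
    # inbound/outbound replication disabled and Dsa Not Writable set.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } `
                -MaxEvents 20 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        DsaNotWritable = $val               # 4 = USN rollback, as in the post
        InRollback     = ($val -eq 4)
        RollbackEvents = $events.Count
        LastEvent      = if ($events.Count) { $events[0].TimeCreated } else { $null }
    }
}

# NtFrs key name contains '/', so open it through .NET rather than the HKLM: provider
$script:FrsBurKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Get-FrsBurFlags {
    # BurFlags 0xD2 = non-authoritative restore pending (the value the quoted
    # Hyper-V write-up sets); 0xD4 = authoritative; 0 = nothing pending.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($script:FrsBurKey)
    if (-not $key) { return $null }
    $b = $key.GetValue('BurFlags')
    $key.Close()
    [pscustomobject]@{
        BurFlags = $b
        Hex      = if ($null -ne $b) { '0x{0:X}' -f [int]$b } else { $null }
    }
}

function Get-ReplicationFailures {
    # repadmin ships with the AD DS tools; /errorsonly lists only failing partner links
    repadmin /showrepl /errorsonly
}

function Start-FrsNonAuthoritativeRestore {
    # The SYSVOL step quoted above, as a guarded function: stop NTFRS, set D2, start NTFRS.
    # This only makes SYSVOL re-sync from a partner; it does not touch the NTDS rollback flag.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set BurFlags=D2 and restart NTFRS (non-authoritative SYSVOL restore)')) {
        Stop-Service -Name NtFrs -Force
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($script:FrsBurKey, $true)
        $key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
        Start-Service -Name NtFrs
        Get-FrsBurFlags
    }
}

# Report only; nothing is changed unless Start-FrsNonAuthoritativeRestore is
# invoked explicitly and confirmed.
Get-UsnRollbackState | Format-List
Get-FrsBurFlags      | Format-List
Get-ReplicationFailures
```

Running the script as written prints the rollback state, the BurFlags value and any failing replication links without modifying anything; the D2 step runs only when Start-FrsNonAuthoritativeRestore is called and confirmed, and its output shows the BurFlags value afterwards (NTFRS resets it to 0 once the SYSVOL re-sync has been processed).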
