Author: Jan Tiedemann | Version: 1.0.0 | Last Updated: 2026-03-24
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016
Step-by-step procedure for detecting and recovering from a USN (Update Sequence Number) rollback on a Windows Server Domain Controller.
A USN rollback occurs when an older version of the Active Directory database is incorrectly restored or pasted into place — typically by restoring a VM snapshot or disk image instead of using a supported AD-aware backup/restore method.
When a USN rollback happens, modifications on the affected DC do not replicate to other DCs, yet no replication errors are reported. This leads to silent data inconsistency across the forest.
| Cause | Description |
|---|---|
| VM snapshot restore | Reverting a DC VM to a previous snapshot without using AD-aware restore |
| Disk image copy | Copying a previously saved VHD/VMDK back onto a DC |
| Disk subsystem rollback | SAN or storage-level snapshot rollback of the volume hosting ntds.dit |
| Broken mirror boot | Booting from the old half of a broken disk mirror |
| Imaging tools | Using tools like Norton Ghost to restore a DC's OS drive |
Windows Server 2012+ with Hyper-V Generation ID: VMs on Hyper-V (2012+) with Generation ID support detect snapshot restores automatically and reset the Invocation ID, preventing USN rollback. This does not apply to other hypervisors unless they also support VM Generation ID.
- Event ID 2095 in the Directory Services event log.
- The Net Logon service is paused automatically (authentication may fail).
- User/computer accounts created on the affected DC don't appear on other DCs.
- Password changes made on the affected DC are not replicated.
- `repadmin /showrepl` may show replication as successful (silent inconsistency).
- Registry value exists: `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters`, value `"Dsa Not Writable" = 0x4`
- Access to the affected DC and at least one healthy DC
- Domain Admin / Enterprise Admin credentials
- Understanding of which DC is affected (check Event ID 2095)
Script: `Detect-USNRollback.ps1` — automates all three detection checks below.
- 1.1 On the suspected DC, open Event Viewer → Applications and Services Logs → Directory Service.
- 1.2 Look for Event ID 2095 with source `Microsoft-Windows-ActiveDirectory_DomainService`.
- 1.3 The event text will indicate that a remote DC detected the local DC is using already-acknowledged USN numbers.
- 2.1 Open Registry Editor on the affected DC.
- 2.2 Navigate to: `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters`
- 2.3 Check for the value `Dsa Not Writable`:
  - Value `0x4` = USN rollback detected.
  - Value
Warning: Do NOT manually delete or modify the `Dsa Not Writable` value. This would put the DC in a permanently unsupported state with inconsistent AD data.
- 3.1 Check the Net Logon service status:
sc query netlogon
- 3.2 If the service is paused, this confirms USN rollback quarantine is active.
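The following PowerShell is an added illustration, not the page's `Detect-USNRollback.ps1`: it runs the three detection checks above (Event ID 2095, the `Dsa Not Writable` value, the Netlogon state) on the local DC and returns one object. The function name `Test-USNRollback` and the 30-day event lookback are choices of this example.

```powershell
function Test-USNRollback {
    <#
      Runs the three detection checks from the procedure on the local DC.
      RollbackSuspected is $true if any single indicator is present.
      (Example code; function name and defaults are this example's own.)
    #>
    [CmdletBinding()]
    param(
        # How far back to search the Directory Service log for Event ID 2095
        [int]$LookbackDays = 30
    )

    # Check 1: Event ID 2095 in the Directory Service log.
    # Get-WinEvent writes an error when nothing matches, so suppress it and treat that as zero events.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue)
    $lastEvent = $null
    if ($events.Count -gt 0) {
        $lastEvent = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    }

    # Check 2: "Dsa Not Writable" = 0x4 under NTDS\Parameters (read only; never modify this value).
    $ntdsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsaValue = (Get-ItemProperty -Path $ntdsKey -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue).'Dsa Not Writable'
    $dsaFlag  = ($null -ne $dsaValue) -and (($dsaValue -band 0x4) -ne 0)

    # Check 3: the quarantine logic pauses the Net Logon service.
    $netlogon = Get-Service -Name Netlogon -ErrorAction Stop

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Event2095Count    = $events.Count
        LastEvent2095     = $lastEvent
        DsaNotWritable    = $dsaValue
        NetlogonStatus    = $netlogon.Status
        RollbackSuspected = ($events.Count -gt 0) -or $dsaFlag -or ($netlogon.Status -eq 'Paused')
    }
}

$result = Test-USNRollback
$result | Format-List
if ($result.RollbackSuspected) {
    Write-Warning "USN rollback indicators present on $($result.ComputerName). Do not touch 'Dsa Not Writable'; proceed to one of the recovery options."
}
```

Run it in an elevated session on the suspected DC; a result with all three indicators clear but accounts still missing on other DCs should prompt a manual review of the Directory Service log on the partner DCs, since Event ID 2095 is raised by the DC that detects the stale USNs.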
There are three approaches to recover from a USN rollback. Choose the most appropriate one:
Script: `Repair-USNRollback.ps1` — automates the force-demotion step.
This is the safest and most common approach.
- A.1 Force-demote the affected DC:
Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole
Note: On Windows Server 2008/2008 R2, `dcpromo /forceremoval` was used instead. This is not available on Server 2012 and later.
- A.2 Shut down the demoted server.
- A.3 On a healthy DC, clean up the metadata:
ntdsutil
metadata cleanup
connections
connect to server <HealthyDC.contoso.com>
quit
select operation target
list domains
select domain <number>
list sites
select site <number>
list servers in site
select server <number>
quit
remove selected server
Or use AD Users and Computers to delete the DC's computer account (with the "permanently offline" option).
- A.4 If the affected DC held FSMO roles, seize them on a healthy DC:
Move-ADDirectoryServerOperationMasterRole -Identity "HealthyDC" -OperationMasterRole <RoleNumbers> -Force
- A.5 Clean up DNS records for the removed DC.
- A.6 Restart the demoted server.
- A.7 Re-promote the server as a new Domain Controller:
Install-ADDSDomainController -DomainName "contoso.com" -Credential (Get-Credential)
- A.8 If the DC was a Global Catalog, re-enable it:
  - AD Sites and Services → NTDS Settings → check "Global Catalog".
- A.9 If the DC previously held FSMO roles, transfer them back:
Move-ADDirectoryServerOperationMasterRole -Identity "Re-promotedDC" -OperationMasterRole <RoleNumbers>
- A.10 Verify replication:
repadmin /showrepl
dcdiag /q
Use this if a valid system state backup exists from before the USN rollback occurred.
- B.1 Verify that a system state backup exists that predates the snapshot/image restore that caused the rollback.
- B.2 Boot the affected DC into Directory Services Restore Mode (DSRM):
- Restart and press F8 → select "Directory Services Restore Mode".
- B.3 Restore the system state:
wbadmin start systemstaterecovery -version:<BackupVersion>
- B.4 Restart the DC normally.
- B.5 Verify the Invocation ID has been reset:
repadmin /showrepl
A new Invocation ID indicates proper recovery.
- B.6 Verify replication health:
dcdiag /q
repadmin /showrepl
Use this only for virtual DCs when no system state backup is available.
- C.1 Stop the AD DS service:
net stop ntds
- C.2 Use `ntdsutil` to set a new Invocation ID:
ntdsutil
activate instance ntds
files
set path db "<path_to_ntds.dit>"
quit
quit
Consult Microsoft documentation for the complete procedure.
- C.3 Restart the AD DS service:
net start ntds
- C.4 Verify replication with:
repadmin /showrepl
dcdiag /q
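The verification steps A.10, B.5/B.6 and C.4 all end with `repadmin /showrepl`; the PowerShell below is an added example (not part of this runbook or its scripts) that parses `repadmin /showrepl * /csv` into a per-DC summary and attaches each DC's current Invocation ID from `Get-ADDomainController`, so the reset required by B.5 can be compared against the value recorded before recovery. The function name `Get-DCRecoveryVerification` is this example's own.

```powershell
function Get-DCRecoveryVerification {
    <#
      Post-recovery verification: one row per destination DC with its inbound
      replication link count, failing links, and current Invocation ID.
      (Example code; requires the ActiveDirectory module and repadmin.exe.)
    #>
    [CmdletBinding()]
    param()

    # repadmin /showrepl * /csv emits one row per inbound replication link across all DCs;
    # the header row (first column literally "showrepl_COLUMNS") becomes the property names.
    $links = repadmin /showrepl * /csv | ConvertFrom-Csv

    # Current Invocation ID of every DC, keyed by DSA name (matches "Destination DSA" in the CSV).
    $invocationIds = @{}
    Get-ADDomainController -Filter * | ForEach-Object { $invocationIds[$_.Name] = $_.InvocationId }

    $links | Group-Object 'Destination DSA' | ForEach-Object {
        # An empty "Number of Failures" casts to 0, so only genuine failures are counted.
        $failed = @($_.Group | Where-Object { [int]$_.'Number of Failures' -gt 0 })
        $latest = $failed | Sort-Object 'Last Failure Time' -Descending | Select-Object -First 1
        [pscustomobject]@{
            DestinationDC     = $_.Name
            InvocationId      = $invocationIds[$_.Name]
            InboundLinks      = $_.Count
            FailingLinks      = $failed.Count
            LastFailureTime   = $latest.'Last Failure Time'
            LastFailureStatus = $latest.'Last Failure Status'
        }
    }
}

$report = Get-DCRecoveryVerification
$report | Format-Table -AutoSize
if ($report | Where-Object FailingLinks -gt 0) {
    Write-Warning 'Replication failures remain on at least one DC; resolve them before treating the recovery as complete.'
}
```

A clean table is necessary but not sufficient: as noted under the symptoms, `repadmin /showrepl` can report success while a DC is still in the rollback state, so re-run the Event ID 2095 and `Dsa Not Writable` checks on the recovered DC as well.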
| Practice | Description |
|---|---|
| Never restore VM snapshots on DCs | Use only AD-aware backup tools (Windows Server Backup, DPM, etc.) |
| Use VM Generation ID | Ensure your hypervisor supports Generation ID (Hyper-V 2012+, VMware 6.7+) |
| Disable snapshots for DC VMs | Configure hypervisor policies to prevent accidental snapshot creation |
| Monitor Event ID 2095 | Set up alerts for this event across all DCs |
| Regular AD backups | Maintain system state backups within the tombstone lifetime |
| Document restore procedures | Ensure all administrators know to use AD-aware restore methods only |