Monday, February 3, 2014

Don't revert to a snapshot on domain controller

You take a snapshot of your domain controller virtual machine. After that you make a few updates to the domain, and each update or change increases the USN (Update Sequence Number). The changes are replicated to the other domain controllers in the forest, and their replication metadata is updated accordingly.

For whatever reason, you later find the domain controller unstable and would like to go back to the state of the snapshot. So you click the revert-to-snapshot button and expect everything to be fine again. Unfortunately, the USN goes back as well: it is now much smaller than what the other domain controllers expect from this DC, so they ignore its data and refuse to replicate with it.

This condition is known as USN rollback, and it leads to many unexpected issues, such as the one I posted. After I resolved the USN rollback issue, I could use the Authentication type Reuse Session again without any problem. So the root cause was not a patch or update of VMware but the USN rollback.
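
Added example (not code from the original post): a small PowerShell check that detects a USN rollback the same way the replication partners do. It compares the USN a healthy partner last received from a DC (its up-to-dateness vector, as printed by `repadmin /showutdvec`) with the USN that DC now reports for itself (`highestCommittedUSN` on its rootDSE). If the partner remembers a higher USN than the DC itself has, the DC has gone backwards. The DC names, the naming context and the sample `repadmin` output are constructed for the example, and the line layout `Site\DC @ USN <n> @ Time <timestamp>` is the assumed format of that output.

```powershell
# Added example, not part of the original post. Detect a USN rollback by comparing
# the USN a replication partner last saw from a DC with the USN the DC now reports.

function Find-UsnRollback {
    param(
        [Parameter(Mandatory)] [string] $UtdVecText,      # output of: repadmin /showutdvec <partner> <NC>
        [Parameter(Mandatory)] [string] $LocalDcName,     # the DC being checked (e.g. DC1)
        [Parameter(Mandatory)] [long]   $LocalHighestUsn  # that DC's own rootDSE highestCommittedUSN
    )
    # Assumed repadmin line format:  Site\DC   @ USN   12345 @ Time 2014-02-03 09:12:41
    $pattern = '^\s*\S+\\' + [regex]::Escape($LocalDcName) + '\s+@ USN\s+(\d+)\s+@ Time'
    foreach ($line in $UtdVecText -split "`r?`n") {
        if ($line -match $pattern) {
            $partnerUsn = [long]$Matches[1]
            return [pscustomobject]@{
                Dc            = $LocalDcName
                PartnerSawUsn = $partnerUsn          # highest USN the partner received from this DC
                LocalUsn      = $LocalHighestUsn     # what the DC claims now
                RolledBack    = ($partnerUsn -gt $LocalHighestUsn)
            }
        }
    }
    throw "No up-to-dateness vector entry for $LocalDcName; the partner has never received changes from it."
}

# Constructed sample: DC2's up-to-dateness vector as a healthy partner would print it.
$sampleUtdVec = @'
Caching GUIDs.
..
Default-First-Site-Name\DC1             @ USN   48213 @ Time 2014-02-03 09:12:41
Default-First-Site-Name\DC2             @ USN   13377 @ Time 2014-02-03 09:15:02
'@

# DC1 was reverted to a snapshot, so its own highestCommittedUSN (46901, constructed)
# is now lower than the 48213 that DC2 already received from it.
Find-UsnRollback -UtdVecText $sampleUtdVec -LocalDcName 'DC1' -LocalHighestUsn 46901

# On a real forest, run on the suspect DC (DC1) against a healthy partner (DC2) and
# the domain naming context (placeholders):
#   $utd   = repadmin /showutdvec DC2 dc=abc,dc=com | Out-String
#   $local = [long](Get-ADRootDSE).highestCommittedUSN
#   Find-UsnRollback -UtdVecText $utd -LocalDcName $env:COMPUTERNAME -LocalHighestUsn $local
#
# Windows records the same condition itself: Event ID 2095 in the Directory Service
# log, and the 'DSA Not Writable' value (4) under the NTDS Parameters key:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } -MaxEvents 1
#   Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'DSA Not Writable'
```

The check only needs read access to a partner's replication metadata, so it can run before any of the recovery steps; if it reports `RolledBack : True`, the DC should not be left in service, because every change it has accepted since the revert is invisible to the rest of the forest.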

To fix the USN rollback issue, follow these steps:
1. Remove Active Directory from the domain controller to force it to be a stand-alone server. (dcpromo.exe /forceremoval)
2. Shut down the demoted server.
3. Clean up the metadata of the demoted domain controller on a healthy domain controller. (Delete the computer object in Active Directory Users and Computers; delete the NTDS Settings and server objects in Active Directory Sites and Services.)
4. Transfer or seize the FSMO roles to the healthy domain controller.
5. Start the demoted server.
6. Install Active Directory again on the server.
7. Configure the server to be a global catalog if it was one.
8. Transfer the FSMO roles back.
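
Added example (not code from the original post): the PowerShell equivalents of steps 3 and 4, run on the healthy domain controller after the rolled-back DC has been force-demoted and shut down. It uses the ActiveDirectory module, `ntdsutil` for the metadata cleanup that the Sites and Services deletion performs in the GUI, and `Move-ADDirectoryServerOperationMasterRole -Force`, which transfers a role when the current holder answers and seizes it when it does not. `DC1`, `DC2` and the domain are placeholders.

```powershell
# Added example, not part of the original post. Steps 3 and 4 of the recovery,
# run on the HEALTHY DC. DC1 (rolled back, already force-demoted and powered off)
# and DC2 (healthy) are placeholders.
Import-Module ActiveDirectory

$DemotedDc = 'DC1'
$HealthyDc = 'DC2'

# Step 3a: remove the stale server and NTDS Settings objects from the configuration
# partition. ntdsutil's metadata cleanup also clears the replication links and
# connection objects that a plain object delete would leave behind.
$configNc = (Get-ADRootDSE).configurationNamingContext
$serverDn = (Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$DemotedDc'" `
                          -SearchBase "CN=Sites,$configNc").DistinguishedName
if ($serverDn) {
    & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit
}

# Step 3b: remove the demoted DC's computer account. DC accounts carry child objects,
# so Remove-ADObject -Recursive is used rather than Remove-ADComputer.
$computer = Get-ADComputer -Filter "name -eq '$DemotedDc'" -ErrorAction SilentlyContinue
if ($computer) {
    Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false
}

# Step 4: move all five FSMO roles to the healthy DC. -Force seizes any role whose
# current holder (the demoted DC) cannot be contacted.
Move-ADDirectoryServerOperationMasterRole -Identity $HealthyDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# Verify that every role now sits on the healthy DC and that no partner still lists
# the demoted DC (same information as 'netdom query fsmo' and 'repadmin /showrepl').
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADDomainController -Filter * | Select-Object Name, IsGlobalCatalog, OperationMasterRoles
```

Run the verification lines again after step 6, because the re-promoted server gets a fresh invocationId and must appear in `Get-ADDomainController` with a clean replication status before the roles are transferred back in step 8.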

Refer to ref1 and ref2 for more detailed information.

The commands you may need:
# netdom query fsmo
# repadmin /showrepl
# repadmin /showutdvec dc1 dc=abc,dc=com
