
Every DC has different USN, no errors


  • Every DC has different USN, no errors

    Every DC in my domain has a different USN. Doesn't this mean that replication is messed up? I do not see any errors on any of the servers that would point to replication problems and it seems that replication is working because changes do get written across the domain. I wasn't here when this domain was set up, but I am guessing something is wrong. Should I even worry?

    Also, what is the difference between the USN of the server (Sites and Services) and the USN for the NTDS settings? Because they differ even when viewed on the same server.
    Thank you,


  • #2
    Re: Every DC has different USN, no errors

    The USNs are going to be different. As AD is a multiple master model, each server can initiate writes and therefore will have a different USN. The key is that each server keeps track of each of the other servers' USNs (as well as a few more "counters"). I don't have an answer for your second question.


    • #3
      Re: Every DC has different USN, no errors

      Thank you. I was under the assumption that they all had to match, but they just have to match for each server. As long as server1 and server2 show the same USN for server3 as server3 does for itself, I am fine.

      Thank you very much.
      Thank you,



      • #4
        Re: Every DC has different USN, no errors

        Each DC maintains its own USN numbering. The DCs know what changes to replicate to other DCs using Up-To-Date Vector and High Watermark mechanisms.
        To make a long story short, take a look at the following link:

        After you read it, you will realize that the USN of ntds and server object are different because those are the versions representing the last change to the object in question - this is not the highest USN of the DC.

        1) Highest USN =1000
        2) Create object X ==> Highest USN+1 (USN of X is 1001)
        3) Highest USN is now 1001
        4) Create object Y ==> Highest USN+1 (USN of Y is 1002)
        5) Highest USN is now 1002

        In reality, creation of one object can result in the USN being increased by more than 1, depending on the number of actual commits to the AD.
        An example is the creation of a user object using ADU&C, which is done in several steps. By looking at the object's metadata you can actually see how many writes it took to create an object. See the screenshot for an example. You will also see there that userAccountControl was altered 4 times during the account creation and that the password related attributes were changed twice:
        at first the user is created as disabled with an empty password and after that the password is set.

        You can use repadmin.exe to look at the object's metadata using the following syntax:

        repadmin /showobjmeta <DC Name> <Object DN>

        Will show object's metadata on the DC you specify
        repadmin /showobjmeta "cn=guyt,cn=users,dc=domain,dc=com"

        Ask different DCs about the same object and you will see that the same object has different USNs on each DC.
        Guy Teverovsky
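The per-DC counter behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model in which each DC stamps its own local USN on every commit while the originating USN and version travel with the change. The class and field names, starting counters and write sequence are constructed for illustration; conflict resolution is reduced to a version comparison and the up-to-date vector is left out.

```python
# Simplified model of per-DC USN counters (added illustration, not AD code).
from dataclasses import dataclass, field

@dataclass
class AttrMeta:
    local_usn: int   # USN assigned by the DC holding this copy
    orig_dsa: str    # DC where the write originated
    orig_usn: int    # USN of that write on the originating DC
    version: int     # per-attribute version, bumped on each originating write

@dataclass
class DC:
    name: str
    highest_usn: int
    objects: dict = field(default_factory=dict)         # dn -> {attr: AttrMeta}
    high_watermark: dict = field(default_factory=dict)  # partner -> partner USN already pulled

    def write(self, dn, attr):
        """Originating write: each commit consumes one local USN."""
        self.highest_usn += 1
        attrs = self.objects.setdefault(dn, {})
        ver = attrs[attr].version + 1 if attr in attrs else 1
        attrs[attr] = AttrMeta(self.highest_usn, self.name, self.highest_usn, ver)

    def usn_changed(self, dn):
        """USN of the last change to this object on this DC."""
        return max(m.local_usn for m in self.objects[dn].values())

    def pull_from(self, src):
        """Pull changes above the watermark; each one gets a new local USN here."""
        mark = self.high_watermark.get(src.name, 0)
        pending = sorted(((m.local_usn, dn, a, m) for dn, attrs in src.objects.items()
                          for a, m in attrs.items() if m.local_usn > mark),
                         key=lambda c: c[0])
        for _, dn, attr, m in pending:
            mine = self.objects.setdefault(dn, {}).get(attr)
            if mine is None or m.version > mine.version:  # assumption: version-only conflict rule
                self.highest_usn += 1
                self.objects[dn][attr] = AttrMeta(self.highest_usn, m.orig_dsa, m.orig_usn, m.version)
        self.high_watermark[src.name] = src.highest_usn

def demo():
    dc1, dc2 = DC("DC1", 1000), DC("DC2", 5000)  # constructed starting counters
    dn = "cn=guyt,cn=users,dc=domain,dc=com"
    for attr in ("objectClass", "userAccountControl", "unicodePwd",
                 "userAccountControl", "unicodePwd"):  # constructed write sequence
        dc1.write(dn, attr)
    dc1.write("cn=other,cn=users,dc=domain,dc=com", "objectClass")
    dc2.pull_from(dc1)
    return dc1, dc2, dn
```

In this model the object's last-change USN on DC1 sits below DC1's highest USN because a later write touched a different object, and the same attribute carries a different local USN on DC2 while keeping DC1's originating USN and version.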
        "Smith & Wesson - the original point and click interface"