Delete DSA Not Writable key if I've successfully repaired AD rep but still in USN?


I am not an AD expert so I wanted to see what others thought about my situation.

I have a 2008 PDC that is in USN mode. The official way to fix this is to demote, clean up metadata, then re-promote. My plan is to demote this server anyway and build a new DC. Rather than go through the entire official process I devised a workaround that appears to have resolved the replication issues.

I took a system state backup of the USN mode server in its broken, non-replicating state, rebooted into DSRM, and performed a non-authoritative restore from that backup. It being non-authoritative, it replicated from the two healthy servers. I ceased receiving log errors and tested replication and am satisfied with the state of AD.

If I reboot this server though, it still pauses Netlogon as it is still in USN mode. At this point, I think the server is okay and no longer needs to be in this protective state. I've seen some mention of deleting the DSA Not Writable key to stop the server from being in USN mode. I've also read that this is not supported and that "modifying the value removes the quarantine behavior added by the USN rollback detection code."

I've already bypassed the quarantine behavior (if I'm not mistaken) by unpausing Netlogon, fixing replication, and replicating with the rest of the DCs. At this point, I think it might be safe to remove that key without damaging my AD services and have a fully repaired server. Am I missing anything? Do you think it is or isn't a good idea? Thanks in advance.

Last edited by Esus; 17th March 2015, 00:15.
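Before deciding anything about the key, a reader in this situation will want a read-only picture of the three things the post describes: the quarantine flag, the Netlogon service state, and inbound replication. The PowerShell below is an added example, not the poster's own script; it assumes the value lives under the NTDS Parameters key in the registry and that `repadmin` is available on the DC, and it deliberately only reports and never modifies anything.

```powershell
# Added example: report USN-rollback quarantine state on the local DC.
# Assumption: the "DSA Not Writable" REG_DWORD is stored under the NTDS
# Parameters key; the script reads it and never changes or deletes it.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName  = 'DSA Not Writable'

function Get-DsaQuarantineState {
    $props = Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties.Name -contains $valueName) {
        [pscustomobject]@{ Present = $true;  Value = $props.$valueName }
    } else {
        [pscustomobject]@{ Present = $false; Value = $null }
    }
}

function Get-NetlogonState {
    # Netlogon is paused (not stopped) by the USN rollback detection code.
    (Get-Service -Name Netlogon).Status
}

function Get-InboundReplicationFailures {
    # Parse repadmin output for inbound partners reporting a failure.
    # Lines for partners that replicated successfully contain "successful".
    $lines = & repadmin.exe /showrepl 2>&1
    $lines | Where-Object { $_ -match 'Last attempt' -and $_ -notmatch 'successful' }
}

$flag      = Get-DsaQuarantineState
$netlogon  = Get-NetlogonState
$failures  = Get-InboundReplicationFailures

"DSA Not Writable present : $($flag.Present)  value: $($flag.Value)"
"Netlogon service status  : $netlogon"
"Inbound replication failures: $($failures.Count)"
$failures | ForEach-Object { "  $_" }

if ($flag.Present -or $netlogon -eq 'Paused') {
    "This DC is still flagged as quarantined; the supported path is demote, metadata cleanup, re-promote."
} elseif ($failures.Count -eq 0) {
    "No quarantine flag and no inbound replication failures reported."
}
```

Run it in an elevated prompt on the DC in question; the output only confirms whether the quarantine marker and the paused Netlogon are still present, which is the information the post is reasoning about.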