Restoring a domain controller may cause inconsistencies between domain controllers

When a domain controller (DC) is restored in Active Directory, there is a possibility of encountering inconsistencies, like deleted objects (lingering objects) being present in the restored DC, or new objects created in the restored DC not being replicated to other DCs.

How to detect or know if a DC restoration operation could lead to inconsistencies? If the Event ID: 1587 occurs, when a domain controller is restored, it could be an indication of possible inconsistency in Active Directory or between DCs. But just the occurrence of this event may not indicate a problem always. If this Event ID is recorded, and if there are issues in objects that are created on the restored DC being replicated to other DCs, there certainly is an inconsistency.

What is the reason for the issue (Event ID: 1587)?

When a DC is restored, its highest committed update sequence number (USN) is rolled back to the value that existed at the time of its backup, and objects that have USN values between the lowest and highest committed USN are not considered for replication. Also, its original invocation ID is replaced with a newly assigned invocation ID.

How can this issue be handled?

When AD inconsistency happens after the restoration of a DC, you can choose to either use a workaround or resolve the issue.

Workaround for this issue:

• Perform a forced replication from the affected DC to another DC
• Demote and then promote the restored DC.

Resolution for this issue

To fix this issue, download and apply the latest patch or the hotfix MS01-036.

For more details about why this issue occurs, and how to go about fixing it, please refer to this MS documentation.

Also, did you know that you can automatically backup AD objects, and even granularly restore, either a single object or even a single attribute of an object, easily? You just have to give ADManager Plus a try, using the free trial, to experience how simple and easy AD backup and recovery can be.

ADManager Plus' AD backup and recovery capabilities include:

• Scheduled full and incremental back up of all AD objects.
• Restoration of objects completely with all attributes intact.
• Granular restoration of any specific object, or just one single attribute of an object.

Download the free 30-day trial of ADManager Plus to experience all the capabilities of this unified AD, Office 365, Exchange and G Suite management and reporting tool.