highestCommittedUSN attribute at rootDSE

    Question

  • I want to know whether the attribute highestCommittedUSN under rootDSE is the same as the highest value of the attribute USNChanged.

    Because it says "committed" in the context of directory replication, what does this mean?

    Friday, May 17, 2013 2:19 PM

All replies

  • The value of the highestCommittedUSN attribute on rootDSE is equal to the highest USNChanged value on that particular domain controller. You can use it to determine what objects were changed recently on that DC. For an overall view of recently changed objects and how they have been replicated, you can perform these queries on each domain controller and compare the results.

    Here is a great technet blog post on tracking recent changes in AD:

    http://blogs.technet.com/b/askds/archive/2009/03/18/how-do-i-find-out-what-changes-are-going-on-in-my-active-directory.aspx

    Friday, May 17, 2013 3:04 PM
  • I agree with Neil. Both uSNChanged and HighestCommittedUSN are not replicated, so a different value is retrieved from every DC. When I tested I found that the values on any DC are close, but not identical. Of course the values constantly change with each replication cycle, but it seems to me that HighestCommittedUSN is always slightly larger than the largest uSNChanged value on the DC. I suspect that when I filter with (objectCategory=*) I only see objects in the domain partition and I am ignoring objects in other partitions (like the configuration and schema containers). When I get a chance, I may check this.


    Richard Mueller - MVP Directory Services

    Friday, May 17, 2013 3:18 PM
  • Well, after including the Schema and Configuration partitions I got closer, but still off by a few (19). I suspect I'm missing objects when I search for uSNChanged values, like in cn=system or cn=deleted objects. Since HighestCommittedUSN is always slightly larger, I think it is accurate. I just have trouble finding all objects in all partitions to retrieve uSNChanged values.


    Richard Mueller - MVP Directory Services

    Friday, May 17, 2013 3:31 PM
  • Are you remembering ForestDnsZones and DomainDnsZones?  Lab environment with low rate of change would be best for verification.

    Friday, May 17, 2013 5:20 PM
  • Neil is right on the spot: this is changes in ALL NCs hosted on a given DC (e.g. the highest committed USN can be in any NC).

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Friday, May 24, 2013 7:36 PM
  • Hello All,

    This does not stack up for me on my domain (simple domain, no additional application partitions).

    For example, I wrote the following simple script to enumerate the values from each partition

    I have wrapped the lines using the PowerShell escape character ` to help make it more readable

    # Author Ernest Brant (does not take into account any additional application partitions) use AS IS no warranty

    # Bind to rootDSE and to each of the five partitions a plain single-domain DC hosts
    $RootDSE = [ADSI]"LDAP://RootDSE"
    $Domain = [ADSI]""                     # serverless bind = default naming context (domain partition)
    $Configuration = [adsi]"LDAP://$($RootDSE.configurationNamingContext)"
    $Schema = [adsi]"LDAP://$($RootDSE.schemaNamingContext)"
    $DomainDNS = [adsi]"LDAP://$($RootDSE.namingContexts |
    Where-Object { $_ -match 'DomainDnsZones' })"
    $ForestDNS = [adsi]"LDAP://$($RootDSE.namingContexts |
    Where-Object { $_ -match 'ForestDnsZones' })"

    # highestCommittedUSN comes back as a one-element collection; unwrap it
    $highestCommittedUSN = $RootDSE.highestCommittedUSN |
    ForEach-Object {$_}

    # uSNChanged is an ADSI LargeInteger (64-bit); keep it 64-bit, do not truncate to [int]
    $DomainUSNChanged = `
    $Domain.ConvertLargeIntegerToInt64($Domain.UsnChanged[0]) -as [int64]

    $ConfigurationUSNChanged = `
    $Configuration.ConvertLargeIntegerToInt64($Configuration.UsnChanged[0]) -as [int64]

    $SchemaUSNChanged = `
    $Schema.ConvertLargeIntegerToInt64($Schema.UsnChanged[0]) -as [int64]

    $DomainDNSZonesUSNChanged = `
    $DomainDNS.ConvertLargeIntegerToInt64($DomainDNS.UsnChanged[0]) -as [int64]

    $ForestDNSZonesUSNChanged = `
    $ForestDNS.ConvertLargeIntegerToInt64($ForestDNS.UsnChanged[0]) -as [int64]

    # Emit one object with the rootDSE value next to each partition head's uSNChanged
    [pscustomobject][ordered]@{
    highestCommittedUSN = $highestCommittedUSN
    DomainUSNChanged  = $DomainUSNChanged
    ConfigurationUSNChanged    = $ConfigurationUSNChanged
    SchemaUSNChanged    = $SchemaUSNChanged
    DomainDNSZonesUSNChanged = $DomainDNSZonesUSNChanged
    ForestDNSZonesUSNChanged = $ForestDNSZonesUSNChanged
    'Total Combined USNChanged'  = $DomainUSNChanged + $ConfigurationUSNChanged + `
    $SchemaUSNChanged + $DomainDNSZonesUSNChanged + $ForestDNSZonesUSNChanged
    }

    The results I get are as follows

    highestCommittedUSN       : 144215230
    DomainUSNChanged          : 144203214
    ConfigurationUSNChanged   : 144203370
    SchemaUSNChanged          : 144203398
    DomainDNSZonesUSNChanged  : 144203248
    ForestDNSZonesUSNChanged  : 144203328
    Total Combined USNChanged : 721016558

    So highestCommittedUSN does not match DomainUSNChanged, and if you combine all the USNChanged values you end up with 721016558, which again does not match.

    I ran my script as Domain Admin (single root domain) and as the SYSTEM account; same result.

    Can a member of the MS directory services team like Ned clear this up ?

    Thanks

    Ernest Brant


    Monday, March 19, 2018 4:40 PM
  • Two things.

    1. Your script does not return Deleted Objects or Recycled Objects

    2. Are you sure you're binding to the same DC for all your LDAP calls?


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Monday, March 19, 2018 10:44 PM
  • OK thanks Enfo,

    I will update the script to add those two elements

    I also tried the current script on quite a new install of a test forest (single domain) and the results are below

    highestCommittedUSN       : 98356
    DomainUSNChanged          : 98336
    ConfigurationUSNChanged   : 12824
    SchemaUSNChanged          : 12825
    DomainDNSZonesUSNChanged  : 12826
    ForestDNSZonesUSNChanged  : 12827
    Total Combined USNChanged : 149638

    Thanks

    Ernest Brant


    Tuesday, March 20, 2018 6:30 AM
  • All,
    I have adjusted my script, firstly to automatically take into account any additional application partitions and also deleted and recycled objects.

    When it comes to deleted and recycled objects, as you are probably aware an object is marked as isDeleted first; then, when the deleted object lifetime expires, it is marked as isRecycled. However, it still maintains its isDeleted attribute set to true. Therefore, in my logic I only need to search for objects which have their isDeleted attribute set to pick up both Deleted and Recycled objects. With that in mind I used Get-ADObject to pick out the deleted/recycled objects. As you can see from the results below I am still thousands out (8585) when comparing Domain (default naming context) USNChanged, adding this to Deleted/Recycled, and comparing it with highestCommittedUSN from the RootDSE.

    DC=MyDomain,DC=net                            : 100082514
    CN=Configuration,DC=MyDomain,DC=net           : 100082970
    CN=Schema,CN=Configuration,DC=MyDomain,DC=net : 100083493
    DC=ForestDnsZones,DC=MyDomain,DC=net          : 100082559
    DC=DomainDnsZones,DC=MyDomain,DC=net          : 100082584
    DeletedorRecycled                             : 1928
    HighestUSNChanged                             : 100093027

    script below

    # Author Ernest Brant, use AS IS no warranty
    # Get-ADObject comes from the RSAT ActiveDirectory module
    Import-Module ActiveDirectory

    $RootDSE = [ADSI]"LDAP://RootDSE"
    $HT = [ordered]@{ }     # naming context DN -> bound ADSI object
    $HT2 = [ordered]@{ }    # naming context DN -> uSNChanged of the partition head object

    $HighestUSNChanged = $RootDSE.highestCommittedUSN | ForEach-Object {$_}

    # Bind to every naming context this DC advertises (this picks up application partitions too)
    foreach ($NamingContext in (($RootDSE).namingContexts))
    {
        $HT[$NamingContext] = [ADSI]"LDAP://$NamingContext"
    }

    # uSNChanged is a 64-bit LargeInteger; convert it and keep it 64-bit
    foreach ($NamingContext in ($HT.GetEnumerator()))
    {
        $partition = $NamingContext.Key
        $USNChanged = `
        $RootDSE.ConvertLargeIntegerToInt64(($NamingContext.Value).uSNChanged[0]) -as [int64]
        $HT2.Add($partition, $USNChanged)
    }

    # Deleted and recycled objects both carry isDeleted=TRUE; exclude the container itself
    $DeletedorRecycled = @(Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects)
    $HT2.Add('DeletedorRecycled', $DeletedorRecycled.Count)
    $HT2.Add('HighestUSNChanged', $HighestUSNChanged)

    [pscustomobject]$HT2

    Wednesday, March 21, 2018 4:51 PM
  • PS,

    When I say the script will take into account any additional application partitions, I mean against the particular DC on which it is run (as application partitions can be on a subset of DCs).

    Did anyone else manage to get the numbers to stack? e.g. USNChanged (Domain/deleted) = HighestUSNChanged?

    Perhaps Microsoft's Get-ADObject -IncludeDeletedObjects parameter only takes into account isDeleted when isRecycled is not also set (e.g. if they are both set it does not count them).

    It would be nice to get a definitive answer to this from the MS DS team; anyway, on to other work.

    Ernest Brant



    Thursday, March 22, 2018 8:12 AM
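An added example, not code from this thread or from any of its posters, that does what the first reply suggests (list what changed most recently on one DC) and what Ernest's posts are trying to do (reconcile highestCommittedUSN with the highest uSNChanged across every naming context the DC hosts, including deleted and recycled objects). It uses System.DirectoryServices.Protocols rather than [ADSI] or Get-ADObject so that a single explicit LdapConnection serves every query, which answers the "same DC for all LDAP calls?" question by construction. Instead of pulling every object and scanning uSNChanged client-side, it asks the DC to sort each naming context by uSNChanged descending and takes only the first page. The DC name and the $Recent window are assumptions to replace; the control OIDs are the documented LDAP_SERVER_SHOW_RECYCLED_OID and LDAP_SERVER_SHOW_DELETED_OID.

```powershell
# Added example, not from the thread. Compare rootDSE highestCommittedUSN with the
# highest uSNChanged across every naming context ONE domain controller hosts,
# counting deleted and recycled objects, and list the latest changes on that DC.
# Assumptions: the DC name and $Recent below; an account allowed to read deleted
# objects (Domain Admins are); a 2008 R2 or later DC for the show-recycled control.
param(
    [string]$Server = 'dc01.mydomain.net',   # assumption: replace with your DC
    [int]$Recent = 10                        # newest objects to fetch per NC
)

Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

# uSNChanged and highestCommittedUSN are per-DC, non-replicated values, so every
# request must go to the same server: one explicit LdapConnection guarantees that
# (a serverless [ADSI] bind may pick a different DC per call).
$conn = New-Object "$P.LdapConnection" $Server
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true     # sign and seal: no cleartext LDAP on the wire
$conn.SessionOptions.Sealing = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()

function Get-RootDse {
    $req = New-Object "$P.SearchRequest" -ArgumentList '', '(objectClass=*)', 'Base',
        @('highestCommittedUSN', 'namingContexts', 'dnsHostName', 'supportedControl')
    $conn.SendRequest($req).Entries[0]
}
function Get-Str($entry, $attr) { $entry.Attributes[$attr].GetValues([string])[0] }

$root   = Get-RootDse
$before = [int64](Get-Str $root 'highestCommittedUSN')
$ncs    = $root.Attributes['namingContexts'].GetValues([string])
$ctls   = $root.Attributes['supportedControl'].GetValues([string])

# LDAP_SERVER_SHOW_RECYCLED_OID returns deleted AND recycled objects.
# LDAP_SERVER_SHOW_DELETED_OID returns tombstones only, so on the fallback path
# recycled objects (isDeleted=TRUE plus isRecycled=TRUE) stay invisible.
$showOid = '1.2.840.113556.1.4.417'
if ($ctls -contains '1.2.840.113556.1.4.2064') { $showOid = '1.2.840.113556.1.4.2064' }

$perNc  = [ordered]@{}
$latest = @()
foreach ($nc in $ncs) {
    $req = New-Object "$P.SearchRequest" -ArgumentList $nc, '(uSNChanged=*)', 'Subtree',
        @('uSNChanged', 'whenChanged', 'isDeleted', 'isRecycled')
    # Server-side sort on uSNChanged (indexed, so the DC walks the index) in
    # descending order, plus a paged-results control whose first page we take and
    # never continue: the top-$Recent objects without pulling the whole partition.
    [void]$req.Controls.Add((New-Object "$P.SortRequestControl" -ArgumentList 'uSNChanged', $true))
    [void]$req.Controls.Add((New-Object "$P.PageResultRequestControl" -ArgumentList $Recent))
    [void]$req.Controls.Add((New-Object "$P.DirectoryControl" -ArgumentList $showOid, $null, $true, $true))

    $max = [int64]0
    foreach ($e in $conn.SendRequest($req).Entries) {
        $usn = [int64](Get-Str $e 'uSNChanged')
        if ($usn -gt $max) { $max = $usn }
        $latest += [pscustomobject]@{
            uSNChanged  = $usn
            NC          = $nc
            DN          = $e.DistinguishedName
            Deleted     = $null -ne $e.Attributes['isDeleted']
            Recycled    = $null -ne $e.Attributes['isRecycled']
            whenChanged = Get-Str $e 'whenChanged'
        }
    }
    $perNc[$nc] = $max
}

# Read highestCommittedUSN again: on a live DC it moves while we search, and the
# difference between the two reads bounds how much of any remaining gap is timing.
$after  = [int64](Get-Str (Get-RootDse) 'highestCommittedUSN')
$maxAll = [int64]($perNc.Values | Sort-Object -Descending | Select-Object -First 1)

[pscustomobject][ordered]@{
    DC                         = Get-Str $root 'dnsHostName'
    highestCommittedUSN_before = $before
    highestCommittedUSN_after  = $after
    MaxUSNChangedAllNCs        = $maxAll
    Gap                        = $before - $maxAll
    ShowControlUsed            = $showOid
} | Format-List
[pscustomobject]$perNc | Format-List
$latest | Sort-Object uSNChanged -Descending | Select-Object -First $Recent | Format-Table -AutoSize
$conn.Dispose()
```

Save it as a .ps1 and run it with -Server pointing at the DC under inspection; because both counters are local to each DC, run it against every DC separately and compare, as the first reply recommends. The last table is the "what changed recently on this DC" view, and the Deleted/Recycled columns show whether the newest USN on a partition belongs to an object a plain search would never have returned.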