
Prashant-8662 asked

uSNChanged and uSNCreated attributes values to identify the recent changes for more than one DC

Hi,

We are going to write a batch job which will identify the recent changes/creations for AD users and organizations through the uSNChanged and uSNCreated attributes.

The batch job will store the previous uSNChanged and uSNCreated max values for a particular DC (Domain Controller) and, in the next cycle, the job will run an LDAP query on that DC to find the AD users and organizations which have uSNChanged and uSNCreated values greater than the previous uSNChanged and uSNCreated max values.

This is fine for a single DC.
As uSNChanged and uSNCreated are DC specific, if there is more than one DC, the uSNChanged and uSNCreated values will be different for an object (User/Organization) on each DC. If at a particular time DC1 is down, then we need to run the LDAP query on another DC (DC2),
so we cannot get the recent changes as per the previous uSNChanged and uSNCreated max values of DC1.
In this case, how can we manage the uSNChanged and uSNCreated attribute values to identify the recent changes for more than one DC?

Thanks

windows-active-directory

LimitlessTechnology-2700 answered

Hello @Prashant-8662

I believe the article below can help you better understand how to solve the problem you are facing now:

https://docs.microsoft.com/en-us/windows/win32/ad/polling-for-changes-using-usnchanged


--If the reply is helpful, please Upvote and Accept as answer--


GaryReynolds-8098 answered

There is no easy way to change the script to look at another DC for the updated objects based on the USN details. As you have found out, the USNs are unique to each DC. You could poll all DCs and collect the USN for all objects across all the DCs, but this would create a large processing overhead.

As pointed out, you could try one of the notification services offered by AD, but this still wouldn't solve the problem: if the targeted DC went down you wouldn't receive any updates. Have a look on the NetTools.net website; NetTools has a few features that display objects that have changed using the AD notification options.

The better solution might be to look at the whenChanged attribute and use that to detect when an object has changed. This time is roughly the same across all DCs, with only replication variation in the timestamp. That way, if you connected to a different DC, the script would continue to detect changes to objects.

Gary.
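The two approaches discussed in this thread, the per-DC uSNChanged watermark from the linked Microsoft article and Gary's whenChanged alternative, side by side as an added example (not code from the question, the answers, or NetTools). It runs offline over constructed in-memory DC snapshots that stand in for LDAP binds; the hostnames, invocationIDs, USN values, object GUIDs and timestamps are all made up for the demonstration. It shows why a USN cookie recorded against DC1 cannot be reused on DC2 (the job has to resync from scratch when it fails over), and how a whenChanged watermark with an overlap window and a seen-map keeps working after the failover, at the cost of occasionally re-reporting an object whose replicated copy carries a slightly later timestamp.

```python
"""Added example: change polling across domain controllers (constructed data, no live LDAP)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class DirectoryObject:
    object_guid: str
    usn_changed: int        # local counter of the DC that holds this copy
    when_changed: datetime  # stamped by each DC when it applies the write


@dataclass
class DCSnapshot:
    """Stand-in for an LDAP bind to one DC: RootDSE values plus the directory it serves."""
    host: str
    invocation_id: str          # invocationId of the DSA named in RootDSE dsServiceName
    highest_committed_usn: int  # RootDSE highestCommittedUSN
    objects: list
    online: bool = True


def first_online(dcs):
    """Pick the first reachable DC, as a failover-aware batch job would."""
    for dc in dcs:
        if dc.online:
            return dc
    raise RuntimeError("no domain controller reachable")


def poll_by_usn(dc, cookies):
    """Objects with uSNChanged above the watermark stored for *this DSA*.

    Cookies are keyed by invocationID, not hostname: USNs are a per-DC counter and a DC
    restored from backup gets a new invocationID with a restarted sequence. A DSA we hold
    no cookie for must be fully resynced; a watermark taken from another DC means nothing here.
    """
    last = cookies.get(dc.invocation_id)
    changed = list(dc.objects) if last is None else [o for o in dc.objects if o.usn_changed > last]
    cookies[dc.invocation_id] = dc.highest_committed_usn
    return changed


def poll_by_when_changed(dc, state, overlap=timedelta(minutes=5)):
    """Objects whose whenChanged falls inside (watermark - overlap, ...].

    whenChanged is set by each DC as it applies a write, so copies of one change differ
    across DCs by replication latency. The overlap window absorbs that latency and the
    seen-map suppresses exact repeats. After a DC switch an object changed inside the window
    may still be reported once more with the other DC's timestamp, so consumers must be
    idempotent (re-read the object rather than count reports).
    """
    since, seen, reported = state["since"] - overlap, state["seen"], []
    for o in dc.objects:
        if o.when_changed < since or seen.get(o.object_guid) == o.when_changed:
            continue
        reported.append(o)
        seen[o.object_guid] = o.when_changed
    if dc.objects:  # advance to the newest timestamp observed, not wall-clock time
        state["since"] = max(state["since"], max(o.when_changed for o in dc.objects))
    for guid in [g for g, t in seen.items() if t < state["since"] - overlap]:
        del seen[guid]  # can never fall inside a future window again
    return reported


def _t(minute):
    return datetime(2024, 1, 1, 12, minute, tzinfo=timezone.utc)


def build_dcs():
    """Three objects on two DCs: USNs are independent counters, whenChanged differs by replication delay."""
    dc1 = DCSnapshot("dc1", "inv-aaaa", 5000, [DirectoryObject("guid-A", 4990, _t(0)),
                                                 DirectoryObject("guid-B", 4995, _t(1)),
                                                 DirectoryObject("guid-C", 4999, _t(2))])
    dc2 = DCSnapshot("dc2", "inv-bbbb", 72000, [DirectoryObject("guid-A", 71980, _t(1)),
                                                  DirectoryObject("guid-B", 71990, _t(2)),
                                                  DirectoryObject("guid-C", 71999, _t(3))])
    return dc1, dc2


def write(dc, guid, when):
    """Apply a change on one DC: bump its USN counter and stamp whenChanged locally."""
    dc.highest_committed_usn += 1
    for o in dc.objects:
        if o.object_guid == guid:
            o.usn_changed, o.when_changed = dc.highest_committed_usn, when


def run_scenario():
    """A changes on dc1 at 12:10 (reaches dc2 at 12:11); dc1 then fails and B changes on dc2 at 12:12."""
    results, guids = {}, lambda objs: [o.object_guid for o in objs]
    dc1, dc2 = build_dcs()
    cookies = {}
    results["usn_initial"] = guids(poll_by_usn(dc1, cookies))
    write(dc1, "guid-A", _t(10)); write(dc2, "guid-A", _t(11))
    results["usn_after_change"] = guids(poll_by_usn(dc1, cookies))
    dc1.online = False; write(dc2, "guid-B", _t(12))
    results["usn_after_failover"] = guids(poll_by_usn(first_online([dc1, dc2]), cookies))  # full resync
    dc1, dc2 = build_dcs()
    state = {"since": AD_EPOCH, "seen": {}}
    results["when_initial"] = guids(poll_by_when_changed(dc1, state))
    write(dc1, "guid-A", _t(10)); write(dc2, "guid-A", _t(11))
    results["when_after_change"] = guids(poll_by_when_changed(dc1, state))
    dc1.online = False; write(dc2, "guid-B", _t(12))
    results["when_after_failover"] = guids(poll_by_when_changed(first_online([dc1, dc2]), state))  # A re-reported, C not
    return results
```

In the failover step the USN strategy returns every object on dc2 because no cookie exists for its invocationID, which in a real domain means a full enumeration; the whenChanged strategy returns only B (the genuinely new change) and A (re-reported because dc2 stamped the replicated change a minute later than dc1). Note that whenChanged has one-second granularity, so treat a report as "re-read this object", not as an exact count of modifications.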
