uSNChanged and uSNCreated attribute values to identify the recent changes for more than one DC

Prashant 1 Reputation point
2021-09-24T15:59:55.763+00:00

Hi,

We are going to write a batch job which will identify the recent changes/creations for AD users and organizations through the uSNChanged and uSNCreated attributes.

The batch job will store the previous uSNChanged and uSNCreated max values for a particular DC (Domain Controller), and in the next cycle the job will run an LDAP query against that DC to find out the AD users and organizations which have uSNChanged and uSNCreated values greater than the previous uSNChanged and uSNCreated max values.

This is fine for a single DC.
As uSNChanged and uSNCreated are DC specific, if there is more than one DC, the uSNChanged and uSNCreated values will be different for an object (user/organization) in each DC. If at a particular time DC1 is down, then we need to run the LDAP query in another DC, DC2,
so we cannot get the recent changes based on the previous uSNChanged and uSNCreated max values of DC1.
In this case, how can we manage the uSNChanged and uSNCreated attribute values to identify the recent changes for more than one DC?

Thanks


2 answers

  1. Limitless Technology 39,496 Reputation points
    2021-09-27T16:55:30.677+00:00

    Hello @Prashant

    I believe the article below can help you better understand how to solve the problem you are facing now:

    https://learn.microsoft.com/en-us/windows/win32/ad/polling-for-changes-using-usnchanged

    -----------

    --If the reply is helpful, please Upvote and Accept as answer--


  2. Gary Reynolds 9,406 Reputation points
    2021-09-30T03:13:18.22+00:00

    There is no easy way to change the script to look at another DC for the updated objects based on the USN details. As you have found out, the USNs are unique to each DC. You could poll all DCs and collect the USN for all objects across all the DCs, but this would create a large processing overhead.

    As pointed out, you could try one of the notification services offered by AD, but this still wouldn't solve the problem: if the targeted DC went down you wouldn't receive any updates. Have a look at the NetTools.net website; NetTools has a few features that display objects that have changed using the AD notification options.

    The better solution might be to look at the WhenChanged attribute and use that to detect when an object has changed. This time is roughly the same across all DCs, with only replication variation in the timestamp. That way, if you connected to a different DC, the script would continue to detect changes to objects.

    Gary.

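An added example (not code from the question or either answer) of the per-DC watermark approach from the question combined with the whenChanged fallback Gary suggests: each DC gets its own stored USN watermark (tied to that DC's invocationId, as the linked Microsoft article recommends), and when the job has to poll a DC it holds no watermark for, it falls back to a whenChanged filter backed off by an assumed replication slack. The `search` parameter stands in for the real LDAP search; the DC names, USNs, timestamps and REPLICATION_SLACK value are constructed for the demo.

```python
import re
from datetime import datetime, timedelta, timezone

REPLICATION_SLACK = timedelta(minutes=15)  # assumed; use your worst-case replication latency
BASE = "(|(objectClass=user)(objectClass=organizationalUnit))"

def ldap_time(t):
    """Generalized-Time string, the form whenChanged/whenCreated filters accept."""
    return t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")

def build_filter(state, dc, last_run):
    """USN filter when we hold a watermark for this DC (LDAP has only >=, hence +1);
    otherwise a whenChanged filter backed off by the replication slack."""
    if dc in state:
        return f"(&{BASE}(uSNChanged>={state[dc]['usn'] + 1}))"
    return f"(&{BASE}(whenChanged>={ldap_time(last_run - REPLICATION_SLACK)}))"

def poll(state, dc, rootdse, last_run, search):
    """Poll one DC, return (created_dns, changed_dns) and update its watermark.
    state: {dc: {'invocationId', 'usn'}} persisted between runs, one entry per DC.
    rootdse: invocationId and highestCommittedUSN read from that DC's RootDSE."""
    if dc in state and state[dc]["invocationId"] != rootdse["invocationId"]:
        del state[dc]  # DC restored or re-promoted: its USN sequence restarted
    low = state[dc]["usn"] if dc in state else None
    since = ldap_time(last_run - REPLICATION_SLACK)
    created, changed = [], []
    for e in search(dc, build_filter(state, dc, last_run)):
        is_new = e["uSNCreated"] > low if low is not None else e["whenCreated"] >= since
        (created if is_new else changed).append(e["distinguishedName"])
    state[dc] = {"invocationId": rootdse["invocationId"], "usn": rootdse["highestCommittedUSN"]}
    return created, changed

# Constructed sample data: the same three objects as each DC sees them (USNs differ per DC).
def entry(dn, usn_changed, usn_created, when_changed, when_created):
    return {"distinguishedName": dn, "uSNChanged": usn_changed, "uSNCreated": usn_created,
            "whenChanged": when_changed, "whenCreated": when_created}
OU, ALICE, BOB = "OU=Staff,DC=example,DC=com", "CN=alice,OU=Staff,DC=example,DC=com", "CN=bob,OU=Staff,DC=example,DC=com"
SAMPLE = {"DC1": [entry(ALICE, 5200, 5200, "20210924100000.0Z", "20210924100000.0Z"),
                  entry(BOB, 5209, 5209, "20210924102500.0Z", "20210924102500.0Z"),
                  entry(OU, 5210, 4000, "20210924103000.0Z", "20210901090000.0Z")],
          "DC2": [entry(ALICE, 9801, 9801, "20210924100000.0Z", "20210924100000.0Z"),
                  entry(BOB, 9812, 9812, "20210924102500.0Z", "20210924102500.0Z"),
                  entry(OU, 9815, 7000, "20210924103000.0Z", "20210901090000.0Z")]}

def fake_search(dc, ldap_filter):
    """Stand-in for the LDAP search: applies the uSNChanged/whenChanged clause to SAMPLE."""
    attr, val = re.search(r"\((uSNChanged|whenChanged)>=([^)]+)\)", ldap_filter).groups()
    return [e for e in SAMPLE[dc] if e[attr] >= (int(val) if attr == "uSNChanged" else val)]

LAST_RUN = datetime(2021, 9, 24, 10, 20, tzinfo=timezone.utc)  # constructed previous-cycle time

def failover_demo():
    """Cycle N polls DC1 by USN watermark; DC1 is then down, so cycle N+1 polls DC2 instead."""
    state = {"DC1": {"invocationId": "inv-dc1", "usn": 5205}}
    from_dc1 = poll(state, "DC1", {"invocationId": "inv-dc1", "highestCommittedUSN": 5210}, LAST_RUN, fake_search)
    from_dc2 = poll(state, "DC2", {"invocationId": "inv-dc2", "highestCommittedUSN": 9815}, LAST_RUN, fake_search)
    return from_dc1, from_dc2, state
```

Both polls report the same delta (bob created, the OU changed) even though the USNs differ per DC; the whenChanged fallback can re-report objects already processed within the slack window, so the consumer of the delta must be idempotent.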