Fix AD Replication issue because of USN Rollback

Active Directory

WARNING: Since this article can cause an issue on your System, take any necessary action before running any command.

Today, I got a replication error from my Active Directory with error 8456 or 8457: “The source | destination server is currently rejecting replication requests”

When I run repadmin /replsummary command, I got “IS_GC DISABLE_OUTBOUND_REPL DISABLE_INBOUND_REPL” on the DSA Options

After some further check, I suspect that My domain controller is in USN Rollback mode.

What is USN Rollback

USN rollback occurred because the Active Directory database was incorrectly rolled back in time.  There are some conditions that can cause the USN Rollback as below:

  • The booting from previously saved virtual machine snapshots of domain controller role computers on Hyper-V or VMWARE hosts
  • Incorrect physical-to-virtual (P2V) conversions in forests that contain more than one domain controller
  • Restoring DC role computers by using imaging products such as Ghost
  • Rolling the contents of a partition that is hosting the active directory database back in time by using an advanced disk subsystem

How to check if my AD is on USN Rollback?

Check the value for “DSA not writable.”

For each domain controller that is logging the 8456 or 8457 error, determine whether one of the three triggering events automatically disabled incoming or outgoing Active Directory Replication by reading the value for “DSA not writable” from the local registry.

When replication is automatically disabled, the operating system writes one of four possible values to “DSA not writable”.

You can find the registry value on the path ” HKLM\System\CurrentControlSet\Services\NTDS\Parameters” and ” DSA not writable” Key.

If your value of “DSA not writable” key is “4”, then your AD is on the USN Rollback state.


  • Remove the “DSA not Writeable” key that you find before.
  • Enable replication by running repadmin /options servername -DISABLE_OUTBOUND_REPL and repadmin /options servername -DISABLE_INBOUND_REPL Note: There is (-) minus character before the “DISABLE” word.
  • Restart the computer.

Once the reboot process is done, you will see the netlogon is working again, You can run repadmin /options to verify the AD Replication.


Please enter your comment!
Please enter your name here