We have been writing a ton of information to Active Directory lately! From computer serial numbers, device models, and our current logged in user, we’ve greatly extended the everyday practical benefits of Active Directory. But does this come at a price? Reading the comments of a few different websites, you would certainly think so. Here is a sample:
if you do it [write to a computer] after every logon, you can quickly exhaust the USN for the whole AD domain! And then the domain is dead.
Wow! So, according to this guy – our whole domain will die? That doesn’t seem right. Unfortunately, I do not know enough to accept or deny this statement so I did some research (and contacted Microsoft).
What is a USN?
Update Sequence Numbers (USNs) are essentially a measuring stick used to help a domain controller restore itself. Each object has an attribute named uSNChanged.
When an object is updated, its uSNChanged attribute is set to one number above the current highest USN (also known as the highestCommittedUSN). If you are interested in seeing your highestCommittedUSN, launch LDP.exe on a domain controller. Open the Connection menu, connect to a DC, and scroll down to the highestCommittedUSN line.
When would I run out?
In the screenshot above, my test domain has had almost 70,000 updates! That is insane for a single client/single domain controller environment! But lucky for me, the current USN is a 64-bit counter. In other words, it would take 18 quintillion changes to exhaust it. If we ever managed to reach that point, well – it would just loop over and start back at one!
But couldn’t that cause some issues?
According to Microsoft, no. Even if you wanted to run out, it would be nearly impossible to do. To quote Ned Pyle:
Let’s say I want to run out of USNs though, so I create a script that makes 100 object write updates per second on a DC. It would take me 54 days to hit the first 1 billionth USN. At that rate, this means I am adding ~6.5 billion USN changes a year. Which means at that rate, it would take just under 3 billion years to run out on that DC. Which is probably longer than your hardware warranty.
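If you would rather measure your own burn rate than take the back-of-the-envelope numbers on faith, the script below (added here as an example; it is not from the original post or from Ned) reads highestCommittedUSN from RootDSE twice, works out how many changes per second that DC is actually committing, and projects how long the 64-bit counter would last. The function names, the 60-second sample window and the 100-changes-per-second scenario are my choices; it assumes you run it from a domain-joined machine that can reach a DC over LDAP.

```powershell
# Added example, not code from the original post. Uses only the built-in [ADSI]
# accelerator, so no RSAT module is needed. highestCommittedUSN is per DC, so
# sample the DC your inventory scripts write to.
function Get-HighestCommittedUsn {
    param([string]$Server)
    $path = if ($Server) { "LDAP://$Server/RootDSE" } else { "LDAP://RootDSE" }
    $rootDse = [ADSI]$path
    return [uint64]$rootDse.highestCommittedUSN.Value
}

# Project time to exhaustion for a given current USN and write rate.
function Get-UsnProjection {
    param([uint64]$CurrentUsn, [double]$ChangesPerSecond)
    $max       = [uint64]::MaxValue            # ceiling of the 64-bit counter
    $remaining = $max - $CurrentUsn
    $years     = if ($ChangesPerSecond -gt 0) {
        [math]::Round([double]$remaining / $ChangesPerSecond / 31557600)  # seconds per Julian year
    } else { $null }
    [pscustomobject]@{
        CurrentUsn        = $CurrentUsn
        ChangesPerSecond  = $ChangesPerSecond
        PercentUsed       = [math]::Round(100 * ([double]$CurrentUsn / [double]($max)), 12)
        YearsToExhaustion = $years
    }
}

# Sample the live counter twice and feed the measured rate into the projection.
function Measure-UsnBurnRate {
    param([string]$Server, [int]$SampleSeconds = 60)
    $start = Get-HighestCommittedUsn -Server $Server
    Start-Sleep -Seconds $SampleSeconds
    $end   = Get-HighestCommittedUsn -Server $Server
    $rate  = ($end - $start) / $SampleSeconds
    Get-UsnProjection -CurrentUsn $end -ChangesPerSecond $rate
}

# Hypothetical scenario: a script hammering one DC with 100 writes per second,
# starting from the ~70,000 USN of the test domain in the post.
Get-UsnProjection -CurrentUsn 70000 -ChangesPerSecond 100

# Real measurement against whichever DC the locator picks (or pass -Server).
Measure-UsnBurnRate -SampleSeconds 60
```

Run it on a DC during a logon storm or while your inventory script is executing to see the rate your own writes add; anything short of billions of years to exhaustion would be a surprise.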
So there you have it! While our scripts may not be the most efficient in terms of writing data, they certainly save us a ton of time finding users and managing inventory. Best of all, they won’t accidentally blow up our domain!
If you are interested in reading Ned’s complete explanation, the link is below.
If you are interested in exactly how USN replicates, you’ll enjoy this: