Updated on September 29, 2025
An Update Sequence Number (USN) is a 64-bit number assigned by an Active Directory domain controller to every change made to its database. Serving as a logical timestamp, the USN is a critical component of the Active Directory replication process. It provides a unique, monotonically increasing identifier for each write transaction, ensuring that domain controllers (DCs) can reliably track and synchronize changes with their replication partners without conflicts. For system administrators, understanding USNs is essential for troubleshooting replication issues and managing the health of a distributed Active Directory environment.
Definition and Core Concepts
An Update Sequence Number is a counter value that is incremented for every modification—creation, deletion, or attribute change—to an object or attribute within the local copy of the Active Directory database on a specific domain controller. Each DC maintains its own unique USN counter.
Foundational concepts include:
- Monotonically Increasing: A USN always increases with each new change. It never decreases or resets, ensuring a clear and consistent order of events.
- Local to a Domain Controller: A USN is only unique within the context of a single domain controller. The same object on different DCs will have different USNs.
- High Water-Mark: During replication, a DC informs its partners about the last USN it has processed from them. This “high water-mark” lets the partners know exactly where to start sending changes from.
- Replication Metadata: The USN is part of the replication metadata for each object and attribute. This metadata tracks the USN of the last change for that specific object and attribute, the originating DC, and the timestamp.
How It Works
The USN is central to the Active Directory replication process, particularly the replication source and destination tracking. The process ensures that each DC always requests only the changes it hasn’t seen yet from its partners, preventing redundant data transfers and ensuring all changes eventually propagate throughout the forest.
The process follows these steps:
- Change Origination: A user changes their password on a domain controller (DC-A). DC-A writes this change to its local database, and in the process, it assigns a new, incremented USN to this transaction. This USN is the Originating USN for this change.
- Replication Request: A different domain controller (DC-B), which is a replication partner of DC-A, periodically checks for changes. It sends a replication request to DC-A, including the highest USN it has previously received from DC-A—its high water-mark.
- Change Delivery: DC-A receives the request, identifies that its current USN is greater than DC-B’s high water-mark, and sends all changes with a USN greater than that mark.
- Local Application: DC-B receives the changes, applies them to its own database, and assigns its own local, incremented USN to the transactions. It also stores the Originating USN and the originating DC’s Globally Unique Identifier (GUID) as part of the object’s replication metadata.
Key Features and Components
The USN model underpins several key features of Active Directory replication. These features ensure that the directory service remains consistent and efficient across a distributed network.
- Collision-Free Replication: By using unique USNs on each DC, Active Directory avoids conflicts when the same object is modified on different domain controllers simultaneously.
- Efficiency: USNs enable an efficient pull-based replication model where DCs only request changes they haven’t seen, reducing network traffic.
- Replication Consistency: The USN model guarantees eventual consistency across the entire Active Directory forest by ensuring that all originating changes are eventually replicated to every domain controller.
- Metadata Tracking: The USN is a core part of the replication metadata, which provides a detailed audit trail of when, where, and by whom a change was made.
Troubleshooting and Considerations
While the USN mechanism is robust, certain conditions can disrupt replication and require administrative intervention. Understanding these issues is critical for maintaining a healthy Active Directory environment.
- USN Rollback: This is a critical error condition that occurs when a DC’s USN is reset to an older value, for example, by restoring a DC from a backup without proper “authoritative restore” procedures. The DC will fail to replicate, because its partners believe they have already seen all changes up to its current, now stale, USN; any new change that reuses an already-seen USN is never requested. This leads to replication stalls and potential data divergence.
- USN Catch-Up: In large environments, a DC might be offline for an extended period, causing its high water-mark to fall far behind its partners. When it comes back online, it must process a large number of changes, which can impact performance.
- Monitoring: Administrators should monitor Active Directory replication status using tools like repadmin /showrepl to identify any replication failures or stalled replication that might be caused by USN-related issues.
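The following toy model is an added example, not code from the page or from Microsoft. It models the four steps under “How It Works” (originating USN, high water-mark request, change delivery, local USN plus originating USN and DC GUID in the metadata) and then replays the USN Rollback scenario above to show why a partner silently stops receiving changes. It deliberately omits real AD details such as the up-to-dateness vector, attribute version numbers and conflict resolution; replication here is a one-directional pull from DC-A to DC-B.

```python
# Added toy model (not Microsoft's code) of USN-based pull replication and USN rollback.
import uuid
class DomainController:
    def __init__(self):
        self.guid = str(uuid.uuid4())   # stored as the originating DC in metadata
        self.usn = 0                    # local counter: only ever increments
        self.objects = {}               # dn -> (value, metadata dict)
        self.high_water_mark = {}       # partner guid -> highest partner USN applied

    def write(self, dn, value):
        self.usn += 1                   # originating write: new local USN = originating USN
        self.objects[dn] = (value, {"local": self.usn, "orig": self.usn, "orig_dc": self.guid})
        return self.usn

    def changes_since(self, usn):
        # all changes (local or replicated) this DC recorded above the given USN
        return [(dn, v, m) for dn, (v, m) in self.objects.items() if m["local"] > usn]

    def pull_from(self, partner):
        """Request changes above our high water mark for partner, apply them, return count."""
        hwm = self.high_water_mark.get(partner.guid, 0)
        changes = partner.changes_since(hwm)
        for dn, value, meta in changes:
            self.usn += 1               # own local USN; originating USN and DC GUID are kept
            self.objects[dn] = (value, {"local": self.usn, "orig": meta["orig"],
                                        "orig_dc": meta["orig_dc"]})
            hwm = max(hwm, meta["local"])
        self.high_water_mark[partner.guid] = hwm
        return len(changes)

def replication_demo():
    """Steps 1-4 of 'How It Works': one originating write on DC-A, two pulls by DC-B."""
    a, b = DomainController(), DomainController()
    a.write("cn=alice", "pw-v1")           # originating USN 1 on DC-A
    first = b.pull_from(a)                 # DC-B's high water mark for DC-A: 0 -> 1
    second = b.pull_from(a)                # nothing above the mark: no redundant transfer
    meta = b.objects["cn=alice"][1]
    return first, second, meta["local"], meta["orig"], meta["orig_dc"] == a.guid

def rollback_demo():
    """USN rollback: DC-A is put back to an earlier database image and reuses USNs."""
    a, b = DomainController(), DomainController()
    a.write("cn=alice", "pw-v1"); a.write("cn=bob", "pw-v1"); b.pull_from(a)
    snapshot = (a.usn, dict(a.objects))    # backup image taken at USN 2
    a.write("cn=alice", "pw-v2"); b.pull_from(a)   # USN 3 reaches DC-B; its mark is now 3
    a.usn, a.objects = snapshot            # unsupported restore: counter back to 2
    a.write("cn=carol", "pw-v1")           # reuses USN 3, which DC-B believes it has seen
    applied = b.pull_from(a)               # DC-B asks for > 3, so this change is never sent
    diverged = a.objects["cn=alice"][0] != b.objects["cn=alice"][0]
    return applied, "cn=carol" in b.objects, diverged
```

rollback_demo() returns (0, False, True): DC-B applies nothing, never learns about cn=carol, and the two DCs now hold different values for cn=alice, which is the replication stall and data divergence the rollback entry describes.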
Key Terms Appendix
- Domain Controller (DC): A server in an Active Directory domain that stores a copy of the domain database and handles authentication and authorization requests.
- Replication: The process by which changes made on one domain controller are propagated to other domain controllers in the same domain.
- Globally Unique Identifier (GUID): A unique, 128-bit number used in Active Directory to identify objects.
- Originating USN: The USN assigned to a change on the domain controller where the change was originally made.
- High Water-Mark: The highest USN value that a domain controller has received from a specific replication partner.