Printout Header
RSS Feed

Table of Content > Attributes for Active Directory Users >uSNCreated

Attributes for AD Users : uSNCreated

The Active Directory attribute uSNCreated stores the local update sequence number (USN) of the regarding domain controller at the time of the creation of that user object. Since each DC has its own USN values, the value of uSNChanged for a user differs on each domain controller - the attribute is not replicated between DCs!


uSNCreated


LDAP name uSNCreated
Data type Integer8 (64 bit signed numeric)
Multivalue (Array) No
System Flags

0x13
Search Flags 0x09
In Global Catalog? Yes
Attribute ID 1.2.840.113556.1.2.120
AD DB attribute name USN-Created
ADSI datatype 10 - LargeInteger
LDAP syntax 1.2.840.113556.1.4.906 - Microsoft Large Integer
Used in ... > W2K
Schema Info Microsoft - MSDN

There is another values which is updated each time the object is changed: uSNChanged.

The value of uSNChanged can only be set by the system - but scripts can read it. Because it's a Large Integer value, we have to handle the uSNChanged attribute in a special way in scripts. These Large Integers are signed numeric values of 8 Byte (64 bit) - those are often called Integer8 values for this reason:


Minimum value:
-9223372036854775808 (-2^63)  or
hex 0x8000000000000000

Maximum value:

9223372036854775807 (2^63 - 1) or
hex 0x7FFFFFFFFFFFFFFF


Integer8 values have to be handled as two parts in VB scripts (the HighPart and the LowPart). However, you can combine these parts into one single numeric value as shown in the example:

Set user = GetObject("LDAP://cn=Philipp,ou=USR,dc=ldapexplorer,dc=com")

Set usnRaw = user.Get("uSNCreated")
usnHigh = usnRaw.HighPart
usnLow = usnRaw.LowPart
If (usnLow < 0) Then
     usnHigh = usnHigh + 1
End If
usnValue = (usnHigh * (2 ^ 32)) + usnLow

WScript.Echo user.name
WScript.Echo "USN Created: " & usnValue

An LDAP filter which searches all objects which are changed after a certain Update Sequence Number could look like this:

(uSNChanged>=504031)

The uSNChanged attribute is required for the technical handling of the incremental Active Directory replication - the domain controller can determine here what changes he has to replicate to other DCs. The USN values are numbers which are incremented by each domain controllers on each change within the entire AD database. The importance of these values is explained in the following videos:



http://youtu.be/5548E15egWY?hd=1

It becomes obvious that each DC carries its own numbering of the vectors and, accordingly, own USN values for all objects and attributes in its database. Is not clear, however, how these values are used to identify those attributes that are actually need to be replicated. But let's look at the last replication operation of the video again in detail: DC2 has just changed the attributes for password and email address. DC1 will now trigger the replication:




http://youtu.be/milqj3_AQ-Y?hd=1

To illustrate the internal decision making process for incremental replication even more, we add another detail to this scenario: Replication has not occurred yet between DC1 and DC2, DC2 just made the changes to the the attributes for password and email address. In addition, now an attribute is changed to another DC. The change is known to both of our DCs. How does DC2 now understand that this change must NOT be sent to DC1 in the next replication? Let's look again at another video.



http://youtu.be/LNNQr2hFDaw?hd=1


The current global USN value for a domain controller can be examined in the RootDSE entry as an attribute called highestCommitedUSN (the
Screenshot was made with the commercial LDAP Browser LEX):

USN Number in the RootDSE

< back to attribute list

< back to SelfADSI home