This one bit me in the behind a while back. Essentially, the AD server was restored from a snapshot but had USN numbers that were younger than the USN numbers of another server that was trying to connect to the AD server. This put the AD server into “disabled” mode, so it wasn’t being used for AD stuff. The only way I could permanently fix my USN rollback issue was by keeping the other server off and restoring it to a previous snapshot as well. Long story short, this sucked to fix.

Couple of links:

http://exchangeserverpro.com/recovering-a-single-domain-controller-from-a-usn-rollback

http://social.technet.microsoft.com/Forums/zh/winserverDS/thread/8d287ba9-fff8-4a93-998a-86e64e4b85f8