Hello All,
This does not stack up for me on my domain (simply a domain, no additional application partitions).
For example, I wrote the following simple script to enumerate the values from each partition.
I have wrapped the lines using the PowerShell escape character ` to help make it more readable.
# Author Ernest Brant (does not take into account any additional application partitions) use AS IS no warranty
$RootDSE = [ADSI]"LDAP://RootDSE"
$Domain = [ADSI]""
$Configuration = [adsi]"LDAP://$($RootDSE.configurationNamingContext)"
$Schema = [adsi]"LDAP://$($RootDSE.schemaNamingContext)"
# Where-Object and its script block must be on the same line (or joined with a backtick)
$DomainDNS = [adsi]"LDAP://$($RootDSE.namingContexts |
Where-Object { $_ -match 'DomainDnsZones' })"
$ForestDNS = [adsi]"LDAP://$($RootDSE.namingContexts |
Where-Object { $_ -match 'ForestDnsZones' })"
$highestCommittedUSN = $RootDSE.highestCommittedUSN |
ForEach-Object {$_}
$DomainUSNChanged = `
$Domain.ConvertLargeIntegerToInt64($Domain.UsnChanged[0]) -as [int]
$ConfigurationUSNChanged = `
$Configuration.ConvertLargeIntegerToInt64($Configuration.UsnChanged[0]) -as [int]
$SchemaUSNChanged = `
$Schema.ConvertLargeIntegerToInt64($Schema.UsnChanged[0]) -as [int]
$DomainDNSZonesUSNChanged = `
$DomainDNS.ConvertLargeIntegerToInt64($DomainDNS.UsnChanged[0]) -as [int]
$ForestDNSZonesUSNChanged = `
$ForestDNS.ConvertLargeIntegerToInt64($ForestDNS.UsnChanged[0]) -as [int]
[pscustomobject][ordered]@{
    highestCommittedUSN = $highestCommittedUSN
    DomainUSNChanged = $DomainUSNChanged
    ConfigurationUSNChanged = $ConfigurationUSNChanged
    SchemaUSNChanged = $SchemaUSNChanged
    DomainDNSZonesUSNChanged = $DomainDNSZonesUSNChanged
    ForestDNSZonesUSNChanged = $ForestDNSZonesUSNChanged
    'Total Combined USNChanged' = $DomainUSNChanged + $ConfigurationUSNChanged + `
        $SchemaUSNChanged + $DomainDNSZonesUSNChanged + $ForestDNSZonesUSNChanged
}
The results I get are as follows:
highestCommittedUSN : 144215230
DomainUSNChanged : 144203214
ConfigurationUSNChanged : 144203370
SchemaUSNChanged : 144203398
DomainDNSZonesUSNChanged : 144203248
ForestDNSZonesUSNChanged : 144203328
Total Combined USNChanged : 721016558
So highestCommittedUSN does not match DomainUSNChanged, and if you combine all the USNChanged values you end up with 721016558, which again does not match.
I ran my script as Domain Admin (single root domain) and as the SYSTEM account, with the same result.
Can a member of the MS directory services team like Ned clear this up?
Thanks
Ernest Brant