Mount an Active Directory Backup Using the Database Mounting Tool
In this Ask the Admin, I’ll explain how to use the ADDS Database Mounting Tool to look at backups of AD.
Restoring Active Directory (AD), or part thereof, is rarely an easy task. One of the first questions that needs to be answered before restoring AD is which backup to use. In cases where you need to restore a complete forest or domain, Microsoft recommends using a trusted backup that’s a few days old to avoid restoring a copy of AD that has the same issues that you are trying to recover from. Using the built-in Windows Server Backup tool, you can restore AD to an alternative location but there’s no way to quickly view the contents of the AD database stored in each backup before restoration.
Starting in Windows Server 2008, the Active Directory management tools include dsamain.exe, which allows you to mount a volume shadow copy snapshot or backup of ntds.dit, and explore it using standard admin tools, like Active Directory Users and Computers (ADUC) and the PowerShell AD cmdlets.
In this article, I’m going to mount an AD backup on a domain controller for the sake of simplicity. In a production environment, you can use the following tools on any device where the Active Directory management tools are installed. If you would prefer to read about how to mount a VSS snapshot instead, take a look at Working with Active Directory Snapshots in Windows Server 2008 on Petri.
Attach a Backup to Windows Server
The first step is to attach a backup made by Windows Server Backup to the server where the AD management tools are installed. You don’t need to restore the backup. The raw backup files are all you need. In this example, the backup files are stored on a dedicated disk on the domain controller.
Windows Server Backup stores backups as images in virtual hard drive format (.vhdx), allowing you to mount the images in Disk Management. Start by identifying the backup that you want to mount. I back up to a dedicated disk and the backup tool automatically creates a folder called WindowsImageBackup. There you’ll find folders for each server backup. Navigate down to the backup folder and locate the .vhdx file for the backup that you want to mount. Sometimes it’s not so easy to understand which .vhdx file represents which backup because the Date modified attribute is updated when Windows Server Backup touches each file.
Once you’ve identified the file that contains the backup you want to mount, open Disk Management with administrator privileges. In Windows Server 2016, you can open Disk Management by right-clicking on the Start menu and selecting Disk Management from the menu.
- In Disk Management, select Attach VHD from the Action menu.
- In the Attach Virtual Hard Disk dialog, click Browse and select the .vhdx file you want to mount.
- Click OK.
- The new disk will appear in Disk Management but without a drive letter. To assign a drive letter, right-click the drive in the Volume column and select Change Drive Letter and Paths… from the menu.
- Click Add… in the Change Drive Letter dialog.
- Check Assign the following drive letter: and select a letter using the drop-down menu.
- Click OK.
Mount the AD Database
Now that the backup is attached, we’ll use dsamain to mount the AD database stored in it. Open a command prompt with local administrator privileges. Because I backed up only AD, the path to ntds.dit in your backup may differ from mine, depending on where the NTDS folder sits on your domain controller and which version of Windows Server you are using. The -ldapport value must be a port that is not already in use on the server; on a domain controller, 389 is taken by the live directory, which is why a port such as 5000 is used here. Run the command below, changing the path to ntds.dit as required for your backup.
dsamain -dbpath "Z:\NTDS\ntds.dit" -ldapport 5000
If dsamain is able to mount the database, you’ll see a message saying Microsoft Active Directory Domain Services startup complete. Don’t close the command prompt window. Now you can connect to the database using the standard AD administrative tools.
- Start Active Directory Users and Computers from the Tools menu in Server Manager.
- Right-click Active Directory Users and Computers in the top left of the console window.
- Select Change Domain Controller… from the menu.
- In the Change Directory Server dialog, check This Domain Controller or AD LDS instance.
- Click <Type a Directory Server name[:port] here> and type the name of your server and the port number, for example adPDC:5000, as shown in the screenshot below. Click OK.
- You are now connected to the backup copy of AD as mounted by dsamain.
You can also connect to the mounted database using the Active Directory cmdlets for PowerShell. For example, to get information about a user in the mounted database, just add the server and port using the -Server parameter as shown here:
Get-ADUser -Identity adadmin -Properties * -Server adPDC:5000
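Once the copy is reachable, the practical question is whether this backup predates the change you are recovering from. The following script is an added example, not code from the original article: it compares the live directory with the dsamain instance, first listing objects that exist in the backup but no longer exist live (candidates for an accidental or malicious deletion), then diffing selected attributes of one account across the two copies. It assumes the article's server and port (adPDC, dsamain on 5000), that adPDC is also a live domain controller, and that the ActiveDirectory module is installed; the function names are my own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original article. Assumes dsamain is serving the backup copy
# on adPDC:5000 (the article's server and port) and that adPDC is also a live DC.
$Live   = 'adPDC'        # a live domain controller
$Backup = 'adPDC:5000'   # the dsamain instance serving the backup copy

# Both copies hold the same domain, so read the naming context from the backup side.
$SearchBase = (Get-ADRootDSE -Server $Backup).defaultNamingContext

# 1. Objects that exist in the backup but no longer exist live. This enumerates the whole
#    domain on both sides; narrow $SearchBase to an OU for large directories.
function Get-ObjectsOnlyInBackup {
    $liveGuids = @{}
    Get-ADObject -Server $Live -SearchBase $SearchBase -Filter * |
        ForEach-Object { $liveGuids[$_.ObjectGUID.ToString()] = $true }
    Get-ADObject -Server $Backup -SearchBase $SearchBase -Filter * |
        Where-Object { -not $liveGuids.ContainsKey($_.ObjectGUID.ToString()) }
}

# 2. Attribute-level comparison of one account across the two copies, for attributes
#    that are commonly changed by mistake or tampered with (group membership, UAC flags).
function Compare-ADUserVersions {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string[]]$Properties = @('memberOf', 'userAccountControl', 'description', 'whenChanged')
    )
    $liveUser   = Get-ADUser -Identity $Identity -Server $Live   -Properties $Properties
    $backupUser = Get-ADUser -Identity $Identity -Server $Backup -Properties $Properties
    foreach ($p in $Properties) {
        # Normalise to string arrays so single-valued and multi-valued attributes compare alike.
        $liveVals   = @($liveUser.$p)   | Where-Object { $null -ne $_ } | ForEach-Object { "$_" }
        $backupVals = @($backupUser.$p) | Where-Object { $null -ne $_ } | ForEach-Object { "$_" }
        $onlyLive   = @($liveVals   | Where-Object { $backupVals -notcontains $_ })
        $onlyBackup = @($backupVals | Where-Object { $liveVals   -notcontains $_ })
        if ($onlyLive.Count -or $onlyBackup.Count) {
            [pscustomobject]@{
                Attribute    = $p
                OnlyInLive   = $onlyLive   -join '; '
                OnlyInBackup = $onlyBackup -join '; '
            }
        }
    }
}

$gone = @(Get-ObjectsOnlyInBackup)
"Objects present in the backup but missing live: $($gone.Count)"
$gone | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# The account the article queries, diffed between live AD and the backup copy.
Compare-ADUserVersions -Identity adadmin | Format-Table -AutoSize
```

A non-empty OnlyInBackup column for memberOf, or a long list of objects missing live, tells you this backup is older than the damage; an empty result means the change is already in this backup and you need an earlier one.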
Dismount the Database and Backup
Once you’re done, return to the command prompt where dsamain is running and press CTRL+C to dismount the database. In Disk Management, find the attached .vhdx in the list of disks at the bottom of the window, right-click the disk label box at the far left and select Detach VHD from the menu. Click OK in the Detach Virtual Hard Disk dialog to complete the operation.
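The attach, dsamain and tear-down steps above can also be scripted, which is useful when you need to inspect several backups in turn. The script below is an added example, not code from the original article: Mount-ADBackup attaches the .vhdx with Mount-DiskImage (the Storage module's equivalent of Attach VHD in Disk Management), finds ntds.dit inside it, starts dsamain and waits for the LDAP port to open; Dismount-ADBackup closes dsamain and detaches the image, checking that the detach succeeded. It assumes backups live under D:\WindowsImageBackup, that the Storage module (Windows Server 2012 or later) and the AD DS tools are installed, and that the chosen LDAP port is free; the function names and the backup path are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Assumptions: backups are under
# D:\WindowsImageBackup, Mount-DiskImage (Storage module) and dsamain.exe are available,
# and the chosen LDAP port is not in use on this host.

function Mount-ADBackup {
    param(
        [Parameter(Mandatory)][string]$VhdxPath,   # the .vhdx file you identified
        [int]$LdapPort = 5000                      # same port the article uses; must be unused
    )
    # Attach with the default read-write access, as Disk Management does: dsamain runs ESE
    # recovery on the database when it opens it, and a read-only attach can make that fail.
    $image   = Mount-DiskImage -ImagePath $VhdxPath -PassThru
    $letters = $image | Get-Disk | Get-Partition |
               Where-Object { $_.DriveLetter -match '[A-Z]' } |
               Select-Object -ExpandProperty DriveLetter
    # The NTDS folder location differs per DC, so search the attached volume(s) for ntds.dit.
    $ntds = foreach ($l in $letters) {
        Get-ChildItem -Path "${l}:\" -Filter ntds.dit -Recurse -ErrorAction SilentlyContinue
    }
    if (-not $ntds) {
        Dismount-DiskImage -ImagePath $VhdxPath | Out-Null
        throw "No ntds.dit found inside $VhdxPath"
    }
    $dbPath = ($ntds | Select-Object -First 1).FullName

    # Start dsamain in its own console window; it must keep running while you browse the copy.
    $proc = Start-Process -FilePath dsamain.exe `
        -ArgumentList "-dbpath `"$dbPath`" -ldapport $LdapPort" -PassThru

    # Wait for the LDAP port to open before pointing ADUC or Get-ADUser at it.
    $deadline  = (Get-Date).AddSeconds(60)
    $listening = $false
    while (-not $listening -and (Get-Date) -lt $deadline -and -not $proc.HasExited) {
        $client = New-Object System.Net.Sockets.TcpClient
        try   { $client.Connect('localhost', $LdapPort); $listening = $true }
        catch { Start-Sleep -Seconds 2 }
        finally { $client.Dispose() }
    }
    if (-not $listening) { throw "dsamain did not start listening on port $LdapPort; check its window" }
    [pscustomobject]@{ VhdxPath = $VhdxPath; DbPath = $dbPath; LdapPort = $LdapPort; Process = $proc }
}

function Dismount-ADBackup {
    param([Parameter(Mandatory)]$Mount)   # the object returned by Mount-ADBackup
    # Closing the dsamain window is the scripted equivalent of the article's CTRL+C and lets
    # dsamain shut the database down cleanly; hard-stop only if it does not exit in time.
    if (-not $Mount.Process.HasExited) {
        $null = $Mount.Process.CloseMainWindow()
        if (-not $Mount.Process.WaitForExit(30000)) { Stop-Process -Id $Mount.Process.Id -Force }
    }
    Dismount-DiskImage -ImagePath $Mount.VhdxPath | Out-Null
    if ((Get-DiskImage -ImagePath $Mount.VhdxPath).Attached) { throw "Image is still attached" }
    "Detached $($Mount.VhdxPath)"
}

# Usage: Windows Server Backup names each backup folder with its timestamp, which is more
# reliable than the .vhdx file's Date modified; pick the newest here (or an older one to
# follow the "a few days old" advice).
$vhdx = Get-ChildItem 'D:\WindowsImageBackup' -Recurse -Filter *.vhdx |
        Sort-Object { $_.Directory.Name } -Descending | Select-Object -First 1
$m = Mount-ADBackup -VhdxPath $vhdx.FullName
Get-ADUser -Identity adadmin -Properties * -Server "localhost:$($m.LdapPort)"
Dismount-ADBackup -Mount $m
```

Run it from an elevated PowerShell session on a machine with the AD DS tools; if dsamain exits immediately, its console window shows the ESE or database-version error, which the GUI procedure above would also surface.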
In this article, I showed you how to mount a backup of an AD database using dsamain.exe.