Automating The Creation Of Active Directory Snapshots

Windows Server 2008 has a new feature allowing administrators to create snapshots of the Active Directory database for offline use. There are quite a few scenarios for using AD snapshots. For example, if someone has changed properties of AD objects and you need to revert to their previous values, you can mount a copy of a previous snapshot to an alternate port and easily export the required attributes for every object that was changed. These values can then be imported into the running instance of AD DS. You can also restore deleted objects or simply view objects for diagnostic purposes.

The process of working with AD snapshots is described in detail in my “Working with Active Directory Snapshots in Windows Server 2008” and “Exporting Information from Active Directory Snapshots in Windows Server 2008” articles, and there’s more info in the “Directory Service Comparison Tool” article.

If you’ve read the above articles, you’ve learned that the NTDSUTIL command is nested. Therefore, you can enter the entire sequence of commands in one long line, and put that into a batch file or script, then configure that batch or script to run at a specific time by using Task Scheduler.

To automate the creation of an Active Directory snapshot, follow these steps:

  1. Create a new batch file with the following lines:

    @echo off
    rem Nested ntdsutil commands: snapshot menu, select the NTDS instance, create, then quit both menus
    ntdsutil snapshot "activate instance ntds" create quit quit
    exit

  2. Save the file as “ad-snapshot.bat” or similar, and place it in a location of your choice. I used C:\Scripts.

  3. Check to see if the script works by manually running it once. You need to run it after logging in as a member of the Domain Admins group to one of your Windows Server 2008 Domain Controllers.
  4. Open Task Scheduler from the Administrative Tools folder, or from Server Manager > Configuration.
  5. On the left node, right-click Task Scheduler (Local) and choose Create Basic Task.
  6. In the Create Basic Task window, give the new task a name and description. I used “Create AD snapshot”. Click on the Next button.
  7. In the Task Trigger window, select the appropriate schedule for the task to run. I used Weekly. Click on the Next button.
  8. In the Weekly window, select the appropriate schedule for the task to run. I used Friday at 8:00PM. Click on the Next button.
  9. In the Action window, select Start a Program. Click on the Next button.
  10. In the Start a Program window, browse to the batch file you’ve created. Click on the Next button.
  11. In the Summary window, browse to the batch file you’ve created. Click on the Finish button.
  12. Back in the Task Scheduler console, in the Task Scheduler Library area, check to see if the task was properly configured.
  13. Double-click on the task and take a look at the General tab. By default, the task is configured to run only when a user is currently logged on to that computer. Because this is a Domain Controller, that will most likely not happen very often. We want to configure the task to run even when no user is logged on, and we will do this by supplying a user name and password for the task to run as. Click on the “Run whether user is logged on or not” checkbox. Then click on the “Change User or Group” button.
  14. In the Select User or Group window, enter the name of the user that the task will run as. You can use the Administrator’s account, but it’s better if you create a special account for such scripts. I used the Administrator’s default account for the purpose of this article. Click OK.
  15. Enter the password for the account you chose, then click OK.
  16. To check if the task runs correctly, you can right-click on it and select Run. You can then look at the current snapshots to see if a new one has been created.

The task you’ve created will run at the specified interval.
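The same task can be registered from an elevated command prompt instead of the wizard. The batch file below is an added example, not part of the original article: it restricts the script folder to Administrators and SYSTEM (the task runs that file with domain-level rights), creates the weekly task, and lists the snapshots after a test run. The account name CONTOSO\svc-adsnap is a hypothetical dedicated account standing in for the Administrator account used above, and the path is the C:\Scripts location from step 2.

```bat
@echo off
rem Added example: command-line equivalent of the Task Scheduler steps above.
rem Run once from an elevated prompt on the Domain Controller.
rem Assumptions: the script is C:\Scripts\ad-snapshot.bat as in step 2;
rem CONTOSO\svc-adsnap is a hypothetical dedicated account that is a member
rem of Domain Admins, as step 3 requires.
setlocal
set "SCRIPT_DIR=C:\Scripts"
set "SCRIPT=%SCRIPT_DIR%\ad-snapshot.bat"
set "TASK_NAME=Create AD snapshot"
set "RUN_AS=CONTOSO\svc-adsnap"

if not exist "%SCRIPT%" (
    echo %SCRIPT% not found. Create the batch file first.
    exit /b 1
)

rem Whoever can edit this file can run commands as the task account, so drop
rem inherited permissions and grant full control only to the built-in
rem Administrators group (S-1-5-32-544) and SYSTEM (S-1-5-18).
icacls "%SCRIPT_DIR%" /inheritance:r /grant:r "*S-1-5-32-544:(OI)(CI)F" /grant:r "*S-1-5-18:(OI)(CI)F"
if errorlevel 1 exit /b 1

rem Weekly on Friday at 20:00, running whether or not a user is logged on.
rem "/RP *" makes schtasks prompt for the password, so it never appears on
rem the command line. /RL HIGHEST requests the account's full admin token.
schtasks /Create /TN "%TASK_NAME%" /TR "%SCRIPT%" /SC WEEKLY /D FRI /ST 20:00 /RU "%RUN_AS%" /RP * /RL HIGHEST /F
if errorlevel 1 exit /b 1

rem Show the stored task definition, then trigger one test run (step 16).
schtasks /Query /TN "%TASK_NAME%" /V /FO LIST
schtasks /Run /TN "%TASK_NAME%"

rem Give the run time to finish, then list snapshots to confirm a new one.
timeout /t 60 /nobreak >nul
ntdsutil snapshot "list all" quit quit
endlocal
```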
