Windows Server 2008

Automating The Creation Of Active Directory Snapshots

Windows Server 2008 has a new feature allowing administrators to create snapshots of the Active Directory database for offline use. There are quite a few scenarios for using AD snapshots. For example, if someone has changes properties of AD objects and you need to revert to their previous values, you can mount a copy of a previous snapshot to an alternate port and easily export the required attributes for every object that was changed. These values can then be imported into the running instance of AD DS. You can also restore deleted objects or simply view objects for diagnostic purposes.

The process of working with AD snapshots is described in detail in my “Working with Active Directory Snapshots in Windows Server 2008” and “Exporting Information from Active Directory Snapshots in Windows Server 2008” articles, and there’s more info in the “Directory Service Comparison Tool” article.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

If you’ve read the above articles, you’ve learned that the NTDSUTIL command is nested. Therefore, you can enter the entire sequence of commands in one long line, and put that into a batch file or script, then configure that batch or script to run at a specific time by using Task Scheduler.

In order to automate the creation of an Active Directory snapshot follow these steps:

  1. Create a new batch file with the following lines:
  2. @echo off
    ntdsutil snapshot "activate instance ntds" create quit quit

    Save the file as “ad-snapshot.bat” or similar, and place it in a location of your choice. I used C:’Scripts.

  3. Check to see if the script works by manually running it once. You need to run is after logging in as a member of the Domain Admins group to one of your Windows Server 2008 Domain Controllers.
  4. Open Task Scheduler from the Administrative Tools folder, or from Server Manager > Configuration.
  5. On the left node, right-click Task Scheduler (Local) and choose Create Basic Task.
  6. In the Create Basic Task window, give the new task a name and description. I used “Create AD snapshot”. Click on the Next button.
  7. In Task Trigger window, select the appropriate schedule for the task to run. I used Weekly. Click on the Next button.
  8. In Weekly window, select the appropriate schedule for the task to run. I used Friday at 8:00PM. Click on the Next button.
  9. In Action window, select Start a Program. Click on the Next button.
  10. In Start a Program window, browse to the batch file you’ve created. Click on the Next button.
  11. In Summary window, browse to the batch file you’ve created. Click on the Finish button.
  12. Back in the Task Scheduler console, in the Task Scheduler Library area, check to see if the task was properly configured.
  13. Double-click on the task and take a look at the General tab. By default, the task is configured to only run when a user is currently logged on to that computer. Being a Domain Controller, it’s most likely that that will not happen that often. We want to configure the task to run even when no user is logged on, and we will do this by supplying a user name and password for the task to run as. Click on the “Run whether user is logged on or not” checkbox. Then click on the “Change User or Group” button.
  14. In the Select User or Group window, enter the name of the user that the task will run as. You can use the Administrator’s account, but it’s better if you create a special account for such scripts. I used the Administrator’s default account for the purpose of this article. Click Ok.
  15. Enter the password for the account you chose, then click Ok.
  16. To check if the task runs correctly, you can right-click on it and select Run. You can then look at the current snapshots to see if a new one has been created.

The task you’ve created will run at the specified interval.


Recent Windows Server 2008 Forum threads

Got a question? Post it on our Windows Server 2008 forums!

Related Topics:

Live Webinar - Thursday, December 2nd! Active Directory Masterclass: AD Configuration Strategies for Stronger SecurityREGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: