Windows Server 2008

Directory Service Comparison Tool

Active Directory snapshots in Windows Server 2008 are a cool trick any IT pro should be aware of. By using this feature, you can manually or programmatically create snapshots of the Active Directory database at a given time. These snapshots can be stored on the local hard disk of the Domain Controller (DC), or moved to an offline type of storage. You can read more about this topic in my “Working with Active Directory Snapshots in Windows Server 2008” article.

However, as I wrote in the article above, Windows Server 2008 Active Directory snapshots only go halfway. They let you see what the AD DB looked like at the moment the snapshot was created, what objects existed and other types of information. Out of the box, however, they do not allow you to move or copy items or information from the snapshot to the live database. That is, you can “see” that a user called “John” exists in the snapshot, but you cannot drag and drop it to the live AD DB, nor can you use any built-in GUI tool that I am aware of to perform that action. You can use tools such as LDP or other LDAP browsers to browse the offline (snapshot) AD DB. You can also use the CSVDE or LDIFDE command line tools to export data out of it into CSV or LDIF files, but these need extra editing to be imported into the live AD DB, and in any case, they cannot be used in this manner to re-create deleted objects.

Note: You might want to read my “Recovering Deleted Items in Active Directory” and “Manually Undeleting Objects in Active Directory” articles for more information about re-animating deleted objects in Active Directory.


This is why a tool written by Fredrik Lindström has caught my eye, and I felt it’s well worth posting an article about it here. The tool, called “Directory Service Comparison Tool” (or simply DSCT), can be used to compare an Active Directory instance to a Windows Server 2008 Active Directory snapshot. Besides comparing objects, DSCT can also be used to reanimate deleted objects and populate them with information stored in the snapshot.

The main features of the application are:

  • Display differences between objects in Active Directory and Active Directory snapshots
  • Restore attribute values from snapshots to Active Directory
  • Reanimate deleted objects
  • Restore group membership during reanimation [new]: groups present in the snapshot memberOf field of the recently reanimated object are GUID matched between the two data sources. You will be able to restore membership even if a target group has been renamed/moved in Active Directory since the snapshot was taken.

DSCT acts as a DirSync client and gets the current state of the snapshot by retrieving a DirectorySynchronizationCookie. When this cookie is supplied in the query against the DC, only the changes that have been made since the snapshot was taken are returned, in the form of a searchResultCollection. DSCT examines each object that is returned and looks for the presence of specific attributes and values to determine if the object has been modified, added or deleted since the snapshot was taken.

Download DSCT (both 32 and 64-bit versions are available)

Requirements

  • .NET Framework 2.0
  • MMC 3.0
  • Data sources: Active Directory and a mounted Active Directory Snapshot (Windows Server 2008 feature)

Note: DSCT does not have to be installed on a Domain Controller; it can run on a separate machine.

Getting Started

First, make sure you have a working Active Directory you can connect to. Needless to say, you also need a mounted snapshot of the Active Directory. Read more about how to create and mount AD snapshots in my “Working with Active Directory Snapshots in Windows Server 2008” article.

The tool installs itself as an MMC snap-in. After you add it to an MMC window, open the Connection Settings dialog and connect to your DC and snapshot. Note that you’ll need the right server name, the LDAP port (the one used when issuing the DSAMAIN command, see my article above), and, if necessary, the right credentials.

Note: As of September 2008, a bug in Windows Server 2008 causes the value of highestCommittedUsn for the snapshot to be greater than the corresponding value on the DC. This means that the snapshot appears more up to date than the DC from a directory synchronization perspective. Comparing the two data sources will not be possible until the DC highestCommittedUsn value is either equal to or greater than the value in the snapshot. DSCT now offers a method of artificially raising the highestCommittedUsn on the DC when connecting to a newly taken snapshot.

No objects will be displayed in DSCT unless differences are detected between the DC and the snapshot.
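The DirSync exchange and the highestCommittedUsn check described above, sketched in PowerShell with System.DirectoryServices. This is an added example, not DSCT's code: the host names, port and base DN are placeholders, and treating `whenCreated` in the delta as the marker for a newly added object is an assumption, since the article does not name the attributes DSCT inspects.

```powershell
# Placeholder names (assumptions): replace with your DC, DSAMAIN host:port and domain DN.
$dcHost   = 'dc01.example.com'
$snapHost = 'localhost:51389'      # LDAP port given to DSAMAIN when mounting the snapshot
$baseDn   = 'DC=example,DC=com'    # DirSync searches must start at the naming-context root

function Get-HighestCommittedUsn([string]$Server) {
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    [int64]$rootDse.Properties['highestCommittedUSN'].Value
}

function New-DirSyncSearcher([string]$Server, [byte[]]$Cookie) {
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$baseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)')
    # A plain DirSync search requires the "Replicating Directory Changes" right.
    $searcher.DirectorySynchronization = New-Object System.DirectoryServices.DirectorySynchronization
    if ($null -ne $Cookie) {
        $searcher.DirectorySynchronization.ResetDirectorySynchronizationCookie($Cookie)
    }
    $searcher
}

# Pre-check: the comparison only works once the DC's USN has caught up with the snapshot's.
$dcUsn   = Get-HighestCommittedUsn $dcHost
$snapUsn = Get-HighestCommittedUsn $snapHost
if ($dcUsn -lt $snapUsn) {
    throw "DC highestCommittedUsn ($dcUsn) is below the snapshot's ($snapUsn); cannot compare yet."
}

# Pass 1: enumerate the snapshot completely so its cookie becomes available.
$snap        = New-DirSyncSearcher $snapHost
$snapResults = $snap.FindAll()
foreach ($r in $snapResults) { }   # results are not needed, only the cookie
$cookie = $snap.DirectorySynchronization.GetDirectorySynchronizationCookie()
$snapResults.Dispose()

# Pass 2: replay the cookie against the live DC; only objects changed since the snapshot return.
$live    = New-DirSyncSearcher $dcHost $cookie
$changes = $live.FindAll()
foreach ($r in $changes) {
    $p = $r.Properties             # ResultPropertyCollection keys are lower case
    if ($p.Contains('isdeleted') -and $p['isdeleted'][0]) { $state = 'Deleted'
    } elseif ($p.Contains('whencreated')) { $state = 'Added'   # assumed heuristic
    } else { $state = 'Modified' }
    [pscustomobject]@{
        State = $state
        Guid  = New-Object System.Guid (,[byte[]]$p['objectguid'][0])
        Path  = $r.Path
    }
}
$changes.Dispose()
```

An empty result from the second pass corresponds to DSCT showing no objects. The first pass reads the whole snapshot partition, so expect it to take a while on a large directory.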

Click the Resync button if you have just modified an object in Active Directory and want to compare it to its former state in the snapshot.

If a deleted object is detected, it will be listed in the “Deleted” tab. By selecting the object there, you can easily restore it, plus its group membership if applicable.

After reanimating the object, you can restore its attributes.
