Published: Jan 06, 2009
A snapshot is a shadow copy—created by the Volume Shadow Copy Service (VSS)—of the volumes that contain the Active Directory database and log files. With Active Directory snapshots, you can view the data inside such a snapshot on a domain controller without the need to start the server in Directory Services Restore Mode.
Windows Server 2008 has a new feature allowing administrators to create snapshots of the Active Directory database for offline use.
With AD snapshots you can mount a backup of AD DS under a different set of ports and have read-only access to your backups through LDAP.
You should take measures to protect AD snapshots in a manner similar to the way you protect your regular DC backups. A snapshot holds a complete copy of NTDS.dit, password hashes included, and the very same NTDSUTIL snapshot/mount sequence described below is a well-known way for an attacker who already has administrative access to a DC to copy the database off the box. So use encryption or other data security precautions with AD DS snapshots to help mitigate the chance of unauthorized access to them, delete snapshots you no longer need, and treat NTDSUTIL snapshot activity on a DC as something worth logging and reviewing.
There are quite a few scenarios for using AD snapshots. For example, if someone has changed properties of AD objects and you need to revert to their previous values, you can mount a copy of a previous snapshot to an alternate port and easily export the required attributes for every object that was changed. These values can then be imported into the running instance of AD DS. You can also restore deleted objects or simply view objects for diagnostic purposes.
AD snapshots, when mounted and connected to, allow you to see what the AD database looked like at the moment the snapshot was created: which objects existed, what their attributes were, and so on. However, out of the box they do not allow you to move or copy objects or attribute values from the snapshot to the live database. In order to do that you will need to manually export the relevant objects or attributes from the snapshot, and manually import them back into the live AD database. You can read more on that in my “Directory Service Comparison Tool” and “Exporting Information from Active Directory Snapshots in Windows Server 2008” articles.
While the process of creating a snapshot, mounting it, connecting to it, disconnecting, unmounting and (perhaps) deleting it may seem a little confusing at first, after running through it a few times you’ll get the hang of it. In any case it’s a lot better than the alternative – taking down the DC, rebooting into DSRM, restoring the System State from a backup, and then exporting the attributes.
Here’s how to do it.
In order to create an Active Directory snapshot you need to use the NTDSUTIL command. NTDSUTIL is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role or the AD LDS server role installed.
Please follow these steps:
Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
ntdsutil
snapshot
Note: NTDSUTIL uses nested menu commands that you type one after the other. You can type “?” at any time to get the different command options at any menu level. Also note that you can usually type in just the first few letters of each command. For example, instead of typing “snapshot” you can simply type “sna”.
In the CMD window, type the following command:
activate instance ntds
The result should look like this:
snapshot: Activate Instance ntds
Active instance set to "ntds".
create
The result should look like this:
snapshot: create
Creating snapshot...
Snapshot set {3a861a35-2f33-4d7a-8861-a10e47afdaba} generated successfully.
list all
The result should look like this:
snapshot: List All
 1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
 2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348}
Note: NTDSUTIL allows you to run the above commands in one line. Run the following command:
ntdsutil "Activate Instance NTDS" snapshot create quit quit
You can easily automate this process. Read my “Automating the Creation of Active Directory Snapshots” article for more info.
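As an added example (not code from the original article or its follow-up pieces), the following PowerShell script wraps the one-liner above so it can be scheduled: it creates a snapshot, pulls the new set's GUID out of NTDSUTIL's output, appends it to a log, and parses "list all" into objects so the result can be verified. The log path is an assumption, and the script expects an elevated PowerShell prompt on a Windows Server 2008 DC.

```powershell
# Added example, not from the original article: create an AD snapshot from PowerShell and
# record its GUID. Assumes an elevated PowerShell prompt on a DC with AD DS installed
# (so ntdsutil.exe is on the PATH). The log location below is an assumption.

$LogFile = 'C:\ADSnapshots\snapshots.log'   # hypothetical location, adjust as needed

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-ADSnapshot {
    # Same one-liner the article shows; stderr is merged so a failure message is captured too.
    $out = & ntdsutil 'activate instance ntds' snapshot create quit quit 2>&1 | Out-String
    if ($out -match 'Snapshot set (\{[0-9a-f-]+\}) generated successfully') {
        return $Matches[1]
    }
    throw "ntdsutil did not report a new snapshot set:`n$out"
}

function Get-ADSnapshotList {
    # Parse "list all" into objects. Output lines look like:
    #  1: 2008/10/25:03:14 {ec53ad62-...}   (a snapshot set, labelled with its timestamp)
    #  2: C: {15c6f880-...}                 (a volume inside that set)
    $out = & ntdsutil snapshot 'list all' quit quit 2>&1
    foreach ($line in $out) {
        if ("$line" -match '^\s*(\d+):\s+(\S+)\s+(\{[0-9a-f-]+\})') {
            $kind = 'Set'
            if ($Matches[2] -match '^[A-Z]:$') { $kind = 'Volume' }
            New-Object PSObject -Property @{
                Index = [int]$Matches[1]
                Kind  = $kind
                Label = $Matches[2]     # timestamp for a set, drive letter for a volume
                Guid  = $Matches[3]
            }
        }
    }
}

if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt.' }

$guid  = New-ADSnapshot
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null
Add-Content -Path $LogFile -Value "$stamp`t$env:COMPUTERNAME`t$guid"
Write-Host "Created snapshot set $guid"

# Confirm the new set is visible to "list all" before anything relies on it.
$all = @(Get-ADSnapshotList)
if (-not ($all | Where-Object { $_.Kind -eq 'Set' -and $_.Guid -eq $guid })) {
    Write-Warning "Snapshot set $guid is not listed by 'list all'"
}
$all | Format-Table Index, Kind, Label, Guid -AutoSize
```

The index numbers NTDSUTIL prints are only stable within one session, which is why the script keys its log on the GUID; the GUID is what you will match against "list all" later when you decide which snapshot to mount or delete.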
Before connecting to the snapshot we need to mount it. By looking at the results of the List All command above, identify the snapshot that you wish to mount, and note the number next to it.
In order to mount an Active Directory snapshot follow these steps:
Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
ntdsutil
snapshot
list all
The result should look like this:
snapshot: List All
 1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
 2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348}
In the CMD window, type the following command:
mount 2
The result should look like this:
snapshot: mount 2
Snapshot {15c6f880-cc5c-483b-86cf-8dc2d3449348} mounted as C:\$SNAP_200810250314_VOLUMEC$\
Note: Like the above command, the mounting process can also be run in one line. However, note that NTDSUTIL requires that the “list all” command be run in the same session that you mount the snapshot. So in order to mount the snapshot with a one-liner, you will need to run “list all” first.
ntdsutil snapshot "list all" "mount 2" quit quit
Note: You do not need to quit from the NTDSUTIL command, you can keep it open assuming that you’ll probably want to unmount the snapshot right after working with it.
In order to connect to the AD snapshot you’ve mounted you will need to use the DSAMAIN command. DSAMAIN is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed.
After using DSAMAIN to expose the information inside the AD snapshot, you can use any GUI tool that can connect to the specified port, such as Active Directory Users and Computers (DSA.msc), ADSIEDIT.msc, LDP.exe or others. You can also connect to it by using command-line tools such as LDIFDE or CSVDE, which allow you to export information from that database. Please read more on that in my “Directory Service Comparison Tool” and “Exporting Information from Active Directory Snapshots in Windows Server 2008” articles.
When you use DSAMAIN to connect to the data that is contained in a snapshot, the following is true:
First, DSAMAIN requires the exact and full path to the NTDS.dit file inside the mounted snapshot. The mount point is the root of the snapshotted volume, so take it from the output of the “mount” command (or from “list mounted”) and append the path the database has on the live volume, which by default is Windows\NTDS\ntds.dit. If your database lives on a volume other than the system volume, it is that volume's snapshot you need to mount.
Second, you have to give DSAMAIN a unique port to service LDAP requests on. You can use any port as long as it's not in use. In this example I'll use port 10389. DSAMAIN exposes the directory on four consecutive ports: LDAP, LDAP over SSL, GC, and GC over SSL. You can specify each port explicitly (-ldapport, -sslport, -gcport and -gcsslport), but if you only give it the LDAP port (i.e. 10389), it assigns the other three listeners numerically. So if you specify 10389 for the LDAP port, this is what you end up with:
LDAP: 10389
LDAP over SSL: 10390
Global Catalog: 10391
Global Catalog over SSL: 10392
Make sure all four ports are free before you start. Also keep in mind that while DSAMAIN is running the snapshot is a live LDAP endpoint on the DC: by default only members of Domain Admins and Enterprise Admins can bind to it, and you should leave it that way rather than adding the -allowNonAdminAccess switch.
In order to connect to an Active Directory snapshot follow these steps:
Note: You must run DSAMAIN from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
dsamain -dbpath "C:\$SNAP_200810250314_VOLUMEC$\Windows\NTDS\ntds.dit" -ldapport 10389
You will not get any visual confirmation that the snapshot has been connected to. The only thing that will actually indicate that the DIT is mounted is the message “Microsoft Active Directory Domain Services startup complete”. Do not close the command prompt. As long as the DSAMAIN is running, you can access the directory over LDAP on the port you specified.
The result should look like this:
C:\Users\Administrator>dsamain -dbpath "C:\$SNAP_200810250314_VOLUMEC$\Windows\NTDS\ntds.dit" -ldapport 10389
EVENTLOG (Informational): NTDS General / Service Control : 1000
Microsoft Active Directory Domain Services startup complete, version 6.0.6001.18072
Next, you need to read my “Directory Service Comparison Tool” and “Exporting Information from Active Directory Snapshots in Windows Server 2008” articles.
In order to disconnect from the AD snapshot all you need to do is press CTRL+C in the DSAMAIN command prompt window. You'll get a message indicating that the DS shut down successfully.
The result should look like this:
EVENTLOG (Informational): NTDS General / Service Control : 1004 Active Directory Domain Services was shut down successfully.
The last thing we need to do is to unmount the snapshot. Again, this can be done through the NTDSUTIL command.
In order to unmount an Active Directory snapshot follow these steps:
Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
ntdsutil
snapshot
list mounted
The result should look like this:
snapshot: List Mounted
 1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
 2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348} C:\$SNAP_200810250314_VOLUMEC$\
unmount 2
The result should look like this:
snapshot: Unmount 2
Snapshot {15c6f880-cc5c-483b-86cf-8dc2d3449348} unmounted.
Note: Like the mounting command, the unmounting process can also be run in one line. However, note that NTDSUTIL requires that the “list mounted” command be run in the same session in which you unmount the snapshot. So in order to unmount the snapshot with a one-liner, you will need to run “list mounted” first.
ntdsutil snapshot "list mounted" "unmount 2" quit quit
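The mount, connect, disconnect and unmount steps above are really one procedure, so here they are as a single scripted round trip. This is an added example, not code from the original article: it checks that DSAMAIN's four ports are free, mounts the snapshot, derives the NTDS.dit path from the mount output, starts DSAMAIN as a child process, waits for its LDAP listener, runs a read-only query against the alternate port, and then stops DSAMAIN and unmounts, looking the snapshot up by GUID in “list mounted” rather than trusting the index. The snapshot index (2, as in the article's output), the port (10389) and the domain DN (DC=contoso,DC=com) are assumptions; it expects an elevated PowerShell prompt on the DC.

```powershell
# Added example, not from the original article: mount -> dsamain -> query -> stop -> unmount.
# Assumptions (not from the page): snapshot index 2 as in the article's "list all" output,
# LDAP port 10389, and a hypothetical domain DC=contoso,DC=com. Run elevated on the DC.

$SnapshotIndex = 2
$LdapPort      = 10389
$BaseDn        = 'DC=contoso,DC=com'    # hypothetical

function Test-PortFree {
    param([int]$Port)
    # dsamain cannot start if any of its listeners fails to bind, so probe before launching it.
    try {
        $l = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
        $l.Start(); $l.Stop(); $true
    } catch { $false }
}

function Invoke-Ntdsutil {
    # One ntdsutil session; a "list ..." command must precede mount/unmount by index.
    param([string[]]$Commands)
    & ntdsutil @Commands 2>&1 | Out-String
}

# -ldapport N also claims N+1 (LDAP/SSL), N+2 (GC) and N+3 (GC/SSL) unless overridden.
foreach ($p in $LdapPort..($LdapPort + 3)) {
    if (-not (Test-PortFree $p)) { throw "TCP port $p is in use; pick another -ldapport" }
}

# 1. Mount
$out = Invoke-Ntdsutil snapshot, 'list all', "mount $SnapshotIndex", quit, quit
if ($out -notmatch 'Snapshot (\{[0-9a-f-]+\}) mounted as (\S+)') { throw "Mount failed:`n$out" }
$guid = $Matches[1]; $mountRoot = $Matches[2]
$dit = Join-Path $mountRoot 'Windows\NTDS\ntds.dit'   # snapshot root mirrors the volume layout
if (-not (Test-Path $dit)) { throw "No ntds.dit at $dit; is the database on this volume?" }

$dsa = $null
try {
    # 2. Expose over LDAP. dsamain stays in the foreground, so run it as a child process.
    #    No -allowNonAdminAccess: only Domain/Enterprise Admins can bind, which is what we want.
    $dsa = Start-Process dsamain -ArgumentList "-dbpath `"$dit`" -ldapport $LdapPort" -PassThru -NoNewWindow

    # Wait until the LDAP listener actually answers instead of sleeping a fixed time.
    $deadline = (Get-Date).AddSeconds(60)
    $up = $false
    do {
        Start-Sleep -Seconds 2
        if ($dsa.HasExited) { throw "dsamain exited with code $($dsa.ExitCode)" }
        $c = New-Object System.Net.Sockets.TcpClient
        try { $c.Connect('127.0.0.1', $LdapPort); $up = $true } catch { $up = $false }
        $c.Close()
    } until ($up -or (Get-Date) -gt $deadline)
    if (-not $up) { throw "dsamain did not start listening on $LdapPort within 60 s" }

    # 3. Query the snapshot: sAMAccountName and description of every user, as of snapshot time.
    $root   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$LdapPort/$BaseDn")
    $search = New-Object System.DirectoryServices.DirectorySearcher($root)
    $search.Filter = '(&(objectCategory=person)(objectClass=user))'
    [void]$search.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'description'))
    foreach ($r in $search.FindAll()) {
        '{0,-20} {1}' -f $r.Properties['samaccountname'][0], ($r.Properties['description'] -join ' ')
    }
}
finally {
    # 4. Stop dsamain (scripted equivalent of the article's CTRL+C) and unmount.
    if ($dsa -and -not $dsa.HasExited) { Stop-Process -Id $dsa.Id; $dsa.WaitForExit() }
    $mounted = Invoke-Ntdsutil snapshot, 'list mounted', quit, quit
    # Locate the index by GUID rather than assuming it still equals $SnapshotIndex.
    if ($mounted -match "(?m)^\s*(\d+):\s+\S+\s+$([regex]::Escape($guid))") {
        $out = Invoke-Ntdsutil snapshot, 'list mounted', "unmount $($Matches[1])", quit, quit
        if ($out -notmatch 'unmounted') { Write-Warning "Unmount may have failed:`n$out" }
    }
}
```

The query in step 3 is the building block for the “what did this attribute look like before the change” scenario from the introduction: swap the filter and attribute list for the objects you care about, run the same search against the live directory on port 389, and diff the two result sets. The try/finally matters more than it looks: if the query throws, DSAMAIN is still stopped and the snapshot still unmounted, so you are not left with a forgotten LDAP listener serving a copy of the database.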
You don’t really have to delete the snapshot unless you want to.
In order to delete an Active Directory snapshot follow these steps:
Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
ntdsutil
snapshot
list all
The result should look like this:
snapshot: List All
 1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
 2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348}
delete 2
The result should look like this:
snapshot: delete 2
Snapshot {15c6f880-cc5c-483b-86cf-8dc2d3449348} deleted.