This new feature of Windows Server 2008 allows you to create a snapshot of the Active Directory database with the command line tool ntdsutil. The created snapshot can be exposed as an LDAP server using the dsamain utility. This is useful whenever you accidently delete Active Directory objects and are unsure which backup to restore. You can also use snapshots as backups. However, this is not really a substitute for professional backups. The whole procedure for creating snapshots and viewing is quite long-winded and inconvenient in my view. Here is how it goes:

Michael Pietroforte

Michael Pietroforte is the founder and editor in chief of 4sysops. He has more than 35 years of experience in IT management and system administration.

You have to use the ntdsutil tool to create a snapshot first. This is the printout of my test on the command prompt:

ntdsutil: snapshot
snapshot: Activate Instance NTDS
Active instance set to "NTDS".
snapshot: create
Creating snapshot...
Snapshot set {8e2d4f3a-4857-4aa1-8291-0b970f1e99bd} generated successfully.

Before you can access the snapshot, you have to mount it:

snapshot: mount {8e2d4f3a-4857-4aa1-8291-0b970f1e99bd}
Snapshot {43178609-4381-4825-9562-66012e743728} mounted as C:\$SNAP_200706141320 _VOLUMEC$\

This long number is the GUID of the snapshot. Next, you have to expose this snapshot thru an LDAP server using the dsamain tool:

dsamain -dbpath:c:\$SNAP_200706141320_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport:15000

Now, you can access this Active Directory snapshot for read access with Windows tools such as ldp or ADSIEdit. You can run the LDAP server on an active domain controller if you used ports other than the default ones. In my example, you could connect to the port 15000 to access the snapshot with ADSIEdit.

You can now browse for the objects that were accidently deleted. If you found them, you would know which backup should be restored. You probably know that it is possible to restore single Active Directory objects by marking them as authoritative. Check out this article for information about authoritative restores.

All in all, I still find handling Active Directory backups quite complicated. However, there are third party tools which can make it a bit easier, for example the AD recovery tools from Quest. Which tools do you use to backup and restore Active Directory?

Win the monthly 4sysops member prize for IT pros

  1. Lukas Beeler 12 years ago


    Small Businesses are fun 😉


  2. Michael Pietroforte 12 years ago

    Yeah, NTbackup is a great backup tool for small business. Unfortunately, it will be replaced with Windows Server Backup which doesn’t support tape backups.


  3. [...]   On the Sysinternals page over at Microsoft, there’s a new tool called Active Directory Explorer. You could describe it as ADSIEDIT on steroids. An interesting feature is the ability to save snapshots of Active Directory and compare them. A similar snapshot feature  will also be part of Windows Server 2008. A nice overview of the Windows Server 2008 snapshot feature can be found here. [...]


  4. Will 12 years ago

    We use active administratorr - powerful solution with an intuitive interface. It can backup all active directory objects in a domain and then restore only necessary ones with their attributes.Or if you have container object - you can restore all objects it contains or only objects of a particular type. In addtion - this tool is also good in active directory auditing and group policy managing.


  5. Michael Pietroforte 12 years ago

    Thanks for the tip. Seems to be an interesting tool. Do you know the price? Didn't find it on their site.


  6. mike 12 years ago

    how would i go about doing this on windows server 2003? better yet, is it even possible to do this on windows server 2003?


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2019


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account