This new feature of Windows Server 2008 allows you to create a snapshot of the Active Directory database with the command line tool ntdsutil. The created snapshot can be exposed as an LDAP server using the dsamain utility. This is useful whenever you accidentally delete Active Directory objects and are unsure which backup to restore. You can also use snapshots as backups. However, this is not really a substitute for professional backups. The whole procedure for creating and viewing snapshots is quite long-winded and inconvenient in my view. Here is how it goes:
You have to use the ntdsutil tool to create a snapshot first. This is the printout of my test on the command prompt:
ntdsutil
ntdsutil: snapshot
snapshot: Activate Instance NTDS
Active instance set to "NTDS".
snapshot: create
Creating snapshot...
Snapshot set {8e2d4f3a-4857-4aa1-8291-0b970f1e99bd} generated successfully.
Before you can access the snapshot, you have to mount it:
snapshot: mount {8e2d4f3a-4857-4aa1-8291-0b970f1e99bd}
Snapshot {43178609-4381-4825-9562-66012e743728} mounted as C:\$SNAP_200706141320_VOLUMEC$\
This long number is the GUID of the snapshot. Next, you have to expose this snapshot through an LDAP server using the dsamain tool:
dsamain -dbpath:c:\$SNAP_200706141320_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport:15000
Now, you can access this Active Directory snapshot for read access with Windows tools such as ldp or ADSIEdit. You can run the LDAP server on an active domain controller as long as you use ports other than the default ones. In my example, you would connect to port 15000 to access the snapshot with ADSIEdit.
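The mount and dsamain steps above can be checked before anything is typed on the domain controller. The following is an added example, not part of the original article: it parses the ntdsutil lines shown above and builds the dsamain line in the article's syntax, refusing the ports a live domain controller already uses and any path that is not a mounted snapshot. The function names and the port set are assumptions of this example, and the transcript is a constructed sample copied from the output above.

```python
import re
from pathlib import PureWindowsPath

# Ports a live domain controller already listens on (LDAP, LDAPS, GC, GC over SSL).
DC_DEFAULT_PORTS = {389, 636, 3268, 3269}

# Constructed sample: the ntdsutil result lines shown in the article.
SAMPLE = r'''snapshot: create
Creating snapshot...
Snapshot set {8e2d4f3a-4857-4aa1-8291-0b970f1e99bd} generated successfully.
snapshot: mount {8e2d4f3a-4857-4aa1-8291-0b970f1e99bd}
Snapshot {43178609-4381-4825-9562-66012e743728} mounted as C:\$SNAP_200706141320_VOLUMEC$\
'''

GUID = r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}"
SET_RE = re.compile(rf"Snapshot set ({GUID}) generated successfully")
MOUNT_RE = re.compile(rf"Snapshot ({GUID}) mounted as (\S.*\S)\s*$", re.M)

def parse_transcript(text):
    """Return (set_guid, mounted_guid, mount_path) from ntdsutil output."""
    created = SET_RE.search(text)
    mounted = MOUNT_RE.search(text)
    if not created or not mounted:
        raise ValueError("transcript lacks a create or mount result line")
    return created.group(1), mounted.group(1), mounted.group(2)

def dsamain_command(mount_path, ldap_port, ntds_rel=r"Windows\NTDS\ntds.dit"):
    """Build the dsamain line (article's syntax) for a mounted snapshot."""
    if not 1 <= ldap_port <= 65535:
        raise ValueError("port out of range")
    if ldap_port in DC_DEFAULT_PORTS:
        raise ValueError(f"port {ldap_port} is used by the live directory service")
    # Assumption: mount points follow the $SNAP_<timestamp>_VOLUME<letter>$ form seen above.
    if not re.search(r"\$SNAP_\d+_VOLUME[A-Z]\$", mount_path):
        raise ValueError("path is not a mounted snapshot; refusing live database")
    dit = PureWindowsPath(mount_path) / ntds_rel
    return f"dsamain -dbpath:{dit} -ldapport:{ldap_port}"
```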
You can now browse for the objects that were accidentally deleted. Once you have found them, you know which backup should be restored. You probably know that it is possible to restore single Active Directory objects by marking them as authoritative. Check out this article for information about authoritative restores.
All in all, I still find handling Active Directory backups quite complicated. However, there are third-party tools which can make it a bit easier, for example the AD recovery tools from Quest. Which tools do you use to back up and restore Active Directory?
ntbackup
Small Businesses are fun 😉
Yeah, NTbackup is a great backup tool for small business. Unfortunately, it will be replaced with Windows Server Backup which doesn’t support tape backups.
We use Active Administrator – powerful solution with an intuitive interface. It can back up all Active Directory objects in a domain and then restore only necessary ones with their attributes. Or if you have a container object – you can restore all objects it contains or only objects of a particular type. In addition – this tool is also good at Active Directory auditing and Group Policy management.
Thanks for the tip. Seems to be an interesting tool. Do you know the price? Didn’t find it on their site.
How would I go about doing this on Windows Server 2003? Better yet, is it even possible to do this on Windows Server 2003?