Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide
Applies To: Windows Server 2008
This guide shows how you can use an improved version of Ntdsutil and a new
Active Directory® database mounting tool in Windows Server® 2008 to create and
view snapshots of data that is stored in Active Directory Domain Services
(AD DS) or Active Directory Lightweight Directory Services (AD LDS), without
restarting the domain controller or AD LDS server. A snapshot is a shadow
copy—created by the Volume Shadow Copy Service (VSS)—of the volumes that contain
the Active Directory database and log files.
The Active Directory database mounting tool (Dsamain.exe) can improve
recovery processes for your organization by providing a means to compare data as
it exists in snapshots that are taken at different times so that you can better
decide which data to restore after data loss. This eliminates the need to
restore multiple backups to compare the Active Directory data that they
contain.
This guide provides step-by-step instructions for using the Active Directory database mounting tool, including creating, listing, and mounting snapshots of AD DS; preparing them for viewing as a Lightweight Directory Access Protocol (LDAP) server; and viewing the data itself.
For more information about VSS snapshots, see Shadow Copies and Shadow Copy Sets (VSS) (http://go.microsoft.com/fwlink/?LinkId=90631).
Note: During product development, this feature has also been known by other names, including Snapshot Viewer, Snapshot Browser, and Active Directory data mining tool.
In this guide
- End-to-End Scenario That Uses the Active Directory Database Mounting Tool
Who should use this guide?
The following individuals should review this information about the
Active Directory database mounting tool:
- Information technology (IT) planners and analysts who are
technically evaluating the product
- Enterprise IT planners and designers for
organizations
- Administrators, operators, and managers who are responsible
for IT operations, including recovery of deleted Active Directory
data
Scenarios for using the Active Directory database mounting tool
This section describes common scenarios in which you can use the
Active Directory database mounting tool.
Simplifying the forest recovery process
For organizations that have domain controllers running Windows Server 2003,
the forest recovery process requires a determination of which backup is best to
use for recovery. In general, you must consider whether to restore a recent
backup of your data or an older backup that you believe may be safer. Choosing a
more recent backup recovers more useful data, but it might increase the risk of
reintroducing dangerous data into the restored forest.
To determine which backup is best, you must restore it to a domain controller to view its contents. Each restore operation requires that you restart the domain controller in Directory Services Restore Mode (DSRM).
For some organizations, the loss of productivity caused by the time required for such restore operations is great. These organizations often must keep detailed logs about the Active Directory health state on a daily basis so that, in case of a failure throughout the forest, the approximate time of failure can be identified.
In a forest recovery scenario, the ability to precisely determine which backup contains the best data to recover can drastically reduce downtime.
Auditing modified and deleted objects
Dsamain.exe helps you examine any changes that are made to Active Directory
data. For example, if an object is accidentally modified, you can use this tool
to examine the changes and to help you better decide how to correct them if
necessary.
By scheduling a task to regularly create snapshots of the AD DS database, you can keep detailed records of AD DS data as it changes over time. You can create AD DS snapshots without devoting as much time and storage space as Windows Server Backup requires for critical-volume backups.
Requirements for using the Active Directory database mounting tool
You do not need any additional software to use the Active Directory database
mounting tool. All the tools that are required to use this feature are built
into Windows Server 2008 and are available if you have the AD DS or the AD LDS
server role installed. These tools include the following:
- A new ntdsutil snapshot operation that you can use to create, list, mount, and unmount snapshots of AD DS or AD LDS data
  Note: You are not required to run the ntdsutil snapshot operation to use Dsamain.exe. You can instead use a backup of the AD DS or AD LDS database or another domain controller or AD LDS server. The ntdsutil snapshot operation simply provides a convenient data input for Dsamain.exe.
- Dsamain.exe, which you can use to expose the snapshot data as an LDAP server
- Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers
All permissions that apply to the data in the snapshot are enforced when you view the data. For example, suppose that members of the Domain Admins groups are explicitly denied Read permission for an object in AD DS. If you supply credentials for a member of that group when you try to view the snapshot data for that object, access is denied.
Moreover, you cannot change the existing permission to grant Read access in the snapshot that you are viewing because the Active Directory data is read-only. Any add, modify, or delete operations will fail.
However, a malicious user might be able to copy sensitive data that might be stored in AD DS snapshots to another forest and then use privileged credentials from that forest to examine the data. Therefore, you should protect them in a manner that is similar to how you protect domain controller backups. Use encryption or other data security precautions with AD DS snapshots to help mitigate the chance of unauthorized access to them.
Steps for using the Active Directory database mounting tool
You are not required to use the ntdsutil snapshot operation
to create the snapshots. You can use any backup of an AD DS or AD LDS database
that uses VSS, including non-Microsoft backup solutions. The database must be in
a consistent state; that is, the logs must be replayed. If you use Ntdsutil.exe
or Windows Server Backup on a server running Windows Server 2008, the resulting
snapshot or backup will be consistent.
You can use either Ntdsutil.exe to mount the snapshot or use Windows Server
Backup to restore the backup to an alternative location or to another computer.
Then, you can use a tool such as Ldp.exe to view the data.
Note: A domain controller backup contains more data than an AD DS snapshot because it also includes files that are needed to restore the operating system.
You can use the following process to use the Active Directory database mounting tool:
- Although it is not a requirement, you can schedule a task that regularly runs Ntdsutil.exe to take snapshots of the volume that contains the AD DS or AD LDS database.
- Run Ntdsutil.exe to list the snapshots that are available and then mount the snapshot that you want to view.
- Run Dsamain.exe to expose the snapshot volume as an LDAP server. Dsamain.exe takes the following arguments:
  - AD DS or AD LDS database (Ntds.dit) full file path. By default this file is opened as read-only. Only ASCII paths are supported. Network share paths are not supported.
  - Log path. This can be a temporary path, but you must have write access. This parameter is optional. If you do not specify the log path, logs and a temporary database are created in the Temp folder.
  - Four port numbers for LDAP, LDAP-SSL, Global Catalog, and Global Catalog–SSL. Only the LDAP port is required. If the other ports are not specified, they will use LDAP+1, LDAP+2, and LDAP+3, respectively. For example, if you specify LDAP port 41389 without specifying other port values, the LDAP-SSL port will use port 41390 by default, and so on.
- Run and attach Ldp.exe to the snapshot's LDAP port that you specified when you exposed the snapshot as an LDAP server in the previous step. You can also try using the Active Directory Users and Computers snap-in that is installed by default on a Windows Server 2008 domain controller, as described in the procedure later in this guide.
- Browse the snapshot just as you would with any live domain controller.
If you have some idea which organizational unit (OU) or objects were deleted, you can look up the deleted objects in the snapshots and record the attributes and back-links that belonged to the deleted objects. You can reanimate these objects by using the tombstone reanimation feature on a domain controller in your production environment. Then, you must manually repopulate these objects with the stripped attributes and back-links as identified in the snapshots. For more information about tombstone reanimation, see Reanimating Active Directory Tombstone Objects (http://go.microsoft.com/fwlink/?LinkID=116204).
Although you must manually re-create the stripped attributes and back links, the Active Directory database mounting tool makes it possible for you to re-create deleted objects and their back-links without rebooting the domain controller into Directory Services Restore Mode. You can also use the tool to look up previous configurations of AD DS as well, including permissions that were in effect.
Step 1: Create, mount, and list snapshots
To create a snapshot, you must be a member of the Enterprise Admins groups or
the Domain Admins group or you must have been delegated the appropriate
permissions. Review details about using the appropriate accounts and group
memberships at Local and
Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
After you create and mount a snapshot, you can run Dsamain.exe to expose the
AD DS or AD LDS data in the snapshot as an LDAP server.
To create an AD DS or AD LDS snapshot
- Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.
- Click Start, right-click Command Prompt, and then click Run as administrator.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- At the elevated command prompt, type the following command, and then press ENTER:
  ntdsutil
- At the ntdsutil prompt, type the following command, and then press ENTER:
  snapshot
- At the snapshot prompt, type the following command, and then press ENTER:
  activate instance ntds
- At the snapshot prompt, type the following command, and then press ENTER:
  create
  The command returns the following output:
  Snapshot set {GUID} generated successfully.
- At the snapshot prompt, type the following command, and then press ENTER:
  mount {GUID}
- As an option, to see a list of all mounted snapshots, you can type the following command, and then press ENTER:
  list mounted
  The output lists each mounted snapshot and a corresponding index number. You can use the index number instead of the GUID to subsequently mount, unmount, or delete the snapshot.
- To unmount the snapshot after you have finished viewing the data, type either of the following commands, and then press ENTER:
  unmount index #
  -or-
  unmount {GUID}
- Delete old snapshots that you are no longer using because they consume disk space. To delete a snapshot, type either of the following commands, and then press ENTER:
  delete index #
  -or-
  delete {GUID}
- After you are done with snapshot operations, type quit to return to the ntdsutil menu, and then type quit again to return to the command prompt.
Step 2 (Optional): Schedule a task that creates AD DS snapshots
You have the option to schedule a task that runs Ntdsutil.exe regularly to
create snapshots.
To schedule a task to create AD DS or AD LDS snapshots, you must be a member of the Enterprise Admins group or the Domain Admins group. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To schedule a task to create AD DS or AD LDS snapshots
- Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.
- Click Start, click Administrative Tools, and then click Task Scheduler.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Click Action, and then click Create task.
- On the General tab, type a name for your task, and then select the appropriate security options to run the task.
- On the Triggers tab, click New.
- In New Trigger, select the appropriate settings for the task, and then click OK.
- On the Action tab, click New.
- In New Action, type the name or browse to the file path that contains Ntdsutil.exe and in Add arguments (optional), type the following command, and then press ENTER:
  ntdsutil "activate instance ntds" snapshot create quit quit
- On the Conditions tab and the Settings tab, select any additional settings that you want to apply to the task, and then click OK.
- If you are prompted, enter the password for a member of the Enterprise Admins group or the Domain Admins group, and then click OK.
Step 3: Expose an AD DS or AD LDS snapshot as an LDAP server
By default, you must be a member of the Enterprise Admins group or the Domain Admins group to run Dsamain.exe and to access the Active Directory data that it exposes. If the snapshot is taken from a domain that no longer exists, you can specify the /allowNonAdminAccess parameter. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
Allow Dsamain.exe to continue running in the command prompt window while you
use an LDAP tool such as Ldp.exe or Active Directory Users and Computers to view
the AD DS or AD LDS data in the snapshot.
To expose an AD DS or AD LDS snapshot as an LDAP server
- Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.
- Click Start, right-click Command Prompt, and then click Run as administrator.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- At the elevated command prompt, type the following command, and then press ENTER. Be sure to include a space between the name of the parameter and the value that you specify.
  dsamain /dbpath <path_to_database_file> /ldapport <port_#>
  If you plan to view the snapshot data on a domain controller, specify ports that are different from the ports that the domain controller will use. For example, type:
  dsamain /dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit /ldapport 51389
  A message indicates that Active Directory Domain Services startup is complete.
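The path and port rules that Dsamain.exe enforces (ASCII-only local path to Ntds.dit, no network share, four distinct ports that must not clash with the live domain controller's own 389/636/3268/3269, and the LDAP+1/+2/+3 defaults) are easy to get wrong when the tool is launched from a script. The following is an added example, not code from this guide or from Microsoft: it builds the dsamain argument vector and checks those rules before the process is started. The /dbpath, /ldapport and /allowNonAdminAccess switches are the ones the guide shows; /logpath, /sslport, /gcport and /gcsslport are assumed here to be the switch names for the log path and the three remaining ports the guide describes.

```python
"""Build and sanity-check a dsamain.exe command line before exposing a snapshot.

Added example for this guide, not Microsoft's code. /dbpath, /ldapport and
/allowNonAdminAccess are the switches the guide shows; /logpath, /sslport,
/gcport and /gcsslport are assumed to be the switch names for the log path
and the three remaining ports the guide describes.
"""
from __future__ import annotations

import subprocess

# Ports a live domain controller already listens on (LDAP, LDAPS, GC, GC-SSL).
# A snapshot exposed on the DC itself must not reuse any of them, which is why
# the guide's example picks 51389 rather than 389.
DC_DEFAULT_PORTS = {389, 636, 3268, 3269}


def derive_ports(ldapport: int, sslport: int | None = None, gcport: int | None = None,
                 gcsslport: int | None = None) -> dict[str, int]:
    """Apply the LDAP+1 / LDAP+2 / LDAP+3 defaults for the ports you leave out."""
    return {
        "ldapport": ldapport,
        "sslport": ldapport + 1 if sslport is None else sslport,
        "gcport": ldapport + 2 if gcport is None else gcport,
        "gcsslport": ldapport + 3 if gcsslport is None else gcsslport,
    }


def validate_dbpath(dbpath: str) -> None:
    """Enforce the /dbpath restrictions the guide states: ASCII only, no UNC share."""
    if not dbpath.isascii():
        raise ValueError("dsamain accepts only ASCII database paths")
    if dbpath.startswith("\\\\"):
        raise ValueError("network share paths are not supported; use the mounted snapshot path")
    if not dbpath.lower().endswith("ntds.dit"):
        raise ValueError("/dbpath must name the Ntds.dit file itself")


def build_dsamain_command(dbpath: str, ldapport: int, logpath: str | None = None,
                          sslport: int | None = None, gcport: int | None = None,
                          gcsslport: int | None = None, on_domain_controller: bool = True,
                          allow_non_admin: bool = False) -> list[str]:
    """Return the argument vector for dsamain, failing early on the mistakes that
    otherwise surface only as a startup error (bad path, port clash with the DC)."""
    validate_dbpath(dbpath)
    ports = derive_ports(ldapport, sslport, gcport, gcsslport)
    if len(set(ports.values())) != 4:
        raise ValueError(f"the four ports must be distinct: {ports}")
    for name, port in ports.items():
        if not 1 <= port <= 65535:
            raise ValueError(f"{name}={port} is not a valid TCP port")
        if on_domain_controller and port in DC_DEFAULT_PORTS:
            raise ValueError(f"{name}={port} collides with a port the live DC uses")
    cmd = ["dsamain", "/dbpath", dbpath]
    if logpath is not None:
        cmd += ["/logpath", logpath]
    # Emit all four ports explicitly so the listening ports are visible in the
    # process command line (useful when auditing what was exposed, and when).
    for name, port in ports.items():
        cmd += [f"/{name}", str(port)]
    if allow_non_admin:
        cmd.append("/allowNonAdminAccess")  # only for snapshots of a domain that no longer exists
    return cmd


if __name__ == "__main__":
    snapshot_dit = r"E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit"  # path from the guide
    cmd = build_dsamain_command(snapshot_dit, 51389)
    print(subprocess.list2cmdline(cmd))
    # On the domain controller, run it in the foreground and leave it running
    # while you browse the snapshot with Ldp.exe:
    # subprocess.run(cmd, check=True)
```

The port-collision check is the one worth keeping even if you drop the rest: an LDAP port of 388 looks harmless until the LDAP+1 default puts the SSL listener on 389, which the domain controller already owns. Pass on_domain_controller=False when the snapshot is served from a member server instead.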
Step 4: Access Active Directory data that is stored in snapshots
To use Ldp.exe or Active Directory Users and Computers to access the AD DS or
AD LDS data, you must be a member of the Enterprise Admins group or the Domain
Admins group or you must have been delegated permission. Review details about
using the appropriate accounts and group memberships at Local and Domain Default
Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To use Ldp.exe to access AD DS or AD LDS data that is stored in snapshots
- Click Start, click Run, type ldp, and then click OK.
- Click Connection, and then click Connect.
- In Server, type the name of the server, or type localhost and, in Port, type a port number that you specified previously with dsamain. For example, type 51389. Click OK.
- Click Connection, and then click Bind.
- In Bind type, click Bind as currently logged on user or click Bind with credentials and type a name, password, and domain for a user account that has permission to access the Active Directory data. Click OK.
- Click View, and then click Tree.
- In BaseDN, type the distinguished name of the parent container for the data that you want to view, and then click OK. For example, to view all objects in the Contoso domain, type:
  dc=contoso,dc=com
- Double-click the appropriate containers for the object that you want to view, and then double-click that object to view its properties.
To use Active Directory Users and Computers to access Active Directory data that is stored in snapshots
- Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- In the console tree, right-click Active Directory Users and Computers [FQDN], and then click Change Domain Controller.
- Click <Type a Domain Controller name or an IP Address here>, type the following, and then press ENTER:
  hostname:port
  where hostname is the name of the server where the snapshots are stored and port is the LDAP port number that you specified previously with dsamain. For example, type the following, and then click OK:
  DC1:51389
- Double-click the appropriate containers for the object that you want to view, and then double-click that object to view its properties.
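Browsing one object at a time in Ldp.exe works for a known deletion, but the auditing scenario earlier in this guide (examining what changed between a snapshot and the live directory) and the recovery step (recording the attributes and back-links of deleted objects before tombstone reanimation) are better served by comparing the two LDAP endpoints programmatically. The following is an added example, not code from this guide or from Microsoft: it assumes the snapshot is exposed on DC1:51389 as in Step 3, uses the third-party ldap3 package for the two fetches (an assumption; any LDAP client would do), and runs its diff over constructed sample entries so the logic can be tried offline.

```python
"""Compare a mounted AD DS snapshot with the live directory and build a recovery worksheet.

Added example for this guide, not Microsoft's code. fetch_entries assumes the
snapshot is exposed by dsamain on DC1:51389 (Step 3) and uses the third-party
ldap3 package (an assumption, not part of the guide); the diff and the
worksheet need only the standard library and are exercised here on the
constructed sample data at the bottom.
"""
from __future__ import annotations

from typing import Dict, List

Entries = Dict[str, Dict[str, List[str]]]  # DN -> attribute -> values

# Attributes that churn on every logon or replication and would bury real changes.
NOISY_ATTRS = {"whenChanged", "uSNChanged", "lastLogon", "lastLogonTimestamp",
               "logonCount", "badPwdCount", "badPasswordTime", "dSCorePropagationData"}


def fetch_entries(host: str, port: int, base_dn: str, user: str | None = None,
                  password: str | None = None) -> Entries:
    """Read a subtree from any LDAP endpoint: the live DC on 389 or the snapshot on 51389.

    Bind with the same Domain Admins-level account either way; the snapshot
    enforces the ACLs that were in effect when it was taken and is read-only.
    """
    import ldap3  # third-party: pip install ldap3
    server = ldap3.Server(host, port=port, get_info=ldap3.NONE)
    with ldap3.Connection(server, user=user, password=password, auto_bind=True) as conn:
        conn.search(base_dn, "(objectClass=*)", search_scope=ldap3.SUBTREE, attributes=["*"])
        return {str(e.entry_dn): {a: [str(v) for v in vals]
                                  for a, vals in e.entry_attributes_as_dict.items()}
                for e in conn.entries}


def diff_directories(snapshot: Entries, live: Entries, ignore=NOISY_ATTRS) -> dict:
    """Classify each DN as deleted (snapshot only), added (live only) or modified."""
    snap_dns, live_dns = set(snapshot), set(live)
    report = {"deleted": sorted(snap_dns - live_dns),
              "added": sorted(live_dns - snap_dns),
              "modified": {}}
    for dn in sorted(snap_dns & live_dns):
        before, after = snapshot[dn], live[dn]
        changes = {}
        for attr in (set(before) | set(after)) - set(ignore):
            old, new = sorted(before.get(attr, [])), sorted(after.get(attr, []))
            if old != new:
                changes[attr] = {"snapshot": old, "live": new}
        if changes:
            report["modified"][dn] = changes
    return report


def recovery_worksheet(snapshot: Entries, report: dict, backlinks=("memberOf",)) -> dict:
    """For every deleted object, separate the attributes from the back-links so both
    can be re-entered by hand after tombstone reanimation strips them."""
    return {dn: {"attributes": {a: v for a, v in snapshot[dn].items() if a not in backlinks},
                 "backlinks": {a: v for a, v in snapshot[dn].items() if a in backlinks}}
            for dn in report["deleted"]}


# Constructed sample data standing in for two fetch_entries() results; not real directory content.
SAMPLE_SNAPSHOT: Entries = {
    "CN=Alice,OU=Staff,DC=contoso,DC=com": {
        "sAMAccountName": ["alice"], "title": ["Analyst"],
        "memberOf": ["CN=Finance,OU=Groups,DC=contoso,DC=com"],
        "whenChanged": ["20070418113700.0Z"]},
    "CN=Bob,OU=Staff,DC=contoso,DC=com": {
        "sAMAccountName": ["bob"], "title": ["Engineer"],
        "memberOf": ["CN=Finance,OU=Groups,DC=contoso,DC=com",
                     "CN=Domain Admins,CN=Users,DC=contoso,DC=com"],
        "whenChanged": ["20070418113700.0Z"]},
    "CN=Finance,OU=Groups,DC=contoso,DC=com": {
        "member": ["CN=Alice,OU=Staff,DC=contoso,DC=com", "CN=Bob,OU=Staff,DC=contoso,DC=com"]},
}
SAMPLE_LIVE: Entries = {
    "CN=Alice,OU=Staff,DC=contoso,DC=com": {
        "sAMAccountName": ["alice"], "title": ["Senior Analyst"],
        "memberOf": ["CN=Finance,OU=Groups,DC=contoso,DC=com"],
        "whenChanged": ["20070419090000.0Z"]},
    "CN=Finance,OU=Groups,DC=contoso,DC=com": {
        "member": ["CN=Alice,OU=Staff,DC=contoso,DC=com"]},
    "CN=Carol,OU=Staff,DC=contoso,DC=com": {"sAMAccountName": ["carol"]},
}


if __name__ == "__main__":
    import json
    # Real use: snapshot = fetch_entries("DC1", 51389, "dc=contoso,dc=com", user, password)
    #           live     = fetch_entries("DC1", 389, "dc=contoso,dc=com", user, password)
    report = diff_directories(SAMPLE_SNAPSHOT, SAMPLE_LIVE)
    print(json.dumps(report, indent=2))
    print(json.dumps(recovery_worksheet(SAMPLE_SNAPSHOT, report), indent=2))
```

Running the same diff between two snapshots taken on different days, rather than between a snapshot and the live DC, is how the forest-recovery scenario earlier in the guide narrows down which snapshot still predates the damage. The worksheet output is the list you work from after reanimating a tombstone: the "attributes" half is re-entered on the object, the "backlinks" half by re-adding the object to each group.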