Exporting Information from Active Directory Snapshots in Windows Server 2008
Overall, the process of creating and using the AD snapshot involves using the following procedure:
- Either manually create or schedule a task that regularly runs NTDSUTIL to take snapshots of the volume that contains the AD DS database.
- Run NTDSUTIL to list the snapshots that are available, and mount the snapshot that you want to view.
- Run DSAMAIN to expose the snapshot volume as an LDAP server.
Note: Unlike in Windows Server 2003, LDP.exe and ADSIEDIT.msc are now included with Windows Server 2008, and you do not need to install the Support Tools like you did in previous versions.
Note that this data is read-only data, and by default, only members of the Domain Admins and Enterprise Admins groups are allowed to view the snapshots. However, like with all sensitive information, you must make sure that you safeguard the AD DS snapshots from unauthorized access just as you protect backups of AD DS. A malicious user who has access to the snapshots can use them to reveal sensitive data that might be stored in AD DS.
The main difference between using the following tools with an AD snapshot and using them on a live AD database is the port number. While you usually do NOT need to specify the default LDAP port (389) when connecting to a live AD database, you MUST specify the port number when connecting to the AD snapshot. The port number is the same as the one you used with the DSAMAIN and ldapport switch.
In all the following examples we will use port 10389. I have also created an OU called "Dev" in my test domain, and placed a few users in it. I've created a snapshot, and afterwards I have made some changes on the Dev users in the live AD.
Using Active Directory Users and Computers – DSA.msc
Probably the easiest to use to visually see most of the needed information found in the snapshot. The benefit of using this tool in Windows Server 2008 is the fact that is now has some of ADSIEDIT's functionality built in, allowing you to view almost all the attributes for objects in the AD Domain partition.To use DSA.msc on an AD snapshot follow these steps:
- Log on as a member of the Domain Admins group to the Windows Server 2008 Domain Controller where you've mounted the AD snapshot.
- Click Start, in the search box type DSA.msc and press Enter.
- You'll see the live AD. Feel free to browse it. We'll use this instance of DSA.msc as a reference to the snapshot.
- Repeat step #2.
- In the second instance of DSA.msc, right-click on the domain name and select Change Domain Controller.
- In the Change Directory Server window, click on the <Type a Directory Server name[:port] here> line, and when it turns to a writable text, change it to the name of the server and port number you've used in DSAMAIN. In our case – WIN2008-DC1:10389.
- When you press Enter, the application will perform a check on the specified target, and if all is ok, you'll see the line turn "Online". Press Ok.
- Open the 2 instances of DSA.msc side by side, you'll see that the second one is actually read-only. You cannot create or change any object. Even though the X button seems to be still available for object deletion, it won't work.
- If you open the properties window for a user ("John" from the Dev OU in our case) you'll see the attribute values in the snapshot version as grayed out. You can use this information to manually edit values in the live AD database, based upon the values you see in the snapshot version.
- When done, close the second instance of DSA.msc.
Using ADSIEDIT.msc
The major benefit of ADSIEDIT.msc over DSA.msc is the fact that it can be used to connect to other AD partitions – the Configuration partition and the Schema partition, as well as to the Domain partition. It too allows for graphical browsing for objects and attributes.Note: ADSIEDIT.msc is now included with Windows Server 2008.
To use ADSIEDIT.msc on an AD snapshot follow these steps:
- Log on as a member of the Domain Admins group to the Windows Server 2008 Domain Controller where you've mounted the AD snapshot.
- Click Start, in the search box type ADSIEDIT.msc and press Enter.
- In the ADSIEDIT window, right-click ADSI Edit and select Connect To.
- In the Connection Settings window, enter the name of the server and port number you've used in DSAMAIN. In our case – WIN2008-DC1:10389. When done, press Ok.
- If all is ok, you'll see the AD snapshot information appear as a hierarchical tree on the left-hand side pane. Feel free to browse the tree and go to the right OU and object you need to look at. Note that here too, the information is read-only.
- When done, close the ADSIEDIT.msc.
Using LDP.exe
Like ADSIEDIT.msc, LDP.exe can be used to connect to other AD partitions – the Configuration partition and the Schema partition, as well as to the Domain partition. However, the browsing for objects and attributes is done textually, which might be useful in some cases.Note: LDP.exe is now included with Windows Server 2008.
To use LDP.exe on an AD snapshot follow these steps:
- Log on as a member of the Domain Admins group to the Windows Server 2008 Domain Controller where you've mounted the AD snapshot.
- Click Start, in the search box type LDP.exe and press Enter.
- In the LDP window, click Connections and select Connect.
- In the Connect window, enter the name of the server and port number you've used in DSAMAIN. In our case – WIN2008-DC1 and 10389. When done, press Ok.
- If all is ok, you'll see the connection information appear on the right-hand pane. In case you need to change the username and password you're connecting with, select Connections > Bind, and change that information.
- Click View > Tree.
- You can use the drop-down list to select either the default naming context – the AD Domain partition, or to the Configuration partition or the Schema partition. You can also type in a Distinguished Name of the object you're looking for.
- Browse the tree in the left-hand side pane for the OU and object you're looking for. When you double-click on it, you'll get all the object's attributes in the right-hand pane.
- When done, close the LDP.exe.
Another method – Using VBS scripts
I will not go into great detail here, but as you're probably aware, there's a lot you can do with a good VBS script against an AD database. Because mounted and exposed AD snapshots are treated as read-only Active Directory databases, VBS scripts can be used to export any type of information you need from the snapshot.It is beyond the scope of this article to give detailed examples of scripts, but I did find this nice script on Ken St. Cyr's Blog (see links below) and thought I should share it. This script will go through each user account and export the samAccountName and displayName attributes to a TSV (Tab Separated Values) file which can be later used in Excel or a text editor.
See the code (note that the script uses port 10389, change that to whatever port you've used in your DSAMAIN command):
'-------------------------------------------------------------------------- ' NAME: export-attr.vbs ' DATE: 3/6/2008 ' DESCRIPTION: Connects to a directory service provider on the specified ' port and exports a list of attributes for each user object ' in the directory to a tab-separated values file. ' AUTHOR: Ken St. Cyr '-------------------------------------------------------------------------- Option Explicit ' Define our parameters CONST LDAPPORT = 10389 CONST DCNAME = "localhost" CONST ATTRIBUTES = "samAccountName,displayName" CONST OUTPUT_FILE = "attribute_backup.tsv" ' Create the necessary objects for writing to a file Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject") Dim objFile : Set objFile = objFSO.OpenTextFile(OUTPUT_FILE, 8, True) ' Get the RootDSE for the directory on the port that we want Dim objRootDSE : Set objRootDSE = GetObject("LDAP://" & DCNAME & ":" & _ LDAPPORT & "/RootDSE") ' Create the connection object for the AD provider Dim objConnection : Set objConnection = CreateObject("ADODB.Connection") objConnection.Provider = "ADsDSOObject" objConnection.Open "Active Directory Provider" ' Define the search to execute Dim objCommand : Set objCommand = CreateObject("ADODB.Command") objCommand.CommandText = "<LDAP://" & DCNAME & ":" & LDAPPORT & "/" & _ objRootDSE.Get("defaultNamingContext") & ">;(&objectCategory=user);" & _ ATTRIBUTES & ";subtree" objCommand.ActiveConnection = objConnection ' Execute the search Dim objRecordSet : Set objRecordSet = objCommand.Execute objRecordSet.MoveFirst ' Go through each result about output the attributes to a Tab-Separated file While Not objRecordSet.EOF Dim strSAMAccountName : strSAMAccountName = objRecordSet.Fields("samaccountname") Dim strDisplayName : strDisplayName = objRecordSet.Fields("displayName") objFile.WriteLine strSAMAccountName & vbtab & strDisplayName objRecordSet.MoveNext Wend objFile.Close WScript.Echo objRecordSet.RecordCount & " entries written to " & OUTPUT_FILE
No comments:
Post a Comment