Sunday, 25 March 2012

Working with Active Directory Snapshots in Windows Server 2008


Working with Active Directory Snapshots in Windows Server 2008


A snapshot is a shadow copy—created by the Volume Shadow Copy Service (VSS)—of the volumes that contain the Active Directory database and log files. With Active Directory snapshots, you can view the data inside such a snapshot on a domain controller without the need to start the server in Directory Services Restore Mode.

Download Windows Server 2008 R2 with Service Pack 1Windows Server 2008 R2 with SP1 builds on the award-winning foundation of Windows Server 2008.

Powerful tools such as Internet Information Services (IIS) version 7.5, updated Server Manager and Hyper-V platforms, Dynamic Memory, RemoteFX, and Windows PowerShell version 2.0 combine to give customers greater control, increased efficiency, and the ability to react to front-line business needs faster than ever before.

Windows Server 2008 has a new feature allowing administrators to create snapshots of the Active Directory database for offline use.
With AD snapshots you can mount a backup of AD DS under a different set of ports and have read-only access to your backups through LDAP.
You should take measures to protect AD snapshots in a manner that is similar to protecting your regular DC backups. For example, use encryption or other data security precautions with AD DS snapshots to help mitigate the chance of unauthorized access to them.
There are quite a few scenarios for using AD snapshots. For example, if someone has changed properties of AD objects and you need to revert to their previous values, you can mount a copy of a previous snapshot to an alternate port and easily export the required attributes for every object that was changed. These values can then be imported into the running instance of AD DS. You can also restore deleted objects or simply view objects for diagnostic purposes.
AD snapshots, when mounted and connected to, allow you to see how the AD DB looked like at the moment of the snapshot creation, what objects existed and other type of information. However, out of the box, it does not allow you to move or copy items or information from the snapshot to the live database. In order to do that you will need to manually export the relevant objects or attributes from the snapshot, and manually import them back to the live AD database.
While the process of creating a snapshot, mounting it, connecting to it, disconnecting, unmounting and (perhaps) deleting it may seem a little confusing at first, after running through it a few times you'll get the hang of it. In any case it's a lot better than the alternative - taking down the DC, rebooting into DSRM, restoring the System State from a backup, and then exporting the attributes.
Here's how to do it.

Creating an Active Directory snapshot

In order to create an Active Directory snapshot you need to use the NTDSUTIL command. NTDSUTIL is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role or the AD LDS server role installed.
Please follow these steps:
  1. Log on as a member of the Domain Admins group to one of your Windows Server 2008 Domain Controllers.
  2. Open a Command Prompt window by clicking on the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu.
  3. Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
  4. In the CMD window, type the following command:
  5. ntdsutil
  6. In the CMD window, type the following command:
  7. snapshot
    Note: NTDSUTIL uses nested menu commands that you type one after the other. You can type "?" at any time to get the different command options at any menu level. Also note that you can usually type in the first few letters of each command. For example, instead of typing "snapshots" you can simply type "sna".
  8. In the CMD window, type the following command:
  9. activate instance ntds
  10. Before you can run the snapshot subcommand, you must run the activate instance subcommand in NTDSUTIL to set an active instance.
  11. In the CMD window, type the following command:
    activate instance ntds
    The result should look like this:
    snapshot: Activate Instance ntds
    Active instance set to "ntds".
  12. In the CMD window, type the following command:
  13. create
    The result should look like this:
    snapshot: create
    Creating snapshot...
    Snapshot set {3a861a35-2f33-4d7a-8861-a10e47afdaba} generated successfully.
  14. To view all available snapshots, in the CMD window, type the following command:
  15. list all
    The result should look like this:
    snapshot: create
    snapshot: List All
     1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
     2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348}
  16. Next, you can leave the NTDSUTIL running, or you can quit by typing quit 2 times.
  17. Note: NTDSUTIL allows you to run the above commands in one line. Run the following command:
    ntdsutil "Activate Instance NTDS" snapshot create quit quit
    You can easily automate this process.

Mounting an Active Directory snapshot

Before connecting to the snapshot we need to mount it. By looking at the results of the List All command in step #8 above, identify the snapshot that you wish to mount, and note the number next to it.
In order to mount an Active Directory snapshot follow these steps:
  1. Log on as a member of the Domain Admins group to one of your Windows Server 2008 Domain Controllers.
  2. Open a Command Prompt window by clicking on the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu.
  3. Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
  4. In the CMD window, type the following command:
  5. ntdsutil
  6. In the CMD window, type the following command:
  7. snapshot
  8. To view all available snapshots, in the CMD window, type the following command:
  9. list all
    The result should look like this:
    snapshot: List All
     1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
     2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348}
  10. In this example we only have one snapshot available, one from 2008/10/25 at 03:14AM (yes, I write articles at this time…). We'll mount this one.
  11. In the CMD window, type the following command:
    mount 2
    The result should look like this:
    snapshot: mount 2
    Snapshot {15c6f880-cc5c-483b-86cf-8dc2d3449348} mounted as C:'$SNAP_200810250314_VOLUMEC$'
  12. Next, you can leave the NTDSUTIL running, or you can quit by typing quit 2 times.
  13. Note: Like the above command, the mounting process can also be run in one line. However, note that NTDSUTIL requires that the "list all" command be run in the same session that you mount the snapshot. So in order to mount the snapshot with a one-liner, you will need to run "list all" first.
    ntdsutil snapshot "list all" "mount 2" quit quit
    Note: You do not need to quit from the NTDSUTIL command, you can keep it open assuming that you'll probably want to unmount the snapshot right after working with it.

Connecting an Active Directory snapshot

In order to connect to the AD snapshot you've mounted you will need to use the DSAMAIN command. DSAMAIN is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed.
After using DSAMAIN to expose the information inside the AD snapshot, you can use any GUI tool that can connect to the specified port, tools such as Active Directory Users and Computers (DSA.msc), ADSIEDIT.msc, LDP.exe or others. You can also connect to it by using command line tools such as LDIFDE or CSVDE, tools that allow you to export information from that database.



When you use DSAMAIN to connect to the data that is contained in a snapshot, the following is true:
  • All permissions that apply to the data in the snapshot are enforced.
  • By default, only members of the Domain Admins group and the Enterprise Admins group are allowed to view a snapshot because it can contain sensitive AD DS data.
First, DSAMAIN requires the exact and full path to the NTDS.dit file. In order to obtain that path you can do one of the following:
  1. Open Windows Explorer and drill down through the folder tree until you reach the path where the NTDS.dit file is located. Copy the file's path, including the file name and extension.

  2. Do the above, but instead of relying on that path, you can simply copy the NTDS.dit file to any location of your choice. After doing that, note the file's new path. Don't forget the file name and extension. If you chose that way, remember that un-mounting the AD snapshot and deleting it won't actually delete the NTDS.dit file you've copied, and that, if not taken care of, might pose a security risk…
Second, you have to give the DSAMAIN a unique port to service LDAP requests on. You can use any port as long as it's not in use. In this example I'll use port 10389. DSAMAIN will expose the directory on 4 subsequent ports - LDAP, LDAP/SSL, GC, and GC/SSL. You can manually specify each of the different ports that you want to use for each protocol connection, but if you just give it one port (i.e. 10389), it will mount the subsequent listeners numerically. So if you specific 10389 for the LDAP port, this is what you end up with:
  • LDAP: 10389
  • LDAP/SSL: 10390
  • GC: 10391
  • GC/SSL: 10392
In order to connect to an Active Directory snapshot follow these steps:
  1. Log on as a member of the Domain Admins group to one of your Windows Server 2008 Domain Controllers.
  2. Open a Command Prompt window by clicking on the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu.
  3. Note: You must run DSAMAIN from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
  4. In the CMD window, type the following command:
  5. dsamain -dbpath "C:'$SNAP_200810250314_VOLUMEC$'Windows'NTDS'ntds.dit" -ldapport 10389
    You will not get any visual confirmation that the snapshot has been connected to. The only thing that will actually indicate that the DIT is mounted is the message "Microsoft Active Directory Domain Services startup complete". Do not close the command prompt. As long as the DSAMAIN is running, you can access the directory over LDAP on the port you specified.
    The result should look like this:
    C:'Users'Administrator>dsamain -dbpath
    "C:'$SNAP_200810250314_VOLUMEC$'Windows'NTDS'ntds.dit" -ldapport 10389
    EVENTLOG (Informational): NTDS General / Service Control : 1000
    Microsoft Active Directory Domain Services startup complete, version 6.0.6001.18072
    Disconnecting from the Active Directory snapshot
    In order to disconnect from the AD snapshot all you need to do is to type CTRL+C at the DSAMAIN command prompt window. You'll get a message indicating that the DS shut down successfully.
    The result should look like this:
    EVENTLOG (Informational): NTDS General / Service Control : 1004
    Active Directory Domain Services was shut down successfully.

Unmounting an Active Directory snapshot

The last thing we need to do is to unmount the snapshot. Again, this can be done through the NTDSUTIL command.
In order to unmount an Active Directory snapshot follow these steps:
  1. Open a Command Prompt window by clicking on the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu.
  2. Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
  3. In the CMD window, type the following command:
  4. ntdsutil
  5. In the CMD window, type the following command:
  6. snapshot
  7. To view all available snapshots, in the CMD window, type the following command:
    list mounted
    The result should look like this:
    snapshot: List Mounted
     1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
     2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348} C:'$SNAP_200810250314_VOLUMEC$'
  8. We'll unmount the mounted snapshot. In the CMD window, type the following command:
  9. unmount 2
    The result should look like this:
    snapshot: Unmount 2
    Snapshot {15c6f880-cc5c-483b-86cf-8dc2d3449348} unmounted.
  10. Next, leave NTDSUTIL by typing quit 2 times.
  11. Note: Like the mounting command, the mounting process can also be run in one line. However, note that NTDSUTIL requires that the "list mounted" command be run in the same session that you mount the snapshot. So in order to unmount the snapshot with a one-liner, you will need to run "list mounted" first.
    ntdsutil snapshot "list mounted" "unmount 2" quit quit

Deleting an Active Directory snapshot

You don't really have to delete the snapshot unless you want to.
In order to delete an Active Directory snapshot follow these steps:
  1. Open a Command Prompt window by clicking on the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu.
  2. Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
  3. In the CMD window, type the following command:
  4. ntdsutil
  5. In the CMD window, type the following command:
  6. snapshot
  7. To view all available snapshots, in the CMD window, type the following command:
  8. list all
    The result should look like this:
    snapshot: create
    snapshot: List All
     1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
     2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348}
  9. We'll delete the only available snapshot. In the CMD window, type the following command:
  10. delete 2
    The result should look like this:
    snapshot: delete 2
    Snapshot {15c6f880-cc5c-483b-86cf-8dc2d3449348} deleted.
  11. Next, leave NTDSUTIL by typing quit 2 times.

No comments:

Post a Comment