Working with Active Directory Snapshots in Windows Server 2008
Windows Server 2008 has a new feature allowing administrators to create snapshots of the Active Directory database for offline use.
With AD snapshots you can mount a backup of AD DS under a different set of ports and have read-only access to your backups through LDAP.
You should take measures to protect AD snapshots in a manner that is similar to protecting your regular DC backups. For example, use encryption or other data security precautions with AD DS snapshots to help mitigate the chance of unauthorized access to them.
There are quite a few scenarios for using AD snapshots. For example, if someone has changed properties of AD objects and you need to revert to their previous values, you can mount a copy of a previous snapshot to an alternate port and easily export the required attributes for every object that was changed. These values can then be imported into the running instance of AD DS. You can also restore deleted objects or simply view objects for diagnostic purposes.
AD snapshots, when mounted and connected to, let you see how the AD database looked at the moment the snapshot was created: which objects existed, what their attribute values were, and so on. However, out of the box, a snapshot does not allow you to move or copy items or information from it to the live database. In order to do that you will need to manually export the relevant objects or attributes from the snapshot, and manually import them back into the live AD database.
While the process of creating a snapshot, mounting it, connecting to it, disconnecting, unmounting and (perhaps) deleting it may seem a little confusing at first, after running through it a few times you'll get the hang of it. In any case it's a lot better than the alternative - taking down the DC, rebooting into DSRM, restoring the System State from a backup, and then exporting the attributes.
Here's how to do it.
Creating an Active Directory snapshot
In order to create an Active Directory snapshot you need to use the NTDSUTIL command. NTDSUTIL is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role or the AD LDS server role installed.

Please follow these steps:

- Log on as a member of the Domain Admins group to one of your Windows Server 2008 Domain Controllers.
- Open a Command Prompt window by clicking on the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu. Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
- In the CMD window, type the following command:

  ntdsutil

- In the CMD window, type the following command:

  snapshot

  Note: NTDSUTIL uses nested menu commands that you type one after the other. You can type "?" at any time to get the different command options at any menu level. Also note that you can usually type in the first few letters of each command. For example, instead of typing "snapshot" you can simply type "sna".
- Before you can run the snapshot subcommand, you must run the activate instance subcommand in NTDSUTIL to set an active instance. In the CMD window, type the following command:

  activate instance ntds

  The result should look like this:

  snapshot: Activate Instance ntds
  Active instance set to "ntds".
- In the CMD window, type the following command:

  create

  The result should look like this:

  snapshot: create
  Creating snapshot...
  Snapshot set {3a861a35-2f33-4d7a-8861-a10e47afdaba} generated successfully.
- To view all available snapshots, in the CMD window, type the following command:

  list all

  The result should look like this:

  snapshot: create
  snapshot: List All
   1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
   2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348}
- Next, you can leave the NTDSUTIL running, or you can quit by typing quit 2 times.

Note: NTDSUTIL allows you to run the above commands in one line. Run the following command:

ntdsutil "Activate Instance NTDS" snapshot create quit quit

You can easily automate this process.
Mounting an Active Directory snapshot
Before connecting to the snapshot we need to mount it. By looking at the results of the List All command in the previous section, identify the snapshot that you wish to mount, and note the number next to it.

In order to mount an Active Directory snapshot follow these steps:

- Log on as a member of the Domain Admins group to one of your Windows Server 2008 Domain Controllers.
- Open a Command Prompt window by clicking on the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu. Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
- In the CMD window, type the following command:

  ntdsutil

- In the CMD window, type the following command:

  snapshot

- To view all available snapshots, in the CMD window, type the following command:

  list all

  The result should look like this:

  snapshot: List All
   1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
   2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348}
- In this example we only have one snapshot available, one from 2008/10/25 at 03:14AM (yes, I write articles at this time…). We'll mount this one. In the CMD window, type the following command:

  mount 2

  The result should look like this:

  snapshot: mount 2
  Snapshot {15c6f880-cc5c-483b-86cf-8dc2d3449348} mounted as C:\$SNAP_200810250314_VOLUMEC$
- Next, you can leave the NTDSUTIL running, or you can quit by typing quit 2 times.

Note: Like the above command, the mounting process can also be run in one line. However, note that NTDSUTIL requires that the "list all" command be run in the same session in which you mount the snapshot. So in order to mount the snapshot with a one-liner, you will need to run "list all" first:

ntdsutil snapshot "list all" "mount 2" quit quit

Note: You do not need to quit from the NTDSUTIL command; you can keep it open, assuming that you'll probably want to unmount the snapshot right after working with it.
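The creation and mounting steps above lend themselves to scripting. The following PowerShell is an added example, not code from the original article: it runs the same NTDSUTIL one-liners and parses the tool's replies instead of reading them by eye. It assumes an elevated prompt on the DC as a Domain Admin and that NTDSUTIL prints the "Snapshot set {GUID} generated successfully", " N: C: {GUID}" and "mounted as <path>" lines shown above; the function names are hypothetical.

```powershell
# Added example, not code from the original article. Assumptions: elevated prompt on
# the DC as a Domain Admin; NTDSUTIL output lines look like the ones shown in the
# article ("Snapshot set {GUID} generated successfully", " N: C: {GUID}",
# "mounted as <path>"); snapshot numbering is stable between two consecutive runs.

function New-ADSnapshot {
    # Runs the one-line create command and returns the snapshot set GUID it reports.
    $out = & ntdsutil "activate instance ntds" snapshot create quit quit 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'Snapshot set (\{[0-9a-fA-F-]+\}) generated successfully') {
            return $Matches[1]
        }
    }
    throw "NTDSUTIL did not report a new snapshot:`n$($out -join "`n")"
}

function Mount-ADSnapshot {
    param([Parameter(Mandatory = $true)][string]$SetGuid)
    # "list all" prints one line per snapshot set (timestamp + set GUID) followed by
    # one line per volume in that set (" N: C: {GUID}"). "mount" takes the volume
    # index from the same session, so the index is looked up first and then
    # "list all" and "mount N" are run together, exactly like the one-liner above.
    $listing = @(& ntdsutil snapshot "list all" quit quit 2>&1)
    $volIdx = $null
    for ($i = 0; $i -lt $listing.Count; $i++) {
        if ("$($listing[$i])" -match [regex]::Escape($SetGuid) -and
            "$($listing[$i + 1])" -match '^\s*(\d+):\s+[A-Z]:\s+\{') {
            $volIdx = [int]$Matches[1]
            break
        }
    }
    if ($null -eq $volIdx) { throw "Snapshot set $SetGuid not found in 'list all' output" }
    $out = & ntdsutil snapshot "list all" "mount $volIdx" quit quit 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'mounted as (\S+)') {
            # The mounted volume keeps the live layout, so the DIT sits under \Windows\NTDS.
            return Join-Path $Matches[1] 'Windows\NTDS\ntds.dit'
        }
    }
    throw "mount $volIdx failed:`n$($out -join "`n")"
}

# Typical use: keep the returned path for DSAMAIN in the next section.
$setGuid = New-ADSnapshot
$ditPath = Mount-ADSnapshot -SetGuid $setGuid
"Snapshot $setGuid mounted; DIT at $ditPath"
```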
Connecting an Active Directory snapshot
In order to connect to the AD snapshot you've mounted you will need to use the DSAMAIN command. DSAMAIN is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed.

After using DSAMAIN to expose the information inside the AD snapshot, you can use any GUI tool that can connect to the specified port, such as Active Directory Users and Computers (DSA.msc), ADSIEDIT.msc, LDP.exe or others. You can also connect to it by using command-line tools such as LDIFDE or CSVDE, which allow you to export information from that database.

Note:
- All permissions that apply to the data in the snapshot are enforced.
- By default, only members of the Domain Admins group and the Enterprise Admins group are allowed to view a snapshot because it can contain sensitive AD DS data.

DSAMAIN needs the path of the NTDS.dit file inside the mounted snapshot. You can get it in one of two ways:
- Open Windows Explorer and drill down through the folder tree until you reach the path where the NTDS.dit file is located. Copy the file's path, including the file name and extension.
- Do the above, but instead of relying on that path, you can simply copy the NTDS.dit file to any location of your choice. After doing that, note the file's new path. Don't forget the file name and extension. If you chose that way, remember that un-mounting the AD snapshot and deleting it won't actually delete the NTDS.dit file you've copied, and that, if not taken care of, might pose a security risk…

DSAMAIN also needs the port numbers on which it exposes the snapshot. In this example we use the following ports (only the LDAP port is passed on the command line below):
- LDAP: 10389
- LDAP/SSL: 10390
- GC: 10391
- GC/SSL: 10392

Please follow these steps:
- Log on as a member of the Domain Admins group to one of your Windows Server 2008 Domain Controllers.
- Open a Command Prompt window by clicking on the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu. Note: You must run DSAMAIN from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
- In the CMD window, type the following command:

  dsamain -dbpath "C:\$SNAP_200810250314_VOLUMEC$\Windows\NTDS\ntds.dit" -ldapport 10389

You will not get any visual confirmation that the snapshot has been connected to. The only thing that will actually indicate that the DIT is mounted is the message "Microsoft Active Directory Domain Services startup complete". Do not close the command prompt. As long as DSAMAIN is running, you can access the directory over LDAP on the port you specified.

The result should look like this:

C:\Users\Administrator>dsamain -dbpath "C:\$SNAP_200810250314_VOLUMEC$\Windows\NTDS\ntds.dit" -ldapport 10389
EVENTLOG (Informational): NTDS General / Service Control : 1000
Microsoft Active Directory Domain Services startup complete, version 6.0.6001.18072

Disconnecting from the Active Directory snapshot
In order to disconnect from the AD snapshot all you need to do is to type CTRL+C at the DSAMAIN command prompt window. You'll get a message indicating that the DS shut down successfully.
The result should look like this:
EVENTLOG (Informational): NTDS General / Service Control : 1004 Active Directory Domain Services was shut down successfully.
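The connect and disconnect steps above, combined with the "revert changed properties" scenario from the introduction, as an added PowerShell example (not code from the original article): it starts DSAMAIN on the LDAP port used above, compares one user's attributes between the snapshot and the live directory through System.DirectoryServices, and then stops DSAMAIN as CTRL+C would. It assumes the DIT path from the mounting section, a free port 10389 on the DC, and an account allowed to read the snapshot; the function names are hypothetical.

```powershell
# Added example, not code from the original article. Assumptions: $DitPath is the
# ntds.dit inside a mounted snapshot, port 10389 is free on this DC, and the caller
# may read the snapshot (by default Domain Admins / Enterprise Admins only).
Add-Type -AssemblyName System.DirectoryServices

function Get-DirectoryAttributes {
    param([string]$Server, [string]$SamAccountName, [string[]]$Attributes)
    # $Server is "localhost" for the live DC or "localhost:10389" for DSAMAIN.
    $rootDse  = New-Object DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    $root     = New-Object DirectoryServices.DirectoryEntry("LDAP://$Server/$($rootDse.Properties['defaultNamingContext'][0])")
    $searcher = New-Object DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$SamAccountName)", $Attributes)
    $result   = $searcher.FindOne()
    if ($null -eq $result) { throw "$SamAccountName not found on $Server" }
    $values = @{}
    foreach ($a in $Attributes) { $values[$a] = @($result.Properties[$a] | Sort-Object) }
    return $values
}

function Compare-ADSnapshotUser {
    param(
        [Parameter(Mandatory = $true)][string]$DitPath,
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string[]]$Attributes = @('displayName', 'mail', 'memberOf', 'userAccountControl'),
        [int]$LdapPort = 10389
    )
    $argList = "-dbpath `"$DitPath`" -ldapport $LdapPort"
    $dsamain = Start-Process dsamain -ArgumentList $argList -PassThru -WindowStyle Hidden
    try {
        # DSAMAIN prints no prompt; poll until it listens on the port (up to 30 s).
        $ready = $false
        foreach ($attempt in 1..30) {
            try { (New-Object Net.Sockets.TcpClient('localhost', $LdapPort)).Close(); $ready = $true; break }
            catch { Start-Sleep -Seconds 1 }
        }
        if (-not $ready) { throw "DSAMAIN did not open port $LdapPort" }
        $snap = Get-DirectoryAttributes "localhost:$LdapPort" $SamAccountName $Attributes
        $live = Get-DirectoryAttributes 'localhost' $SamAccountName $Attributes
        $diff = @{}
        foreach ($a in $Attributes) {
            if (($snap[$a] -join '|') -ne ($live[$a] -join '|')) {
                $diff[$a] = @{ Snapshot = $snap[$a]; Live = $live[$a] }
            }
        }
        return $diff   # empty hashtable when nothing changed since the snapshot
    } finally {
        # Same effect as CTRL+C in the DSAMAIN window: the snapshot goes offline again.
        if (-not $dsamain.HasExited) { Stop-Process -Id $dsamain.Id }
    }
}
```

The returned hashtable lists, per changed attribute, the snapshot value next to the live value, which is the input you need before importing the old values back with LDIFDE.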
Unmounting an Active Directory snapshot
The last thing we need to do is to unmount the snapshot. Again, this can be done through the NTDSUTIL command.

In order to unmount an Active Directory snapshot follow these steps:

- Open a Command Prompt window by clicking on the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu. Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
- In the CMD window, type the following command:

  ntdsutil

- In the CMD window, type the following command:

  snapshot

- To view all mounted snapshots, in the CMD window, type the following command:

  list mounted

  The result should look like this:

  snapshot: List Mounted
   1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
   2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348} C:\$SNAP_200810250314_VOLUMEC$
- We'll unmount the mounted snapshot. In the CMD window, type the following command:

  unmount 2

  The result should look like this:

  snapshot: Unmount 2
  Snapshot {15c6f880-cc5c-483b-86cf-8dc2d3449348} unmounted.
- Next, leave NTDSUTIL by typing quit 2 times.

Note: Like mounting, unmounting can also be run in one line. However, note that NTDSUTIL requires that the "list mounted" command be run in the same session in which you unmount the snapshot. So in order to unmount the snapshot with a one-liner, you will need to run "list mounted" first:

ntdsutil snapshot "list mounted" "unmount 2" quit quit
Deleting an Active Directory snapshot
You don't really have to delete the snapshot unless you want to.

In order to delete an Active Directory snapshot follow these steps:

- Open a Command Prompt window by clicking on the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu. Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
- In the CMD window, type the following command:

  ntdsutil

- In the CMD window, type the following command:

  snapshot

- To view all available snapshots, in the CMD window, type the following command:

  list all

  The result should look like this:

  snapshot: List All
   1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
   2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348}
- We'll delete the only available snapshot. In the CMD window, type the following command:

  delete 2

  The result should look like this:

  snapshot: delete 2
  Snapshot {15c6f880-cc5c-483b-86cf-8dc2d3449348} deleted.
- Next, leave NTDSUTIL by typing quit 2 times.
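The unmount and delete steps above, as an added PowerShell example (not code from the original article): it finds the mounted snapshot by its mount path in "list mounted", unmounts it by index in the same NTDSUTIL session, and then locates the same volume GUID in "list all" to delete it, checking each reply. It assumes an elevated prompt on the DC and the output layout shown above; the function name is hypothetical.

```powershell
# Added example, not code from the original article. Assumptions: elevated prompt on
# the DC; "list mounted" prints index, volume GUID and mount path as shown in the
# article; numbering does not change between two consecutive NTDSUTIL runs.

function Remove-ADSnapshot {
    param([Parameter(Mandatory = $true)][string]$MountPath)   # e.g. C:\$SNAP_200810250314_VOLUMEC$
    # 1. Find the mounted volume's index and GUID, then unmount by index in one session.
    $mounted = @(& ntdsutil snapshot "list mounted" quit quit 2>&1)
    $idx = $null
    foreach ($line in $mounted) {
        if ("$line" -match ('^\s*(\d+):\s+[A-Z]:\s+(\{[0-9a-fA-F-]+\})\s+' + [regex]::Escape($MountPath))) {
            $idx = [int]$Matches[1]; $guid = $Matches[2]; break
        }
    }
    if ($null -eq $idx) { throw "No mounted snapshot at $MountPath" }
    $out = & ntdsutil snapshot "list mounted" "unmount $idx" quit quit 2>&1
    if ("$out" -notmatch 'unmounted') { throw "unmount $idx failed:`n$($out -join "`n")" }
    # 2. The volume GUID is unchanged, so use it to find the entry in "list all" and delete it.
    $all = @(& ntdsutil snapshot "list all" quit quit 2>&1)
    $delIdx = $null
    foreach ($line in $all) {
        if ("$line" -match ('^\s*(\d+):.*' + [regex]::Escape($guid))) { $delIdx = [int]$Matches[1]; break }
    }
    if ($null -eq $delIdx) { throw "Snapshot $guid is no longer listed" }
    $out = & ntdsutil snapshot "list all" "delete $delIdx" quit quit 2>&1
    if ("$out" -notmatch 'deleted') { throw "delete $delIdx failed:`n$($out -join "`n")" }
    # Deleting the snapshot does not remove any ntds.dit you copied out of it by hand.
    return $guid
}

Remove-ADSnapshot -MountPath 'C:\$SNAP_200810250314_VOLUMEC$'
```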