Analysis of Windows Server 2008 – AD Snapshot Viewer

This feature is currently known as the “Database Mounting Tool” (DMT), which is better than the previous name of “Data Mining Tool”. Who knows what we’ll end up calling this at RTM, but I like the previous name “Snapshot Viewer” the best so this is what I entitled the post.

DMT allows you to quickly take snapshots of your AD database at any point in time and view those snapshots using the LDP viewer of your choice. At first I was extremely excited about this feature, but after realizing the command-line action you have to go through in order to do this (see below), it killed my buzz a little bit. If you compare this to automating ldifde/csvde backups of your AD, I can see these advantages to snapshots:

  • You can mount a snapshot and attach GUI LDP tools to it. The ldifde/csvde method doesn’t do this.
  • You can “backup” the entire database in one shot. Ldifde/csvde only allows a single DN or partition per shot.
  • The ldifde/csvde dump of your entire partition is in clear text and snapshots are not. However, from a security standpoint there’s not much difference: anyone who has the snapshot file can also open it, just not as easily.

Below is a general process flow for recovering deleted object(s) more quickly using DMT (see step-by-step guide for more details):
1) Create a snapshot of your AD database using the ntdsutil snapshot sub-context menu system.
    Note: This can be automated if you so choose.

2) Mount the snapshot of your choice by using ntdsutil snapshot sub-context menu system again.

3) Make this snapshot readable by LDP, ADSIedit, AD Users and Computers (ADUC or dsa.msc), or other LDAP viewers using dsamain.exe (new tool included with WS2008 by default).
    Note: At this point, you can view any object/attribute/etc of the snapshot to use for comparison.

Two paths to restore objects (using only MS tools):
4) Export/import the information from the snapshot to recover objects using ldifde/csvde:
    a. Utilize the tombstone reanimation process (same as in Server 2003) to recreate the object(s) which were deleted. The ADRestore tool also helps here.
    b. Restore metadata such as back-links, attributes, etc for those objects by utilizing ldifde.

5) Do an authoritative restore of a portion of the objects using NTDSutil (same way as you would in Server 2003). You can restore objects which haven't already been deleted from a DC (i.e. replication hasn't reached this DC yet) by using the restartable AD feature.
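
Steps 1 to 3 above, scripted end to end. This is an added example, not part of the original post or Microsoft's guide. It assumes PowerShell 2.0 or later, an elevated prompt on the DC, a free port 51389, the default NTDS database location, and that ntdsutil prints "Snapshot set {GUID} generated" and "mounted as <path>" as matched below.

```powershell
# Added example: snapshot -> mount -> serve over LDAP -> unmount.
# Assumed values: the port, the database path and the ntdsutil output wording.
param(
    [int]$LdapPort = 51389,                        # dsamain also takes the next three ports
    [string]$DbRelPath = 'Windows\NTDS\ntds.dit'   # default location of the AD database
)

# 1) Create the snapshot and capture the snapshot-set GUID from the output.
$out = & ntdsutil snapshot 'activate instance ntds' create quit quit | Out-String
if ($out -notmatch 'Snapshot set (\{[0-9a-fA-F-]{36}\}) generated') {
    throw "Snapshot creation failed:`n$out"
}
$setGuid = $Matches[1]

# 2) Mount the set. Each volume in it is reported as "mounted as <path>".
$out = & ntdsutil snapshot 'activate instance ntds' "mount $setGuid" quit quit | Out-String
$mounts = [regex]::Matches($out, 'mounted as (\S+)') |
    ForEach-Object { $_.Groups[1].Value }

try {
    # Pick the mounted volume that actually holds the database file.
    $dit = $mounts | ForEach-Object { Join-Path $_ $DbRelPath } |
        Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $dit) { throw "No ntds.dit found under: $($mounts -join ', ')" }

    # 3) Expose the snapshot to LDAP viewers. Blocks until Ctrl+C.
    Write-Host "Serving $dit on LDAP port $LdapPort (Ctrl+C to stop)"
    & dsamain /dbpath $dit /ldapport $LdapPort
}
finally {
    # Unmount even on error or Ctrl+C so the mounted copy of the
    # database is not left readable on disk.
    & ntdsutil snapshot 'activate instance ntds' "unmount $setGuid" quit quit
}
```

While dsamain is running, point LDP or ADUC at localhost on the chosen port. The snapshot itself stays on the DC after unmounting until it is removed with the `delete` command in the same ntdsutil snapshot context.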

Bottom line: DMT is a nice feature to be able to view previous snapshots of your AD, but overall our restore story still doesn't help as much as some of the 3rd party tools do with AD object recovery (see below).

GET STARTED:
Database Mounting Tool Feature Overview
Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008
Ntdsutil snapshot command line syntax
Dsamain command line syntax
Microsoft Sysinternal ADRestore tool

Quest’s AD recovery tools
Scriptlogic's Active Administrator