Taking Snapshots of your AD DS in Windows 2008

Apologies if you saw the earlier half-completed post. F12 in Windows Live Writer, I now know, publishes your blog!

I have recently been investigating the new extended functionality of NTDSUTIL in Windows 2008. It now has built-in functionality to create snapshots of Active Directory. To call it by its correct title, this is "Using the Active Directory Database Mounting". These are point-in-time VSS snapshots of the volumes that contain the Active Directory database and log files.

So what is the purpose of using this functionality in a Windows 2008 environment?

Well, this can speed up your restores. You can scan the various snapshots you have created over a period of time offline to identify which restore to use to recover your Active Directory data. This will shorten user downtime and will hopefully prevent the need to perform multiple restores to identify which backup to use.

Steps to Create and Mount a Snapshot

On release of Windows 2008, the creation and the mounting of the snapshot are all command-line driven, using the following two tools:

  • NTDSUTIL (Windows 2008 Version)
  • Dsamain.exe (shipped with Windows 2008)

1. To create the SnapShot. Log on to the Domain Controller as Administrator.

2. Type NTDSUTIL (press enter)

3. Type snapshot (press enter)

4. Type activate instance ntds (press enter)

5. At this command prompt, type create

6. The following screen should be displayed on the successful creation of the snapshot. Note the GUID!

[Screenshot: ntdssnap]

This snapshot is now ready to be mounted.

7. To mount the snapshot, type mount {Guid}, where {Guid} is the GUID of the snapshot. I suggest mark and paste :)

8. [Screenshot: mount]

See the following step-by-step guide for more commands:

https://technet2.microsoft.com/windowsserver2008/en/library/4503d762-0adf-494f-a08b-cf502ecb76021033.mspx?mfr=true

To Expose the Mounted Snapshot for offline viewing

1. Run a command prompt as an Administrator

2. Type the following command from the command prompt. Again I suggest Mark and Paste for the Path.

dsamain /dbpath c:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit /ldapport 51389

3. Once the snapshot is exposed, it can be viewed with LDP, Adsiedit, Active Directory Users and Computers, or ADExplorer.

 

To use Ldp.exe to access AD DS or AD LDS data that is stored in snapshots (taken from Step By Step Guide)

1. Click Start, click Run, type ldp, and then click OK.

2. Click Connection, and then click Connect.

3. In Server, type the name of the server, or type localhost and, in Port, type a port number that you specified previously with dsamain. For example, type 51389. Click OK.

4. Click Connection, and then click Bind.

5. In Bind type, click Bind as currently logged on user or click Bind with credentials and type a name, password, and domain for a user account that has permission to access the Active Directory data. Click OK.

6. Click View, and then click Tree.

7. In BaseDN, type the distinguished name of the parent container for the data that you want to view, and then click OK. For example, to view all objects in the Contoso domain, type:

dc=contoso,dc=com

8. Double-click the appropriate containers for the object that you want to view, and then double-click that object to view its properties.

To use Active Directory Users and Computers to access Active Directory data that is stored in snapshots

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

3. In the console tree, right-click Active Directory Users and Computers [FQDN], and then click Change Domain Controller.

4. Click <Type a Domain Controller name or an IP Address here>, type the following, and then press ENTER:

hostname:port

where hostname is the name of the server where the snapshots are stored and port is the LDAP port number that you specified previously with dsamain. For example, type the following, and then click OK:

DC1:51389

5. Double-click the appropriate containers for the object that you want to view, and then double-click that object to view its properties.

Now you have the ability to view your point-in-time snapshots of your Active Directory offline. This will quickly enable you to identify the correct backup to restore to your environment.
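
One way to use an exposed snapshot to pick the restore point, as an added example that is not from the original post or the Step-by-Step Guide: this PowerShell script compares user objects in the snapshot served by dsamain with the live directory and lists deletions, creations and changes. It assumes it runs on the domain controller where dsamain listens on port 51389, that the domain is dc=contoso,dc=com and that the live directory answers on the default LDAP port 389; the attributes compared are an illustrative choice.

```powershell
# Added example. Assumed values: port 51389 and dc=contoso,dc=com come from the
# steps above; port 389 and the attribute list are illustrative choices.
$baseDn     = 'dc=contoso,dc=com'
$snapshot   = "LDAP://localhost:51389/$baseDn"   # read-only snapshot served by dsamain
$live       = "LDAP://localhost:389/$baseDn"     # current directory on the same DC
$attributes = 'distinguishedname', 'useraccountcontrol', 'memberof'

function Get-UserTable([string]$Uri) {
    # Returns a hashtable: objectGUID -> hashtable of attribute values, one per user.
    $root     = New-Object System.DirectoryServices.DirectoryEntry($Uri)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 500    # paged search, so large domains are not truncated
    $searcher.PropertiesToLoad.AddRange([string[]](@('objectguid') + $attributes))
    $table   = @{}
    $results = $searcher.FindAll()
    foreach ($r in $results) {
        # Key on objectGUID: it survives renames and moves, unlike the DN.
        $bytes = [byte[]]$r.Properties['objectguid'][0]
        $guid  = (New-Object Guid (,$bytes)).ToString()
        $row   = @{}
        foreach ($a in $attributes) {
            # Sort multi-valued attributes so ordering differences are ignored.
            $row[$a] = (@($r.Properties[$a]) | Sort-Object) -join '; '
        }
        $table[$guid] = $row
    }
    $results.Dispose()
    return $table
}

$before = Get-UserTable $snapshot
$after  = Get-UserTable $live

foreach ($guid in $before.Keys) {
    if (-not $after.ContainsKey($guid)) {
        "DELETED since snapshot: $($before[$guid]['distinguishedname'])"
        continue
    }
    foreach ($a in $attributes) {
        if ($before[$guid][$a] -ne $after[$guid][$a]) {
            "CHANGED $a on $($after[$guid]['distinguishedname']): '$($before[$guid][$a])' -> '$($after[$guid][$a])'"
        }
    }
}
$after.Keys | Where-Object { -not $before.ContainsKey($_) } |
    ForEach-Object { "CREATED since snapshot: $($after[$_]['distinguishedname'])" }
```

Running it against each mounted snapshot in turn shows which one still contains the objects and group memberships you need to recover.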