Active Directory Snapshot, new feature in Windows 2008


Windows Server 2008 has a new feature allowing administrators to create snapshots of the Active Directory database for offline use. With AD snapshots you can mount a backup of AD DS under a different set of ports and have read-only access to your backups through LDAP. There are quite a few scenarios for using AD snapshots. For example, if someone has changed properties of AD objects and you need to revert to their previous values, you can mount a copy of a previous snapshot to an alternate port and easily export the required attributes for every object that was changed. These values can then be imported into the running instance of AD DS. You can also restore deleted objects or simply view objects for diagnostic purposes.

AD snapshots, when mounted and connected to, allow you to see how the AD Database looked like at the moment of the snapshot creation, what objects existed and other type of information. However, out of the box, it does not allow you to move or copy items or information from the snapshot to the live database. In order to do that you will need to manually export the relevant objects or attributes from the snapshot, and manually import them back to the live AD database. The process is listed out as 1. creating a snapshot, 2. mounting it, 3. connecting to it, 4. disconnecting, 5. unmounting and 6. deleting it. In any case it's a lot better than the alternative - taking down the DC, rebooting into DSRM, restoring the System State from a backup, and then exporting the attributes.

1. Create a snapshot:

open CMD.exe, Ntdsutil, activate instance ntds, snapshot, create, list all.


2. Mounting an Active Directory snapshot:

Before connecting to the snapshot we need to mount it. By looking at the results of the List All command in above step, identify the snapshot that you wish to mount, and note the number next to it.

Type Ntdsutil, Snapshot, List all, Mount 2. The snapshot gets mounted to c:\$SNAP_200901250030_VOLUMEC$. Now you can refer this path to see the objects in these snapshots.


3. Connecting an Active Directory snapshot:

In order to connect to the AD snapshot you've mounted you will need to use the DSAMAIN command. DSAMAIN is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed.

After using DSAMAIN to expose the information inside the AD snapshot, you can use any GUI tool that can connect to the specified port, tools such as Active Directory Users and Computers (DSA.msc), ADSIEDIT.msc, LDP.exe or others. You can also connect to it by using command line tools such as LDIFDE or CSVDE, tools that allow you to export information from that database.

dsamain -dbpath " c:\$SNAP_200901250030_VOLUMEC$\Windows\NTDS\ntds.dit" -ldapport 10289


The above command will allow you to access the database using port 10289.

Now you can use LDP.exe tool to connect to this mounted instance.


4. Disconnecting from the Active Directory snapshot:

In order to disconnect from the AD snapshot all you need to do is to type CTRL+C at the DSAMAIN command prompt window. You'll get a message indicating that the DS shut down successfully.


5. Unmounting the snapshot:

Run command, Ntdsutil, Snapshot, List all, Unmount 2.


Comments (3)
  1. Mifo says:

    Cool. Thank you.

    Compare to other, even more famous IT sites, you dont have typos or mistakes in the commands, so when I follow it, it works!!!

  2. 4myinfo says:

    does this need to be done on a domain controller or can be done from a domain joined workstation

  3. sjsueztech says:

    Question: We redirect our NTDS folder to a separate partition, when I try to mount the snapshot I created, it fails. This appears to be to the fact that the snapshot does not know about the NTDS folder being redirected and only takes a snapshot of the
    c directory structure.

    Has anyone else run into this? Any fixes?

    In the process of writing the question, I figured it out myself. I noticed that there are 3 snapshots that I have access to and one of them was for my E drive partition where my "NTDS" folder resides, so I mounted that snapshot instead, since the path is valid
    given the "NTDS" folder actually exists in that partition. The difference in the syntax for the example give above would something like below:

    dsamain -dbpath " c:$SNAP_200901250030_VOLUMEE$WindowsNTDSntds.dit" -ldapport 10289

    Notice that instead of using "…30_VOLUMEC$…"; instead, we use "…30_VOLUMEE$…"

    Hopefully, this is helpful to someone else.

Comments are closed.

Skip to main content