Monday, March 15, 2010

How To Snapshot Active Directory

Snapshots are a useful feature of Windows Server 2008. Taking a snapshot of Active Directory as a scheduled task can prove to be a wise precaution in case disaster strikes. Once they are mounted, they can be accessed by any LDAP tool which allows the user to specify a host name and port number.

Snapshots are a feature of Active Directory introduced in Windows Server 2008. In order to use them you don’t have to have your domain running in Windows Server 2008 mode but you do need at least one Windows Server 2008 or Windows Server 2008 R2 domain controller.

Snapshots are created and manipulated using the ntdsutil.exe command line utility. Once you have an Active Directory snapshot you can export it using dsamain.exe (otherwise known as the Active Directory database mounting tool), and you can then interact with it using any Active Directory or LDAP tool. To work with Active Directory snapshots you need to be a member of either the Domain Admins or Enterprise Admins group.

The process of creating an Active Directory snapshot is reasonably straightforward:

1. Log on to a Windows Server 2008 domain controller
2. Launch an elevated command prompt
3. Type ntdsutil and press enter
4. Type snapshot and press enter
5. Type activate instance ntds and press enter
6. Type create and press enter

The create command will return the following output:
Snapshot set {} generated successfully.

7. Type quit and press enter to return to the ntdsutil menu, then type quit again.


A snapshot can also be created with a single line ntdsutil.exe command:

ntdsutil snapshot "activate instance ntds" create quit quit


The single line command can be used to automate the creation of Active Directory snapshots by putting it in a batch file and using Task Scheduler to automate its execution (with the appropriate credentials).

Once snapshots have been created they can be listed with the ntdsutil.exe list all command:


A snapshot is then mounted using the mount command:


After the snapshot is mounted you can quit ntdsutil.

To export the data we use the dsamain.exe command line utility with the following syntax:

dsamain /dbpath /ldapport


Once the snapshot is exported with dsamain.exe you can connect to the LDAP server which it hosts using the familiar suite of Active Directory tools such as Active Directory Users and Computers or ADSIEdit. For example, to connect using Active Directory Users and Computers:

1. Launch Active Directory Users and Computers
2. Right-click Active Directory Users and Computers then click Change Domain Controller
3. Click , type the name of the Directory Server and port, press enter, then click OK

Active Directory Users and Computers is now accessing the snapshot data, and you will notice that the object attributes are read-only.
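
The create, mount and export steps above can be chained into one PowerShell script. This is an added example, not code from the original post. The port number, the default Windows\NTDS database location and the "mounted as" line matched in ntdsutil's mount output are assumptions, and the unmount subcommand used for cleanup is not covered in the post.

```powershell
# Added example: create, mount and serve an AD snapshot, then clean up.
# Run from an elevated PowerShell prompt on a Windows Server 2008 or later
# domain controller, as a Domain Admins or Enterprise Admins member.

$LdapPort = 51389   # assumption: a free port picked for this example

# 1. Create the snapshot and read the set GUID from the success message.
$out = ntdsutil snapshot "activate instance ntds" create quit quit | Out-String
if ($out -notmatch 'Snapshot set (\{[0-9a-fA-F-]{36}\}) generated successfully') {
    throw "Snapshot creation failed:`n$out"
}
$guid = $Matches[1]

# 2. Mount the snapshot.
#    Assumption: ntdsutil reports the mount point as "... mounted as <path>".
$out = ntdsutil snapshot "activate instance ntds" "mount $guid" quit quit | Out-String
if ($out -notmatch 'mounted as (\S+)') {
    # Nothing was mounted, so there is nothing to clean up here.
    throw "Mount failed:`n$out"
}
$mountPoint = $Matches[1]

try {
    # Assumption: the database is in the default Windows\NTDS folder on
    # the mounted volume. Adjust if ntds.dit was placed elsewhere.
    $dit = Join-Path $mountPoint 'Windows\NTDS\ntds.dit'
    if (-not (Test-Path -LiteralPath $dit)) {
        throw "ntds.dit not found at $dit"
    }

    # 3. Serve the snapshot over LDAP. dsamain stays in the foreground
    #    until it is stopped with Ctrl+C; while it runs, point any LDAP
    #    tool at <this server>:$LdapPort.
    Write-Host "Serving snapshot $guid on LDAP port $LdapPort"
    dsamain /dbpath $dit /ldapport $LdapPort
}
finally {
    # 4. Unmount so the copy of the directory database does not stay
    #    readable on disk after the session ends.
    ntdsutil snapshot "activate instance ntds" "unmount $guid" quit quit
}
```

The mounted volume holds a full copy of ntds.dit, so the script unmounts it even when the database check or dsamain fails.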