How to Create Active Directory snapshots?

Good Day.

Today i have a new post for you that will help all AD administrators with issues similar to the one I faced recently which is comparing AD information between 2 time frames as some information was needed by the audit team.

The scenario is to take a scheduled active directory snapshots and restore AD database in offline mode so that you may compare the data you have.

Basically this tool creates a shadow copy of volumes that holds active directory data (Database and logs) using “Volume Shadow Copy Service (VSS)” running on server.

In order to create, view or restore AD snapshots, you need to be member of domain admin group or the enterprise administrator group.

Let’s go through the procedure for how we can create active directory snapshots.

  1. Log in the domain controller as a domain administrator or enterprise administrator with appropriate permissions.
  2. Right click on start button and select “Command Prompt (Admin)”. It will open up the command line interface.
  3. In command prompt type ntdsutil and enter to open up the ntdsutil tool.
  4. In next type activate instance ntds and press enter.
  5. Then type snapshot and press enter.ntds1
  6. Then type list all
  7. It will list down all the snapshot created.
  8. Then run command mount 2 ( this is the order number showing in list of snapshot and I needed to mount the one listed in number 2)ntds2
  9. Then as it saying it successfully mounted to the C: drive with folder Snapshot {b616bdfc-6e38-482b-b150-0247155e64e7} mounted as C:\$SNAP_201807181211_VOLUMEC$\ntds3.jpg
  10. Then enter quit command twice to exit from utility.
  11. Now to connect with the mounted snapshot we need to execute followingdsamain –dbpath C:\$SNAP_201807181211_VOLUMEC$\Windows\WinSxS\amd64_microsoft-windows-d..rvices-domain-files_31bf3856ad364e35_6.3.9600.18476_none_8bd6131b174d5ba6\ntds.dit–ldapport 10000

    ntds4.jpg

  12. “Go to server manager > tools > active directory users and computers”ntds5.jpg
  13. In mmc right click on active directory users and computers option and select change domain controller optionntds6.jpg
  14. In here type the domain controller name and the port. Then click ok the port should be 10000 ( the one we use with snapshot)ntds7
  15. As we can see here it successfully connect with the instance.ntds8.jpg
  16. now you have an offline copy of the AD database and you can look into the information you need.

Disconnect and unmount snapshot

In order to disconnect from the running instance, open the command line we left open and press CTRL+C

ntds9.jpg

  1. type ntdsutil to go in to ntdsutil utility
  2. In next type activate instance ntds and press enter.
  3. type snapshot and press enter.
  4. type list all
  5. This will list down all the snapshot created.ntds10
  6. type unmount 2 (this is the snapshot number I mapped). This will unmount the snapshot.
  7. enter quit command twice to exit.

ntds11

Best Regards.

Hisham Mezher

Published by hishammezher

I am a highly talented, Self-directed, flexible, focused, eager to learn new technologies and a proven technology professional with comprehensive accomplishments leading business development, program design, legacy system digital transformation and solutions architecture. I am able to effectively communicate ensuring superior customer service to maintain a strong customer relationship, committed to individual and team assignments and able to manage multiple tasks with aggressive timelines to formulate effective solutions increasing productivity and efficiency for cloud, Local or hybrid cloud setups.

Leave a Comment