
Windows Server 2008 Active Directory Snapshot


One of the new features of Windows Server 2008 is that we can create snapshots of the Active Directory database for offline use. A snapshot volume is a shadow copy created by Shadow Copy and contains the Active Directory database and log files. Thanks to snapshots, we can view the Active Directory database and log files without starting the Domain Controller in Directory Services Restore Mode.

With an Active Directory snapshot, we can mount our backup file on a different port under AD DS and view the data in the backup file as read-only via LDAP.

Here are a few scenarios where we can use AD snapshots. For example, the properties of an object in AD were changed by one of the users, and the user then asked for the old properties to be restored. In such a case, we can mount the AD snapshot on a different port so that the changed object can be given back its old properties. We can also recover deleted objects in a similar way.

A mounted AD snapshot lets you view the types of existing objects and other information about them. However, it does not let you copy or move objects into the running database. You have to manually export the objects you want to copy or move and then import them into the working database.

Creating, mounting, exporting from and importing from snapshots may seem complicated at first, like solving a tricky math problem. However, as you use snapshots, you will see that it is not as difficult as it seems.

Another point we need to pay attention to is taking the necessary security measures to protect AD snapshots. For example, we can encrypt AD DS snapshots or take other measures to protect the data from unauthorized access.

Creating Active Directory Snapshot

To create Active Directory snapshots, you must use the NTDSUTIL command. If the AD DS or AD LDS role is installed on Windows Server 2008, we can run the NTDSUTIL command.

We can make it easier to take Active Directory snapshots by automating these processes. I will explain how to do this in the following sections.

How to Mount Active Directory Snapshot?

Before we can connect to a snapshot, we must first mount it. To mount the Active Directory snapshot, we complete the following operations. We open the command line (cmd) with administrator rights by choosing Run as Administrator.

We need to use the DSAMAIN command to connect to the Active Directory snapshot. DSAMAIN is a command that comes with Windows Server 2008. If the Active Directory Domain Services or Active Directory Lightweight Directory Services role is installed on the server, we can use the DSAMAIN command.

After starting DSAMAIN, we can use GUI tools such as Active Directory Users and Computers, LDP.exe and ADSIEDIT.msc to connect to the Active Directory snapshot. We can also use tools such as LDIFDE or CSVDE to export the data in the database after connecting to the snapshot.

When we connect to the data contained in the snapshot using DSAMAIN:

• All permissions on the data also apply to the snapshot.

• By default, members of the Domain Admins or Enterprise Admins group have permission to view snapshots.
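The comparison that the revert scenario above calls for, as an added example that is not part of the original article: it exports one object from the mounted snapshot and from the live directory with LDIFDE and diffs the two files. The DN, attribute list and output folder are hypothetical; port 10389 is the DSAMAIN port this article uses, and DSAMAIN is assumed to be running in another window.

```batch
@echo off
rem Added example: compare one object's attributes in the snapshot and the live AD.
rem Run on the DC while DSAMAIN is serving the mounted snapshot on port 10389.
setlocal

rem Hypothetical values: replace with the object and attributes you care about.
set "DN=CN=Jane Doe,OU=Staff,DC=example,DC=com"
set ATTRS=description,telephoneNumber,title
set OUT=C:\Scripts\compare

if not exist "%OUT%" mkdir "%OUT%"

rem -p base limits the export to the single object named by -d;
rem -l limits it to the listed attributes so the diff stays readable.
rem Old values come from the snapshot instance (DSAMAIN, port 10389).
ldifde -f "%OUT%\snapshot.ldf" -s localhost -t 10389 -d "%DN%" -p base -l %ATTRS%

rem Current values come from the running directory (port 389).
ldifde -f "%OUT%\live.ldf" -s localhost -t 389 -d "%DN%" -p base -l %ATTRS%

rem fc sets errorlevel 0 when the files match, 1 when they differ,
rem and 2 when a file is missing (for example, an export failed).
fc "%OUT%\snapshot.ldf" "%OUT%\live.ldf"
if errorlevel 2 (
    echo One of the exports is missing. Check the LDIFDE output above.
    exit /b 2
)
if errorlevel 1 (
    echo Attributes differ between the snapshot and the live directory.
    exit /b 1
)
echo No differences found for %DN%.
```

LDIFDE writes the exported record as changetype: add, so to put old values back on an object that still exists, edit the record into a changetype: modify entry before importing it with ldifde -i. The export files contain directory data, so keep the output folder readable by administrators only and delete the files when done.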

To use the DSAMAIN command, we need to know the full path to the NTDS.dit file. To view or copy the path of the NTDS.dit file:

Open Windows Explorer and browse to where the NTDS.dit file is located. Copy the path of the file along with the filename and extension.

Keep in mind that if we do not delete the Active Directory snapshot after unmounting it, we create a security risk.

Then we have to give the DSAMAIN command a port for LDAP requests. The important point here is that we should use a port that is not in use. In this example, I will use port 10389. The four consecutive ports starting at the port I assign to DSAMAIN are used for LDAP, LDAP/SSL, GC and GC/SSL. If you want, you can define a different port for each service.

• LDAP: 10389

• LDAP/SSL: 10390

• GC: 10391

• GC/SSL: 10392

Follow the steps below to connect to the Active Directory snapshot:

Log on with a user with Domain Admins authority on the Windows Server 2008 DC. Open the command line with “Run as Administrator” and enter the following command.

Disconnecting from the Active Directory Snapshot

To disconnect from the AD snapshot, all we have to do is use the CTRL+C key combination. As a result, we get an output like the following:

Active Directory Snapshot Unmount

We continue with the last step we need to do, namely unmounting the snapshot. Log on with a user with Domain Admins authority on the Windows Server 2008 DC. Open the command line with “Run as Administrator” and enter the following commands in order.

Deleting Active Directory Snapshot

To delete Active Directory Snapshots, we enter the following commands in order on the command line.
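The mount, connect, unmount and delete steps described above, put together as an added example; it is not the article's original command listing. It assumes the snapshot set is index 1 in the "list all" output, that NTDS.dit is in the default C:\Windows\NTDS folder, and that port 10389 is free.

```batch
@echo off
rem Added example (not the article's original commands): mount a snapshot,
rem expose it read-only with DSAMAIN, then unmount and delete it.
rem Run from an elevated prompt on the DC as a member of Domain Admins.
setlocal

rem Assumptions: the snapshot set is index 1 in "list all", NTDS.dit sits in
rem the default C:\Windows\NTDS folder, and 10389 is free (the article's port).
set SNAP_INDEX=1
set LDAP_PORT=10389

rem 1. Mount. "list all" runs in the same session so the index can be resolved.
ntdsutil snapshot "activate instance ntds" "list all" "mount %SNAP_INDEX%" quit quit

rem 2. Find NTDS.dit under the mount point (C:\$SNAP_<timestamp>_VOLUMEC$).
set "DIT="
for /d %%D in (C:\$SNAP_*_VOLUMEC$) do (
    if exist "%%D\Windows\NTDS\ntds.dit" set "DIT=%%D\Windows\NTDS\ntds.dit"
)
if not defined DIT (
    echo No mounted snapshot containing NTDS.dit was found.
    exit /b 1
)

rem 3. Serve the snapshot. SSL, GC and GC/SSL default to the next three ports.
rem    DSAMAIN blocks until CTRL+C; answer N to "Terminate batch job (Y/N)?"
rem    so that the cleanup below still runs.
echo Serving %DIT% on LDAP port %LDAP_PORT%
dsamain /dbpath "%DIT%" /ldapport %LDAP_PORT%

rem 4. Unmount, then delete, so no readable copy of the database is left behind.
ntdsutil snapshot "activate instance ntds" "list all" "unmount %SNAP_INDEX%" quit quit
ntdsutil snapshot "activate instance ntds" "list all" "delete %SNAP_INDEX%" quit quit

rem 5. Confirm that no snapshot mount point is left on the C drive.
if exist C:\$SNAP_*_VOLUMEC$ (
    echo WARNING: a snapshot mount point still exists under C:\
    exit /b 1
)
echo Snapshot unmounted and deleted.
```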

Now that we have covered how to take, mount, unmount and delete Active Directory snapshots, it’s time to automate the process of taking snapshots.

Automating Active Directory Snapshots

To automate Active Directory Snapshots, we first create a script file.

I name the file ad-snapshot.bat (you can give the file any name you want) and save it in a folder named Scripts on the C drive. If you want to run this script manually, you must be logged in with a user with Domain Admins or Enterprise Admins privileges.
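One way to write ad-snapshot.bat, as an added example rather than the author's own script: it creates the snapshot, keeps a log, and reports failure through the exit code and the Application event log so that a failed scheduled run is visible. The log path, event source name and event ID are assumptions, as is the English "generated successfully" text that NTDSUTIL prints after a successful create.

```batch
@echo off
rem ad-snapshot.bat: added example of a scheduled AD snapshot job.
rem Must run as a member of Domain Admins or Enterprise Admins.
setlocal

rem Assumed locations: the article's C:\Scripts folder plus a per-run temp file.
set LOG=C:\Scripts\ad-snapshot.log
set RUNOUT=%TEMP%\ad-snapshot-%RANDOM%.txt

echo ==== %DATE% %TIME% ==== >> "%LOG%"

rem Create the snapshot and capture this run's output separately, so the
rem success check below does not match text from an earlier run.
ntdsutil snapshot "activate instance ntds" create quit quit > "%RUNOUT%" 2>&1
type "%RUNOUT%" >> "%LOG%"

rem Assumption: English NTDSUTIL output contains "generated successfully"
rem when the snapshot set was created.
findstr /c:"generated successfully" "%RUNOUT%" > nul
if errorlevel 1 (
    echo RESULT: snapshot creation FAILED >> "%LOG%"
    rem Event source and ID are arbitrary values chosen for this example.
    eventcreate /t ERROR /id 100 /l APPLICATION /so ad-snapshot /d "AD snapshot creation failed, see %LOG%" > nul
    del "%RUNOUT%"
    exit /b 1
)

echo RESULT: snapshot created >> "%LOG%"
del "%RUNOUT%"
exit /b 0
```

Because the task runs this file with an administrative account, keep C:\Scripts writable by administrators only. Snapshots created on a schedule accumulate on the volume, so review and delete old ones regularly.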

Open Task Scheduler from Server Manager console.

On the Create Basic Task screen, we enter a name and description for the task we want to create and proceed by clicking Next.

After specifying when we want to run the task on the Task Trigger screen, we proceed.

In the Weekly window, we select the day and time we want to run the task.

We continue by selecting Start a Program in the Action section.

After pointing to the script we created via Browse, we continue by clicking Next.

We complete the process by taking a last look at the settings we have made so far.

We can go back to the Task Scheduler console and examine our task configuration.

To choose the account that runs the task, I right-click the task we defined in Task Scheduler, choose Properties, and go to the Change User or Group section on the General tab. I select the “Run whether user is logged on or not” option so that the task runs even if the user I define here has no logon session, and then click the Change User or Group button. (I do this so that the task can run, thanks to Run-as, even when I am logged in with a normal user account instead of the Administrator account.)

On the Select User or Group screen, I define the account that will run the script. Here I select the Administrator user and click OK.

After adding the user account, when I click OK to close this window, I get an authentication screen. I complete this step by entering the password of the user I added to run the script.

If we want to test the task we created, we can create a snapshot by right-clicking the task and clicking Run. If the snapshot is created, there is no problem.

We have come to the end of our article about Active Directory snapshot operations. I hope it was helpful.
