In this post, I want to show you how you can use ntdsutil.exe to create snapshots of the Active Directory database and how you can use tools to examine their contents, either to compare or to transfer objects, without rebooting into Directory Services Restore Mode (DSRM).

Important:

Log on as a member of the Domain Admins group.

You must run NTDSUTIL from an elevated command prompt.

The ADDS service must be running to create a snapshot.

Create an Active Directory snapshot

To create a snapshot, use the NTDSUTIL tool with the following syntax:

ntdsutil.exe snapshot "Activate Instance NTDS" create quit quit

You can also create a scheduled task to create snapshots on a regular basis.

List all available snapshots

You can view a list of all created snapshots on a domain controller by running the following command:

ntdsutil.exe snapshot "list all" quit quit

As you can see, each snapshot is identified by a GUID.

Mount an Active Directory snapshot

To mount a snapshot, take note of the GUID of the snapshot you want to mount and then run the following command:

ntdsutil.exe "activate instance ntds" snapshot "mount {GUID}" quit quit

When the snapshot is mounted, take note of the path associated with it. You will use this path when connecting to the snapshot with the DSAMAIN command-line tool.

Connect an Active Directory snapshot

To connect to the mounted snapshot, use the DSAMAIN tool with the following syntax:

dsamain.exe /dbpath C:\$SNAP_201909011401_VOLUMEC$\Windows\NTDS\ntds.dit /ldapport 50389

You can expose the snapshot on any available TCP port number. Do not close the command prompt while DSAMAIN is running; the snapshot is only reachable as long as it runs. Once the snapshot is served this way, you can access it using Active Directory Users And Computers. To do this, perform the following steps:

Open Active Directory Users And Computers, right-click the root node and click Change Domain Controller. In the Change Directory Server dialog box, enter the name of the domain controller and the port you specified earlier.

You can then browse the contents of the snapshot in Active Directory Users And Computers in the same way as the contents of the live directory.

Unmount an Active Directory snapshot

To unmount a snapshot, first use Ctrl + C to close DSAMAIN and then run the following command to unmount the snapshot:

ntdsutil.exe "activate instance ntds" snapshot "unmount {GUID}" quit quit

Delete an Active Directory snapshot

Finally, if you want to delete the created snapshot, use the following command:

ntdsutil.exe snapshot "list all" "delete 1" quit quit
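The whole procedure above, scripted in PowerShell so that an object in the snapshot can be compared against the live directory before the snapshot is cleaned up. This is an added example, not code from the original post; it assumes you run it as a Domain Admin from an elevated PowerShell on the domain controller itself, that the ActiveDirectory RSAT module is installed, that TCP port 50389 is free, and it uses the placeholder account name jdoe.

```powershell
# Added example (not from the original post): create, mount and query an AD snapshot
# from PowerShell, diff one object against the live directory, then clean up.
# Assumptions: run as a Domain Admin from an elevated PowerShell on the DC itself,
# the ActiveDirectory module (RSAT) is installed, and TCP port 50389 is free.
$Port = 50389
$Dc   = $env:COMPUTERNAME
$User = 'jdoe'   # placeholder sAMAccountName to compare

# 1. Create a snapshot (same ntdsutil syntax as in the post).
ntdsutil.exe snapshot "Activate Instance NTDS" create quit quit | Out-Null

# 2. List snapshots and take the GUID of the newest one (last in the list).
$listOut = ntdsutil.exe snapshot "list all" quit quit
$Guid = ([regex]::Matches(($listOut -join "`n"), '\{[0-9a-fA-F-]{36}\}') |
        ForEach-Object { $_.Value })[-1]

# 3. Mount it and parse the mount path ("... mounted as C:\$SNAP_..._VOLUMEC$\").
$mountOut  = ntdsutil.exe "activate instance ntds" snapshot "mount $Guid" quit quit
$MountPath = [regex]::Match(($mountOut -join "`n"), '[A-Z]:\\\$SNAP_[^\s\\]+').Value
$DitPath   = Join-Path $MountPath 'Windows\NTDS\ntds.dit'

# 4. Serve the snapshot over LDAP on the alternate port as a background process.
$dsamain = Start-Process dsamain.exe -ArgumentList "/dbpath `"$DitPath`" /ldapport $Port" -PassThru
Start-Sleep -Seconds 15   # give dsamain time to open the port

try {
    # 5. Read the same object from snapshot and live directory and report differences.
    $props = 'memberOf', 'description', 'userAccountControl'
    $snap  = Get-ADUser -Identity $User -Server "${Dc}:$Port" -Properties $props
    $live  = Get-ADUser -Identity $User -Server $Dc -Properties $props
    foreach ($p in $props) {
        $s = @($snap.$p | Where-Object { $null -ne $_ })
        $l = @($live.$p | Where-Object { $null -ne $_ })
        $diff = Compare-Object -ReferenceObject $s -DifferenceObject $l
        if ($diff) { "$p changed since snapshot:"; $diff | Format-Table -AutoSize }
    }
}
finally {
    # 6. Stop dsamain (the post's Ctrl+C), then unmount and delete the snapshot.
    Stop-Process -Id $dsamain.Id -Force
    ntdsutil.exe "activate instance ntds" snapshot "unmount $Guid" quit quit | Out-Null
    ntdsutil.exe snapshot "list all" "delete $Guid" quit quit | Out-Null
}
```

The unmount and delete run in the finally block so a failed LDAP query does not leave a mounted snapshot behind.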

For more information about managing snapshots with NTDSUTIL, check out this link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v%3Dws.11)
