Active Directory Snapshots are a tool you can use to query old Active Directory data. It’s not a complete backup system - but rather allows you to access older versions of your Active Directory. This would allow you to use other tools to perform disaster recoveries as needed.

Snapshots work like this:

1. Create a job to create snapshots
2. Mount a snapshot to an alternate port
3. Connect to that alternate port and view your old data

To create a new snapshot we need to open Command Prompt as an administrator and run the following commands:

ntdsutil

snapshot

Activate Instance NTDS

create

q

q

I am using one of Server Academy’s IT labs that are provided to all of our members for testing purposes. These labs are perfect since I don’t have to worry about losing data. If I mess up all, I need to do is click a button to revert the lab and I have everything back within minutes.

I am going to open Active Directory Users and Computers and make sure I have Advanced Features enabled:

Next remove the deletion protection from an Organizational Unit by right-clicking the OU you want to delete, selecting properties, go to the Object tab and un-check Protect object from accidental deletion:

Im going to use an OU in my lab called Domain Groups. Once I remove the protection, I can right-click and delete the OU:

So now the OU is missing and I can get on to mounting the old snapshot:

We can use NTDS snapshotting to view the old data. Open CMD as an Admin again, and run the following commands:

ntdsutil
snapshot
list all

This will return all snapshots 

First we need to run the mount command followed by the snapshot we wish to mount. In this case I will be mounting snapshot 1:

mount 1

This will output the directory where the snapshot is now mounted. Go ahead and exit the utilities by pressing Q until your back at the normal command prompt:

This mounts the old AD to the C drive:

The inside of that directory looks just like our C drive and it contains the Active Directory database file that contains AD information like user accounts, groups, and password hashes.

Now we are going to use a utility called dsamain (AD/DS/LDS offline data browser) to mount this older version (snapshot) of Active Directory to an alternative port that we can connect to and view. Open CMD as an Administrator and  run the command below (be sure to change the path to your snapshot location):

dsamain /dbpath c:\$SNAP_202004061016_VOLUMEC$\windows\ntds\ntds.dit /ldapport 5000

We will see that the command completed successfully:

Note: You need to keep this window open in order for the old data to be accessible on the port you specified. If you close this command prompt window, you won’t be able to connect to the mount and view the old data.

Now in the Active Directory console, right-click your domain and select Change Domain Controller:

Select This Domain Controller or AD LDS instance, and type in the name of your server followed by the port number you specified with the dsamain command. In my test lab, the DC is “sadc01” and the port I specified was 5000.

sadc01:5000

Now I can view the old snapshot of Active Directory and view my old data. Keep in mind you can't edit any of the data - this is strictly read only data.

To delete the data, we can run the commands below:

ntdsutil

snapshot

list all

unmount 1

list all

delete 1